Unable to access internet but able to ping websites.

Hi, I have set up my Mikrotik 2011UiAS-2HnD as my main router by making the ISP one a bridge. This was done a few years ago by someone else. Recently, due to some issues, we had to reset and reconfigure this setup, which I have done. There is a server connected to this that needs to be accessed remotely, hence we have a static IP set up. I am able to access this server fine, but devices connected to this router, both LAN and WiFi, cannot access the net. I followed the first-time config guide's troubleshooting flowchart on this site:

and I am able to ping Google from PCs connected to the network, yet I am not able to access it.

My config:

# sep/10/2023 09:45:56 by RouterOS 6.49.10
# software id = F0DG-HDXR
#
# model = 2011UiAS-2HnD
# serial number = XXXXXXXXXX
/interface bridge
add fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country=\
    no_country_set disabled=no frequency-mode=manual-txpower mode=ap-bridge \
    ssid=Q4 station-roaming=enabled wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    XXXXXXXXXXXX
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.1.3-192.168.1.255
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge name=dhcp2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether9
add bridge=bridge interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.1.1 interface=ether1 network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
add address=XXXXXXXXXXX list=WAN
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=WAN \
    new-connection-mark=hairpinNAT passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment=hairpin connection-mark=hairpinNAT
add action=masquerade chain=srcnat out-interface=pppoe-out1 \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-type="" dst-port=5432 protocol=\
    tcp src-address-type="" to-addresses=192.168.1.2 to-ports=5432
add action=dst-nat chain=dstnat comment=ssh dst-port=22 protocol=tcp \
    to-addresses=192.168.1.2 to-ports=22
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=\
    192.168.1.2 to-ports=443
/ip service
set telnet disabled=yes
set ssh port=2200
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/lcd
set default-screen=stats-all
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Africa/Accra
/system identity
set name=XXXXXXX


Just to add one more thing: I tried using both the ISP DNS (the one obtained from PPPoE) and external DNS like Google and Cloudflare, but still no luck.

You have to remove the IP address assigned to ether1.

Thanks for the reply, but it's still not working. As of now I have contacted the ISP to check if something is wrong on their end.

There is NOTHING wrong from your ISP's side.

Add input chain filters on the firewall; your router is currently open, anyone can access your services like DNS etc.

add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=\
    192.168.1.2 to-ports=443

Add "in-interface" here, then the internet should work again.

Changes I would make.

(1) /ip neighbor discovery-settings
set discover-interface-list=LAN

(2) WHAT ARE YOU DOING WITH THIS ???
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.1.1 interface=ether1 network=192.168.1.0

--> ETHER1 is for your WAN, and yet you are mimicking the bridge IP here... NONSENSICAL!!!

(3) Where are firewall rules ??? Use this:

/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else" 
{forward chain}
(default rules to keep)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(4) Why the hairpin nat rule in mangling??? Firstly, it does NOT belong in mangling but in sourcenat!! I would assume you have servers on the LAN and you want LAN users to access these servers using something other than the servers' direct LAN IP address??

Thus from this:
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=WAN new-connection-mark=hairpinNAT passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment=hairpin connection-mark=hairpinNAT
add action=masquerade chain=srcnat out-interface=pppoe-out1

TO:
/ip firewall mangle ( no entries )
/ip firewall nat
add chain=srcnat action=masquerade dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

(5) Your DST NAT rules are wrong.
For plain dynamic WAN IP you are missing the "in-interface-list=WAN", but if you require hairpin nat, where users have to use the dyndns name to reach the router both externally and internally, then you need the following steps:

/ip firewall address-list
add address=dyndnsURL/domain name list=DOMAIN-ID

From:
add action=dst-nat chain=dstnat dst-address-type="" dst-port=5432 protocol=tcp src-address-type="" to-addresses=192.168.1.2 to-ports=5432
add action=dst-nat chain=dstnat comment=ssh dst-port=22 protocol=tcp to-addresses=192.168.1.2 to-ports=22
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.1.2 to-ports=443

TO:
add action=dst-nat chain=dstnat dst-address-list=DOMAIN-ID protocol=tcp
dst-port=22,443,5432 to-addresses=192.168.1.

If the to-ports are the same as the dst-ports, they are not required in the entry.
You can put several dst-ports on the same rule if the protocol and to-address are the same, etc.
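As an added, constructed example (not code from any poster in this thread): a small Python audit that parses a RouterOS export in the format shown above and flags the three issues raised in the replies, namely a LAN address on the WAN-facing ether1, no input-chain filter rules, and dst-nat rules that are not restricted to WAN ingress (so LAN clients' own traffic to that port gets redirected). The WAN interface names and the sample excerpt are assumptions modelled on the original post.

```python
import re

# Constructed excerpt modelled on the export posted above (not the poster's full config).
SAMPLE_EXPORT = """\
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.1.1 interface=ether1 network=192.168.1.0
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\\
    established,related
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=\\
    192.168.1.2 to-ports=443
"""

WAN_INTERFACES = {"ether1", "pppoe-out1"}  # assumed from the thread's topology

def parse_export(text):
    """Group add/set lines under their /path section, joining backslash continuations."""
    sections, current = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None and line.split()[0] in ("add", "set"):
            current.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)))
    return sections

def audit(text):
    """Flag the three misconfigurations the replies in this thread point out."""
    sections, findings = parse_export(text), []
    for a in sections.get("/ip address", []):
        if a.get("interface") in WAN_INTERFACES:
            findings.append(f"address {a.get('address')} assigned to WAN interface {a['interface']}")
    if not any(r.get("chain") == "input" for r in sections.get("/ip firewall filter", [])):
        findings.append("no input-chain rules: router services are reachable from the WAN")
    scoped = {"in-interface", "in-interface-list", "dst-address", "dst-address-list"}
    for n in sections.get("/ip firewall nat", []):
        if n.get("chain") == "dstnat" and scoped.isdisjoint(n):
            findings.append(f"dst-nat to {n.get('to-addresses')}:{n.get('dst-port')} is not limited "
                            "to WAN ingress, so LAN clients' traffic to that port is redirected too")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("-", finding)
```

Running it against a full `/export` (with the bits between the sections ignored by the parser) gives a quick pre-flight check before the router goes back online.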

Thank you very much for the reply. I changed my setup as you mentioned and it's working now. I believe the mistake was the firewall rules part; I only made the 3 shown in the first-time config article and not the others you mentioned, especially the one allowing traffic from LAN to WAN. Thank you again, you are a lifesaver; I spent weeks trying to resolve this issue.