Unable to access port on a LAN device

Hi All,


As the title suggests, I am unable to access the web port of a device on my local network. This worked fine with another router, so I have concluded that a setting I have made has broken the connection.

Trying to open the site results in the error ‘The server at 10.20.20.241 is taking too long to respond.’ The site is on a non-standard port.
I can ping the device fine from the MikroTik and from other devices.

I have a dual-WAN setup; however, only selected devices go out via the first WAN, with everything else, including the ‘main’ table, going out via WAN2.
I can’t see it being blocked by any of the drop rules either.

# 2023-10-13 11:31:36 by RouterOS 7.11.2
# software id = ########
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = #########
# Reviewer notes (lines beginning with '#') were added for readability only;
# /import skips them and no command in this export has been altered.
# Layout as exported: one VLAN-filtering bridge (BR1) carrying VLAN 20 (vHOME,
# 10.20.20.0/24) and VLAN 30 (vIOT, 10.30.30.0/24); two statically addressed
# WAN ports; a ZeroTier interface that is routed rather than bridged.
/interface bridge
add name=BR1 vlan-filtering=yes
/interface ethernet
# mtu=1472 is set only on the two WAN ports; ether3-5 keep their default, so
# the reduced MTU should not affect traffic between two 10.20.20.x hosts.
set [ find default-name=ether1 ] mtu=1472 name=ether1-WAN-SPARK poe-out=off
set [ find default-name=ether2 ] mtu=1472 name=ether2-WAN-2D
set [ find default-name=ether3 ] name=ether3-network_out
set [ find default-name=ether4 ] name=ether4-network_out
set [ find default-name=ether5 ] name=ether5-network_out
/interface vlan
add interface=BR1 name=vHOME vlan-id=20
add interface=BR1 name=vIOT vlan-id=30
# vVMS (VLAN 40) has no /interface bridge vlan entry, no address and no list
# membership anywhere in this export, so it carries nothing; harmless, but it
# is dead configuration.
add interface=BR1 name=vVMS vlan-id=40
/interface list
add name=wan
add name=lan
/interface wifiwave2 security
# wps=disable appears only on the 2ghz profile; the 5ghz and IoT profiles are
# at their default for wps — confirm that is intended.
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=2ghz wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=5ghz
add authentication-types=wpa2-psk disabled=no name=IoT
/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-n .width=20mhz \
    configuration.country="New Zealand" .mode=ap .ssid=$$$$$$$ disabled=\
    no name=AC_2.4 security=2ghz
# IoT SSID: hidden, WPA2-PSK only. Hiding the SSID gives no confidentiality;
# the isolation for this network comes from the VLAN 30 / firewall rules below.
add configuration.hide-ssid=yes .mode=ap .ssid=$$$$$$ disabled=no \
    mac-address=11:22:33:44:55:66 master-interface=AC_2.4 name=AC_2.4_IoT \
    security=IoT
set [ find default-name=wifi1 ] channel.band=5ghz-ac .skip-dfs-channels=\
    disabled .width=20/40/80mhz configuration.country="New Zealand" .mode=ap \
    .ssid=$$$$$$$$$$$$$$ disabled=no name=AX_5 security=5ghz
/ip pool
# The pool's last address, 10.20.20.200, is also the 'TurtBook' entry in
# my_devices and the subject of two (disabled) routing rules below; unless it
# has a static lease, the pool can hand .200 to a different client.
add name=dhcp_pool1 ranges=10.20.20.65-10.20.20.200
add name=IoT_Pool ranges=10.30.30.20-10.30.30.50
/ip dhcp-server
add address-pool=dhcp_pool1 interface=vHOME lease-time=1d name=dhcp1
add address-pool=IoT_Pool interface=vIOT name=IoT_dhcp
/routing table
# Two extra FIB tables. The only routes this export places in them are the two
# default routes under /ip route; connected routes exist only in main.
add disabled=no fib name=spark
add disabled=no fib name=2D
/system logging action
# Remote syslog collector on the home VLAN, sourced from the router's vHOME
# address.
add name=MinervaSyslog remote=10.20.20.10 src-address=10.20.20.1 target=\
    remote
/user group
# Read-only, API-only group. It is paired with the plaintext 'api' service in
# /ip service below (api-ssl is disabled there), so its credentials traverse
# the LAN unencrypted.
add name=api policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,\
    !test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
# allow-managed=yes accepts routes pushed by the ZeroTier network controller,
# so whoever administers that network can influence this router's routing.
# Together with the unrestricted "ZeroTier Forward" filter rule below, every
# member of that ZeroTier network is effectively inside the LAN trust boundary.
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zt1 name=AtlasV2_Link network=###############
/interface bridge port
# All three wired ports and the two home SSIDs are untagged VLAN 20 (pvid=20);
# the IoT SSID is untagged VLAN 30.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3-network_out pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4-network_out pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5-network_out pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    AC_2.4_IoT pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    AC_2.4 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    AX_5 pvid=20
# ZeroTier is NOT a bridge member (disabled=yes), so ZeroTier traffic is
# routed and passes the /ip firewall forward chain.
add bridge=BR1 disabled=yes interface=AtlasV2_Link
/ip firewall connection tracking
set tcp-established-timeout=1h
/ip neighbor discovery-settings
set discover-interface-list=lan
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# NOTE(review): because every wired port and both home SSIDs are untagged
# members of VLAN 20, a client in 10.20.20.0/24 reaches 10.20.20.241 by bridge
# switching alone; none of the /ip firewall chains below see that traffic
# unless bridge use-ip-firewall is enabled, and this export does not show it.
# The forward rules only apply if the client sits on vIOT, the ZeroTier link or
# another routed path.
add bridge=BR1 tagged=BR1 untagged=\
    ether3-network_out,ether4-network_out,ether5-network_out,AC_2.4,AX_5 \
    vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=AC_2.4_IoT vlan-ids=30
/interface list member
# The VLAN interfaces, not the physical ports, are the 'lan' members — correct
# for a VLAN-aware bridge.
add interface=ether1-WAN-SPARK list=wan
add interface=ether2-WAN-2D list=wan
add interface=vHOME list=lan
add interface=vIOT list=lan
/interface ovpn-server server
# md5 (and sha1) as OpenVPN auth digests are weak. This export shows no
# enabled=yes for the OVPN server, so the setting is presumably inert; drop md5
# before the server is ever enabled.
set auth=sha1,md5
/ip address
add address=10.20.20.1/24 interface=vHOME network=10.20.20.0
add address=192.168.10.10/24 comment=WAN1 interface=ether1-WAN-SPARK network=\
    192.168.10.0
add address=192.168.11.10/24 comment=WAN2 interface=ether2-WAN-2D network=\
    192.168.11.0
add address=10.30.30.1/24 interface=vIOT network=10.30.30.0
/ip arp
# Static ARP pin for the 'Remote' host; if that host's MAC ever changes the
# router cannot reach it. Unrelated to .241.
add address=10.20.20.238 comment=Remote interface=vHOME mac-address=\
    52:54:00:A7:0C:B5
/ip dhcp-client
# Both WAN ports are statically addressed (see /ip address); DHCP client is off.
add disabled=yes interface=ether2-WAN-2D
add disabled=yes interface=ether1-WAN-SPARK
/ip dhcp-server alert
add interface=AC_2.4
/ip dhcp-server network
# Home clients are pointed at 10.20.20.6/.7 (the PiHole entries below); IoT
# clients get Cloudflare directly.
add address=10.20.20.0/24 dns-server=10.20.20.6,10.20.20.7 gateway=10.20.20.1
add address=10.30.30.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.30.30.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anyone who reaches
# port 53; the input chain below admits 53 only from the 'lan' list and drops
# everything else, so those two settings must stay together.
# verify-doh-cert=yes is set but no use-doh-server appears in this export, so
# upstream queries presumably go to 1.0.0.1/1.1.1.1 in the clear — confirm.
set allow-remote-requests=yes doh-timeout=10s max-udp-packet-size=512 \
    servers=1.0.0.1,1.1.1.1 verify-doh-cert=yes
/ip dns static
add address=1.1.1.1 name=cloudflare-dns.com
/ip firewall address-list
# trusted_admin is the entire home VLAN, not a set of admin hosts; every
# 10.20.20.x client therefore reaches all router services the input chain
# permits (subject to the per-service address limits in /ip service).
add address=10.20.20.0/24 list=trusted_admin
# 'bogons' is not referenced by any filter or raw rule in this export, so it is
# currently unused. Note 172.16.0.0/12 below overlaps the 172.18.0.0/24
# 'MINERVA-Docker' entry in Trusted_IoT; enabling bogon filtering on forward
# would catch that range.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
add address=10.30.30.10 comment=Bulb list=Trusted_IoT
add address=10.20.20.200 comment=TurtBook list=my_devices
add address=10.20.20.201 comment=TurtMax list=my_devices
# 'spark_wan' is not referenced by any rule in this export; the per-host
# /routing rule entries below list the same hosts individually.
add address=10.20.20.2 comment=SWAG list=spark_wan
add address=10.20.20.9 comment=PLEX list=spark_wan
add address=10.20.20.31 comment=Smokeping-Spark list=spark_wan
add address=10.20.20.7 comment="PiHole Wireguard" list=my_devices
add address=10.30.30.11 comment=Kindle list=Trusted_IoT
# A Docker bridge range as a trusted IoT source: it only matches if packets
# with 172.18.0.x source addresses actually arrive at this router (hosts
# normally NAT that range), so it may be inert — verify.
add address=172.18.0.0/24 comment=MINERVA-Docker list=Trusted_IoT
/ip firewall filter
# NOTE(review): several rules below carry a log-prefix without log=yes, and a
# prefix alone logs nothing. Of the drop/reject rules only the forward
# "drop all else" (log=yes) writes to the log; the input "drop all else", both
# "drop invalid" rules and "Drop IoT" are silent. An empty log therefore does
# not prove those rules are not matching.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
# Untrusted IoT hosts are rejected (not dropped) on the way to the internet.
add action=reject chain=forward comment="Drop IoT" log-prefix=IoTDrop>> \
    out-interface-list=wan reject-with=icmp-network-unreachable src-address=\
    10.30.30.0/24 src-address-list=!Trusted_IoT
add action=accept chain=input comment="ZeroTier Input" connection-state=\
    established,related,untracked in-interface=AtlasV2_Link
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=IN-INVLD>>
# ICMP to the router is accepted only from trusted_admin, so ICMP arriving on
# either WAN (including fragmentation-needed messages relevant to the 1472
# WAN MTU) is dropped by "drop all else" — confirm that is intended.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp \
    src-address-list=trusted_admin
add action=accept chain=input comment="defconf: allow admin to router" \
    in-interface-list=lan log-prefix=LANR>> src-address-list=trusted_admin
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Only DNS and NTP are reachable on the router from the IoT VLAN (it is in
# 'lan' but not in trusted_admin).
add action=accept chain=input comment=\
    "Allow lan DNS queries-UDP and NTP  services" dst-port=53,123 \
    in-interface-list=lan log-prefix=DNS>> protocol=udp
add action=accept chain=input comment="Allow lan DNS queries - TCP" dst-port=\
    53 in-interface-list=lan log-prefix=TCPDNS>> protocol=tcp
add action=drop chain=input comment="drop all else" log-prefix=IN_DROP>>
# connection-state="" matches every state, so any packet entering from
# ZeroTier is forwarded anywhere (both VLANs) before the invalid-drop runs.
# The ZeroTier network's membership list is the only control on this path.
add action=accept chain=forward comment="ZeroTier Forward" connection-state=\
    "" in-interface=AtlasV2_Link
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=FWD-INVLD>>
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=lan out-interface-list=wan
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
# Home -> IoT is limited to my_devices reaching the camera at 10.30.30.5;
# everything else from vHOME into vIOT falls through to the logged drop.
add action=accept chain=forward comment="access cam" dst-address=10.30.30.5 \
    src-address-list=my_devices
# Trusted_IoT may open connections to any host/port on the home VLAN.
add action=accept chain=forward comment="Iot to Home lan" out-interface=vHOME \
    src-address-list=Trusted_IoT
add action=drop chain=forward comment="drop all else" log=yes log-prefix=\
    FWD-DROP>>
/ip firewall mangle
# Connections entering via a WAN port are tagged with that WAN's mark ...
add action=mark-connection chain=prerouting comment="Spark Mark" \
    connection-mark=no-mark in-interface=ether1-WAN-SPARK \
    new-connection-mark=spark_conn passthrough=yes
add action=mark-connection chain=prerouting comment="2D Mark" \
    connection-mark=no-mark in-interface=ether2-WAN-2D new-connection-mark=\
    2d_conn passthrough=yes
# ... and LAN-side replies on those connections are routed back via the same
# WAN's table. NOTE(review): packets of a fasttracked connection skip mangle,
# so for dstnat'd flows these return marks are not reliably applied after the
# first packets; the per-host /routing rule entries (e.g. 10.20.20.2 -> spark)
# are what keep the SWAG replies on WAN1 — keep them.
add action=mark-routing chain=prerouting comment="Spark Return Mark" \
    connection-mark=spark_conn in-interface-list=lan log-prefix=ServReturn>> \
    new-routing-mark=spark passthrough=yes
# Inconsistency: this rule marks 'main' while its output-chain twin below marks
# '2D'. It is harmless today because both tables default via 192.168.11.1, but
# 'main' additionally holds the connected routes; table=2D was presumably meant.
add action=mark-routing chain=prerouting comment="2D Return Mark" \
    connection-mark=2d_conn in-interface-list=lan log-prefix=ServReturn>> \
    new-routing-mark=main passthrough=yes
add action=mark-routing chain=output comment="Spark Return Traffic" \
    connection-mark=spark_conn log-prefix=Spark-R>> new-routing-mark=spark \
    passthrough=no
add action=mark-routing chain=output comment="2D Return Traffic" \
    connection-mark=2d_conn log-prefix=2DReturn>> new-routing-mark=2D \
    passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="MASQ Spark" out-interface=\
    ether1-WAN-SPARK
add action=masquerade chain=srcnat comment="MASQ 2Deg" out-interface=\
    ether2-WAN-2D
# Masquerades home-VLAN TCP that transits the router towards SWAG. Same-subnet
# traffic never transits the router, and the only dst-nat below is bound to
# in-interface=ether1-WAN-SPARK, so this is not a complete hairpin-NAT pair;
# it is logged, which makes it easy to confirm whether it ever matches.
add action=masquerade chain=srcnat dst-address=10.20.20.2 log=yes log-prefix=\
    MASQLCL>> out-interface=vHOME protocol=tcp src-address=10.20.20.0/24
# Only inbound exposure: 443/tcp on WAN1 to the SWAG proxy. Its replies leave
# via WAN1 because of the 10.20.20.2 routing rule below.
add action=dst-nat chain=dstnat comment=SWAG-Proxy dst-port=443 in-interface=\
    ether1-WAN-SPARK protocol=tcp to-addresses=10.20.20.2 to-ports=443
/ip firewall raw
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
/ip route
# Three default routes: spark -> WAN1, 2D -> WAN2, main -> WAN2. The router
# itself and every host without a routing rule therefore use WAN2, matching
# the description in the post.
add comment=WAN1 disabled=no distance=5 dst-address=0.0.0.0/0 gateway=\
    192.168.10.254 pref-src="" routing-table=spark scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WAN2 disabled=no distance=5 dst-address=0.0.0.0/0 gateway=\
    192.168.11.1 pref-src="" routing-table=2D scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=PrimaryRoute disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=192.168.11.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
# Management surface: telnet/ftp/www off; ssh, www-ssl and winbox limited to
# the home /24. The plaintext 'api' service stays enabled for one host while
# api-ssl is disabled — the reverse (api-ssl on, api off) would avoid sending
# the 'api' group's credentials in the clear.
set telnet disabled=yes
set ftp disabled=yes
set www address=10.20.20.0/24 disabled=yes port=82
set ssh address=10.20.20.0/24
set www-ssl address=10.20.20.0/24
set api address=10.20.20.10/32
set winbox address=10.20.20.0/24
set api-ssl disabled=yes
/routing rule
# lookup-only-in-table restricts each listed host to its table, and the spark
# and 2D tables hold only a default route, so for these hosts every routed
# destination — including 10.30.30.0/24 and the ZeroTier network — resolves to
# the WAN gateway. A preceding rule with dst-address for the local prefixes and
# table=main would be needed if any of them must reach another local subnet.
# None of this touches same-subnet traffic to 10.20.20.241, which never
# consults the router.
add action=lookup-only-in-table comment=SWAG disabled=no src-address=\
    10.20.20.2/32 table=spark
add action=lookup-only-in-table comment=PLEX disabled=no src-address=\
    10.20.20.9/32 table=spark
add action=lookup-only-in-table comment=SMOKEPING disabled=no src-address=\
    10.20.20.31/32 table=spark
add action=lookup-only-in-table comment=SMOKEPING-2D disabled=no src-address=\
    10.20.20.30/32 table=2D
add action=lookup-only-in-table comment="Wireguard PiHole" disabled=no \
    src-address=10.20.20.7/32 table=spark
add action=lookup-only-in-table comment=QBit disabled=no src-address=\
    10.20.20.248/32 table=2D
add action=lookup-only-in-table comment=MACBOOK disabled=yes src-address=\
    10.20.20.200/32 table=spark
add action=lookup-only-in-table comment=TURTREMOTE disabled=yes src-address=\
    10.20.20.238/32 table=spark
add action=lookup-only-in-table disabled=yes src-address=10.20.20.200/32 \
    table=2D
# Disabled, and redundant even if enabled: hosts without a rule already use
# main.
add action=lookup-only-in-table comment="Whole Lan Rule" disabled=yes \
    src-address=10.20.20.0/24 table=main
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=AtlasV2
/system logging
# 'firewall' and 'info' topics are shipped to the syslog collector, so the
# logged drops (FWD-DROP, MASQLCL) should be visible there as well as locally.
set 0 topics=info,!dhcp
add action=MinervaSyslog topics=warning
add action=MinervaSyslog topics=critical
add action=MinervaSyslog topics=error
add action=MinervaSyslog topics=interface
add action=MinervaSyslog topics=system
add action=MinervaSyslog topics=firewall
add action=MinervaSyslog disabled=yes topics=wireguard
add action=MinervaSyslog topics=info
add disabled=yes topics=debug
add disabled=yes topics=wireguard
add disabled=yes topics=wireless
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=101.100.146.146
add address=202.68.92.244
add address=43.252.70.34
add address=162.159.200.123
/system package update
# The 'testing' channel on a production edge router means pre-release builds;
# 'stable' (or 'long-term') is the usual choice for a device whose firewall
# behaviour is relied upon.
set channel=testing
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-level access (mac-telnet / mac-winbox) limited to the 'lan' list.
set allowed-interface-list=lan
/tool mac-server mac-winbox
set allowed-interface-list=lan

I am a bit lost as to what is causing this and would appreciate any insight into what might be behind this behavior.