Hello,
I moved locations for my office. We have tried everything to get our router to work with Comcast, but it won’t. The gateway is X.X.X.142 and the IPs are before it. Ours is X.X.X.137. I think it may be causing our issues. Does anyone have any other issues they have had with this? I have an RB433 running 5.6. Thank you in advance for your help!
You need to provide a lot more info. I use Mikrotik on cable connections and never had an issue.
Do you have static IPs from Comcast?
If you moved locations then your IPs will likely be different because you’re on a different network segment.
The solution if you don’t have static IPs, or even if you do, could be as simple as deleting your default route and the address on the internet facing port and turning on DHCP on that port.
We have a static IP. We had a static IP at the old location. I changed everything in the IP address, and I even updated the IP Route to the new gateway.
Call Comcast and make sure they updated everything for your new location.
We can get Internet on another router with the exact same IP and setup.
Post the output of “/ip address print detail”, “/ip route print detail”, “/interface print detail”, “/ip firewall export”, and an accurate network diagram.
Does Comcast use MAC filtering? I know our local cable provider does.
Perhaps try setting the MAC of the working router?
/interface ethernet set <Wan interface> mac-address=<MAC to Clone>
You know, that’s really the kind of information you should include in the initial post. That basically says to people that they can focus on the router rather than outside factors. It would have saved me from guessing to try and get more information and wasting time.
Sorry, you are correct. It's been a while since I have posted or replied on a topic.
Here is the output requested. I have changed the IP and router name for security.
/ip address
add address=192.168.10.1/24 broadcast=192.168.10.255 comment=LAN disabled=no
interface=ether3 network=192.168.10.0
add address=X.X.X.137/29 broadcast=X.X.X.143 comment=WAN-Wintek
disabled=yes interface=ether1 network=X.X.X.136
add address=X.X.X.138/29 broadcast=X.X.X.143 comment=WAN-Comcast
disabled=no interface=ether2 network=X.X.X.136
[M@M] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; LAN
address=192.168.10.1/24 network=192.168.10.0 interface=ether3
actual-interface=ether3
1 X ;;; WAN-Wintek
address=X.X.X.137/29 network=X.X.X.136 interface=ether1
actual-interface=ether1
2 ;;; WAN-Comcast
address=X.X.X.138/29 network=X.X.X.136 interface=ether2
actual-interface=ether2
3 D address=192.168.10.42/24 network=192.168.10.0 interface=ether2
actual-interface=ether2
[M@M] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=192.168.10.1
gateway-status=192.168.10.1 reachable ether2 distance=0 scope=30
target-scope=10 vrf-interface=ether2
1 S dst-address=0.0.0.0/0 gateway=X.X.X.142
gateway-status=X.X.X.142 unreachable check-gateway=ping
distance=1 scope=30 target-scope=10
2 X S dst-address=10.1.21.0/24 gateway=10.0.100.1,(unknown)
gateway-status=10.0.100.1 inactive,(unknown) inactive distance=1
scope=30 target-scope=10
3 ADC dst-address=192.168.10.0/24 pref-src=192.168.10.1 gateway=ether3,ether2
gateway-status=ether3 unreachable,ether2 reachable distance=0 scope=10
4 X S dst-address=192.168.20.0/24 gateway=192.168.100.2,ether1
gateway-status=192.168.100.2 inactive,ether1 inactive distance=1
scope=30 target-scope=10
5 X S dst-address=192.168.20.0/24 gateway=192.168.100.1,(unknown)
[M@M] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 X ;;; PoE - Wintek
name="ether1" type="ether" mtu=1500 l2mtu=1526 max-l2mtu=1526
1 R ;;; WAN - Comcast
name="ether2" type="ether" mtu=1500 l2mtu=1522 max-l2mtu=1522
2 ;;; LAN
name="ether3" type="ether" mtu=1500 l2mtu=1522 max-l2mtu=1522
3 X name="pptp-in1" type="pptp-in"
[M@M] > /ip firewall export
jan/01/1970 19:06:05 by RouterOS 5.6
software id = Q7J1-N2PD
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=AllowedPorts disabled=no dst-port=25 protocol=tcp
add action=tarpit chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS"
disabled=yes dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=
30m chain=forward comment="Detect and add-list SMTP virus or spammers"
connection-limit=30,32 disabled=yes dst-port=25 limit=50,5 protocol=tcp
src-address-list=!WhiteListed
add action=drop chain=input disabled=yes dst-address=0.0.0.0/0 in-interface=
ether2 src-address=212.122.161.247
add action=drop chain=input disabled=no dst-address=0.0.0.0/0 in-interface=
ether1 src-address=212.122.161.247
add action=jump chain=forward comment="Allowed Ports" disabled=yes
in-interface=ether2 jump-target=AllowedPorts
add action=jump chain=forward comment="Allowed Ports" disabled=no
in-interface=ether1 jump-target=AllowedPorts
add action=drop chain=customer comment="Drop invalid connection packets"
connection-state=invalid disabled=no
add action=drop chain=customer comment="Drop and log everything else"
disabled=no
add action=accept chain=customer comment="Allow established connections"
connection-state=established disabled=no
add action=accept chain=customer comment="Allow related connections"
connection-state=related disabled=no
add action=accept chain=AllowedPorts disabled=no dst-port=80 protocol=tcp
add action=log chain=customer comment="Log dropped connections" disabled=no
log-prefix=customer_drop
add action=accept chain=AllowedPorts disabled=no dst-port=3389 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=587 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=53 protocol=udp
add action=accept chain=AllowedPorts disabled=no dst-port=53 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=1723 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=443 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=143 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=5901 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=5500 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=993 protocol=tcp
add action=accept chain=AllowedPorts disabled=yes dst-port=8324 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=3399 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=21 protocol=tcp
add action=accept chain=AllowedPorts disabled=yes dst-port=987 protocol=tcp
add action=accept chain=AllowedPorts disabled=yes dst-port=8530 protocol=tcp
add action=accept chain=AllowedPorts disabled=yes dst-port=18768 protocol=tcp
add action=accept chain=AllowedPorts disabled=yes dst-port=8530 protocol=tcp
add action=accept chain=AllowedPorts disabled=yes dst-port=7272 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting disabled=no in-interface=ether3
new-connection-mark=fpn-conn passthrough=yes
add action=mark-packet chain=input connection-mark=fpn-conn disabled=no
new-packet-mark=in-fpn-packet passthrough=yes
add action=mark-packet chain=output connection-mark=fpn-conn disabled=no
new-packet-mark=in-fpn-packet passthrough=yes
add action=mark-routing chain=prerouting disabled=no new-routing-mark=fpn
packet-mark=in-fpn-packet passthrough=yes
add action=mark-routing chain=output disabled=no new-routing-mark=fpn
packet-mark=in-fpn-packet passthrough=yes
add action=change-dscp chain=output disabled=no dst-port=1701 new-dscp=8
protocol=udp
add action=jump chain=prerouting comment=VoIP disabled=no dscp=46 jump-target=
VoIPChain
add action=jump chain=prerouting comment=VoIP connection-type=sip disabled=no
jump-target=VoIPChain
add action=mark-packet chain=VoIPChain disabled=no new-packet-mark=VoIP
passthrough=yes
add action=add-dst-to-address-list address-list="Active VoIP Clients"
address-list-timeout=5m chain=VoIPChain disabled=no dst-address-list=
"!VoIP Servers"
add action=change-dscp chain=VoIPChain disabled=no dscp=!46 new-dscp=46
add action=accept chain=VoIPChain disabled=no
add action=return chain="LAN Traffic" disabled=no src-address-list=
"LAN Servers"
add action=mark-routing chain="LAN Traffic" disabled=no new-routing-mark=fpn
passthrough=yes
add action=mark-packet chain=forward disabled=yes new-packet-mark=Normal
packet-mark=!VoIP passthrough=yes
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.20.0/24
src-address=192.168.10.0/24
add action=dst-nat chain=dstnat comment=SMTP disabled=no dst-port=25
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=25
add action=dst-nat chain=dstnat comment=Website disabled=no dst-port=80
in-interface=ether1 protocol=tcp to-addresses=192.168.10.21 to-ports=80
add action=dst-nat chain=dstnat comment=SMTP disabled=no dst-port=587
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=587
add action=dst-nat chain=dstnat comment="Public DNS to VSRV01" disabled=no
dst-port=53 in-interface=ether1 protocol=udp to-addresses=192.168.10.22
to-ports=53
add action=dst-nat chain=dstnat comment="Public DNS to VSRV01" disabled=no
dst-port=53 in-interface=ether1 protocol=tcp to-addresses=192.168.10.22
to-ports=53
add action=dst-nat chain=dstnat comment=RDP disabled=no dst-port=3389
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=3389
add action=dst-nat chain=dstnat comment=FTP disabled=no dst-port=21
in-interface=ether1 protocol=tcp to-addresses=192.168.10.21 to-ports=21
add action=dst-nat chain=dstnat comment=SSL disabled=no dst-port=443
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=443
add action=dst-nat chain=dstnat comment=IMAP disabled=yes dst-port=143
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=143
add action=dst-nat chain=dstnat comment=RWW-VPN disabled=no dst-port=1723
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=1723
add action=dst-nat chain=dstnat comment=VNC disabled=no dst-port=5500
in-interface=ether1 protocol=tcp to-addresses=192.168.10.22 to-ports=5500
add action=dst-nat chain=dstnat comment=RDP-VSRV02 disabled=yes dst-port=3399
in-interface=ether1 protocol=tcp to-addresses=192.168.10.54 to-ports=3399
add action=dst-nat chain=dstnat comment=IMAP-SSL disabled=yes dst-port=993
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=993
add action=dst-nat chain=dstnat comment=FTP disabled=yes dst-port=8324
in-interface=ether1 protocol=tcp to-addresses=192.168.10.24 to-ports=8324
add action=dst-nat chain=dstnat comment=WSUS disabled=no dst-port=8530
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=8530
add action=dst-nat chain=dstnat comment=VNC disabled=yes dst-port=5901
in-interface=ether1 protocol=tcp to-addresses=192.168.10.22 to-ports=5901
add action=masquerade chain=srcnat comment=NAT-WAN disabled=no out-interface=
ether1
add action=accept chain=srcnat disabled=no dst-address=192.168.20.0/24
src-address=192.168.10.0/24
add action=accept chain=srcnat disabled=no
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
[M@M] >
That’s completely misconfigured.
You have IP addresses on both ether1 and ether2 on the same network, but one is disabled. ether1 is disabled, but nearly all your NAT rules refer to ether1. What’s up with that?
Your default route (0.0.0.0/0) points to 192.168.10.1, which is the router itself. It should point to your ISP gateway.
A wild stab is that you need to fix your default route as stated, and need to update every firewall filter and NAT rule that refers to ether1 and use ether2 instead.
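The two problems called out in the reply above (enabled filter/NAT rules bound to a disabled interface, and a default route whose gateway is the router's own address) can be checked mechanically against an export. This is an added example, not part of the original thread; the function names and the abridged export are constructed for illustration, and the default route is written as a static entry so that it appears in the export.

```python
import shlex

# Constructed sample, abridged from values posted in this thread. The default
# route is written as a static entry here purely for illustration.
SAMPLE_EXPORT = r'''
/ip address
add address=192.168.10.1/24 comment=LAN disabled=no interface=ether3
add address=X.X.X.138/29 comment=WAN-Comcast disabled=no interface=ether2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1
/ip firewall filter
add action=jump chain=forward comment="Allowed Ports" disabled=yes \
    in-interface=ether2 jump-target=AllowedPorts
add action=jump chain=forward comment="Allowed Ports" disabled=no \
    in-interface=ether1 jump-target=AllowedPorts
/ip firewall nat
add action=dst-nat chain=dstnat comment=RDP disabled=no dst-port=3389 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=3389
add action=dst-nat chain=dstnat comment=IMAP disabled=yes dst-port=143 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=143
add action=masquerade chain=srcnat comment=NAT-WAN disabled=no out-interface=\
    ether1
'''


def parse_export(text):
    # Return [(section, params)] for each "add" line. A trailing backslash
    # continues the entry on the next line, possibly in the middle of a token.
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]          # drop the continuation marker, keep reading
            continue
        line, buf = buf, ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])   # keeps comment="Allowed Ports" whole
            params = dict(t.split("=", 1) for t in tokens if "=" in t)
            entries.append((section, params))
    return entries


def audit(text, disabled_ifaces):
    # Flag enabled firewall rules tied to a disabled interface, and default
    # routes whose gateway is one of the router's own enabled addresses.
    entries = parse_export(text)
    local = {p["address"].split("/")[0] for s, p in entries
             if s == "/ip address" and p.get("disabled") != "yes"}
    findings = []
    for section, p in entries:
        if p.get("disabled") == "yes":
            continue                 # disabled entries cannot match traffic
        if section.startswith("/ip firewall"):
            for key in ("in-interface", "out-interface"):
                if p.get(key) in disabled_ifaces:
                    label = f'{p.get("comment", "")}: {key}={p[key]}'
                    findings.append(("disabled-iface", section, label))
        elif (section == "/ip route" and p.get("dst-address") == "0.0.0.0/0"
              and p.get("gateway") in local):
            findings.append(("self-gateway", section, p["gateway"]))
    return findings


if __name__ == "__main__":
    # ether1 is the disabled port in the first set of output in the thread.
    for kind, section, detail in audit(SAMPLE_EXPORT, {"ether1"}):
        print(f"{kind:15} {section:20} {detail}")
```

A port-forward or masquerade rule bound to a disabled interface never matches, so the published services and outbound NAT are silently absent on the port that is actually carrying traffic.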
I took it back to the original setup. I have messed with it quite a bit. I have the Internet port coming in on Ether1 now and the LAN on Ether 3.
MikroTik RouterOS 5.6 (c) 1999-2011 http://www.mikrotik.com/
[M@M] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; LAN
address=192.168.10.1/24 network=192.168.10.0 interface=ether3
actual-interface=ether3
1 ;;; WAN-Wintek
address=X.X.X.137/29 network=X.X.X.136 interface=ether1
actual-interface=ether1
2 X ;;; WAN-Comcast
address=X.X.X.138/29 network=X.X.X.136 interface=ether2
actual-interface=ether2
[M@M] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 S dst-address=0.0.0.0/0 gateway=X.X.X.142
gateway-status=X.X.X.142 unreachable check-gateway=ping
distance=1 scope=30 target-scope=10
1 X S dst-address=10.1.21.0/24 gateway=10.0.100.1,(unknown)
gateway-status=10.0.100.1 inactive,(unknown) inactive distance=1
scope=30 target-scope=10
2 ADC dst-address=192.168.10.0/24 pref-src=192.168.10.1 gateway=ether3
gateway-status=ether3 unreachable distance=0 scope=200
3 X S dst-address=192.168.20.0/24 gateway=192.168.100.2,ether1
gateway-status=192.168.100.2 inactive,ether1 inactive distance=1
scope=30 target-scope=10
4 X S dst-address=192.168.20.0/24 gateway=192.168.100.1,(unknown)
gateway-status=192.168.100.1 inactive,(unknown) inactive distance=1
scope=30 target-scope=10
5 ADC dst-address=X.X.X.136/29 pref-src=X.X.X.137 gateway=ether1
gateway-status=ether1 reachable distance=0 scope=10
[M@M] > firewall export
bad command name firewall (line 1 column 1)
[M@M] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R ;;; PoE - Wintek
name="ether1" type="ether" mtu=1500 l2mtu=1526 max-l2mtu=1526
1 X ;;; WAN - Comcast
name="ether2" type="ether" mtu=1500 l2mtu=1522 max-l2mtu=1522
2 ;;; LAN
name="ether3" type="ether" mtu=1500 l2mtu=1522 max-l2mtu=1522
3 X name="pptp-in1" type="pptp-in"
[M@M] > /ip firewall export
jan/01/1970 19:45:43 by RouterOS 5.6
software id = Q7J1-N2PD
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=AllowedPorts disabled=no dst-port=25 protocol=tcp
add action=tarpit chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS"
disabled=yes dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=
30m chain=forward comment="Detect and add-list SMTP virus or spammers"
connection-limit=30,32 disabled=yes dst-port=25 limit=50,5 protocol=tcp
src-address-list=!WhiteListed
add action=drop chain=input disabled=yes dst-address=0.0.0.0/0 in-interface=
ether2 src-address=212.122.161.247
add action=drop chain=input disabled=no dst-address=0.0.0.0/0 in-interface=
ether1 src-address=212.122.161.247
add action=jump chain=forward comment="Allowed Ports" disabled=yes
in-interface=ether2 jump-target=AllowedPorts
add action=jump chain=forward comment="Allowed Ports" disabled=no
in-interface=ether1 jump-target=AllowedPorts
add action=drop chain=customer comment="Drop invalid connection packets"
connection-state=invalid disabled=no
add action=drop chain=customer comment="Drop and log everything else"
disabled=no
add action=accept chain=customer comment="Allow established connections"
connection-state=established disabled=no
add action=accept chain=customer comment="Allow related connections"
connection-state=related disabled=no
add action=accept chain=AllowedPorts disabled=no dst-port=80 protocol=tcp
add action=log chain=customer comment="Log dropped connections" disabled=no
log-prefix=customer_drop
add action=accept chain=AllowedPorts disabled=no dst-port=3389 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=587 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=53 protocol=udp
add action=accept chain=AllowedPorts disabled=no dst-port=53 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=1723 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=443 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=143 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=5901 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=5500 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=993 protocol=tcp
add action=accept chain=AllowedPorts disabled=yes dst-port=8324 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=3399 protocol=tcp
add action=accept chain=AllowedPorts disabled=no dst-port=21 protocol=tcp
add action=accept chain=AllowedPorts disabled=yes dst-port=987 protocol=tcp
add action=accept chain=AllowedPorts disabled=yes dst-port=8530 protocol=tcp
add action=accept chain=AllowedPorts disabled=yes dst-port=18768 protocol=tcp
add action=accept chain=AllowedPorts disabled=yes dst-port=8530 protocol=tcp
add action=accept chain=AllowedPorts disabled=yes dst-port=7272 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting disabled=no in-interface=ether3
new-connection-mark=fpn-conn passthrough=yes
add action=mark-packet chain=input connection-mark=fpn-conn disabled=no
new-packet-mark=in-fpn-packet passthrough=yes
add action=mark-packet chain=output connection-mark=fpn-conn disabled=no
new-packet-mark=in-fpn-packet passthrough=yes
add action=mark-routing chain=prerouting disabled=no new-routing-mark=fpn
packet-mark=in-fpn-packet passthrough=yes
add action=mark-routing chain=output disabled=no new-routing-mark=fpn
packet-mark=in-fpn-packet passthrough=yes
add action=change-dscp chain=output disabled=no dst-port=1701 new-dscp=8
protocol=udp
add action=jump chain=prerouting comment=VoIP disabled=no dscp=46 jump-target=
VoIPChain
add action=jump chain=prerouting comment=VoIP connection-type=sip disabled=no
jump-target=VoIPChain
add action=mark-packet chain=VoIPChain disabled=no new-packet-mark=VoIP
passthrough=yes
add action=add-dst-to-address-list address-list="Active VoIP Clients"
address-list-timeout=5m chain=VoIPChain disabled=no dst-address-list=
"!VoIP Servers"
add action=change-dscp chain=VoIPChain disabled=no dscp=!46 new-dscp=46
add action=accept chain=VoIPChain disabled=no
add action=return chain="LAN Traffic" disabled=no src-address-list=
"LAN Servers"
add action=mark-routing chain="LAN Traffic" disabled=no new-routing-mark=fpn
passthrough=yes
add action=mark-packet chain=forward disabled=yes new-packet-mark=Normal
packet-mark=!VoIP passthrough=yes
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.20.0/24
src-address=192.168.10.0/24
add action=dst-nat chain=dstnat comment=SMTP disabled=no dst-port=25
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=25
add action=dst-nat chain=dstnat comment=Website disabled=no dst-port=80
in-interface=ether1 protocol=tcp to-addresses=192.168.10.21 to-ports=80
add action=dst-nat chain=dstnat comment=SMTP disabled=no dst-port=587
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=587
add action=dst-nat chain=dstnat comment="Public DNS to VSRV01" disabled=no
dst-port=53 in-interface=ether1 protocol=udp to-addresses=192.168.10.22
to-ports=53
add action=dst-nat chain=dstnat comment="Public DNS to VSRV01" disabled=no
dst-port=53 in-interface=ether1 protocol=tcp to-addresses=192.168.10.22
to-ports=53
add action=dst-nat chain=dstnat comment=RDP disabled=no dst-port=3389
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=3389
add action=dst-nat chain=dstnat comment=FTP disabled=no dst-port=21
in-interface=ether1 protocol=tcp to-addresses=192.168.10.21 to-ports=21
add action=dst-nat chain=dstnat comment=SSL disabled=no dst-port=443
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=443
add action=dst-nat chain=dstnat comment=IMAP disabled=yes dst-port=143
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=143
add action=dst-nat chain=dstnat comment=RWW-VPN disabled=no dst-port=1723
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=1723
add action=dst-nat chain=dstnat comment=VNC disabled=no dst-port=5500
in-interface=ether1 protocol=tcp to-addresses=192.168.10.22 to-ports=5500
add action=dst-nat chain=dstnat comment=RDP-VSRV02 disabled=yes dst-port=3399
in-interface=ether1 protocol=tcp to-addresses=192.168.10.54 to-ports=3399
add action=dst-nat chain=dstnat comment=IMAP-SSL disabled=yes dst-port=993
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=993
add action=dst-nat chain=dstnat comment=FTP disabled=yes dst-port=8324
in-interface=ether1 protocol=tcp to-addresses=192.168.10.24 to-ports=8324
add action=dst-nat chain=dstnat comment=WSUS disabled=no dst-port=8530
in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=8530
add action=dst-nat chain=dstnat comment=VNC disabled=yes dst-port=5901
in-interface=ether1 protocol=tcp to-addresses=192.168.10.22 to-ports=5901
add action=masquerade chain=srcnat comment=NAT-WAN disabled=no out-interface=
ether1
add action=accept chain=srcnat disabled=no dst-address=192.168.20.0/24
src-address=192.168.10.0/24
add action=accept chain=srcnat disabled=no
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
[M@M] >
Remove the ‘check-gateway=ping’ from the default route.
Shut down the cable modem by unplugging its power, shut down the router. Bring up the cable modem and wait until it has fully connected, then turn on the router.
Right now your default route is saying ‘unreachable’. I’m wildly guessing that your cable modem has cached an old MAC address, and also can’t be pinged. Rebooting everything may fix that. The other possibility is that you have a typo in the gateway IP - since you are masking out all your public IPs I can’t verify that from here.
I did what you recommended and I have it plugged in this time. I didn’t have it plugged in last time.
[M@M] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; LAN
address=192.168.10.1/24 network=192.168.10.0 interface=ether3
actual-interface=ether3
1 ;;; WAN-Wintek
address=X.X.X.137/29 network=X.X.X.136 interface=ether1
actual-interface=ether1
2 X ;;; WAN-Comcast
address=X.X.X.138/29 network=X.X.X.136 interface=ether2
actual-interface=ether2
[M@M] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=X.X.X.142
gateway-status=X.X.X.142 reachable ether1 distance=1 scope=30
target-scope=10
1 X S dst-address=10.1.21.0/24 gateway=10.0.100.1,(unknown)
gateway-status=10.0.100.1 inactive,(unknown) inactive distance=1
scope=30 target-scope=10
2 ADC dst-address=192.168.10.0/24 pref-src=192.168.10.1 gateway=ether3
gateway-status=ether3 reachable distance=0 scope=10
3 X S dst-address=10.214.20.0/24 gateway=192.168.100.2,ether1
gateway-status=192.168.100.2 inactive,ether1 inactive distance=1
scope=30 target-scope=10
4 X S dst-address=10.214.20.0/24 gateway=192.168.100.1,(unknown)
gateway-status=192.168.100.1 inactive,(unknown) inactive distance=1
scope=30 target-scope=10
5 ADC dst-address=X.X.X.136/29 pref-src=X.X.X.137 gateway=ether1
gateway-status=ether1 reachable distance=0 scope=10
[M@M] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R ;;; PoE - Wintek
name="ether1" type="ether" mtu=1500 l2mtu=1526 max-l2mtu=1526
1 X ;;; WAN - Comcast
name="ether2" type="ether" mtu=1500 l2mtu=1522 max-l2mtu=1522
2 R ;;; LAN
name="ether3" type="ether" mtu=1500 l2mtu=1522 max-l2mtu=1522
3 X name="pptp-in1" type="pptp-in"
[M@M] >
According to that everything is working.
I know, that is what is frustrating…
You’ve tried that, I assume?
Otherwise I don’t know what to tell you - I’m sure it could work, but we’re all overlooking something. Don’t know what, though.
This might sound a little too obvious, but in the interest of trying everything, have you powercycled the cable modem? The ones around here generally need a reboot when you plug a different device in.
I have tried the MAC clone, and I have tried power cycling the modem… I’m going to just wipe and start over to see if I can get it to work…