WAN side ping with Groove & NAT

I feel dumb asking for help here, but I'm beginning to get a love/hate relationship with these MikroTik products and it's bordering more on the hate side.

I'm trying to set up a simple wireless station that will NAT to the ethernet port as well as broadcast another wlan2 that is bridged to the ethernet to provide repeater-type functionality for weak internet access in RV parks. I've been able to configure this and get everything working EXCEPT ping from the outside. My WAN connection is to an existing wireless AP that hands out 192.168.99.x addresses... wlan1 gets 192.168.99.44 easily and NAT works just fine from both the wlan2 and ethernet connections.

I can ping the 10.10.10.1 interface address and 192.168.99.44 from inside, but NOT from the wlan1 side from other 192.168.99.x clients. It will, however, accept and act normally for the machine that gave it its DHCP address - I can ping and telnet on port 80 and 81 from 192.168.99.1 to 192.168.99.44 (wlan's IP).

No matter what combination of firewall rules I try, I can't seem to get it to accept WAN side ping from other machines in the 192.168.99.x subnet OTHER than 192.168.99.1 to its received address.

Thanks in advance for your help,

Jon

Config below...

# apr/12/2018 14:59:07 by RouterOS 6.39.2
# software id = 2JRU-NFJL

/interface bridge
add admin-mac=6C:3B:6B:3D:D3:00 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto ssid=SkyNet wireless-protocol=nv2-nstreme-802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=*** wpa2-pre-shared-key=***
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=fbivan supplicant-identity="" wpa-pre-shared-key=*** wpa2-pre-shared-key=***
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=6E:3B:6B:3D:D3:01 master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=fbivan ssid=FBISurveillanceVan wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=dhcp ranges=10.10.10.20-10.10.10.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan2
/ip settings
set icmp-rate-limit=2000
/ip address
add address=10.10.10.1/24 interface=ether1 network=10.10.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridge
add dhcp-options=hostname,clientid disabled=no interface=wlan1
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 netmask=24
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.99.44 dst-port=81 log=yes protocol=tcp to-addresses=10.10.10.2 to-ports=80
add action=masquerade chain=srcnat out-interface=wlan1
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=UglyStick

Turned out to be an issue with ARP. Enabling proxy-arp appears to have fixed the issue. Makes sense now, but didn’t work out of the box.