I have a CRS326-24G-2S+RM switch connected at 192.168.0.10 to a hAP^ac2 router (192.168.0.1). Both are running the latest stable RouterOS version. On both devices I have web-ssl enabled set to port 8888 with a self-signed certificate installed. Same settings on both devices. I can login via web on the hAP but not on the CRS. I can’t tell exactly when this happened and I’m not sure what is blocking access. I think it has to do with the firewall settings of the hAP but am unsure. I can’t reach the CRS over SSH either, but I can via Winbox. Which settings shall I export to help troubleshoot this?
Here are the firewall settings of the hAP:
# jul/02/2020 12:38:19 by RouterOS 6.47
# software id = W18H-RWL8
#
# model = RBD52G-5HacD2HnD
# serial number = B4A10B676823
/ip firewall address-list
add address=192.168.0.0/24 comment="entire network - during installation only, then disable" disabled=yes list=support
add address=192.168.0.100 comment="Henrik's Macbook Pro Thunderbolt Ethernet" list=support
add address=192.168.0.102 comment="Henrik's Macbook Pro Wifi" list=support
add address=192.168.0.241 comment="devices linked to the VPN tunnel, as per Mikrotik-authored article on nordvpn.com" list=tunnel_NordVPN_MY
add address=10.0.88.0/24 comment="IPSec Connected Clients" list=support
add address=192.168.0.105 comment="Henrik's iPhone 8 Plus" list=support
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Router Access to certain devices" in-interface-list=LAN src-address-list=support
add action=drop chain=input comment="Drop spoofed DNS requests over UDP" connection-state=new dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Drop spoofed DNS requests over TCP" connection-state=new dst-port=53 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Accept DNS - UDP" in-interface-list=LAN port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input comment="IKE2: Allow ALL incoming traffic from 10.0.88.0/24 to this RouterOS" ipsec-policy=in,ipsec src-address=10.0.88.0/24
add action=accept chain=input comment="Allow UDP 500,4500 IPSec" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add action=drop chain=input comment="Drop All Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=accept chain=forward comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to HOME network" dst-address=192.168.0.0/24 ipsec-policy=in,ipsec src-address=10.0.88.0/24
add action=accept chain=forward comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to ANY network" dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=10.0.88.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall mangle
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from 10.0.88.0/24 to ANY" new-mss=1280 passthrough=yes protocol=tcp src-address=10.0.88.0/24 tcp-flags=syn tcp-mss=\
!0-1280
add action=passthrough chain=forward comment="ipsec out passthrough for counting" ipsec-policy=out,ipsec protocol=tcp
add action=passthrough chain=forward comment="ipsec in passthrough for counting" ipsec-policy=in,ipsec protocol=tcp
add action=set-priority chain=postrouting comment="Set DSCP to interface priority for WMM" disabled=yes new-priority=from-dscp-high-3-bits passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat comment="SRC-NAT IKE2:10.0.0.88.0/24 --> ether1 traffic" out-interface=ether1 src-address=10.0.88.0/24 to-addresses=0.0.0.0/0
add action=masquerade chain=srcnat comment="MSQRD IKE2:10.0.88.0/24 --> WAN traffic" disabled=yes ipsec-policy=out,none out-interface-list=WAN src-address=10.0.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=Unifi
add action=dst-nat chain=dstnat dst-port=8080 in-interface=Unifi protocol=tcp to-addresses=192.168.0.100 to-ports=8080
add action=dst-nat chain=dstnat dst-address-type=local port=80 protocol=tcp to-addresses=192.168.0.6
add action=dst-nat chain=dstnat dst-address-type=local port=443 protocol=tcp to-addresses=192.168.0.6