I inherited a hex router and recently changed ISP's from fiber to cable/RIP and some services are not connecting after changing the ip, namely remote access by ip & port and OWA. Can someone take a look at this and tell me if they see where the issue is? Or maybe I should reset and start over, but I'm not that confident....
11/26/2018 23:00:23 by RouterOS 6.43.4
# software id = 8NT6-T4TU
#
# model = RouterBOARD 750G r2
# serial number = XXXXXX
/interface bridge
add admin-mac=***auto-mac=no comment=\
"created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] mac-address=***name=\
ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master-local speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc lifetime=1d \
pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.0.20-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=\
bridge1 name=default
/ppp profile
set *FFFFFFFE use-encryption=required
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-name=//pub/log
/interface bridge port
add bridge=bridge1 interface=ether3-slave-local
add bridge=bridge1 interface=ether4-slave-local
add bridge=bridge1 interface=ether5-slave-local
add bridge=bridge1 interface=ether2-master-local
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set accept-redirects=yes
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes ipsec-secret=******r \
keepalive-timeout=disabled use-ipsec=yes
/interface list member
add interface=bridge1 list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=bridge1 list=mactel
add interface=ether3-slave-local list=mactel
add interface=bridge1 list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=ether5-slave-local list=mac-winbox
add interface=ether1-gateway list=WAN
/ip address
add address=192.168.0.1/24 comment="default configuration" interface=\
ether3-slave-local network=192.168.0.0
add address=192.1xx.xxx.xxx/30 interface=ether1-gateway network=\
192.1xx.xxx.xxx
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
ether1-gateway
/ip dhcp-server network
add address=192.168.0.0/24 comment="default configuration" gateway=\
192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=108.166.149.2,8.8.8.8
/ip dns static
add address=192.168.0.1 name=router
/ip firewall address-list
add address=192.168.0.0/24 comment=Domain list=Safe
/ip firewall filter
add action=accept chain=input comment="Accept established connection packets" \
connection-state=established
add action=accept chain=forward comment="Accept related connection packets" \
connection-nat-state=dstnat connection-state=established,related \
in-interface=ether1-gateway
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop invalid packets" connection-state=\
invalid
add action=accept chain=input comment=\
"Allow access to router from known network" src-address-list=Safe
add action=drop chain=input comment="Detect and drop port scan connections" \
protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=\
3,32 protocol=tcp src-address-list=Black_list
add action=add-src-to-address-list address-list=Black_list \
address-list-timeout=1d chain=input comment="Detect DoS attack" \
connection-limit=150,32 protocol=tcp
add action=jump chain=input comment="Jump to chain ICMP" jump-target=ICMP \
protocol=icmp
add action=jump chain=input comment="Jump to chain services" jump-target=\
services log-prefix=Jump
add action=accept chain=input comment="Allow Broadcast Traffic" \
dst-address-type=broadcast
add action=drop chain=input comment="drop everything else"
add action=drop chain=input comment="Drop connections from Black_list IP's" \
log=yes log-prefix=Blacklist src-address-list=Black_list
add action=accept chain=services comment="accept localhost" dst-address=\
127.0.0.1 src-address=127.0.0.1
add action=accept chain=services comment=" MT Discovery Protocol" dst-port=\
5678 protocol=udp
add action=accept chain=services comment="allow SNMP" disabled=yes dst-port=\
161 protocol=tcp
add action=accept chain=services comment="Allow BGP" disabled=yes dst-port=\
179 protocol=tcp
add action=accept chain=services comment="allow BGP" disabled=yes dst-port=\
5000-5100 protocol=udp
add action=accept chain=services comment="Allow NTP" dst-port=123 protocol=\
udp
add action=accept chain=services comment="Allow PPTP" disabled=yes dst-port=\
1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=yes \
protocol=gre
add action=accept chain=services comment=SMTP dst-port=25 protocol=tcp
add action=drop chain=input comment="Block DNS from External for WAN" \
dst-port=53 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="Block DNS from External for WAN" \
dst-port=53 in-interface=ether1-gateway protocol=udp
add action=drop chain=forward comment="Block DNS from External for WAN" \
dst-port=53 out-interface=!ether1-gateway protocol=tcp
add action=drop chain=forward comment="Block DNS from External for WAN" \
dst-port=53 out-interface=!ether1-gateway protocol=udp
add action=accept chain=services comment="allow DNS request" dst-port=53 \
protocol=tcp
add action=drop chain=forward comment="Block Port 445 from External for WAN" \
dst-port=445 in-interface=ether1-gateway protocol=tcp
add action=accept chain=services comment="Allow DNS request" disabled=yes \
dst-port=53 protocol=udp
add action=accept chain=SYN-Protect comment=" " connection-state=new limit=\
400,5:packet protocol=tcp tcp-flags=syn
add action=accept chain=services comment=UPnP disabled=yes dst-port=1900 \
protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=2828 \
protocol=tcp
add action=accept chain=services comment="allow DHCP" disabled=yes dst-port=\
67-68 protocol=udp
add action=accept chain=services comment="allow Web Proxy" disabled=yes \
dst-port=8080 protocol=tcp
add action=accept chain=services comment="allow IPIP" disabled=yes protocol=\
ipencap
add action=accept chain=services comment="allow IPSec connections" disabled=\
yes dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=\
ipsec-esp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=\
ipsec-ah
add action=accept chain=services comment="allow RIP" disabled=yes dst-port=\
520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=yes protocol=\
ospf
add action=return chain=services
add action=jump chain=forward comment=" SYN Flood protect" connection-state=\
new disabled=yes jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment=" " connection-state=new log=yes \
log-prefix=SYNProtecg protocol=tcp tcp-flags=syn
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=add-dst-to-address-list address-list="nat list" chain=forward \
connection-nat-state=dstnat dst-address-list=!nat-list in-interface=\
ether1-gateway log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="SMTP" dst-address=\ <----This works
192.1xx.xxx.xxx dst-port=25 protocol=tcp to-addresses=192.168.0.4 \
to-ports=25
add action=dst-nat chain=dstnat comment="SMTP1" disabled=yes \ <---Not relevant at the moment
dst-address=192.1xx.xxx.xxx dst-port=25 protocol=tcp to-addresses=\
192.168.0.5 to-ports=25
add action=dst-nat chain=dstnat comment="Quickbooks Desktop" dst-address=\
192.1xx.xxx.xxx protocol=tcp to-addresses=192.168.0.3 to-ports=0-65535
add action=dst-nat chain=dstnat comment= dst-address=\ <----This works
192.1xx.xxx.xxx dst-port=5xxx-5xxx in-interface=ether1-gateway protocol=\
tcp to-addresses=192.168.0.3 to-ports=5xxx-5xxx
add action=dst-nat chain=dstnat comment= dst-address=\ <----This does not work
192.1xx.xxx.xxx dst-port=5xxx-5xxx in-interface=ether1-gateway protocol=\
tcp to-addresses=192.168.0.4 to-ports=5xxx-5xxx
add action=dst-nat chain=dstnat comment=OWA dst-address=192.1xx.xxx.xxx \ <---No external connection to OWA - internal ok
dst-port=443 protocol=tcp to-addresses=192.168.0.4 to-ports=443