holmesm
just joined
Topic Author
Posts: 21
Joined: Wed Oct 21, 2015 5:44 am

Firewall help

Tue Nov 27, 2018 6:45 am

I inherited a hex router and recently changed ISPs from fiber to cable/RIP, and some services are not connecting after changing the IP, namely remote access by IP & port and OWA. Can someone take a look at this and tell me if they see where the issue is? Or maybe I should reset and start over, but I'm not that confident....

11/26/2018 23:00:23 by RouterOS 6.43.4
# software id = 8NT6-T4TU
#
# model = RouterBOARD 750G r2
# serial number = XXXXXX
/interface bridge
add admin-mac=***auto-mac=no comment=\
"created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] mac-address=***name=\
ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master-local speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc lifetime=1d \
pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.0.20-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=\
bridge1 name=default
/ppp profile
set *FFFFFFFE use-encryption=required
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-name=//pub/log
/interface bridge port
add bridge=bridge1 interface=ether3-slave-local
add bridge=bridge1 interface=ether4-slave-local
add bridge=bridge1 interface=ether5-slave-local
add bridge=bridge1 interface=ether2-master-local
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set accept-redirects=yes
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes ipsec-secret=******r \
keepalive-timeout=disabled use-ipsec=yes
/interface list member
add interface=bridge1 list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=bridge1 list=mactel
add interface=ether3-slave-local list=mactel
add interface=bridge1 list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=ether5-slave-local list=mac-winbox
add interface=ether1-gateway list=WAN
/ip address
add address=192.168.0.1/24 comment="default configuration" interface=\
ether3-slave-local network=192.168.0.0
add address=192.1xx.xxx.xxx/30 interface=ether1-gateway network=\
192.1xx.xxx.xxx
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
ether1-gateway
/ip dhcp-server network
add address=192.168.0.0/24 comment="default configuration" gateway=\
192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=108.166.149.2,8.8.8.8
/ip dns static
add address=192.168.0.1 name=router
/ip firewall address-list
add address=192.168.0.0/24 comment=Domain list=Safe
/ip firewall filter
add action=accept chain=input comment="Accept established connection packets" \
connection-state=established
add action=accept chain=forward comment="Accept related connection packets" \
connection-nat-state=dstnat connection-state=established,related \
in-interface=ether1-gateway
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop invalid packets" connection-state=\
invalid
add action=accept chain=input comment=\
"Allow access to router from known network" src-address-list=Safe
add action=drop chain=input comment="Detect and drop port scan connections" \
protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=\
3,32 protocol=tcp src-address-list=Black_list
add action=add-src-to-address-list address-list=Black_list \
address-list-timeout=1d chain=input comment="Detect DoS attack" \
connection-limit=150,32 protocol=tcp
add action=jump chain=input comment="Jump to chain ICMP" jump-target=ICMP \
protocol=icmp
add action=jump chain=input comment="Jump to chain services" jump-target=\
services log-prefix=Jump
add action=accept chain=input comment="Allow Broadcast Traffic" \
dst-address-type=broadcast
add action=drop chain=input comment="drop everything else"
add action=drop chain=input comment="Drop connections from Black_list IP's" \
log=yes log-prefix=Blacklist src-address-list=Black_list
add action=accept chain=services comment="accept localhost" dst-address=\
127.0.0.1 src-address=127.0.0.1
add action=accept chain=services comment=" MT Discovery Protocol" dst-port=\
5678 protocol=udp
add action=accept chain=services comment="allow SNMP" disabled=yes dst-port=\
161 protocol=tcp
add action=accept chain=services comment="Allow BGP" disabled=yes dst-port=\
179 protocol=tcp
add action=accept chain=services comment="allow BGP" disabled=yes dst-port=\
5000-5100 protocol=udp
add action=accept chain=services comment="Allow NTP" dst-port=123 protocol=\
udp
add action=accept chain=services comment="Allow PPTP" disabled=yes dst-port=\
1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=yes \
protocol=gre
add action=accept chain=services comment=SMTP dst-port=25 protocol=tcp
add action=drop chain=input comment="Block DNS from External for WAN" \
dst-port=53 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="Block DNS from External for WAN" \
dst-port=53 in-interface=ether1-gateway protocol=udp
add action=drop chain=forward comment="Block DNS from External for WAN" \
dst-port=53 out-interface=!ether1-gateway protocol=tcp
add action=drop chain=forward comment="Block DNS from External for WAN" \
dst-port=53 out-interface=!ether1-gateway protocol=udp
add action=accept chain=services comment="allow DNS request" dst-port=53 \
protocol=tcp
add action=drop chain=forward comment="Block Port 445 from External for WAN" \
dst-port=445 in-interface=ether1-gateway protocol=tcp
add action=accept chain=services comment="Allow DNS request" disabled=yes \
dst-port=53 protocol=udp
add action=accept chain=SYN-Protect comment=" " connection-state=new limit=\
400,5:packet protocol=tcp tcp-flags=syn
add action=accept chain=services comment=UPnP disabled=yes dst-port=1900 \
protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=2828 \
protocol=tcp
add action=accept chain=services comment="allow DHCP" disabled=yes dst-port=\
67-68 protocol=udp
add action=accept chain=services comment="allow Web Proxy" disabled=yes \
dst-port=8080 protocol=tcp
add action=accept chain=services comment="allow IPIP" disabled=yes protocol=\
ipencap
add action=accept chain=services comment="allow IPSec connections" disabled=\
yes dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=\
ipsec-esp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=\
ipsec-ah
add action=accept chain=services comment="allow RIP" disabled=yes dst-port=\
520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=yes protocol=\
ospf
add action=return chain=services
add action=jump chain=forward comment=" SYN Flood protect" connection-state=\
new disabled=yes jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment=" " connection-state=new log=yes \
log-prefix=SYNProtecg protocol=tcp tcp-flags=syn
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=add-dst-to-address-list address-list="nat list" chain=forward \
connection-nat-state=dstnat dst-address-list=!nat-list in-interface=\
ether1-gateway log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="SMTP" dst-address=\ <----This works
192.1xx.xxx.xxx dst-port=25 protocol=tcp to-addresses=192.168.0.4 \
to-ports=25
add action=dst-nat chain=dstnat comment="SMTP1" disabled=yes \ <---Not relevant at the moment
dst-address=192.1xx.xxx.xxx dst-port=25 protocol=tcp to-addresses=\
192.168.0.5 to-ports=25
add action=dst-nat chain=dstnat comment="Quickbooks Desktop" dst-address=\
192.1xx.xxx.xxx protocol=tcp to-addresses=192.168.0.3 to-ports=0-65535
add action=dst-nat chain=dstnat comment= dst-address=\ <----This works
192.1xx.xxx.xxx dst-port=5xxx-5xxx in-interface=ether1-gateway protocol=\
tcp to-addresses=192.168.0.3 to-ports=5xxx-5xxx
add action=dst-nat chain=dstnat comment= dst-address=\ <----This does not work
192.1xx.xxx.xxx dst-port=5xxx-5xxx in-interface=ether1-gateway protocol=\
tcp to-addresses=192.168.0.4 to-ports=5xxx-5xxx
add action=dst-nat chain=dstnat comment=OWA dst-address=192.1xx.xxx.xxx \ <---No external connection to OWA - internal ok
dst-port=443 protocol=tcp to-addresses=192.168.0.4 to-ports=443
 
Jotne
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Firewall help

Tue Nov 27, 2018 8:34 am

Do use code tags around your code by clicking the button </>

It looks like you are running an older configuration with upgraded RouterOS.
You should get rid of master/slave, it is deprecated.
The IP for the LAN should be on bridge1 and not on the interface.

So my tip is to do a full reset to the default configuration and start over.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall help

Tue Nov 27, 2018 9:08 am

@jotne: OP's config is converted to all-bridge, only interface names remained the old way. While this can be confusing, it's not relevant.

However, @jotne's observation about LAN address being assigned to wrong interface is correct.

The following NAT configuration seems confusing, but it might be just fine depending on particular configuration:
add action=dst-nat chain=dstnat comment="Quickbooks Desktop" dst-address=\
192.1xx.xxx.xxx protocol=tcp to-addresses=192.168.0.3 to-ports=0-65535
add action=dst-nat chain=dstnat comment= dst-address=\ <----This works
192.1xx.xxx.xxx dst-port=5xxx-5xxx in-interface=ether1-gateway protocol=\
tcp to-addresses=192.168.0.3 to-ports=5xxx-5xxx
add action=dst-nat chain=dstnat comment= dst-address=\ <----This does not work
192.1xx.xxx.xxx dst-port=5xxx-5xxx in-interface=ether1-gateway protocol=\
tcp to-addresses=192.168.0.4 to-ports=5xxx-5xxx
add action=dst-nat chain=dstnat comment=OWA dst-address=192.1xx.xxx.xxx \ <---No external connection to OWA - internal ok
dst-port=443 protocol=tcp to-addresses=192.168.0.4 to-ports=443
The first rule grabs all tcp ports on a particular address (I can only guess that it's a public one if it's not from the 192.168/16 address range) and forwards them to the LAN host with IP address 192.168.0.3.

Which makes the other NAT rules, quoted in the excerpt above and placed below the first one, redundant if the dst-address used is indeed the WAN IP address ... In this case the second rule actually doesn't work as it is over-shadowed by the first rule. The same is the reason why the 3rd and 4th rules don't work ... some particular ports are forwarded to another LAN host (with IP address 192.168.0.4) but are already stolen by rule #1. In addition: make sure that the tcp port ranges forwarded by rules #2 and #3 don't overlap. If they do overlap, then here's another conflict to solve.

To test the last 3 rules, you should disable the first one. If you find everything intended by the last 3 rules working, then rework the first rule to make it less general. Or, if you can not or don't want to, move it to the end of the rules list. Keep in mind that rules are evaluated top to bottom and the first one matching is used.

All of my babbling above is meaningless if OP is actually using more than one WAN IP address and the configuration is slightly too obfuscated.
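A simulation of the first-match evaluation mkx describes, added here as an example (it is not code from the thread or from MikroTik). It paraphrases the OP's enabled dstnat rules as Python data, in posted order. Two things are assumed because the export is masked: the single WAN IP 192.1xx.xxx.xxx is represented by the placeholder 203.0.113.10, and the two 5xxx port ranges are taken to be the non-overlapping 5100-5110 and 5200-5210. Running it shows why the rules to 192.168.0.4 never fire while the "Quickbooks Desktop" rule sits above them, why the 5xxx rule to 192.168.0.3 looks like it works (the catch-all happens to deliver to the same host), and that moving the catch-all to the bottom restores the intended mapping. The `shadowed()` lint, a hypothetical helper, flags any rule that an earlier, broader rule makes unreachable.

```python
"""First-match walk of a RouterOS dstnat chain.

Added example, not code from the thread or from MikroTik. The rules below
paraphrase the OP's enabled dstnat rules in posted order. Assumptions:
the masked 192.1xx.xxx.xxx is the single WAN IP (placeholder 203.0.113.10),
and the masked 5xxx ranges are the non-overlapping 5100-5110 and 5200-5210.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Port = Tuple[int, int]  # inclusive range, as in dst-port=5100-5110


@dataclass
class DstNatRule:
    comment: str
    to_addresses: str
    dst_address: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[Port] = None      # None means "any port", like omitting dst-port
    in_interface: Optional[str] = None   # None means "any interface"

    def matches(self, pkt: dict) -> bool:
        """Every matcher that is set must agree with the packet; unset ones are wildcards."""
        if self.dst_address is not None and pkt["dst"] != self.dst_address:
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.in_interface is not None and pkt["in_if"] != self.in_interface:
            return False
        if self.dst_port is not None and not self.dst_port[0] <= pkt["dport"] <= self.dst_port[1]:
            return False
        return True

    def covers(self, other: "DstNatRule") -> bool:
        """True if every packet `other` could match is already matched by self."""
        for attr in ("dst_address", "protocol", "in_interface"):
            mine, theirs = getattr(self, attr), getattr(other, attr)
            if mine is not None and mine != theirs:
                return False
        if self.dst_port is None:
            return True
        if other.dst_port is None:
            return False
        return self.dst_port[0] <= other.dst_port[0] and other.dst_port[1] <= self.dst_port[1]


WAN_IP = "203.0.113.10"       # placeholder for the masked 192.1xx.xxx.xxx (assumption)
WAN_IF = "ether1-gateway"


def ops_dstnat_chain() -> List[DstNatRule]:
    """The OP's enabled dstnat rules, in the order they were posted."""
    return [
        DstNatRule("SMTP", "192.168.0.4", WAN_IP, "tcp", (25, 25)),
        # No dst-port and no in-interface: matches every TCP packet to the WAN IP.
        DstNatRule("Quickbooks Desktop", "192.168.0.3", WAN_IP, "tcp"),
        DstNatRule("5xxx to .3", "192.168.0.3", WAN_IP, "tcp", (5100, 5110), WAN_IF),
        DstNatRule("5xxx to .4", "192.168.0.4", WAN_IP, "tcp", (5200, 5210), WAN_IF),
        DstNatRule("OWA", "192.168.0.4", WAN_IP, "tcp", (443, 443)),
    ]


def wan_packet(dport: int, proto: str = "tcp") -> dict:
    """Constructed packet arriving on the WAN interface, addressed to the WAN IP."""
    return {"dst": WAN_IP, "proto": proto, "dport": dport, "in_if": WAN_IF}


def first_match(rules: List[DstNatRule], pkt: dict) -> Optional[DstNatRule]:
    """RouterOS walks a chain top to bottom and acts on the first matching rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def translate(rules: List[DstNatRule], pkt: dict) -> Optional[str]:
    """LAN host the packet ends up at, or None if no dst-nat rule matches."""
    rule = first_match(rules, pkt)
    return rule.to_addresses if rule else None


def shadowed(rules: List[DstNatRule]) -> List[str]:
    """Lint: rules that can never fire because an earlier rule covers them."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                findings.append(f"{later.comment!r} is shadowed by {earlier.comment!r}")
                break
    return findings


def move_to_end(rules: List[DstNatRule], comment: str) -> List[DstNatRule]:
    """The fix the OP applied: demote the catch-all so the specific rules win."""
    return [r for r in rules if r.comment != comment] + [r for r in rules if r.comment == comment]


if __name__ == "__main__":
    for label, chain in (("posted order", ops_dstnat_chain()),
                         ("catch-all moved to end", move_to_end(ops_dstnat_chain(), "Quickbooks Desktop"))):
        print(f"== {label}")
        for dport in (25, 443, 5105, 5205, 8080):
            hit = first_match(chain, wan_packet(dport))
            print(f"  tcp/{dport:<5} -> {hit.to_addresses} via {hit.comment!r}")
        for line in shadowed(chain):
            print("  !", line)
```

The simulation only models the matchers those rules actually use (dst-address, protocol, dst-port, in-interface). Note that demoting the catch-all fixes the ordering problem but not the exposure: with it at the bottom, any TCP port on the WAN IP that no earlier rule claims is still forwarded to 192.168.0.3 (tcp/8080 in the run above), so every service listening on that host is reachable from the Internet. That is why mkx's other suggestion, making the rule less general by restricting its dst-port, is the better end state.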
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall help

Tue Nov 27, 2018 5:04 pm

"I inherited a hex router" is the clue here...
If the OP didn't create the configuration, the best thing, as jotne says, is to configure from scratch and use the newer method of VLANs on a bridge with the latest firmware installed.
Trying to pick apart a configuration the OP doesn't understand is a dog's breakfast...
 
holmesm
just joined
Topic Author
Posts: 21
Joined: Wed Oct 21, 2015 5:44 am

Re: Firewall help

Tue Nov 27, 2018 5:33 pm

Thank you mkx - We do only have one WAN IP. That first rule should actually be on the LAN only and was the straw. Once I moved it to the bottom everything else worked as it was before. The other rules with 5xxx are all different ports going to different machines and do forward successfully now. I still don't get why it worked until the WAN IP was changed, but I knew I was overlooking something obvious.

I'm going to reset and start from scratch after I do some reading (and get some down time). This community is awesome!
