Shefartech
newbie
Topic Author
Posts: 29
Joined: Sat Oct 20, 2018 9:21 am

Access from the Internet

Fri Aug 16, 2019 4:06 pm

This is how my network is set up
Router 1--->Router 2--->POE Switch--->Wireless AP's

Router 1 is connected to the ISP via a Static Public IP 41.XX.XXX.XXX on Port 1
Router 1 has a local network address of 192.168.1.0/24
Port 2 of Router 1 has an IP address 192.168.255.1/30 and is not part of the LAN bridge

Router 2 has a local network address of 192.168.2.0/24
Port 1 of Router 2 has an IP address 192.168.255.2/30

Port 2 on Router 1 is connected to Port 1 on Router 2

On Router 1 I created a static route to 192.168.2.0/24 via Router 2 at 192.168.255.2

All of the wireless APs connected to Router 2 via a POE switch have static IPs 192.168.2.21-30

All the wireless APs get internet access via Router 1

There is a NAT rule on Router 1 that allows me to access Router 2 from anywhere in the world

Want to be able to access all the wireless AP's on port 443 from the internet as well.

Can anyone assist? All responses will be highly appreciated
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Access from the Internet

Fri Aug 16, 2019 9:17 pm

You will not be able to access "all APs" directly on port 443, i.e. Port Forwarding / Dst NAT.

Use VPN access, and then access APs via private IP:443
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Access from the Internet

Fri Aug 16, 2019 11:23 pm

There is just one port 443 on one public IP 41.x.x.x, so you can have just one AP accessible via that single port. But you can use port-forwarding rules in the firewall, so that e.g. port 21443 on the public IP will be forwarded to port 443 on the private IP of AP 1, port 22443 to port 443 of the private IP of AP 2 etc., if that is sufficient for the purpose (or use ports 44301, 44302 etc. instead if you like it more). If you use some management application which insists on port 443, CZFan's suggestion is your only way.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access from the Internet

Sat Aug 17, 2019 12:01 am

Reverse proxy could work too (each AP would have different hostname), but it would require another machine to run it. But since it's for management purposes, VPN is probably better idea.
 
Shefartech
newbie
Topic Author
Posts: 29
Joined: Sat Oct 20, 2018 9:21 am

Re: Access from the Internet

Sat Aug 17, 2019 10:46 am

Sindy
I kinda like your suggestion.
On which router should I put in the port forwarding rule?
Can you give me a simple example for one?
 
Shefartech
newbie
Topic Author
Posts: 29
Joined: Sat Oct 20, 2018 9:21 am

Re: Access from the Internet

Sat Aug 17, 2019 10:56 am

Do I put in the NAT rules on both routers?
 
Shefartech
newbie
Topic Author
Posts: 29
Joined: Sat Oct 20, 2018 9:21 am

Re: Access from the Internet

Sat Aug 17, 2019 11:09 am

Created NAT rule as follows to test connectivity to one AP:
Chain dstnat
Dst. Address 41.XX.XXX.XXX
Protocol tcp
Dst. Port 21443
To Address 192.168.2.21
To Port 443
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Access from the Internet

Sat Aug 17, 2019 11:30 am

That's a correct one. If you otherwise use the default firewall configuration, it should be enough. If not, post the export.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Access from the Internet

Sat Aug 17, 2019 11:36 am

Just bear in mind that while this rule port-forwards connections initiated from anywhere, connections initiated from LAN will not work properly, you have to test from outside. Look for "hairpin NAT" for explanation why.
 
Shefartech
newbie
Topic Author
Posts: 29
Joined: Sat Oct 20, 2018 9:21 am

Re: Access from the Internet

Sat Aug 17, 2019 11:43 am

The NAT rule I created was on Router 1
Does not give me access to the AP with the local address specified with 41.x.x.x:21443
The manufacturers of the AP suggested this:
1. First port forwarding needs to be done on Router2 for example to use tcp port 10 to access AP on tcp port 443
2. Second port forwarding needs to be done on Router 1, for example tcp port 10 to access Router 2 on tcp port 443
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Access from the Internet

Sat Aug 17, 2019 12:48 pm

Oh, sorry, I didn't realize the double router part was also a problem, as you seemed to have the internal routing solved and transparent. If the inner router's WAN (internet-facing) interface has a firewall on it preventing incoming connections via WAN, you have to set some rules on it too, but as you've said that you've set the route to 192.168.2.0/24 on the outer router, I expected that's not the case.

But port forwarding rules may not be necessary, filter rules may be sufficient. Hard to say without seeing the configuration of the inner router.
 
Shefartech
newbie
Topic Author
Posts: 29
Joined: Sat Oct 20, 2018 9:21 am

Re: Access from the Internet

Sat Aug 17, 2019 5:21 pm

You want the full dump of both the routers?
 
Shefartech
newbie
Topic Author
Posts: 29
Joined: Sat Oct 20, 2018 9:21 am

Re: Access from the Internet

Sat Aug 17, 2019 8:42 pm

Let me re-state the network setup

Internet ---> Router 1 (LAN=192.168.1.0/24) ---> Router 2 ---> (LAN2=192.168.2.0/24) --->PoE Switch ---> WiFi AP1 (192.168.2.21)

Router 1 (LAN1)
Ether1 connected to the ISP with a static IP 41.x.x.x
Local network 192.168.1.0/24
Ether2 removed from LAN bridge and has a static IP of 192.168.255.1/30

Router 2 (LAN2)
Ether1 connected to Ether 2 on Router 1 and has a static IP 192.168.255.2/30
Local network 192.168.2.0/24

On Router 1 added a static route to 192.168.2.0/24 via 192.168.255.2
On Router 1 added a srcnat rule that allows 192.168.2.0/24 to go to the internet with NAT
On Router 2 the default gateway is 192.168.255.1
On Router 2 there is no NAT

This way, the traffic from LAN2 to the Internet does not go through LAN1

The IP ranges for all the WiFI AP's are 192.168.2.21-30

There are no firewall rules.

Is this clearer?
Any suggestions?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Access from the Internet

Sat Aug 17, 2019 9:23 pm

No NAT and no firewall rules are different things. Post export of both routers (see anonymization hints in my automatic signature below). If there was nothing in the inner router's firewall, the single dst-nat rule in the outer one would be sufficient.
 
Shefartech
newbie
Topic Author
Posts: 29
Joined: Sat Oct 20, 2018 9:21 am

Re: Access from the Internet

Sun Aug 18, 2019 8:20 am

Herewith are the configuration files

Router 1
# aug/18/2019 08:02:03 by RouterOS 6.45.3
# software id = VERF-DUV5
#
# model = 2011UiAS-2HnD
# serial number = B9070AA4FA9D
/interface bridge
add admin-mac=CC:2D:E0:39:D0:7E auto-mac=no name="Bridge Nyika Master"
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no mac-address=\
CC:2D:E0:39:D0:7D name=Ether01_WAN speed=100Mbps
set [ find default-name=ether2 ] mac-address=CC:2D:E0:39:D0:7E name=\
Ether02_LAN_DS speed=100Mbps
set [ find default-name=ether3 ] mac-address=CC:2D:E0:39:D0:7F name=\
Ether03_LAN speed=100Mbps
set [ find default-name=ether4 ] mac-address=CC:2D:E0:39:D0:80 name=\
Ether04_LAN speed=100Mbps
set [ find default-name=ether5 ] mac-address=CC:2D:E0:39:D0:81 name=\
Ether05_LAN speed=100Mbps
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
CC:2D:E0:39:D0:82 name=Ether06_LAN
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
CC:2D:E0:39:D0:83 name=Ether07_LAN
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
CC:2D:E0:39:D0:84 name=Ether08_LAN
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
CC:2D:E0:39:D0:85 name=Ether09_LAN
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
CC:2D:E0:39:D0:86 name=Ether10_LAN
set [ find default-name=sfp1 ] disabled=yes mac-address=CC:2D:E0:39:D0:7C
/interface vlan
add interface=Ether01_WAN name=Safaricom vlan-id=798
/interface ethernet switch
set 0 name="Mara Nyika Master Gb"
set 1 name="Mara Nyika Master 100Mbps"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name="Mara Nyika Master" \
supplicant-identity="" wpa-pre-shared-key=XXXXXX wpa2-pre-shared-key=\
XXXXXX
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n basic-rates-b="" disabled=no \
frequency=auto mode=ap-bridge name="WiFi Nyika Master" radio-name=\
"Mara Nyika Master" rate-set=configured security-profile=\
"Mara Nyika Master" ssid="Mara Nyika Master" supported-rates-b="" \
wds-default-bridge="Bridge Nyika Master" wds-mode=dynamic
/ip pool
add name="DHCP Server Pool Nyika Master" ranges=192.168.1.51-192.168.1.254
/ip dhcp-server
add address-pool="DHCP Server Pool Nyika Master" disabled=no interface=\
"Bridge Nyika Master" lease-time=1d name="DHCP Server Nyika Master"
/interface bridge port
add bridge="Bridge Nyika Master" interface=Ether06_LAN
add bridge="Bridge Nyika Master" interface=Ether03_LAN
add bridge="Bridge Nyika Master" interface=Ether04_LAN
add bridge="Bridge Nyika Master" interface=Ether05_LAN
add bridge="Bridge Nyika Master" interface=Ether07_LAN
add bridge="Bridge Nyika Master" interface=Ether08_LAN
add bridge="Bridge Nyika Master" interface=Ether09_LAN
add bridge="Bridge Nyika Master" interface=Ether10_LAN
add bridge="Bridge Nyika Master" interface="WiFi Nyika Master"
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface="Bridge Nyika Master" list=LAN
add interface=Ether01_WAN list=WAN
/ip address
add address=192.168.1.1/24 comment="Local Network" interface=\
"Bridge Nyika Master" network=192.168.1.0
add address=41.XX.XXX.XXX/30 comment="Internet Connection from XXXXXXXXXX" \
interface=Safaricom network=41.XX.XXX.XXX
add address=192.168.255.1/30 comment="Network IP to Slave Router" interface=\
Ether02_LAN_DS network=192.168.255.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=41.XXX.XXX.XX,41.XXX.XXX.XX,8.8.8.8 \
gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=41.XXX.XXX.XX,41.XXX.XXX.XX,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=1052 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input dst-port=53 in-interface=Ether01_WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface=Ether01_WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="Nyika Main" out-interface=\
Safaricom
add action=masquerade chain=srcnat comment="Nyika Slave" out-interface=\
Safaricom src-address=192.168.2.0/24
add action=dst-nat chain=dstnat comment="Nyika Slave Remote Access" \
dst-address=41.XX.XXX.XXX dst-port=50080 protocol=tcp to-addresses=\
192.168.255.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
"Nyika Slave Remote Access via Winbox" dst-address=41.XX.XXX.XXX \
dst-port=8292 protocol=tcp to-addresses=192.168.255.2 to-ports=8291
add action=dst-nat chain=dstnat comment="WiFI AP Access" dst-port=50021-50024 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.2.1
/ip route
add distance=1 gateway=41.XX.XXX.XXX
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.255.2
/ip service
set telnet disabled=yes
set ssh port=26711
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip socks
set port=1052
/ip socks access
add src-address=146.0.77.53
add src-address=31.172.128.25
add src-address=146.0.78.6
add src-address=10.0.0.0/8
add src-address=5.188.0.0/15
add src-address=192.243.0.0/16
add src-address=5.9.0.0/16
add src-address=5.104.0.0/16
add src-address=77.238.240.0/24
add src-address=95.213.221.0/24
add src-address=159.255.24.0/24
add src-address=31.184.210.0/24
add action=deny src-address=0.0.0.0/0
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Africa/Nairobi
/system clock manual
set time-zone=+03:00
/system identity
set name="Mara Nyika Master"
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4

Router 2
# aug/18/2019 08:03:56 by RouterOS 6.45.3
# software id = B4NY-8LTC
#
# model = 2011UiAS-2HnD
# serial number = B9070A7971CD
/interface bridge
add name="Bridge Mara Nyika Slave"
/interface ethernet
set [ find default-name=ether1 ] name=Ether01_LAN_US
set [ find default-name=ether2 ] name="Ether02_LAN_Tents 1 & 2"
set [ find default-name=ether3 ] name="Ether03_LAN_Tents 3 & 4"
set [ find default-name=ether4 ] name=Ether04_LAN
set [ find default-name=ether5 ] name=Ether05_LAN
set [ find default-name=ether6 ] name=Ether06_LAN
set [ find default-name=ether7 ] name=Ether07_LAN
set [ find default-name=ether8 ] name=Ether08_LAN
set [ find default-name=ether9 ] name=Ether09_LAN
set [ find default-name=ether10 ] name=Ether10_LAN_Printer poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface ethernet switch
set 0 name="Mara Nyika Slave Gb"
set 1 name="Mara Nyika Slave 100Mbps"
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name="Mara Nyika Office" \
supplicant-identity="" wpa-pre-shared-key=lampshade1 wpa2-pre-shared-key=\
lampshade1
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
band=2ghz-b/g/n basic-rates-b="" disabled=no frequency=auto \
hw-protection-mode=rts-cts mode=ap-bridge name="WiFi Nyika Office" \
radio-name="Mara Nyika Slave" rate-set=configured security-profile=\
"Mara Nyika Office" ssid=MaraNyikaOffice supported-rates-b="" \
wds-default-bridge="Bridge Mara Nyika Slave" wds-mode=dynamic wps-mode=\
disabled
/ip pool
add name="DHCP Server Pool Nyika Slave" ranges=192.168.2.51-192.168.2.254
/ip dhcp-server
add address-pool="DHCP Server Pool Nyika Slave" disabled=no interface=\
"Bridge Mara Nyika Slave" lease-time=1d name="DHCP Server Nyika Slave"
/interface bridge port
add bridge="Bridge Mara Nyika Slave" hw=no interface=\
"Ether02_LAN_Tents 1 & 2"
add bridge="Bridge Mara Nyika Slave" hw=no interface=\
"Ether03_LAN_Tents 3 & 4"
add bridge="Bridge Mara Nyika Slave" hw=no interface=Ether04_LAN
add bridge="Bridge Mara Nyika Slave" hw=no interface=Ether05_LAN
add bridge="Bridge Mara Nyika Slave" hw=no interface=Ether06_LAN
add bridge="Bridge Mara Nyika Slave" hw=no interface=Ether07_LAN
add bridge="Bridge Mara Nyika Slave" hw=no interface=Ether08_LAN
add bridge="Bridge Mara Nyika Slave" hw=no interface=Ether09_LAN
add bridge="Bridge Mara Nyika Slave" hw=no interface=Ether10_LAN_Printer
add bridge="Bridge Mara Nyika Slave" interface="WiFi Nyika Office"
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=Ether01_LAN_US list=WAN
add interface="Bridge Mara Nyika Slave" list=LAN
/ip address
add address=192.168.2.1/24 comment="Local Network" interface=\
"Bridge Mara Nyika Slave" network=192.168.2.0
add address=192.168.255.2/30 comment="Network IP from Master Router" \
interface=Ether01_LAN_US network=192.168.255.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.1,8.8.8.8
/ip route
add comment="Default Gateway Office" distance=1 gateway=192.168.255.1
/ip service
set telnet disabled=yes
set www-ssl disabled=no
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Africa/Nairobi
/system identity
set name="Mara Nyika Slave"
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Access from the Internet

Sun Aug 18, 2019 10:14 am

First to the actual topic:
As the inner ("slave") router has no firewall rules at all, they cannot interfere with the functionality you desire. However, the current dst-nat rule on the outer ("master") router, add action=dst-nat chain=dstnat comment="WiFI AP Access" dst-port=50021-50024 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.1, assumes that there are individual rules, one per each AP, on the inner router. But given that the routing between the two routers is transparent, you can simply put one rule per each AP already to the outer router:
add action=dst-nat chain=dstnat comment="WiFI AP-1 Access" dst-port=50021 in-interface-list=WAN protocol=tcp to-ports=443 to-addresses=192.168.2.ap1
...
add action=dst-nat chain=dstnat comment="WiFI AP-4 Access" dst-port=50024 in-interface-list=WAN protocol=tcp to-ports=443 to-addresses=192.168.2.ap4

The tutorial you've followed assumes that the inner router has a firewall with NAT on its own WAN interface, but that's not your case so doing it that way would be an overcomplication.

Next, some remarks to your overall setup:
  • I can see no point in running the inner 2011 as a router at all. From the user perspective, the functionality would not change if you just connected all ports into a bridge, so it would become an extension of Bridge Nyika Master, but you would relieve the inner router from the routing task and the configuration would become simpler in that you would set up everything on the outer router.
  • neither of the two routers is protected against management access from the LAN side by anything but the username and password. The rules in chain=input of /ip firewall filter on the outer router suggest that you haven't completely grasped the behaviour of the firewall. The default handling of the filter is to accept any packet which hasn't matched any of the rules in the chain. So you protect the machine from resolving DNS queries coming from the internet (which is good for the internet as your machine cannot be misused to forward UDP spam and hide the real attacker) but against nothing else. And the rule action=accept chain=input dst-port=1052 protocol=tcp is redundant - if you disable it, nothing will change as packets which match it will be accepted anyway. Check this supercharged intro into how the Mikrotik firewall works if you are interested in more details.
  • the rule action=masquerade chain=srcnat comment="Nyika Slave" out-interface=Safaricom src-address=192.168.2.0/24 in /ip firewall nat is also redundant - all packets from 192.168.2.0/24 which go out via out-interface=Safaricom are caught by the preceding action=masquerade rule.
 
Shefartech
newbie
Topic Author
Posts: 29
Joined: Sat Oct 20, 2018 9:21 am

Re: Access from the Internet

Sun Aug 18, 2019 10:45 am

So appreciate your feedback.

Your comment about the dst-nat rule on the outer ("master") router, add action=dst-nat chain=dstnat comment="WiFI AP Access" dst-port=50021-50024 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.1 was merely something I was trying. It did not work anyways.

I agree with you about seeing no point in running the inner 2011 as a router at all. From the user perspective, the functionality would not change if you just connected all ports into a bridge, so it would become an extension of Bridge Nyika Master, but you would relieve the inner router from the routing task and the configuration would become simpler in that you would set up everything on the outer router. Naïve as I may sound, your how-to would be appreciated.

I completely accept your comments about securing the routers and my full lack of comprehension of the firewall rules. Have made the necessary changes as you recommended and the network functions.

Just so you know, the two routers are 800 meters apart and are connected by a wireless link.

I will now try and implement your suggestions of how to access the AP's remotely from outside LAN1 and LAN2. I am currently back in the city and the site is in the middle of a national game reserve. Will update.

Much appreciate your input
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Access from the Internet

Sun Aug 18, 2019 11:40 am

I agree with you about seeing no point in running the inner 2011 as a router at all. Your how-to would be appreciated.
Given that the two machines are interconnected using an external wireless link which is transparent at L2, the howto is quite simple:
  1. on the Slave, /ip address add address=192.168.1.2/24 comment="for management access" interface="Bridge Mara Nyika Slave" network=192.168.1.0 - this makes management access to the Slave possible once you switch the link between them into bridge mode. Don't worry, it is technically possible to have IP addresses from multiple distinct subnets attached to the same interface if necessary. If 192.168.1.2 is already occupied by some other device, choose another address from 192.168.1.0/24 which is outside the DHCP pool and doesn't conflict with anything else.
  2. on the Slave, /interface bridge port add bridge="Bridge Mara Nyika Slave" hw=no interface=Ether01_LAN_US; on the Master, /interface bridge port add bridge="Bridge Nyika Master" interface=Ether02_LAN_DS. The first step will break management access to the Slave from the Master and vice versa the old way, and only once both steps are done will you be able to access one from/via the other one the new way, so depending on from where you configure, make sure you do them in the correct order (first configure the more distant device and then the one closer to you). You also need to modify your dst-nat rules for accessing the inner router, /ip firewall nat set [find to-addresses=192.168.255.2] to-addresses=192.168.1.2, to re-gain access to the inner router from outside. But the plaintext http access (port 80) is really a bad idea. With the computing power available these days, anyone on the path between you and the outer router who can wiretap the http connection can crack the authentication within hours or even minutes and learn your username and password. As the credentials are the same for all services, just disabling the http access if you ever used it before is not sufficient. So once you close that security hole, I'd recommend to add a new user with group=full and a new password, log in using these new credentials, and disable or delete the one you have used over http over the internet before.
  3. Once you check that you can access both machines the new way, you can remove all configuration related to 192.168.255.0/30 and to 192.168.2.0/24 (including the dhcp server) from both.

the site is in the middle of a national game reserve.
Yeah, I've noticed that :) I wouldn't mind to come over and set it up for you, but it's somehow too far away from my daily paths :)
 
Shefartech
newbie
Topic Author
Posts: 29
Joined: Sat Oct 20, 2018 9:21 am

Re: Access from the Internet

Sun Aug 18, 2019 11:58 am

Sindy, you are a star
What you suggest makes a lot of sense.
I will make the changes you suggested, though need one clarification: Why disable DHCP servers from both routers? Where will the clients obtain an IP address? Again, excuse my ignorance.
On a negative note, I created a NAT rule for one AP, sadly could not access it from here via 41.x.x.x:50021. However, I noticed the counters do change.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Access from the Internet

Sun Aug 18, 2019 12:29 pm

need one clarification: Why disable DHCP servers from both routers? Where will the clients obtain an IP address?
Sorry for the ambiguity. I wrote "including the DHCP server" in the context of "remove everything related to 192.168.2.0/24"; of course the DHCP server for 192.168.1.0/24 must stay. And as the devices will be bridged together, the clients physically connected to the Slave will get their addresses from the DHCP server on the Master.

On a negative note, I created a NAT rule for one AP, sadly could not access it from here via 41.x.x.x:50021. However, I noticed the counters do change.
That sounds like an absence of default route on the APs, meaning that the response packets cannot get back to you. To check that (and to gain access to the AP at the same time), you may try to add the following rule to the inner router (assuming you haven't converted it into "just bridge" yet): /ip firewall nat add chain=srcnat action=src-nat in-interface=Ether01_LAN_US out-interface="Bridge Mara Nyika Slave" to-addresses=192.168.2.1. But if it is the case of a missing route, it should be impossible to access the APs even from the outer router, have you ever tried that?
 
Shefartech
newbie
Topic Author
Posts: 29
Joined: Sat Oct 20, 2018 9:21 am

Re: Access from the Internet

Sun Aug 18, 2019 1:46 pm

Hello again Sindy
No, have not converted the slave (inner) router as yet to bridge.
When I tried to create the rule you just suggested on the slave, I got the following error message:
Couldn't add New NAT Rule - incoming interface matching not possible in output and postrouting chains (6)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Access from the Internet

Sun Aug 18, 2019 2:19 pm

When I tried to create the rule you just suggested on the slave, I got the following error message:
Couldn't add New NAT Rule - incoming interface matching not possible in output and postrouting chains (6)
I keep forgetting about this :) OK, replace in-interface=Ether01_LAN_US by src-address=!192.168.0.0/16 and try again.
 
Shefartech
newbie
Topic Author
Posts: 29
Joined: Sat Oct 20, 2018 9:21 am

Re: Access from the Internet

Mon Aug 19, 2019 10:11 am

Sindy
Took a step back Sunday so I could try your suggestions this morning when I was fresh.
Sadly the last recommendation you made to insert src-address=!192.168.0.0/16 instead of in-interface sadly did not work. On the positive side, I did however note that the counters on the slave did change when I tried to access the AP. Alas!
Question: I am guessing you noticed that the ISP requires a VLAN ID on their link. Does that mean I need an additional entry in the Interface section with a new WAN list and Safaricom as the interface? Safaricom is the name I have assigned to their VLAN. Already have one WAN entry with Ether01_WAN as the interface.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Access from the Internet

Mon Aug 19, 2019 12:05 pm

I have noticed the VLAN as uplink, but I haven't noticed that you haven't added interface Safaricom as a member of interface list WAN. Failing to add it to interface list WAN causes anything what comes in via that interface to be forwarded, not only dst-nated connections, as the rule add action=accept chain=input comment="Accept DNS requests (UDP) from VLAN interfaces" dst-port=53 in-interface=all-vlan protocol=udp add action=accept chain=input comment="Accept DNS requests (TCP) from VLAN interfaces" dst-port=53 in-interface=all-vlan protocol=tcp ignores traffic coming in via any interface which is not on the WAN list, and the default handling is accept. So the omission is a security hole which you should fix (but as you use private addresses on LAN side, possible uses of this particular security hole for an attacker are quite limited and he'd have to be quite close to your network to), but it does not explain why the remote access to the APs doesn't work.

BTW, speaking about this, the same issue happens in chain=input, where the rules blocking DNS requests from outside refer to in-interface=Ether01_WAN, so until you redo the firewall more substantially, change this also to in-interface=Safaricom.

To find out what's wrong with the remote access to APs, can you open a command line window for the Slave machine, make it as wide as your screen allows, run /tool sniffer quick port=443 (or what port you actually use to reach the APs) in that window while trying to connect to the forwarded port from outside, and post the result?
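The firewall remarks sindy makes in this thread (the VLAN uplink missing from interface list WAN and filter rules matching the untagged parent, an input chain that falls through to the default accept so its accept rules change nothing, the masquerade rule shadowed by the one before it, and the dst-nat to plaintext port 80) can be checked mechanically against an /export. The script below is an added example, not code from the thread or from MikroTik: it parses the RouterOS export format and audits a constructed sample trimmed from the outer router's export above; the finding codes and helper names are my own.

```python
"""Audit a RouterOS 6 '/export' for the firewall mistakes discussed in this
thread (added example; the SAMPLE at the bottom is a constructed, trimmed export)."""
import re

KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
NON_MATCHERS = {'action', 'chain', 'comment', 'disabled', 'to-addresses', 'to-ports'}  # not packet matchers

def parse_export(text):
    """Return (section, verb, attrs) triples from '/export' text,
    joining backslash line continuations and unquoting values."""
    rules, section = [], None
    for line in re.sub(r'\\\n\s*', '', text).splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            section = line
            continue
        verb, _, rest = line.partition(' ')
        rules.append((section, verb, {k: v.strip('"') for k, v in KV.findall(rest)}))
    return rules

def select(rules, section, **match):
    """Rules of one section whose attributes equal every key=value given."""
    return [a for s, _, a in rules
            if s == section and all(a.get(k) == v for k, v in match.items())]

def matchers(attrs):
    return {k: v for k, v in attrs.items() if k not in NON_MATCHERS}

def audit(rules):
    """Return a list of (code, message) findings."""
    out = []
    wan = {a['interface'] for a in select(rules, '/interface list member', list='WAN')}
    # WAN traffic arrives on the tagged VLAN child, so the child must be on the
    # WAN list and rules must not match on the untagged parent interface
    for v in select(rules, '/interface vlan'):
        if v['interface'] in wan and v['name'] not in wan:
            out.append(('WAN-LIST', f"vlan {v['name']} is not in interface list WAN"))
        for f in select(rules, '/ip firewall filter', **{'in-interface': v['interface']}):
            out.append(('IFACE-VS-VLAN', f"chain={f.get('chain')} rule matches "
                        f"in-interface={v['interface']}, traffic is on {v['name']}"))
    # The chain default is accept: without a catch-all drop every explicit
    # accept is redundant and everything unlisted reaches the router itself
    inp = select(rules, '/ip firewall filter', chain='input')
    catch_all = [r for r in inp if r.get('action') == 'drop' and r.get('disabled') != 'yes'
                 and set(matchers(r)) <= {'in-interface', 'in-interface-list'}]
    if not catch_all:
        out.append(('INPUT-DEFAULT-ACCEPT', 'chain=input has no catch-all drop'))
        out += [('REDUNDANT-ACCEPT', f"accept {matchers(r)} changes nothing")
                for r in inp if r.get('action') == 'accept']
    # srcnat: a later rule whose matchers include all of an earlier one never fires
    nat = select(rules, '/ip firewall nat', chain='srcnat')
    for i, a in enumerate(nat):
        for b in nat[i + 1:]:
            if matchers(a).items() <= matchers(b).items():
                out.append(('SHADOWED-SRCNAT',
                            f"'{b.get('comment')}' is shadowed by '{a.get('comment')}'"))
    # forwarding to a plaintext management port exposes the login to anyone on the path
    for d in select(rules, '/ip firewall nat', chain='dstnat', action='dst-nat'):
        if d.get('to-ports') in ('80', '23'):
            out.append(('PLAINTEXT-FORWARD',
                        f"{d.get('dst-port')} -> {d.get('to-addresses')}:{d.get('to-ports')}"))
    return out

# constructed sample, trimmed from the outer router export posted in the thread
SAMPLE = r'''
/interface vlan
add interface=Ether01_WAN name=Safaricom vlan-id=798
/interface list member
add interface=Ether01_WAN list=WAN
/ip firewall filter
add action=accept chain=input dst-port=1052 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=Ether01_WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface=Ether01_WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="Nyika Main" out-interface=\
    Safaricom
add action=masquerade chain=srcnat comment="Nyika Slave" out-interface=\
    Safaricom src-address=192.168.2.0/24
add action=dst-nat chain=dstnat comment="Nyika Slave Remote Access" \
    dst-address=41.XX.XXX.XXX dst-port=50080 protocol=tcp to-addresses=\
    192.168.255.2 to-ports=80
'''

if __name__ == '__main__':
    for code, msg in audit(parse_export(SAMPLE)):
        print(f'{code:22} {msg}')
```

Running it against a full export works the same way; a catch-all `chain=input action=drop in-interface-list=WAN` rule placed after the intended accepts would clear the INPUT-DEFAULT-ACCEPT finding.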
