Get help from @anav, he also wrote a guide, look for it on the forum
Before they tell us off, let's write in English....
Translation: your firewall rules SUCK!
Keep the default rules, add user needed rules, drop all else.
From the link -
viewtopic.php?t=180838
Recommend:
/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
(user rules)
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53,123 protocol=udp comment="access to dns and ntp services"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" *****
{forward chain}
(default rules)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(user rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
Note1: Where Authorized is a firewall address list for the admin to access the router and consists of
add ip of admin (at desktop) list=Authorized
add ip of admin (at ipad) list=Authorized
add ip of admin (remote vpn like wireguard) list=Authorized
Let me get this straight,
a. you do not have a public IP address.
b. you have two routers attached to the ISPs modem router.
c. R1, which you have access to, is the MikroTik hapac2, but the router you are trying to reach it from is a big UNKNOWN and we don't even know if you can access it.??????
Q. WTF model of router is at R2? And if it's a MikroTik, where is the config..........??? You only provide the config of R1.
In any case,..........
Access is predicated by a few things..............
-winbox service allowed addresses, if left blank all addresses are permitted
-mac-winbox setting in the config should include an interface list which may be blocking access depending
-firewall rules in the input chain could be an issue.
So, your config is missing the settings..........
/tool mac-server mac-winbox
set allowed-interface-list=LAN ** or any interface list you create.................. If missing not sure what the outcome is.............. But it probably defaults to ALL, which is fine in terms it's not causing issues in your case.
Finally, being in a different subnet with no real linkages, winbox via mac may not find the hapac.............. without some additional help, and that's assuming both routers are MT.
+++++++++++++++++++++++++++
Consider rejigging your setup, why use three routers......
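An added example, not part of the original thread or the linked guide: a small Python check of the "keep the default rules, add user needed rules, drop all else" structure recommended above, run over a constructed rule export. The sample rules, the function names and the Winbox port rule (8291) are assumptions made for illustration.

```python
import shlex

# Constructed sample in the shape of "/ip firewall filter" rules; not from the thread.
SAMPLE = '''
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
'''

# Keys that describe the rule itself rather than the traffic it matches.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}
# Matchers that limit who may reach the router on the input chain.
SOURCE_SCOPES = {"src-address", "src-address-list", "in-interface", "in-interface-list"}

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps comment="drop all else" as one token
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return [r for r in rules if r.get("disabled") != "yes"]

def audit(text):
    """Return findings where a chain departs from 'accept what is needed, drop all else'."""
    findings, rules = [], parse_rules(text)
    for chain in ("input", "forward"):
        chain_rules = [r for r in rules if r.get("chain") == chain]
        last = chain_rules[-1] if chain_rules else {}
        # The final rule of the chain must be a drop with no matchers at all.
        if last.get("action") != "drop" or set(last) - NON_MATCHERS:
            findings.append(f"{chain}: chain does not end with an unconditional drop")
    for r in rules:
        # A port opened on the router itself with no source scope is reachable from any interface.
        exposed = r.get("chain") == "input" and r.get("action") == "accept" and "dst-port" in r
        if exposed and not SOURCE_SCOPES & set(r):
            findings.append(f"input: dst-port={r['dst-port']} accepted from any source")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check only looks at rule order and matchers as written in the text; it does not evaluate interface list membership or address list contents.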