Okay, there's a lot to unpack here.
REMOVE THIS RULE FROM THE INPUT CHAIN UNTIL YOU CAN EXPLAIN THIS RULE
add action=accept chain=input dst-address=10.1.69.1 src-address=10.1.69.69
I was having issues with management from my computer (10.1.69.69), but anything from the 192.168.88.0/24 worked fine, so I added that rule, and haven't tried without it yet.
If you have hairpin NAT (users in same subnet as server and are forced to use WANIP to access the server) then you need to state this clearly.
I do NOT have hairpin NAT. Just segmented networks for different purposes.
ALL your port forwarding rules are in error by missing either the dst-address (for fixed static wanip)
Port forwarding is working as intended. Since there is only a single WAN IP, and I am blocking the dst-nat for certain ports, the rules are listening to all addresses.
DOUBLE CHECK YOUR NTP Settings, I thought it was NTP SERVER is simply ENABLED and the NTP Client setting is where you add external servers???
NTP Client is active so the RB5009 can get the time, but I run an NTP server on my network for the rest of the clients.
add interface=bridge name=homevlan vlan-id=10
Why are you adding a VLAN to my network? This makes the least sense to me. I have my network segmented in a specific way, and one that is not being affected by the current issue. Speed testing from my computer (10.1.69.69) to an iperf2 server (10.1.33.4) shows that multi-gig routing is working as intended.
VLAN69 = Home Network
VLAN33 = Server Network
VLAN96 = Network Management (APs, switches, etc)
VLAN14 = IPMI for servers
add name=dhcp-pool4 ranges=10.1.14.20-10.1.14.200
VLAN14 does not need a DHCP pool/scope, as it is just for IPMI of my servers. As well, it does not need to be a /24, as there are only 3 active devices on that network (RB5009, and 2x Dell R820 iDRAC).
add bridge=bridge comment=defconf interface=ether2 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether3 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether4 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether5 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether6 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether7 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=sfp-sfpplus1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
These ports are unused, and are disabled. I don't need them in a bridge.
DON'T MAKE A FIREWALL ADDRESS LIST WITH THE SAME NAME AS INTERFACE LIST aka LAN
The list names in use are default. I didn't change the names, or add a list. This is how it came, all I did was add/remove items from the lists.
add action=accept chain=input in-interface-list=LAN dst-port=53,123 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
These rules are unnecessary, as I run load-balanced DNS servers on the network, so there is a dst-nat rule going to the virtual IP (10.1.33.33).
/tool mac-server mac-winbox
set allowed-interface-list=Trusted
I don't use WinBox, since I run Linux. Since my last config upload, I have completely disabled WinBox.
GET RID OF ANY FUNKY DHCP Settings for now!!!
DON'T MAKE A FIREWALL ADDRESS LIST WITH THE SAME NAME AS INTERFACE LIST aka LAN
REMOVE THIS RULE FROM THE INPUT CHAIN UNTIL YOU CAN EXPLAIN THIS RULE
I don't understand why you are so upset at me for having an issue. I had seen similar forum posts about the RB5009, but all of the fixes that worked there are not working for me, so I started my own thread. If my previous replies have come across as rude or demeaning, that is not my intention. I am just trying to get this solved, as I am paying for Gigabit internet, and would like to have access to all of that bandwidth.