It is late here in Europe, but I believe I applied this as you requested and I am still not able to call services hosted on the target server from the internal network. The attached config is from after applying your suggestion.
I am deeply sorry that I lack the understanding to debug this myself. My – admittedly little – experience tells me to test in the following order:
- ping IP
- ping DNS
- traceroute
- ip r get
After that, I let a ping run continuously and watch the counters of my firewall. If possible, I would love to become a bit more knowledgeable about debugging problems like this myself. Any more tips on how to do that?
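# apr/08/2023 22:54:09 by RouterOS 7.5
# software id = RHQM-G990
#
# model = CCR2004-16G-2S+
# serial number = HD408E3HNNC
# NOTE(review): this export still carries the device serial number and the full
# PPPoE login name; both identify the installation and are worth redacting
# before a config is shared publicly.
/interface bridge
add name=bridge1
# WAN side: PPPoE on VLAN 7 over ether1. The client installs its own default
# route (add-default-route=yes) and supplies upstream DNS (use-peer-dns=yes).
/interface vlan
add interface=ether1 name=vlan1 vlan-id=7
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
use-peer-dns=yes user=0028346329705511387679220001@t-online.de
/interface list
add name=listBridge
/ip pool
add name=dhcp_family_pool ranges=192.168.178.20-192.168.178.200
/ip dhcp-server
# The lease script named here runs under the policy set in /system script below.
add add-arp=yes address-pool=dhcp_family_pool interface=bridge1 lease-script=\
dhcp-lease-script-family name=family_server
/port
set 0 name=serial0
set 1 name=serial1
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=cap3
add bridge=bridge1 interface=cap2
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether13
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=bridge1 list=listBridge
/ip address
# LAN: the router is 192.168.178.1 on bridge1.
add address=192.168.178.1/24 interface=bridge1 network=192.168.178.0
/ip dhcp-server network
add address=192.168.178.0/24 caps-manager=192.168.178.1 dns-server=\
192.168.178.1 domain=home.lan gateway=192.168.178.1 netmask=24 \
ntp-server=192.168.178.1
/ip dns
# NOTE(review): 192.168.178.1 is this router's own bridge address, so the first
# static upstream points the resolver at itself; the PPPoE peer DNS and 8.8.8.8
# are the real upstreams - confirm the self-reference is intended.
# allow-remote-requests=yes only exposes the resolver to the LAN, because the
# input chain below accepts unsolicited traffic solely from allowed_to_router.
set allow-remote-requests=yes servers=192.168.178.1,8.8.8.8
/ip dns static
add address=192.168.178.1 comment="Manual: homerack-05-router" name=\
homerack-05-router.home.lan
/ip firewall address-list
add address=192.168.178.2-192.168.178.254 list=allowed_to_router
# Special-purpose ranges (RFC 6890). Used twice in the filter: to stop LAN
# clients from sending private destinations out the WAN, and to drop packets
# arriving from the WAN with a spoofed/non-routable source.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
# FIX: the RFC 6890 shared address space (CGNAT) is 100.64.0.0/10; the earlier
# /24 covered only a tiny slice of it.
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
# public_ip is resolved from this DNS name. The dst-nat rules match on it, so
# hairpin access from the LAN only works while the name resolves to the WAN
# address currently held by pppoe-out1.
add address=vpn.4seul.de list=public_ip
/ip firewall filter
# input: established/related, LAN hosts (allowed_to_router) and ICMP from any
# source may reach the router itself; everything else is dropped.
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
# forward: fasttrack/accept established, drop invalid, then policy by direction.
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
# Logs every invalid packet; watch the log volume on a busy link.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
# Hairpinned connections are already dst-natted to 192.168.178.85 and leave via
# bridge1, so out-interface=!bridge1 keeps them out of this rule.
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN \
out-interface=!bridge1
# Disabled; the final "drop all else" still catches the same traffic, only the
# !NAT log line is lost.
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT'ted" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface=pppoe-out1 log=yes \
log-prefix=!NAT
add action=accept chain=forward comment="Port Forwarding" \
connection-nat-state=dstnat
add action=accept chain=forward in-interface-list=listBridge out-interface=\
pppoe-out1
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public ip" in-interface=\
pppoe-out1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
yes log-prefix=LAN_!LAN src-address=!192.168.178.0/24
# icmp chain: allow-list of types needed for reachability and PMTU discovery.
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# FIX: the hairpin rule previously used bare addresses (dst-address=192.168.178.0
# src-address=192.168.178.0), which RouterOS treats as /32, so it matched only
# the single host 192.168.178.0 and never a real LAN client. Without the
# masquerade, 192.168.178.85 answers a LAN client directly with its own source
# address, the client sees a reply from an unexpected peer and the connection
# fails - LAN access to the forwarded services breaks exactly this way.
# Both sides must cover the whole LAN subnet.
add action=masquerade chain=srcnat comment=HairpinNAT dst-address=\
192.168.178.0/24 src-address=192.168.178.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
# dst-nat is matched on the public_ip list without an in-interface restriction,
# so the same rules serve WAN clients and hairpinned LAN clients.
add action=dst-nat chain=dstnat comment="HTTP main server" dst-address-list=\
public_ip dst-port=80 protocol=tcp to-addresses=192.168.178.85 to-ports=\
80
add action=dst-nat chain=dstnat comment="HTTPS main server" dst-address-list=\
public_ip dst-port=443 protocol=tcp to-addresses=192.168.178.85 to-ports=\
443
add action=dst-nat chain=dstnat comment="Wireguard main server" \
dst-address-list=public_ip dst-port=51820 protocol=udp to-addresses=\
192.168.178.85 to-ports=51820
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip route
# NOTE(review): this static default route points at 192.168.178.1, which is
# this router's own bridge address, while pppoe-out1 already installs a default
# route. Two competing defaults are a likely cause of odd outbound behaviour;
# confirm whether this entry is needed at all before relying on it.
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-table=\
main suppress-hw-offload=no
# 172.30.0.0/24 and 192.168.179.0/24 are reached via 192.168.178.85, the host
# the WireGuard port is forwarded to.
add disabled=no dst-address=172.30.0.0/24 gateway=192.168.178.85 \
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.179.0/24 gateway=192.168.178.85 \
routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=homerack-05-router
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=2.europe.pool.ntp.org
add address=0.europe.pool.ntp.org
add address=1.europe.pool.ntp.org
add address=3.europe.pool.ntp.org
/system script
# NOTE(review): the lease script is granted password, sensitive, policy, ftp and
# reboot rights. A DHCP lease hook rarely needs any of these; trim the policy to
# what the script actually uses so that a bug in it cannot change credentials,
# read secrets or reboot the router.
add dont-require-permissions=no name=dhcp-lease-script-family owner=admin \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="<<REMOVED>>"
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge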