Ok,
here's the deal.
Let's say that my public-facing IP is 10.0.0.1.
I can't webfig into 10.0.0.1 from outside and can't SSH into the MikroTik router from an external IP.
I can do it if I am physically connected to the router (on the same LAN). It allows me both to webfig and to SSH, using either 10.0.0.1 or 192.168.88.1.
However, if I'm on a different LAN, I can't connect.
BTW, in IP > Services I set the port for webfig to 64291 and SSH to 23.
Here are my firewall rules and NAT.
RULES
0 ;;; ALLOW ALL TO LAN
chain=input action=accept connection-state=established,related,new in-interface=bridge-local log=no log-prefix=""
1 ;;; ALLOW ICMP (Ping) ON ALL
chain=input action=accept protocol=icmp log=no log-prefix=""
2 ;;; Drop Everything Else
chain=input action=drop log=no log-prefix=""
3 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""
4 ;;; default configuration
chain=forward action=accept connection-state=established,related,new in-interface=bridge-local log=no log-prefix=""
5 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""
6 ;;; default configuration
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""
NAT
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=X.X.X.X out-interface=ether1-gateway log=no log-prefix=""
1 chain=dstnat action=dst-nat to-addresses=192.168.88.200 protocol=tcp dst-address=X.X.X.X dst-port=80 log=no log-prefix=""
2 chain=srcnat action=src-nat to-addresses=X.X.X.X protocol=tcp src-address=192.168.88.0/24 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=192.168.88.200 to-ports=22 protocol=tcp dst-address=X.X.X.X dst-port=22 log=no log-prefix=""
4 chain=srcnat action=src-nat to-addresses=192.168.88.200 to-ports=22 protocol=tcp src-address=192.168.88.0/24 log=no log-prefix=""
5 chain=dstnat action=dst-nat to-addresses=192.168.88.1 protocol=tcp dst-address=X.X.X.X dst-port=23 log=no log-prefix=""
Best Answer
Disable rules #2 and #3 and test again. Or you can make an exception for your SSH + www ports.
You are dropping all incoming traffic from ether1-gateway.
Rules #2 and #3 are practically the same. I recommend you remove #2.
UPDATED REPLY
For securing a router, changing ports is not a best practice; it creates a false sense of security. However, it is an easy implementation.
How to secure open/redirect ports
And then, secure your passwords and connections, and actively analyse and control your failed/brute-force connection attempts:
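The accepted answer's two suggestions, an exception for the management ports placed above the catch-all drop and some control over brute-force attempts, as one RouterOS input chain. This is an added example, not configuration from the question or the answer. It assumes the interface names (ether1-gateway, bridge-local) and service ports (WebFig 64291, SSH 23) from the question; 203.0.113.0/24 is a placeholder for the administrator's trusted source range, and the list names mgmt-allowed, ssh_blacklist and ssh_stage1..3 are chosen here. The block is meant to replace the input chain shown in the question, so apply it from the LAN side.

```routeros
# Added example, not from the original post or answer. Assumes the question's
# interface names and ports; 203.0.113.0/24 and the list names are placeholders.

# 1. Trusted sources allowed to reach the router's management services.
/ip firewall address-list
add list=mgmt-allowed address=203.0.113.0/24 comment="placeholder: admin's public range"

# 2. Input chain, in the order RouterOS will evaluate it (first match wins).
#    Replaces the question's input chain: its rule #2 dropped everything from
#    the WAN before any accept for WebFig/SSH could match.
/ip firewall filter
remove [find chain=input]

add chain=input action=accept connection-state=established,related comment="keep existing sessions"
add chain=input action=accept in-interface=bridge-local comment="ALLOW ALL TO LAN"
add chain=input action=accept protocol=icmp comment="ALLOW ICMP (Ping) ON ALL"

# 3. Brute-force throttling on the SSH port (question uses 23). Each new
#    connection promotes the source one stage; a 4th new connection within a
#    minute lands it on ssh_blacklist for 10 days. add-src-to-address-list does
#    not stop rule processing, so the drop for black-listed sources goes first.
add chain=input action=drop protocol=tcp dst-port=23 src-address-list=ssh_blacklist comment="drop black-listed SSH sources"
add chain=input action=add-src-to-address-list protocol=tcp dst-port=23 connection-state=new src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=10d comment="stage3 -> blacklist"
add chain=input action=add-src-to-address-list protocol=tcp dst-port=23 connection-state=new src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m comment="stage2 -> stage3"
add chain=input action=add-src-to-address-list protocol=tcp dst-port=23 connection-state=new src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m comment="stage1 -> stage2"
add chain=input action=add-src-to-address-list protocol=tcp dst-port=23 connection-state=new address-list=ssh_stage1 address-list-timeout=1m comment="first attempt -> stage1"

# 4. The exception the answer describes: WebFig and SSH from the WAN, but only
#    from trusted sources. Sits above the catch-all so it can actually match.
add chain=input action=accept protocol=tcp dst-port=64291,23 in-interface=ether1-gateway src-address-list=mgmt-allowed comment="WebFig/SSH from trusted sources only"

# 5. Catch-all, last. Logging it gives a record of what was refused.
add chain=input action=drop in-interface=ether1-gateway log=yes log-prefix="input-drop" comment="Drop Everything Else"
```

Two things to keep in mind when reusing this. The staging rules count new TCP connections, not failed logins, so an administrator who opens four SSH sessions within a minute from an address outside mgmt-allowed gets black-listed too; the `/ip firewall address-list` entries can be removed by hand if that happens. And because the router itself owns the public address, traffic to the management ports is handled by the input chain directly; the question's NAT rule 5 (dst-nat of port 23 to 192.168.88.1) is not what was blocking access.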