Okay, one way to achieve your goals is this path…
It is to start by having a safer place to change settings (aka not be on the bridge while making bridge settings changes).
Remove ether4 from the Bridge Port Settings
Rename it to ether4-mine
Create a separate subnet attached to ether4-mine
Create an address for it
IP address 192.168.50.1/24 network 192.168.50.0 with interface ether4-mine
Create an IP pool, let's say 192.168.50.2-192.168.50.5, a DHCP server and a DHCP server network
Lastly ensure that the new subnet is part of the interface list LAN
/interface list member
add interface=ether3-mine list=LAN
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Since the subnet is different from the main subnet and it's off the bridge, you are separated at L2.
With a subtle change to the forward chain firewall rules, the new subnet will be isolated from the rest of the network.
Take the last rule in the Forward Chain and we are going to make some changes…
FROM
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
TO
add action=accept chain=forward comment="allow internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
Now ether3 cannot reach the bridge, nor can the bridge reach ether3, at Layer 3.
If you want a single IP to be able to connect to the server locally via LANIP, then you would add a rule just BEFORE the drop rule…
add action=accept chain=forward in-interface=bridge dst-address=IPofMinecraft server src-address=IPofSonsPC
Which translates to: for traffic coming from the bridge, and specifically your son's computer, please connect that to the Minecraft server at the local address (dst…).
++++++++++++++++++++++++++++++++++++++++++
So we have created another subnet, added it to the LAN and then modified firewall rules to ensure all traffic is stopped (by the last rule), then above that we added in the rules required to allow the traffic you want … internet traffic, port forwarded traffic, and one person to access the new subnet.
What's left:
a. DST NAT rule (to detail the port forwarding)
b. Change Input rules slightly, because we don't want the Minecraft server or that subnet to have full access to the router on the input chain.
a. add chain=dstnat action=dst-nat dst-port=25565 protocol=tcp in-interface-list=WAN to-addresses=IPofminecraftserver (note: don't need to-ports if same as dst-port)
b. Harder nut to crack… since the entire LAN needs access to the router for at least DNS… normally.
So at the bottom of the input chain add these 3 rules and remove one
FROM
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
TO
add chain=input action=accept in-interface=bridge
add action=accept chain=input comment="Allow ether3-mine DNS queries - UDP" connection-state=new dst-port=53 in-interface=ether3-mine protocol=udp
add action=accept chain=input comment="Allow ether3-mine DNS queries - TCP" connection-state=new dst-port=53 in-interface=ether3-mine protocol=tcp
Now you have allowed main LAN users to access DNS services and the admin to access the router,
and you have allowed the new subnet to get DNS queries from the router but not full access.
Later you may wish to consider ONLY giving you, the admin, full access to the router, and all other users, on the bridge, only access to DNS services.
The last step here is to block all other traffic to the input chain so add at the bottom of the input chain
add chain=input action=drop comment="drop all else"
DONE…
Finesse points.
- You should only allow known addresses to access the server (for better security).
a. get the WAN IP addresses of all those requiring access that have FIXED/STATIC WAN IPs
b. for those that don't, get their DynDNS URL, which the MT router will resolve to an IP address.
Hint: there are many sites that will provide FREE DynDNS URLs to keep a dynamic IP updated, and thus there are no excuses for not providing them.
This way you control who joins via the address list.
a. add chain=dstnat action=dst-nat dst-port= protocol=tcp in-interface-list=WAN
to-addresses=IPofminecraftserver src-address-list=authorizedusers
where authorizedusers is a firewall address list you maintain
add address=fixedwanipFriendA list=authorizedusers
add address=fixedwanipFriendB list=authorizedusers
add address=fixedwanipFriendC list=authorizedusers
add address=dyndnsURL(FriendD) list=authorizedusers
add address=dyndnsURL(FriendE) list=authorizedusers
add address=dyndnsURL(FriendF) list=authorizedusers
etc…
Last point: turn UPnP off, it shouldn't be required for anything.
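The whole procedure above, collected into one paste-able RouterOS script. This is an added example, not part of the original post, and it makes these assumptions: a RouterOS 7 default configuration (bridge named "bridge", main LAN 192.168.88.0/24, defconf established/related and fasttrack rules still present), the server port is ether4, the Minecraft server is pinned by DHCP lease to 192.168.50.10, the son's PC is 192.168.88.50, and the friends' addresses are documentation/placeholder values.

```routeros
# Added example (not from the original post). Assumed layout:
#   bridge          = default "bridge", 192.168.88.0/24 (main LAN)
#   ether4-mine     = dedicated server port, 192.168.50.0/24
#   192.168.50.10   = Minecraft server (DHCP lease, placeholder MAC)
#   192.168.88.50   = son's PC on the main LAN
#   203.0.113.10 / friend-b.example.com = placeholder friend addresses

# 1. Take ether4 off the bridge and make it its own L3 segment
/interface bridge port
remove [find interface=ether4]
/interface ethernet
set [find default-name=ether4] name=ether4-mine
/ip address
add address=192.168.50.1/24 interface=ether4-mine network=192.168.50.0
/ip pool
add name=pool-mine ranges=192.168.50.2-192.168.50.5
/ip dhcp-server
add name=dhcp-mine interface=ether4-mine address-pool=pool-mine disabled=no
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1
/ip dhcp-server lease
add address=192.168.50.10 mac-address=AA:BB:CC:DD:EE:FF server=dhcp-mine \
    comment="minecraft server (placeholder MAC, assumed)"

# 2. The new interface still counts as LAN for masquerade/interface-list rules
/interface list member
add interface=ether4-mine list=LAN

# 3. Who may reach the server from the Internet (static IPs or DynDNS names;
#    RouterOS resolves a DNS name in an address-list and refreshes it)
/ip firewall address-list
add address=203.0.113.10 list=authorizedusers comment="friend A, static WAN IP"
add address=friend-b.example.com list=authorizedusers comment="friend B, DynDNS"

# 4. Forward chain: replace the defconf WAN drop with allow-list then drop-all.
#    New rules are appended, so they land after the defconf
#    established/related and fasttrack accepts (needed for return traffic).
/ip firewall filter
remove [find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward action=accept comment="allow internet access" \
    in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add chain=forward action=accept comment="son's PC to minecraft server" \
    in-interface=bridge src-address=192.168.88.50 \
    dst-address=192.168.50.10 protocol=tcp dst-port=25565
add chain=forward action=drop comment="drop all else"

# 5. Input chain: main LAN keeps full router access, the server subnet gets
#    DNS only. (DHCP needs no input rule; RouterOS serves it via raw sockets.)
remove [find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept comment="main LAN to router" in-interface=bridge
add chain=input action=accept comment="ether4-mine DNS UDP" \
    in-interface=ether4-mine protocol=udp dst-port=53 connection-state=new
add chain=input action=accept comment="ether4-mine DNS TCP" \
    in-interface=ether4-mine protocol=tcp dst-port=53 connection-state=new
add chain=input action=drop comment="drop all else"

# 6. Port forward, restricted to the address list (to-ports omitted: same port)
/ip firewall nat
add chain=dstnat action=dst-nat comment="minecraft, authorized users only" \
    in-interface-list=WAN protocol=tcp dst-port=25565 \
    src-address-list=authorizedusers to-addresses=192.168.50.10

# 7. UPnP off, so nothing on the LAN can open its own holes
/ip upnp
set enabled=no
```

Check the result with `/ip firewall filter print` and `/ip firewall nat print`: the two "drop all else" rules must be the last entries in their chains, and the defconf "accept established,related" rule must still sit above the new forward accepts, otherwise return traffic for the son's PC and for the port forward is dropped. Run it from a host on the bridge, never from ether4, since step 1 kicks that port off the bridge mid-script.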