Allowing Plex server through 2 separate LANs

Hi All.
I am posting this at the risk of upsetting everyone, as I know this has been asked before. Unfortunately I am a novice when it comes to MikroTik setup and I am struggling with understanding some of the responses to the questions, so I hope I can get some help with my specific problem.
I am sharing my internet connection with my neighbour and lately we noticed that some of our devices like TVs and Chromecasts are advertising on each other's devices. To avoid that I have implemented 2 separate LANs and a firewall rule that blocks all incoming LAN traffic from my neighbour's LAN to mine. It is set up to work only "one way" as I need to manage his WiFi AP, so I need access to that.
The good news is the rule I implemented works as intended, but I want my neighbour to be able to access my Plex Server on my LAN, but only this and nothing else. Some of the solutions I saw were quite complicated and I want to keep my firewall rules as simple as possible so as not to add any more strain on my poor old RB2011iL that already has to handle a gigabit symmetric connection over PPPoE.

ether 3 is my neighbour
all bridge ports are in my network

This is my current config

/interface bridge
add name=bridge1
/interface vlan
add interface=ether1 name=vlan911 vlan-id=911
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan911 name=PPPoE_Out \
    use-peer-dns=yes user=*****
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=l2tp-pool ranges=192.168.3.10-192.168.3.13
add name=lan3_pool ranges=192.168.2.10-192.168.2.250
/ip dhcp-server
add address-pool=dhcp_pool0 allow-dual-stack-queue=no disabled=no interface=\
    bridge1 lease-time=30m name=dhcp1
add address-pool=lan3_pool authoritative=after-2sec-delay disabled=no \
    interface=ether3 lease-time=30m name=LAN3_DHCP
/ppp profile
add local-address=192.168.3.1 name=l2tp-profile remote-address=l2tp-pool
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes one-session-per-host=yes use-ipsec=yes
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.2.1/24 interface=ether3 network=192.168.2.0
/ip dhcp-server config
set store-leases-disk=8h
/ip dhcp-server lease
add address=192.168.1.101 allow-dual-stack-queue=no client-id=\
    1:4:18:d6:9c:2a:e2 mac-address=04:18:D6:9C:2A:E2 server=dhcp1
add address=192.168.1.100 allow-dual-stack-queue=no client-id=\
    1:b4:fb:e4:90:4b:18 mac-address=B4:FB:E4:90:4B:18 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=\
    90.255.255.255,192.168.1.1,90.255.255.255 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=90.255.255.255 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=new dst-address=192.168.1.0/24 \
    src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=5130 in-interface=PPPoE_Out \
    protocol=tcp to-addresses=192.168.1.7 to-ports=5130
add action=dst-nat chain=dstnat dst-port=32400 in-interface=PPPoE_Out \
    protocol=tcp to-addresses=192.168.1.4 to-ports=32400
add action=dst-nat chain=dstnat dst-port=1194 in-interface=PPPoE_Out \
    protocol=udp to-addresses=192.168.1.242 to-ports=1194
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ssh disabled=yes

My Plex server sits on 192.168.1.4:32400.
Also, if you see any odd stuff in my setup that you'd care to point out, I'd be grateful.
Thanks

/ip firewall filter (Where are your INPUT chain rules??)
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward connection-state=new dst-address=192.168.1.x (ip of server) src-address=192.168.2.0/24
add action=drop chain=forward connection-state=new dst-address=192.168.1.0/24 src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan


Note: ensure the ethernet port for WAN and the PPPoE are both listed as interface members of WAN.

Here are the firewall rules

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=new dst-address=192.168.1.0/24 src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=5130 in-interface=PPPoE_Out protocol=tcp to-addresses=192.168.1.7 \
    to-ports=5130
add action=dst-nat chain=dstnat dst-port=32400 in-interface=PPPoE_Out protocol=tcp to-addresses=192.168.1.4 \
    to-ports=32400
add action=dst-nat chain=dstnat dst-port=1194 in-interface=PPPoE_Out protocol=udp to-addresses=\
    192.168.1.242 to-ports=1194
/ip firewall service-port
set ftp disabled=yes

Would you also mind explaining a bit what each of the actions does? I admit that my config is a collection of YouTube videos and my best attempts at understanding forum posts.
Also, thank you for your prompt reply. I really appreciate it.

Actually, no need to explain, I think I got it now. Thanks so much.
The only other question I'd have is with regard to this:

ensure the ethernet port for WAN and the PPPoE are both listed as interface members of WAN.

How would I go about achieving this?

This is still not correct
/ip firewall nat
add action=masquerade chain=srcnat

should be
add action=masquerade chain=srcnat out-interface-list=WAN

You should have this on your config already
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

Ensure you also have something like this
/interface list member
add interface=pppoe_out list=WAN
add interface=vlan911 list=WAN
add interface=subnet1 list=LAN
add interface=subnet2 list=LAN

OK so I changed to:

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add interface=vlan911 list=WAN
add interface=bridge1 list=LAN
add interface=ether3 list=LAN

But as soon as I change masquerade to

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

my internet drops

EDIT
Saw my error, correcting now…

OK, so one more time - sorry…

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add interface=vlan911 list=WAN
add interface=bridge1 list=LAN
add interface=ether3 list=LAN
add interface=PPPoE_Out list=WAN
Everything is working great.
Can I ask what the implementation of the list and the change to masquerade mean?

Very basically, you have to let the router know which interface you are masquerading out of (so it knows to assign your public IP to outgoing traffic, and then route the return packets to the correct originating source). The list approach is a wide swath in that if one has multiple WAN interfaces it covers them all. Also, I'm not familiar with PPPoE and thus not sure which is the best choice, eth1, vlan999 or pppoe; by adding all into the mix you are covered!!
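The two points made in this thread, that the Plex accept rule has to sit before the LAN-to-LAN drop rule in the forward chain, and that masquerade with out-interface-list=WAN only fires when the interface the packet actually leaves on (PPPoE_Out, not just vlan911) is a member of that list, can both be checked offline with a small model of how RouterOS walks a chain. The code below is an added example, not something posted in the thread or taken from MikroTik; it assumes the forward chain's default verdict is accept, models fasttrack-connection as a non-terminating action that just marks the connection, and tightens the suggested Plex rule with protocol=tcp dst-port=32400 so that only Plex, rather than every service on 192.168.1.4, is reachable from the neighbour's LAN. The packets are constructed to mirror the addresses and interface names in the thread.

```python
# Added example (not from the thread or from MikroTik): a toy model of how
# RouterOS evaluates the forward filter chain and the srcnat chain, so the
# effect of rule order and of WAN interface-list membership can be checked.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set


@dataclass
class Packet:
    src: str            # source IP
    dst: str            # destination IP
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    state: str          # connection-state: new / established / related / invalid
    out_iface: str      # interface the packet will leave on (from routing)


@dataclass
class Rule:
    action: str                          # accept / drop / fasttrack-connection / masquerade
    state: Optional[Set[str]] = None     # connection-state match, None = any
    src_net: Optional[str] = None        # src-address match (host or prefix)
    dst_net: Optional[str] = None        # dst-address match (host or prefix)
    proto: Optional[str] = None          # protocol match
    dport: Optional[int] = None          # dst-port match
    out_list: Optional[str] = None       # out-interface-list match


def matches(rule: Rule, pkt: Packet, iface_lists: dict) -> bool:
    """Every matcher the rule sets must hold; unset matchers match anything."""
    if rule.state is not None and pkt.state not in rule.state:
        return False
    if rule.src_net is not None and ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    if rule.dst_net is not None and ip_address(pkt.dst) not in ip_network(rule.dst_net):
        return False
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.out_list is not None and pkt.out_iface not in iface_lists.get(rule.out_list, set()):
        return False
    return True


def walk(chain, pkt: Packet, iface_lists=None, default="accept") -> str:
    """Return the action of the first terminating rule that matches, else the default.
    Assumption: fasttrack-connection only marks the connection and evaluation
    continues, which is why the thread's config keeps an accept established,related
    rule right after it."""
    iface_lists = iface_lists or {}
    for rule in chain:
        if matches(rule, pkt, iface_lists):
            if rule.action == "fasttrack-connection":
                continue
            return rule.action
    return default


# Addresses from the thread
PLEX_SERVER = "192.168.1.4"
NEIGHBOUR_LAN = "192.168.2.0/24"
MY_LAN = "192.168.1.0/24"

# Forward chain as suggested in the thread, with the Plex rule narrowed to
# tcp/32400 (added here) so only Plex is exposed, not the whole host.
FASTTRACK = Rule("fasttrack-connection", state={"established", "related"})
ACCEPT_EST = Rule("accept", state={"established", "related"})
DROP_INVALID = Rule("drop", state={"invalid"})
PLEX_ACCEPT = Rule("accept", state={"new"}, src_net=NEIGHBOUR_LAN,
                   dst_net=PLEX_SERVER, proto="tcp", dport=32400)
LAN_DROP = Rule("drop", state={"new"}, src_net=NEIGHBOUR_LAN, dst_net=MY_LAN)
FORWARD_CHAIN = [FASTTRACK, ACCEPT_EST, DROP_INVALID, PLEX_ACCEPT, LAN_DROP]

# srcnat chain: masquerade only on interfaces that are members of the WAN list
SRCNAT_CHAIN = [Rule("masquerade", out_list="WAN")]


def forward_verdict(pkt: Packet, chain=FORWARD_CHAIN) -> str:
    # RouterOS accepts a forwarded packet that matches no rule
    return walk(chain, pkt, default="accept")


def nat_verdict(pkt: Packet, wan_members) -> str:
    # A packet matching no srcnat rule leaves with its private source address
    return walk(SRCNAT_CHAIN, pkt, {"WAN": set(wan_members)}, default="no-nat")


if __name__ == "__main__":
    # constructed sample packets
    plex = Packet("192.168.2.50", PLEX_SERVER, "tcp", 32400, "new", "bridge1")
    other = Packet("192.168.2.50", "192.168.1.7", "tcp", 5130, "new", "bridge1")
    print("neighbour -> Plex:", forward_verdict(plex))                    # accept
    print("neighbour -> other host:", forward_verdict(other))             # drop
    print("drop before accept:", forward_verdict(
        plex, [FASTTRACK, ACCEPT_EST, DROP_INVALID, LAN_DROP, PLEX_ACCEPT]))  # drop
    out = Packet("192.168.2.50", "1.1.1.1", "tcp", 443, "new", "PPPoE_Out")
    print("WAN={vlan911}:", nat_verdict(out, {"vlan911"}))                # no-nat
    print("WAN={vlan911,PPPoE_Out}:", nat_verdict(out, {"vlan911", "PPPoE_Out"}))  # masquerade
```

The "no-nat" result for a WAN list holding only vlan911 is the "my internet drops" symptom from earlier in the thread: the packet leaves on PPPoE_Out, the masquerade rule does not match, and the reply never comes back to a private address. Reordering the chain so the drop sits above the accept shows why the Plex rule must come first.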

Thank you so much.
I have learned a lot and am very happy with the config.
Thank you, anav.