HW INFO:
AP1=RB951
AP2=RB951
SmartTV

DIAGRAM:
INTERNET < AP1 < AP2
-AP1 ip range=192.168.1.101-150
-AP2 ip range=192.168.1.151-200
-SmartTV connected to AP1

AP2 settings
/interface wireless print
default-forwarding=no
/ip firewall filter
add action=drop chain=input dst-address-type=multicast
add action=drop chain=input dst-port=8008,8009,32768-61000 protocol=tcp
add action=drop chain=input protocol=udp src-port=1900,32768-61000

PROBLEMS:

1. guest connecting to AP2 can chromecast youtube to my tv

QUESTIONS:

1. how to block all chromecast traffic on AP2?

tq

By using chain=forward … input is for traffic targeting router/AP itself.

And even if you fix it, it can happen it still won’t work, depending on overall configuration of AP2. So if it doesn’t work, post complete output of command /export hide-sensitive

change firewall filter to forward won't fix the problem

INFO:
-AP1 and AP2 connected through ethernet
-TV connected through wifi to AP1. Guest connected through wifi to AP2

AP2

export hide-sensitive

jul/19/2019 08:43:13 by RouterOS 6.45.1

software id = M40N-PGNH

model = 951Ui-2HnD

serial number = 643105AFCC07

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=8 band=2ghz-g/n country=india default-forwarding=no disabled=no frequency=
2437 mode=ap-bridge scan-list=2412,2437,2462 ssid=AP2 wmm-support=enabled wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" group-ciphers=tkip,aes-ccm
management-protection=allowed mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp_pool0 ranges=192.168.88.151-192.168.88.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/interface bridge filter
add action=accept chain=forward dst-port=67 ip-protocol=udp mac-protocol=ip out-interface=wlan1 src-port=68
add action=drop chain=forward dst-port=67 ip-protocol=udp mac-protocol=ip src-port=68
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip address
add address=192.168.88.225/24 interface=ether1 network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set servers=8.8.8.8,9.9.9.9
/ip firewall filter
add action=drop chain=forward dst-address-type=multicast
add action=drop chain=forward dst-port=8008,8009,32768-61000 protocol=tcp
add action=drop chain=forward protocol=udp src-port=1900,32768-61000
/ip route
add distance=1 gateway=192.168.88.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=AP2

There are a few problems with your setup. I’m assuming your AP1 has similar configuration …

• AP1 (LAN part of it at least) and AP2 share same L2 domain … this is an assumption as you didn’t post config of AP1.
  Which means that only one DHCP server (on one of APs) should be running
• Your subnet is 24-bit (192.168.88.0/24) meaning that devices on AP1 and AP2 are supposed to communicate directly without (knowingly) involving any gateway. With default (and your current) settings firewall is only engaged for packets which are handled by router part of ROS (in contrast to switching/bridging part of ROS). AP2 is currently used exclusively as switch/bridge.
  If you want to apply filter rules also to switched/bridged traffic, you have to instruct ROS to do so (setting /interface bridge settings use-ip-firewall) and force relevant traffic to pass CPU (by disabling HW acceleration on certain interfaces … if they are HW accelerated, wlan is not, ether ports usually are).
• conceptually it would be better to separate guests from your LAN by deploying separate VLANs (between main router and the rest of LAN gear) and separate SSIDs for guests (tied to guest VLANs and by deploying appropriate firewall on main router this would mean effective separation of guest traffic from LAN traffic)

I was at an hotell in Brazil where there was many private appartement as well.
Since it was just one big Wifi subnet, I could see all that uses Chromecast .
It showed up on my phone and I could start/stop mute/unmute all streams.

So with only one big net, its not simple to block you from seeing other Chromecast and at the same time allow Chromecast

The reason I create same subnet to AP1 and AP2, which AP1 as DHCP server are because

1. I want to do MAC filtering on AP1
   So AP2 only as bridge of AP1
2. with bridge, I can simply do mac filtering on 1 central location which is AP1