Open port between Guest WIFI and my main network

Hi !

I have set up a Guest Wifi for a camera system in my block, it’s connected to that Wifi, the guest network is blocked from accessing my network (I’m ok with that), but is it possible to open a port between a device connected on the guest wifi and my internal network? So I can be able to access the cameras?

P.S. both devices are on 192.168.88.x

Thanks !

Why not avoid using Guest Wifi for cameras and other non-guest devices?

You can add a VirtualAP and use a virtual SSID for cameras. I believe this will be a lot easier for you.

Because my neighbours access the cameras, I don’t want them to browse my network.

For blocking access between networks, a firewall can be used.

Please read my first post :slight_smile: I need to open a port between a device in the guest network and my LAN network.

Try to share a few more details, perhaps post an exported config, then you can get a better answer.

And a diagram would help too.

Sorry, but I don’t know how to do a diagram; I thought that my question was clear.

I made a Guest wifi network (wlan3); the PVR (192.168.88.192) is connected to that WIFI, my computer (192.168.88.8) is connected to the Mikrotik on port 2. I want to access the web page of the PVR on port 88 but the Mikrotik blocks it. Is it possible to unblock that port?

Thanks again !

Okay, let’s see if I have this right.

A. Guest Network
i. wifi camera is in guest network
ii. neighbours are also on guest network so they can view the cameras
iii. guest network only has access to the internet

B. Home Network.
i. has access to the internet only
ii. You wish to access the wifi camera for viewing or setup etc…

This is dirt simple:
Firewall filter forward chain rule,
allow your IP (source IP) access to the destination IP (WiFi camera).

That’s it in general concepts. However, without posting your config here it’s only a concept.
How best to do this, or to do it safely, depends on how your router is configured.

Please post it…
/export hide-sensitive file=yourconfig

That’s exactly what I want to do; what part of the config do you need? I don’t like to expose all that on the internet.

/export hide-sensitive file=yourconfigmay05

Is what I need.
Just ensure that you remove your WAN IP and WAN IP gateway and you should be good to go.
I believe the above removes your wifi passwords as well, but it’s safe to check…
Ensure your IP services don’t show your Winbox port number, or enter a fake one…

You have no idea how many creative ways to (mis)configure things people find. :smiley: Also when a person says that they did X, you never know if they really did X, or they only think they did and actually did Y.

Here is the configuration

removed for privacy

I am not familiar with putting filters on bridges so I am not of much help here.

Hey

  • don’t use wpa, it’s broken

To do what you want you need to have the notion of connection tracking: allow connection from lan to guest (and related responses, so conn tracking needed) but don’t allow connections (new) from guest to lan.

Bridge firewall doesn’t have that capability. You could try “use-ip-firewall” (which will further burden the cpu)… BUT


Why not isolate guest to different ip range, then it becomes much more straight-forward: guest = “dmz”, allow outbound to dmz, not inbound. → simple firewall config?

Ok, so the idea is to have a guest LAN. But not the usual boring one which is completely separated (independent interface or bridge with its own subnet). Rather make it part of the main LAN bridge, let it use the same DHCP server and everything. Except it should be separate, so let’s cut it off with bridge filters. Yep, it’s creative. :smiley:

My suggestion is to switch to a normal guest LAN. Make another bridge, put wlan3 and wlan4 there, give it its own IP subnet and DHCP server, and use the IP firewall to manage access. It’s simple and manageable. Or is there any reason for what you have now that I’m missing?

If you’d like to keep what you have, you’d need some exception from current bridge filters. You’d need to allow access between wlan3/4 and device(s) in main LAN. It should work too, but you’d need to allow more stuff, because bridge filters are stateless and don’t see connections as IP firewall does. So you’d need to allow arp first, then traffic from guest to device(s) and also traffic from device(s) to guests.

Other possible solution could be bridge’s use-ip-firewall option, but I’d avoid it, that thing is strange.
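The "normal guest LAN" design suggested above, combined with the forward-chain rule and the connection-tracking idea from the earlier replies, as an added example; this is not configuration from the thread, from the poster's export, or from MikroTik. It assumes wlan3/wlan4 are the guest radios, `bridge` is the existing main LAN bridge on 192.168.88.0/24, ether1 is the WAN port, 192.168.89.0/24 is a constructed guest subnet, 192.168.89.192 is the camera/PVR's new address on that subnet, 192.168.88.8 is the admin PC, and the camera's web UI is on TCP 88 (as in the thread).

```routeros
# Added example, not from the thread. Guest WLAN on its own bridge and subnet,
# with IP firewall rules that rely on connection tracking.
# Assumed names/addresses: bridge (main LAN, 192.168.88.0/24), ether1 (WAN),
# bridge-guest (new, 192.168.89.0/24), camera 192.168.89.192, admin PC 192.168.88.8.

/interface bridge
add name=bridge-guest comment="guest LAN (camera + neighbours)"

/interface bridge port
add bridge=bridge-guest interface=wlan3
add bridge=bridge-guest interface=wlan4

/ip address
add address=192.168.89.1/24 interface=bridge-guest

/ip pool
add name=pool-guest ranges=192.168.89.10-192.168.89.200

/ip dhcp-server
add name=dhcp-guest interface=bridge-guest address-pool=pool-guest disabled=no

/ip dhcp-server network
add address=192.168.89.0/24 gateway=192.168.89.1 dns-server=192.168.89.1

# Pin the camera to a fixed address so the firewall rule below keeps matching it.
# MAC is a placeholder; replace with the camera's real one.
/ip dhcp-server lease
add address=192.168.89.192 mac-address=00:00:00:00:00:00 server=dhcp-guest \
    comment="camera/PVR (placeholder MAC)"

/ip firewall filter
# Replies to connections that were already allowed. This is the connection-tracking
# part: the camera's answers to the PC get through without a rule of their own.
add chain=forward connection-state=established,related action=accept \
    comment="guest/lan: allow replies"
# The admin PC may open TCP 88 to the camera. Nothing else crosses LAN -> guest.
add chain=forward connection-state=new in-interface=bridge out-interface=bridge-guest \
    src-address=192.168.88.8 dst-address=192.168.89.192 protocol=tcp dst-port=88 \
    action=accept comment="lan -> camera web ui"
# Guest clients may only reach the internet.
add chain=forward connection-state=new in-interface=bridge-guest out-interface=ether1 \
    action=accept comment="guest -> internet"
# Every other connection that starts on the guest side is dropped, including guest -> LAN.
add chain=forward connection-state=new in-interface=bridge-guest action=drop \
    comment="guest: drop all other new connections"
# Guest clients may talk to the router itself only for DHCP and DNS; no Winbox,
# SSH or WebFig from the guest side.
add chain=input in-interface=bridge-guest protocol=udp dst-port=53,67 action=accept \
    comment="guest: dhcp + dns to router"
add chain=input in-interface=bridge-guest action=drop \
    comment="guest: drop other access to router"
```

Rule order matters: the `established,related` accept must sit above the drops, and any pre-existing "accept all from LAN" or "drop all" rules in the forward chain will change what these do, so check the result with `/ip firewall filter print` and use `move` to place the new rules where they belong. Because the guest side is now a different subnet, the camera is reached by its 192.168.89.x address, not the 192.168.88.x one from the original setup.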


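For the keep-what-you-have option (stateless bridge filter exceptions for ARP plus both traffic directions), an added example that is not from the thread or from the poster's export. It assumes the guest radio is wlan3, the camera/PVR is 192.168.88.192 with its web UI on TCP 88 (both from the thread), the admin PC is 192.168.88.8 (assumed), and that the existing bridge filter already contains a rule dropping guest-to-LAN forwarding, above which these exceptions have to sit.

```routeros
# Added example, not from the thread. Exceptions in an existing bridge filter that
# otherwise drops traffic between wlan3 (guest) and the rest of the bridge.
# Bridge filters are stateless, so ARP and BOTH directions of the TCP session
# must be allowed explicitly; the reply direction is matched on src-port=88.
# Assumed: guest radio wlan3, camera 192.168.88.192, admin PC 192.168.88.8.

/interface bridge filter
# 1. ARP in both directions, otherwise neither side can resolve the other's MAC.
add chain=forward in-interface=wlan3 mac-protocol=arp \
    arp-src-address=192.168.88.192/32 arp-dst-address=192.168.88.8/32 \
    action=accept comment="camera -> pc arp"
add chain=forward out-interface=wlan3 mac-protocol=arp \
    arp-src-address=192.168.88.8/32 arp-dst-address=192.168.88.192/32 \
    action=accept comment="pc -> camera arp"
# 2. PC -> camera web UI (TCP 88).
add chain=forward out-interface=wlan3 mac-protocol=ip ip-protocol=tcp \
    src-address=192.168.88.8/32 dst-address=192.168.88.192/32 dst-port=88 \
    action=accept comment="pc -> camera tcp/88"
# 3. Camera -> PC replies. No connection state here, so only the source port
#    ties this to the session above.
add chain=forward in-interface=wlan3 mac-protocol=ip ip-protocol=tcp \
    src-address=192.168.88.192/32 src-port=88 dst-address=192.168.88.8/32 \
    action=accept comment="camera -> pc replies"
```

After adding these, run `/interface bridge filter print` and use `move` so all four sit above the existing guest-to-LAN drop rule. The defensive limit of this approach is exactly what the post above points out: the return-direction rule is stateless, so any device on the guest side that sends packets with source address 192.168.88.192 and source port 88 is accepted towards the PC regardless of whether the PC ever opened a connection. Adding a separate subnet and using the IP firewall (connection-state rules) removes that gap.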

Ok, I’ll take a look at that, but I think I found a solution: with Hairpin NAT I can access the camera on port 88!

Great minds … :wink: (Selfish, yes :wink: )


That will do the trick too, but only for one destination?
Getting a bit complex? :wink:

:laughing: :sunglasses: