Hi!
I think you are approaching this the wrong way. Restricting communication between physical ports at port level (e.g. ETH1 blocked to ETH2, or ETH5 to LTE) is weird and I am not sure it can be achieved. You should focus on doing the restrictions at IP level. Without further information on what your setup is (subnets, VLANs) you will not get a straight answer.
You can, however, try the following, but I do not know if it will work; it is just an idea:
In IP → Firewall → NAT create 2 rules:
Rule 1:
chain: srcnat, out-interface: WAN1, action: masquerade → this rule will basically allow Internet on WAN1 for all sources, regardless of the incoming interface
Rule 2:
chain: srcnat, out-interface: WAN2, in-interface: ETH9 and ETH10, action: masquerade → this rule will allow Internet only on IPs coming from ETH9 and ETH10
Here is why I am saying it might not work:
The NAT rule 2 has in-interface as a restriction. Here is how MikroTik defines “in interface” in the wiki:
“Interface the packet has entered the router”
It does not specify if the interface is the physical one or the logical one. In my case, they are different, meaning a packet will enter the router on ETH8, but ETH8 is not a Layer 3 interface, so the logical “in” interface is “Bridge”. Which one does MikroTik evaluate? Physical? Logical? Both? Who knows…
Thank you for the reply and suggestion. I got it to work:
Primary connection on WAN1
Backup connection on WAN2
Linking both to WAN
Adding fallback rules in Routes
Adding a filter rule in Firewall only accepting traffic originating from a specific MAC to use WAN2
Adding a filter rule in Firewall blocking all traffic from using WAN2
Rules must be in this order. Result is that only approved devices (MAC known) can use WAN2 in case failover is activated, independent of physical port. All other MACs are blocked. When WAN1 becomes available again, all traffic is handled via WAN1 which has no MAC filter.
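The setup described in this post, written out as RouterOS CLI commands. This is an added example, not the poster's own export: interface names WAN1/WAN2, the two gateway addresses and the approved MAC are placeholders, and the interface list is assumed to be called WAN.

```routeros
# Added example; placeholders: WAN1/WAN2 interface names, gateways, approved MAC.

# 1. "Linking both to WAN": put both uplinks in the WAN interface list
/interface list member
add list=WAN interface=WAN1
add list=WAN interface=WAN2

# 2. Fallback routes: WAN1 preferred (distance 1, gateway checked by ping);
#    the WAN2 route only becomes active when the WAN1 gateway stops answering
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=1 check-gateway=ping comment="WAN1 primary"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 comment="WAN2 backup"

# 3. Masquerade on whichever uplink the active route selects
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

# 4. Forward-chain filter. Order matters: the accept for the approved MAC must
#    sit above the catch-all drop, otherwise the drop matches everyone.
#    src-mac-address is matched on the ingress frame, so it works for hosts on
#    the bridge regardless of which physical port they are plugged into.
/ip firewall filter
add chain=forward out-interface=WAN2 src-mac-address=00:11:22:33:44:55 \
    action=accept comment="approved device may use WAN2 during failover"
add chain=forward out-interface=WAN2 action=drop comment="all other devices blocked from WAN2"
```

The drop only covers forwarded traffic; the router's own connections (output chain) are not affected. A source MAC is trivially changed by the client, so treat this as a convenience allowlist rather than authentication of the device.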