Main Router - RB4011 → Connected to ONT (bypass mode)
eth1/eth2 - part of BRIDGEWAN - WAN IP is DHCP from ATT (45.x.x.x, gateway 45.x.x.x)
eth3-eth9 part of BRIDGELAN dhcp serves LAN 192.168.88.0/24
NAT masquerade set for BRIDGEWAN by Mikrotik
Clients in 192.168.88.x can access internet
eth10 - Static WAN IP from ATT (subnet routed by ATT) (107.x.x.x gateway eth10)
eth10 is connected to secondary router ( PFSense Virtual router running as a VM under Proxmox )
PFSense WAN gets another static IP fro the block and feeds another LAN 192.168.100.x
Nat masquerade set for Eth10 by PfSense virtual router
Clients in 192.168.100.x can access internet
/ip route
4 routes
0.0.0.0 to 45.x.x.x.x gateway
45.x.x.0/22 via bridgewan
107.x.x.x/29 via eth10
192.168.88.0/24 via 192.168.88.1
Basically my question is how to allow only certain hosts in 192.168.88.0 lan to see a certain host in 192.168.100.x lan
At present since Rule 11 below is disabled I can ping hosts from 192.168.100.x to 192.168.88x but NOT from 192.168.88.x to 192.168.100.x (which is what I want to do)
I can confirm that the Pfsense firewall is not seeing the ICMP from 192.168.88.x and neither is the Mikrotik log showing a drop
Yeah, I did notice that and earlier tried to add a static route
dst-address=192.168.100.0/32 via gateway 107.x.x.94 (WAN IP of eth10) and this did not work. I wonder if the route 0 takes priority and sends everything out via the main WAN interface (eth0)
ok, the traffic from 192.168.88.x to 192.168.100.x is hitting the bridgelan and bridgewan but not eth10 even though I added a static route to 192.168.100.x via ether10
You can’t have interface as gateway, it must be the address on the other router.
If I understand it correctly and you have routed subnet, where RB has 107.x.x.X/29 on ether10 and the other router has 107.x.x.Y/29 on its WAN interface, then the gateway is 107.x.x.Y. And route’s dst-address must have correct mask, most likely /24, definitely not /32.