I have a CCR with two WAN links, and a LAN link with a few VLANs on it. Everything on the LAN/VLANs is being NAT'd ("masqueraded").
I have an extra /28 routed to one of the WAN links and want to give unfettered access to a piece of that subnet to someone plugged in to one of the extra LAN ports.
In Cisco world, where I'm generally not doing NAT or firewalling on the router itself, this is a no-brainer.
In Mikrotik world, I'm a bit stumped.
So far I did the following:
- made my NAT rules more specific so they only match traffic from the existing NAT'd LAN/VLAN subnets
- took a /31 from the /28 and assigned it to an unused LAN interface (oops! /31 is a no-go on Mik, make that a /30)
- added two rules above all other rules on the forward chain to allow all traffic from the WAN interface to this new LAN interface and vice-versa (no go)
- added two rules above all other rules on the input chain to allow all traffic to the new /28 on this new LAN interface and vice-versa (works)
Is this correct? Is there a better or more efficient way to achieve this?
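
An offline check for the first two steps in the post above, added here as an example and not the poster's configuration: it carves a /30 out of the routed /28 and flags any masquerade rule in a NAT export whose source match would still translate that /30. The export lines, interface names and the 203.0.113.0/28 block (a documentation range standing in for the real /28) are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of `/ip firewall nat export` output.
SAMPLE_NAT_EXPORT = """\
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether1 src-address=203.0.113.0/24
"""
ROUTED_BLOCK = ipaddress.ip_network("203.0.113.0/28")  # placeholder for the routed /28


def carve_p2p(block, prefixlen=30):
    """Return (subnet, router_ip, client_ip) for the first subnet of the block."""
    subnet = next(block.subnets(new_prefix=prefixlen))
    hosts = list(subnet.hosts())  # a /30 has exactly two usable host addresses
    return subnet, hosts[0], hosts[1]


def nat_rules_touching(export_text, public_net):
    """Return (rule, reason) for masquerade rules that could still NAT public_net."""
    hits = []
    for line in export_text.splitlines():
        props = dict(re.findall(r"(\S+?)=(\S+)", line))
        if props.get("action") != "masquerade":
            continue
        src = props.get("src-address")
        if src is None and "src-address-list" in props:
            # Address lists are not resolved here; they need a manual look.
            hits.append((line, "uses src-address-list: check the list by hand"))
        elif src is None:
            hits.append((line, "no src-address: matches every source"))
        # Only CIDR/plain-address values are handled, not address ranges.
        elif ipaddress.ip_network(src, strict=False).overlaps(public_net):
            hits.append((line, f"src-address {src} overlaps {public_net}"))
    return hits


if __name__ == "__main__":
    subnet, router_ip, client_ip = carve_p2p(ROUTED_BLOCK)
    print(f"{subnet}: router {router_ip}, client {client_ip}")
    for rule, reason in nat_rules_touching(SAMPLE_NAT_EXPORT, subnet):
        print(f"REVIEW: {reason}\n    {rule}")
```
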