I have tried multiple ways to accomplish this along with various searching and combing the notes. Here is what I am trying to accomplish.
I have a medium-sized internal network (192.168.0.0/22), I have a small group of contractors that I want to provide an additional network that will utilize our internet connection for them, but deny them any access to internal networking. I have went down the path of attempting VLANs and ideally want to not utilize them here.
The network topology is the following
ISP -> Firewall -> Switch -> Switch -> PtP -> Switch -> Mikrotik hAP AC Lite Router.
What I would like to do is take the dynamic internal IP that the Mikrotik Router is getting on ETH1 but set up rules on the mikrotik to disallow any internal communication (gateway IP of internal router is 192.168.1.1). Is there a rule I can set to accomplish this?
I want them to be able to talk to each other as they will have several computers and a large printer that will be in their little LAN coming from the Mikrotik.