Config is as follows
Main Router - RB4011 -> Connected to ONT (bypass mode)
eth1/eth2 - part of BRIDGEWAN - WAN IP is DHCP from ATT (45.x.x.x, gateway 45.x.x.x)
eth3-eth9 part of BRIDGELAN dhcp serves LAN 192.168.88.0/24
NAT masquerade set for BRIDGEWAN by Mikrotik
Clients in 192.168.88.x can access internet
eth10 - Static WAN IP from ATT (subnet routed by ATT) (107.x.x.x gateway eth10)
eth10 is connected to secondary router (pfSense virtual router running as a VM under Proxmox)
pfSense WAN gets another static IP from the block and feeds another LAN 192.168.100.x
NAT masquerade set for eth10 by pfSense virtual router
Clients in 192.168.100.x can access internet
0.0.0.0/0 via 45.x.x.x gateway
45.x.x.0/22 via bridgewan
107.x.x.x/29 via eth10
192.168.88.0/24 via 192.168.88.1
Basically my question is how to allow only certain hosts in the 192.168.88.0/24 LAN to see a certain host in the 192.168.100.x LAN.
At present, since Rule 11 below is disabled, I can ping hosts from 192.168.100.x to 192.168.88.x but NOT from 192.168.88.x to 192.168.100.x (which is what I want to do).
I can confirm that the pfSense firewall is not seeing the ICMP from 192.168.88.x, and neither is the MikroTik log showing a drop.
/ip firewall filter on MikroTik
0 D ;;; special dummy rule to show fasttrack counters
1 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
2 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
3 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=yes log-prefix="DROP INVALID"
4 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=yes log-prefix="NOTFROMLAN"
6 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
7 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=yes log-prefix="DROPINVALID2"
8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
10 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=yes log-prefix="DROP!DSTNAT"
11 X ;;; Drop tries to reach not public addresses from LAN
chain=forward action=drop dst-address-list=not_in_internet in-interface-list=LAN out-interface-list=!LAN log=yes
12 ;;; Drop incoming from internet which is not public IP
chain=forward action=drop src-address-list=not_in_internet in-interface-list=WAN log=yes log-prefix="!public"
13 ;;; Drop packets from LAN that do not have LAN IP
chain=forward action=drop src-address=!192.168.88.0/24 in-interface-list=LAN log=yes log-prefix="LAN_!LAN"
14 ;;; Drop incoming packets that are not NATted
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=yes log-prefix="!NAT"
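One way to express the allow-list the question asks for on the RB4011 side, as an added example that is not from the original post. It assumes: the address pfSense holds on the 107.x.x.x/29 block is unknown here and is written as the placeholder 107.0.0.2; the reachable host is 192.168.100.10 and the permitted LAN hosts are 192.168.88.10 and 192.168.88.20 (all constructed values); interface names (eth10) and interface lists (LAN) are the ones in the post; and the two new rules are placed ahead of rule 11 by matching its comment, so they keep working whether that rule stays disabled or is re-enabled later.

```routeros
# Added example, not from the original post. Constructed/placeholder values:
#   107.0.0.2       = pfSense WAN address on the routed /29 (placeholder)
#   192.168.100.10  = the one host behind pfSense that may be reached
#   192.168.88.10/20 = the only LAN hosts allowed to reach it

# 1. Route the pfSense LAN out of eth10 toward the pfSense WAN address.
#    Without a specific route, 192.168.100.0/24 follows the default route.
/ip route
add dst-address=192.168.100.0/24 gateway=107.0.0.2 comment="pfSense LAN via eth10"

# 2. Address lists: who may talk and to what (edit these, not the rules).
/ip firewall address-list
add list=lan_to_pfsense_allowed address=192.168.88.10 comment="allowed source"
add list=lan_to_pfsense_allowed address=192.168.88.20 comment="allowed source"
add list=pfsense_targets address=192.168.100.10 comment="reachable host"

# 3. Forward chain: accept the listed pairs, then drop every other LAN host
#    heading for 192.168.100.0/24. Returning packets are already covered by
#    the default "accept established,related" rule, so only new flows are matched.
#    Both rules are inserted immediately before rule 11 (found by its comment),
#    so they are evaluated before that drop if it is ever re-enabled.
/ip firewall filter
add chain=forward action=accept connection-state=new \
    src-address-list=lan_to_pfsense_allowed dst-address-list=pfsense_targets \
    in-interface-list=LAN out-interface=eth10 \
    comment="LAN allow-list -> pfSense host" \
    place-before=[find comment="Drop tries to reach not public addresses from LAN"]
add chain=forward action=drop connection-state=new \
    dst-address=192.168.100.0/24 in-interface-list=LAN \
    log=yes log-prefix="LAN->PFSENSE_DENY" \
    comment="all other LAN -> pfSense LAN traffic" \
    place-before=[find comment="Drop tries to reach not public addresses from LAN"]

# 4. Optional: hide the LAN behind the router's eth10 address so pfSense only
#    ever sees one public source. Skip this if pfSense should see the real
#    192.168.88.x sources (then it needs a return route for 192.168.88.0/24).
/ip firewall nat
add chain=srcnat action=masquerade out-interface=eth10 \
    dst-address=192.168.100.0/24 comment="LAN -> pfSense LAN"
```

Two things on the pfSense side are still required for the ping to succeed, and they are assumptions rather than anything the post states: a pass rule on its WAN interface for the permitted source(s) to 192.168.100.10, and either the srcnat rule above or a static route for 192.168.88.0/24 pointing back at the RB4011's eth10 address. Note that pfSense's default "Block private networks" option on the WAN interface would silently discard packets that still carry a 192.168.88.x source, which is one reason to prefer the srcnat variant. Once the drop rule is in place, the "LAN->PFSENSE_DENY" log prefix makes any host outside the allow-list visible in the MikroTik log, which is the check the question was missing.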