I can't recreate your issue even with a Hotspot added to the scenario.
Similar setup to yesterday. I changed the inside 192.168.1.1/24 network to 192.168.2.1/24 as this is at home where I'm putting the 433 on my network that already is 192.168.1.0/24. Add a DHCP client to ether2 as the WAN interface, enable the caching DNS resolver for the Hotspot to work.
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU
0 R ether1 ether 1500 1526
1 R ether2 ether 1500 1522
2 ether3 ether 1500 1522
3 X wlan1 wlan 1500
[admin@MikroTik] > /ip dhcp-client print
Flags: X - disabled, I - invalid
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
0 ether2 yes yes bound 192.168.1.251/24
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.2.1/24 192.168.2.0 ether1
1 192.168.5.1/24 192.168.5.0 ether1
2 D 192.168.1.251/24 192.168.1.0 ether2
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 192.168.1.1 1
1 ADC 192.168.1.0/24 192.168.1.251 ether2 0
2 ADC 192.168.2.0/24 192.168.2.1 ether1 0
3 ADC 192.168.5.0/24 192.168.5.1 ether1 0
[admin@MikroTik] > /ip dns print
servers: 8.8.8.8,8.8.4.4
allow-remote-requests: yes
max-udp-packet-size: 512
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 33KiB
[admin@MikroTik] >
And a minimalist Hotspot with a test user:
[admin@MikroTik] > /ip hotspot export
# jan/01/2002 01:10:16 by RouterOS 5.0rc9
# software id = 17IE-V2WQ
#
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=\
default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot
add disabled=no idle-timeout=5m interface=ether1 keepalive-timeout=none name=hotspot1 \
profile=default
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=\
unlimited status-autorefresh=1m transparent-proxy=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
add disabled=no name=test password=test profile=default
[admin@MikroTik] >
And some basic NAT out the ether2 interface, plus showing there are no firewall filters other than the dynamics:
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
1 chain=srcnat action=masquerade out-interface=ether2
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
[admin@MikroTik] >
The users are logged in:
[admin@MikroTik] >/ip hotspot active print
Flags: R - radius, B - blocked
# USER ADDRESS UPTIME SESSION-TIME-LEFT IDLE-TIMEOUT
0 test 192.168.2.2 4m11s
1 test 192.168.5.2 2m47s
[admin@MikroTik] >
And ping works between them. Here a tcpdump from the .2.2 machine. Redirects, but as discussed above you'll have to filter those manually or ignore them as they are expected.
sh-3.2# tcpdump -c 8 -n -i en0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:35:43.259587 IP 192.168.5.2 > 192.168.2.2: ICMP echo request, id 1, seq 12, length 40
19:35:43.259646 IP 192.168.2.2 > 192.168.5.2: ICMP echo reply, id 1, seq 12, length 40
19:35:43.259998 IP 192.168.2.1 > 192.168.2.2: ICMP redirect 192.168.5.2 to host 192.168.5.2, length 68
19:35:44.271145 IP 192.168.5.2 > 192.168.2.2: ICMP echo request, id 1, seq 13, length 40
19:35:44.271218 IP 192.168.2.2 > 192.168.5.2: ICMP echo reply, id 1, seq 13, length 40
19:35:44.271549 IP 192.168.2.1 > 192.168.2.2: ICMP redirect 192.168.5.2 to host 192.168.5.2, length 68
19:35:45.285556 IP 192.168.5.2 > 192.168.2.2: ICMP echo request, id 1, seq 14, length 40
19:35:45.285625 IP 192.168.2.2 > 192.168.5.2: ICMP echo reply, id 1, seq 14, length 40
8 packets captured
19 packets received by filter
0 packets dropped by kernel
sh-3.2# ifconfig en0 | grep "inet[^6]"
inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
sh-3.2#
You have something explicitly blocking this if it isn't working, because it works out of the box. Post your config, I guess.