As for ping, if you were able to ping 192.168.2.2 from 192.168.2.1, then communication between them is clearly working. Not being able to ping in the other direction is probably because the laptop's firewall blocks it.
Yeah, apparently it was due to the other firewall. Once I disabled it, I could ping. How foolish of me.
Last question: I need to allow specific source and destination ports from ether3-lan to those 5 subnets via ether2-p2p. Is this config correct?
# NAT table. Rules in a chain are checked top to bottom, and the first rule
# that matches a new connection decides it; later rules are not consulted.
# NAT only rewrites addresses - it neither permits nor blocks traffic. Port
# restrictions between ether3-lan and ether2-p2p belong in
# "/ip firewall filter" chain=forward (accept the wanted ports, then drop).
/ip firewall nat
# No out-interface here: lan-user sources are masqueraded on every egress
# interface, so the two rules below only add sources outside that list.
add action=masquerade chain=srcnat src-address-list=lan-user
add action=masquerade chain=srcnat out-interface=ether2-p2p
add action=masquerade chain=srcnat out-interface=ether1-wan
# action=accept in dstnat means "leave the destination untranslated" for
# traffic to 192.168.2.0/24 on these ports; it is not an allow rule.
# src-port is chosen by the sender, so matching on it is a weak restriction.
# NOTE(review): src-port=8194-8395 is wider than the listed dst-port sets -
# confirm the range is intended.
add action=accept chain=dstnat dst-address=192.168.2.0/24 dst-port=48129-48137 protocol=udp src-port=48129-48137
add action=accept chain=dstnat dst-address=192.168.2.0/24 dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=8194-8395
add action=accept chain=dstnat dst-address=192.168.2.0/24 dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=48152-65535
# These five rules match on src-address only (no dst-address, protocol, port
# or in-interface), so the first one catches every remaining connection from
# 192.168.0.0/24 - whatever its destination - and the other four never match.
# NOTE(review): to-addresses is normally a single address or a range; mapping
# one subnet onto another is what action=netmap is for - confirm what a prefix
# does here. If the five subnets are simply reachable through ether2-p2p,
# routes plus forward-chain filter rules may be all that is needed, with no
# dst-nat at all - verify against the intended design.
add action=dst-nat chain=dstnat src-address=192.168.0.0/24 to-addresses=xxx.xxx.xxx.0/24
add action=dst-nat chain=dstnat src-address=192.168.0.0/24 to-addresses=xxx.xxx.xxx.0/24
add action=dst-nat chain=dstnat src-address=192.168.0.0/24 to-addresses=xxx.xxx.xxx.0/23
add action=dst-nat chain=dstnat src-address=192.168.0.0/24 to-addresses=xxx.xxx.xxx.0/21
add action=dst-nat chain=dstnat src-address=192.168.0.0/24 to-addresses=xxx.xxx.xxx.0/16
or should I specify dst-address on the port settings with the subnet like this?
# Alternative NAT table. Rules in a chain are checked top to bottom, and the
# first rule that matches a new connection decides it. NAT only rewrites
# addresses; allowing or blocking ports is done in "/ip firewall filter"
# chain=forward, not here.
/ip firewall nat
# No out-interface here: lan-user sources are masqueraded on every egress
# interface, so the two rules below only add sources outside that list.
add action=masquerade chain=srcnat src-address-list=lan-user
add action=masquerade chain=srcnat out-interface=ether2-p2p
add action=masquerade chain=srcnat out-interface=ether1-wan
# The fifteen dst-nat rules below are five groups of three that differ only
# in to-addresses. The matchers (protocol, dst-port, src-port) repeat from
# group to group, so only the first group can ever match; the remaining
# twelve rules are never reached.
# None of the rules has dst-address, src-address or in-interface, so they
# also apply to packets arriving on ether1-wan: any sender using these ports
# gets its destination rewritten. Scope each rule (in-interface=ether3-lan
# and a dst-address per subnet) if NAT is kept at all.
# src-port is chosen by the sender, so matching on it is a weak restriction.
# NOTE(review): src-port=8194-8395 is wider than the listed dst-port sets -
# confirm the range is intended.
# NOTE(review): to-addresses is normally a single address or a range;
# subnet-to-subnet mapping is what action=netmap is for - confirm what a
# prefix does here.
add action=dst-nat chain=dstnat dst-port=48129-48137 protocol=udp src-port=48129-48137 to-addresses=xxx.xxx.xxx.0/24
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=8194-8395 to-addresses=xxx.xxx.xxx.0/24
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=48152-65535 to-addresses=xxx.xxx.xxx.0/24
add action=dst-nat chain=dstnat dst-port=48129-48137 protocol=udp src-port=48129-48137 to-addresses=xxx.xxx.xxx.0/24
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=8194-8395 to-addresses=xxx.xxx.xxx.0/24
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=48152-65535 to-addresses=xxx.xxx.xxx.0/24
add action=dst-nat chain=dstnat dst-port=48129-48137 protocol=udp src-port=48129-48137 to-addresses=xxx.xxx.xxx.0/23
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=8194-8395 to-addresses=xxx.xxx.xxx.0/23
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=48152-65535 to-addresses=xxx.xxx.xxx.0/23
add action=dst-nat chain=dstnat dst-port=48129-48137 protocol=udp src-port=48129-48137 to-addresses=xxx.xxx.xxx.0/21
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=8194-8395 to-addresses=xxx.xxx.xxx.0/21
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=48152-65535 to-addresses=xxx.xxx.xxx.0/21
add action=dst-nat chain=dstnat dst-port=48129-48137 protocol=udp src-port=48129-48137 to-addresses=xxx.xxx.xxx.0/16
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=8194-8395 to-addresses=xxx.xxx.xxx.0/16
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=48152-65535 to-addresses=xxx.xxx.xxx.0/16
Thank you