Solved. The issue was the LAN client configuration. The client connected to a Wireguard VPN with AllowedIPs = 0.0.0.0/0, and the routing tables were not updated for 192.168.89.0/24 (WLAN subnet). All packets thus went through the VPN, leading to my mistaken belief that the firewall was misconfigured.
Seriously recommend you modify your firewall rules as follows...
I took the default configuration and extended it with
https://help.mikrotik.com/docs/display/ ... t+Firewall. The proposed modifications to the default look a bit easier to extend, but otherwise equivalent. The NetBIOS rules also block any outgoing traffic from LAN clients forwarded to WAN. I like to have the not_in_internet rules in /ip filter, because unlike /ip route it allows logging.
I say this because it appears to me you copied stuff not knowing what it really does. For example, in your list of bogons you include subnets which cover your own private subnets, so that is a big error in the config!!!
Traffic between clients in the same subnet isn't forwarded:
$ ip route
default via 192.168.88.1 dev eno1 proto dhcp metric 100
169.254.0.0/16 dev eno1 scope link metric 1000
192.168.88.0/24 dev eno1 proto kernel scope link src 192.168.88.254 metric 100
Furthermore, traffic between different subnets configured on the hAP ac3 does not have WAN as destination. The not_in_internet rules then apply to traffic to unknown subnets. Demonstration on the LAN client (now with VPN disabled):
$ traceroute 192.168.89.252 # rejected (matched rule: /ip firewall add action=reject chain=forward in-interface=bridge log=yes out-interface=bridge-ap reject-with=icmp-network-unreachable)
traceroute to 192.168.89.252 (192.168.89.252), 30 hops max, 60 byte packets
1 router.lan (192.168.88.1) 0.927 ms 0.875 ms 0.832 ms
2 router.lan (192.168.88.1) 0.790 ms !N 0.747 ms !N 0.705 ms !N
$ traceroute 192.168.1.1 # dropped (matched rule: /ip firewall add action=drop chain=forward dst-address-list=not_in_internet log=yes out-interface-list=WAN)
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets
1 router.lan (192.168.88.1) 0.932 ms 0.880 ms 0.838 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
One place I noticed this was in programs making requests to 192.168.1.1 (presumably for UPnP), which were subsequently dropped.
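The routing behaviour behind the "solved" post (a Wireguard route for 0.0.0.0/0 shadowing the WLAN subnet until a more specific route is added), as an added example that is not part of the thread. It models the LAN client's `ip route` table above plus an assumed wg0 interface; the Wireguard route is simplified to a lower-metric default route.

```python
import ipaddress

# Constructed model of the LAN client's routing table from the thread:
# the routes shown by `ip route`, plus the route that AllowedIPs = 0.0.0.0/0
# installs. The interface name wg0 is an assumption. wg-quick really uses a
# separate routing table selected by a policy rule; modelling it as a
# lower-metric default route gives the same lookup result here.
# Entries are (prefix, interface, gateway or None, metric).
ROUTES_WITH_VPN = [
    ("0.0.0.0/0", "wg0", None, 50),             # assumed Wireguard route
    ("0.0.0.0/0", "eno1", "192.168.88.1", 100),  # default via router
    ("169.254.0.0/16", "eno1", None, 1000),
    ("192.168.88.0/24", "eno1", None, 100),      # only the LAN subnet is local
]

def lookup(routes, dst):
    """Linux-style route selection: longest prefix wins, then lowest metric.
    Returns (interface, gateway) or None when nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip not in net:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, dev, gw)
    return None if best is None else (best[1], best[2])

def fix_routes(routes, subnet="192.168.89.0/24", gw="192.168.88.1"):
    """Return a table with an explicit route for the WLAN subnet via the
    router, i.e. the change that stops WLAN traffic entering the tunnel."""
    return routes + [(subnet, "eno1", gw, 100)]

if __name__ == "__main__":
    for table, label in ((ROUTES_WITH_VPN, "vpn only"),
                         (fix_routes(ROUTES_WITH_VPN), "with WLAN route")):
        print(label, "192.168.89.252 ->", lookup(table, "192.168.89.252"))
```

With the VPN route alone, 192.168.89.252 resolves to wg0, so the packets the firewall was blamed for never reached the router's bridge at all.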