I am sorry, this will be something basic, I am sure. I have some experience with nftables (via iptables, but still), and almost none with mikrotik. Fantastic machines!
Anyhow, I have a weird setup that has worked so far.
I have a hAP ac3 which connects to the internet through a bridged GPON device (i.e. the hAP gets the fixed, public IP address). hAP handles all the configuration in the network, VLANs etc.
A second router, a hEX (RB750Gr3), connects through ether1 into ether3 of the hAP. The hEX is configured as a bridge, where all interfaces can access the internet. DHCP servers are disabled on the hEX, and ether1 on the hEX gets a fixed IP from the hAP (.88.2). Clients connected to the hEX get all connection information from the hAP. There are only 4 devices connected to the hEX (1 PC (.88.33), a server (.88.5), a NAS (.88.6) and a network printer (.88.7)).
The role of the hEX used to be filled by a gigabit switch. I created a bridge in the hEX by disabling the DHCP server, assigning an address to the default bridge and adding ether1 to the bridge. The rest is the default configuration that came with the router, including firewall rules.
The network "looks" like this:

internet <--> (184..) hAP (.88.1)
  |--> (.88.2) hEX
         |--> PC (.88.33)
         |--> NAS (.88.6)
         |--> server (.88.5)
         |--> printer (.88.7)
I want to take advantage of the additional capabilities provided by the hEX. In particular, I want to isolate the NAS from the internet, while still allowing all devices in the local network to access it. I think the best way to do it would be through firewall rules.
So, I added a rule to the forward chain, dropping all packages destined for outside the LAN from the IP of the NAS (i.e. .88.6 to !LAN). I have ssh'd into the NAS to ping google, but nothing gets dropped, nothing gets logged. I have tried several variations of this rule, to no avail. This works from the hAP, just not from the hEX.
So far, the only thing I have not yet tried is to disable hardware offloading, but I am hesitant to do this as it makes no sense. Am I missing something?
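For reference, an added example of how the NAS egress block described in the post could be expressed on the hEX in RouterOS. This is not from the original post or from MikroTik's documentation; it assumes the 192.168.88.0/24 LAN prefix, that the hEX's default bridge is named "bridge", and that the NAS hangs off ether3 of the hEX (all placeholders). The point it demonstrates is that frames moving between two ports of the same bridge are switched, not routed, so a rule in the IP forward chain only sees them once the bridge is told to pass traffic to the IP firewall, and only for frames the CPU actually handles.

```routeros
# Assumed: LAN is 192.168.88.0/24, the NAS is 192.168.88.6, the hEX bridge is
# named "bridge" with ether1 (uplink to the hAP) as a member, and the NAS is
# on ether3. Adjust to match the real setup.

# Bridged traffic never enters /ip firewall filter by default. This setting
# hands bridged IP frames to the IP firewall so chain=forward rules can match.
/interface bridge settings set use-ip-firewall=yes

# Define the local network once so the rule can negate it (dst-address-list=!LAN).
/ip firewall address-list add list=LAN address=192.168.88.0/24 comment="local subnet (assumed prefix)"

# Drop anything from the NAS whose destination is outside the LAN. Log it so
# /log print shows whether the rule fires at all; place it at the top so the
# default accept rules cannot shadow it.
/ip firewall filter add chain=forward src-address=192.168.88.6 dst-address-list=!LAN \
    action=drop log=yes log-prefix="nas-egress" place-before=0 comment="NAS: LAN only"

# Verify: the rule's packet counter and the log should grow while the NAS pings
# an external address, while PC <-> NAS traffic inside the LAN is unaffected.
/ip firewall filter print stats where comment="NAS: LAN only"
/log print where message~"nas-egress"

# Ports with the H flag in this output are switched in hardware and bypass the
# CPU, so neither this rule nor /interface bridge filter sees their frames.
# If the NAS port shows H and the counter stays at zero, disable offloading
# for that one port: /interface bridge port set [find interface=ether3] hw=no
/interface bridge port print
```

The counters are the useful check here: a rule that never matches shows 0 packets under `print stats` regardless of what the log says, which separates "rule is wrong" from "traffic never reaches the firewall".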