MikroTik

Okay lets see if I have this right.

A. Guest Network
i. wifi camera is in guest network
ii. neighbours are also on guest network so they can view the cameras
iii. guest network only has access to the internet

B. Home Network.
i. has access to the internet only
ii You wish to access the wifi camera for viewing or setup etc..........

This is dirt simple
Firewall filter Forward Chain rule,
Allow your IP(sourceip) access to destinationIP(WIFI camera).

Thats it in general concepts. However without posting your config here its only a concept.
How to best do this or to do it safely depends on how your router is configured.

Please post it............
/export hide-sensitive file=yourconfig

..., i thought that my question was clear.

Ok, so the idea is to have guest LAN. But not the usual boring one which is completely separated (independent interface or bridge with own subnet). Rather make it part of main LAN bridge, let it use the same DHCP server and everything. Except it should be separate, so let's cut if off with bridge filters. Yep, it's creative.

My suggestion is to switch normal guest LAN. Make another bridge, put wlan3 and wlan4 there, give it own IP subnet and DHCP server, use IP firewall to manage access. It's simple and manageable. Or is there any reason for what you have now that I'm missing?

If you'd like to keep what you have, you'd need some exception from current bridge filters. You'd need to allow access between wlan3/4 and device(s) in main LAN. It should work too, but you'd need to allow more stuff, because bridge filters are stateless and don't see connections as IP firewall does. So you'd need to allow arp first, then traffic from guest to device(s) and also traffic from device(s) to guests.

Other possible solution could be bridge's use-ip-firewall option, but I'd avoid it, that thing is strange.

Hey

* don't use wpa, it's broken

To do what you want you need to have the notion of connection tracking: allow connection from lan to guest (and related responses, so conn tracking needed) but don't allow connections (new) from guest to lan.

Bridge firewall doesn't have that capability. You could try "use-ip-firewall" (which will further burden the cpu)... BUT


Why not isolate guest to different ip range, then it becomes much more straight-forward: guest = "dmz", allow outbound to dmz, not inbound. -> simple firewall config?

Ok i'll take a look at that, but i think i foud a solution, with the Hairpin Nat i can access the camera on the port 88 !

Great minds ... (Selfish, yes )

Ok i'll take a look at that, but i think i foud a solution, with the Hairpin Nat i can access the camera on the port 88 !

That will do the trick too but only for one destination?
Getting a bit complex ?

Yes, even dstnat & haipin is possible. It will allow traffic from wlan3/4 to main LAN, which is not possible with your bridge filters, but the trick is that it's routing and not bridging. Again a little unusual for this, so it didn't even occur to me to suggest it. But hey, if it works for you, why not. It just shows how many options RouterOS offers.