Open WAN tunnels from inside local.mesh

Hi Old Men.
We have (here in Scandicci FI JN53OS) a hill-top repeater station rack with VHF and UHF FM repeaters. We plan to make UHF repeater a C4FM or DSTAR repeater using a RPi as gateway. The repeater station have a AREDN node (MikroTik RouterBOARD SXT 5HPnD SXT 5 High Power) called IQ5BL-VALICAIA connected to another one  called IZ5FSA-5-140 connected D2D to my hAP WAN capable node called IZ5FSA-HOME.

I have to connect the RPi gateway to the local node IQ5BL-VALICAIA and "route" all external link (for C4FM/DSTAR internet gateway location) thru the local.mesh to reach the WAN capable node. I don't want to use "Allow MESH nodes to use my WAN" because:
1) I don't know well how it works;
2) I hope the AREDN local.mesh will be used from other people/stations and I don't want to share Internet access to every node connected to my local.mesh.

So I need to setup local firewall rules in IQ5BL-VALICAIA node and in IZ5FSA-HOME also... but how???? The standard port forwarding setup node page seems not to be usable for this purpose and every "personalized setup" must be well documented and saved to be restored after a firmware upgrade.

I haven't found a specific topic in the forum... but I'm not a "professional topic hunter"!!!

73 de Leo IZ5FSA