Accessing internal resources from an isolated subnet?
The situation is as follows:
1. Equipment: Mikrotik
2. Main network: 10.10.10.0/24 gtw: 10.10.10.1
3. Backbone network: 10.10.22.0/24 gtw: 10.10.22.1
4. There is a web service in the main subnet at the address 10.10.10.10, to which access must be provided from the guest subnet through the external address 192.168.100.2.
5. The guest network has access to the global network. Guest network is isolated from the main network: ip route rule add src-address=10.10.22.0/24 dst-address=10.10.10.0/24 action=unreachable
6. Added dst-nat rule: ip firewall nat add chain=dstnat dst-address=192.168.100.2 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.10
7. Added src-nat rule: ip firewall nat add chain=srcnat src-address=10.10.22.0/24 out-interface=bridge_10.10.10.0 action=src-nat to-addresses=10.10.10.1
8. As a result, no packets pass from subnet 10.10.22.0/24 to host 10.10.10.10. When the routing rule is disabled, the packets pass through; a dump on host 10.10.10.10 shows the src. address as 10.10.10.1. That is, both dst-nat and src-nat are applied.
It is necessary to provide access to this web service from the guest subnet through an external IP address. The guest network must be isolated without exception.
Look at the packet flow diagram.
First you have a packet from 10.10.22.x to 192.168.100.2.
Then dst-nat is applied and the packet becomes from 10.10.22.x to 10.10.10.10.
Then it gets into forward, and there it should hit your rule with unreachable.
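The order of operations described in the answer above, as an added example that is not part of the original post and is not RouterOS code: a simplified Python model of the three rules from the question, applied in the order dst-nat, routing decision, src-nat. The function names, the sample guest host 10.10.22.5, and matching out-interface=bridge_10.10.10.0 by destination subnet are assumptions.

```python
from ipaddress import ip_address, ip_network

GUEST = ip_network("10.10.22.0/24")   # guest subnet from the question
MAIN = ip_network("10.10.10.0/24")    # main subnet from the question

def dst_nat(pkt):
    """Item 6: tcp/80 to 192.168.100.2 is rewritten to 10.10.10.10."""
    if (pkt["dst"], pkt["proto"], pkt["dport"]) == ("192.168.100.2", "tcp", 80):
        return {**pkt, "dst": "10.10.10.10"}
    return pkt

def route_rule_hits(pkt):
    """Item 5: src in guest subnet and dst in main subnet -> unreachable."""
    return ip_address(pkt["src"]) in GUEST and ip_address(pkt["dst"]) in MAIN

def src_nat(pkt):
    """Item 7: guest sources leaving towards the main bridge become 10.10.10.1.
    Assumption: 'out-interface=bridge_10.10.10.0' is modelled as dst in MAIN."""
    if ip_address(pkt["src"]) in GUEST and ip_address(pkt["dst"]) in MAIN:
        return {**pkt, "src": "10.10.10.1"}
    return pkt

def traverse(pkt, isolation_enabled=True):
    """Return (verdict, packet) after dst-nat -> routing decision -> src-nat."""
    pkt = dst_nat(pkt)                       # destination is rewritten first
    if isolation_enabled and route_rule_hits(pkt):
        return "unreachable", pkt            # rule sees the translated dst
    return "delivered", src_nat(pkt)         # src-nat only on the way out

# Constructed sample packet: a guest host opening the external address.
SAMPLE = {"src": "10.10.22.5", "dst": "192.168.100.2", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    for enabled in (True, False):
        verdict, out = traverse(SAMPLE, isolation_enabled=enabled)
        print(f"route rule enabled={enabled}: {verdict} {out['src']} -> {out['dst']}")
```

With the rule enabled the model reproduces the drop from item 8; with it disabled the packet arrives with source 10.10.10.1, matching the dump on 10.10.10.10.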