OK, this is how I made it work:
1) Allow MS and MR IP and Deny everything as layer 3 policy on firewall
2) Configure MR to be in bridge mode
3) Create a group policy and in that add a layer 3 firewall policy to allow any any
4) Apply the group on a specific device
5) Wait 5 min and it works.