I have a client and he has two services with me. One is Internet Access and the other is data between 4 offices. For internet access he uses public IPs and for data between offices he will use private IPs I would like to block the private IPs of that client from internet access. How would I do that.

Make an address-list containing the IPs of clients not permitted internet access, then drop packets from those clients out the WAN interface.
Edit: this is assuming that there's an interface for internet only. If you have a setup where some of those clients are behind the WAN interface, this won't work. If that's the case, post details of your network layout.

Make an address-list containing the IPs of clients not permitted internet access, then drop packets from those clients out the WAN interface.

Code: Select all

/ip firewall access-list
add list=no_internet address=10.2.0.0/24
add list=no_internet address=10.3.0.0/24
/ip firewall filter
add chain=forward out-interface=[name of WAN interface] src-address-list=no_internet action=drop

Edit: this is assuming that there's an interface for internet only. If you have a setup where some of those clients are behind the WAN interface, this won't work. If that's the case, post details of your network layout.

Thank you fewi!!!

I have an RB1000 as border router and eth1 is dedicated to my dragonwave radio and it only has the IP that my internet access providor gave me. If you need more info please let me know. I will now try the example you just posted!!

Thank you fewi, it worked perfect!!!