Sabbir404
just joined
Topic Author
Posts: 3
Joined: Thu Mar 14, 2024 4:24 pm

Separate filter rule for separate port

Thu Mar 14, 2024 4:27 pm

How can I create a separate filter rule for a separate port? I want to create a separate filter rule so that the users on other ports cannot access this individual port.
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Separate filter rule for separate port

Thu Mar 14, 2024 5:14 pm

Simplest way I think:
Firewall rule, forwarding chain, drop all with connection state = new towards that out-interface.
Place rule before first accept rule on forward chain.

Make sure you still have another way to get to that device connected on that port or you will lock yourself out.
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Separate filter rule for separate port

Thu Mar 14, 2024 5:31 pm

Without understanding how your rules are currently setup, it would be presumptive to come up with any solution as it would be guessing.
One should realize that rules are integrated and can affect other rules and thus the flow of traffic.
Others waste all our time by such frivolous attempts and quite frankly I am getting tired of it.
Get the facts.

Please post your config
/export file=anynameyouwish (minus router serial number, any public WAN IPs, keys, long DHCP lease lists, etc.)

Thanks for your patience.
 
Sabbir404
just joined
Topic Author
Posts: 3
Joined: Thu Mar 14, 2024 4:24 pm

Re: Separate filter rule for separate port

Fri Mar 15, 2024 6:33 am

Without understanding how your rules are currently setup, it would be presumptive to come up with any solution as it would be guessing.
One should realize that rules are integrated and can affect other rules and thus the flow of traffic.
Others waste all our time by such frivolous attempts and quite frankly I am getting tired of it.
Get the facts.

Please post your config
/export file=anynameyouwish (minus router serial number, any public WAN IPs, keys, long DHCP lease lists, etc.)

Thanks for your patience.
Here is the configuration file.
 
Sabbir404
just joined
Topic Author
Posts: 3
Joined: Thu Mar 14, 2024 4:24 pm

Re: Separate filter rule for separate port

Fri Mar 15, 2024 6:38 am

Simplest way I think:
Firewall rule, forwarding chain, drop all with connection state = new towards that out-interface.
Place rule before first accept rule on forward chain.

Make sure you still have another way to get to that device connected on that port or you will lock yourself out.
I already have a filter rule that allows only specific users to reach ports 2 and 3, so I want another rule that does not allow the users to access port 4. I want to create a guest network using a single port so that existing users cannot connect to port 4.
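As an added example (not code from this thread), the forward-chain drop rule holvoetn describes, applied to the port-4 guest scenario above. It assumes the guest port is ether4, taken out of the LAN bridge (named "bridge" in the config) and given its own subnet, because traffic between ports of one bridge is switched at layer 2 and never reaches the IP firewall's forward chain unless the bridge has use-ip-firewall=yes.

```routeros
# Added example for the thread above, not from the original posts.
# Assumptions (constructed): guest port = ether4, LAN bridge = "bridge",
# guest subnet 192.168.40.0/24. A DHCP server for the guest subnet is omitted.

# 1. Take ether4 out of the LAN bridge and address it separately, so that
#    LAN <-> ether4 traffic is routed and therefore passes the forward chain.
/interface bridge port
remove [find interface=ether4]
/ip address
add address=192.168.40.1/24 interface=ether4 comment="guest segment"

# 2. Drop new connections from the LAN bridge toward the guest port.
#    Only connection-state=new is dropped, so replies to connections the
#    guest side is allowed to open are unaffected. place-before puts the rule
#    above the first accept rule in the forward chain, as holvoetn suggests.
/ip firewall filter
add chain=forward action=drop connection-state=new \
    in-interface=bridge out-interface=ether4 \
    comment="guest: LAN may not open connections to ether4" \
    place-before=([find chain=forward action=accept]->0)

# 3. Guest isolation in the other direction as well: guests may reach the
#    Internet but may not open connections toward the LAN bridge.
add chain=forward action=drop connection-state=new \
    in-interface=ether4 out-interface=bridge \
    comment="guest: ether4 may not open connections to LAN" \
    place-before=([find chain=forward action=accept]->0)

# 4. Verify ordering: both drop rules must print above the first forward
#    accept rule. Access to the router itself is governed by the input chain,
#    not by these rules, but LAN hosts can no longer reach whatever sits on
#    ether4, which is the lock-out holvoetn warns about.
/ip firewall filter print where chain=forward
```

If the forward chain has no accept rule yet, the find in place-before returns nothing and the add fails; add the rules without place-before in that case and check the order with the print.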
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Separate filter rule for separate port

Fri Mar 15, 2024 3:24 pm

(1) I am not a queue user, but there must be an easier way to do queues than what your config shows... It would seem like you manually attributed queues on a per-IP basis??

(2) Set this to none, as this setting has been known to cause weird issues and is not really needed.
/interface detect-internet
set detect-interface-list=all

(3) You should include both bridges on LAN interface list.
/interface list member
add interface=pppoe-out1 list=WAN
add comment=defconf interface=bridge list=LAN
add interface=camera_device_bridge list=LAN

(4) Not sure what you are trying to do, but all I see is futile attempts to block YouTube and Facebook, which should all be removed as it's impossible to block them using MT routers successfully. You need a router that can do DPI $$$ and then pay for the DPI subscriptions, more $$$. Firewall rules are for L3 traffic, so attempting MAC-address-based rules makes little sense.
Better if you explain what traffic you need, and then configure the design appropriately. It very well may be that you are better with separate vlans to handle different use cases.
I highly suspect this is the case, and besides, it would be more efficient to use ONE bridge and separate vlans for the camera network and other networks...

(5) There is need to think of sourcenat rules as routing or firewall rules. Only one rule is required.

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

(6) Provide a network diagram of what you wish to accomplish along with clearer requirements for users/devices and needed traffic flow.
Then we can come up with firewall rules that make sense...
