I have an existing network, 192.168.0.0, and added a Mikrotik 750gr3 by plugging the WAN into the existing LAN. This creates a new network 192.168.88.0. When connected to the Mikrotik LAN, I can still access the parent devices on 192.168.0.0. How do I restrict the Mikrotik to not access or be accessible from the parent/192.168.0.0 network? I just want the Mikrotik to go to the internet but not talk to the other network.
I know this is a ridiculously NOOB question…thanks for the help.
Hish
Out to in will be no problem.
Default firewall will block that already.
In to out:
Add a drop firewall rule in forward chain for 192.168.0.0/24 BUT FIRST put in accept for the 192.168.0.x address which is the gateway.
Move those 2 rules (accept before drop !!) above the first drop rule in forward chain.
If you put drop before accept, you cannot get out at all anymore.
Does this also mean that I can add additional accept rules for any device IP on the network I want to enable access to? Let’s say I want people to be able to send jobs to a network printer?
Thanks again!
The network comes in from the ISP via a cable modem. A main router (10.1.1.x) is connected to the modem that feeds computers, printers and a Mikrotik router (192.168.88.1) that feeds Wifi APs. I’m trying to give folks wifi access to the internet, while not allowing access to other network resources except for printers.
So, I want those connecting to the wifi APs to be able to surf the web and print but nothing else.
My question is: can this be accomplished using the method above and adding the individual printer IPs to a firewall accept rule above the deny rule?
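An added example, not from this thread, of how the advice above (accept the upstream gateway and the printers, then drop the rest of the upstream subnet, both placed above the first drop in the forward chain) looks in RouterOS CLI on the hEX. It assumes the default firewall with its LAN interface list, ether1 as the WAN port, the 192.168.0.0/24 upstream network from the first post, and placeholder addresses for the gateway (192.168.0.1) and a printer (192.168.0.50).

```routeros
# Addresses on the upstream network that wifi/LAN clients may still reach.
# Both addresses are placeholders; replace them with the real gateway and printer IPs.
/ip firewall address-list
add list=upstream-allowed address=192.168.0.1 comment="upstream gateway (placeholder)"
add list=upstream-allowed address=192.168.0.50 comment="network printer (placeholder)"

# Forward-chain rules. Order matters: the accept must sit before the drop,
# and both go above the first existing drop rule in the forward chain,
# which is what place-before does (picks the first forward-chain drop).
/ip firewall filter
add chain=forward action=accept in-interface-list=LAN out-interface=ether1 \
    dst-address-list=upstream-allowed \
    comment="LAN -> upstream gateway and printers only" \
    place-before=[:pick [find chain=forward action=drop] 0]
add chain=forward action=drop in-interface-list=LAN out-interface=ether1 \
    dst-address=192.168.0.0/24 \
    comment="LAN -> rest of upstream network blocked" \
    place-before=[:pick [find chain=forward action=drop] 0]

# Check the resulting order; the accept must be listed before the drop.
/ip firewall filter print where chain=forward
```

Internet-bound traffic is unaffected because its destination is outside 192.168.0.0/24 and never matches the drop rule; the gateway accept also covers clients that point DNS at the upstream router directly. The upstream side stays blocked by the default "drop all from WAN not DSTNATed" rule, as the first reply notes.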
Just to be clear, the upstream router belongs to the house owners and the hex belongs to you, a tenant, and they don't have any wifi but would like to use your wifi??
Now yes you can setup your hex router as a router (double nat) and thus have your own subnets/vlans
You can provide guest vlans that they can use and which you will assign to specific SSIDs, and their traffic will go straight out your router to their router and to the internet but won't be able to talk to your other vlans/subnets, so that's not an issue.
The users on their router will not be able to directly access your vlans/subnets going through your router, so that concern is removed.
HOWEVER, ALL your traffic is interceptable as soon as it leaves your router as it will no longer be in a vlan.
Thus if you are concerned about someone looking at your traffic you have no protection once it leaves your router. I don't know how this is done but they can easily read where you are going and perhaps contents as well (not a hacker so don't know). The only thing not viewable is probably anything HTTPS etc… Which these days is most internet traffic.
Not sure about emails… Is google mail encrypted for example???
The only way around this, and to ensure full privacy, is to VPN out of your router for all WAN traffic. Wireguard to a VPS is one option, or to another friend's MT router that can host Wireguard.