Block access from one network to another but allow certain ports

Hi guys,
I need some expert advice.

I’d like to use an RB750r2 / hEX for the following:

I have a fritzbox as my main router.
It allows a guest network (192.168.178.x) which I have IoT devices on so they can’t communicate with my home network (192.168.50.x)

I’d like for the home network to be able to fully access the guest network but not the other way around with one caveat, I’d like 2 cameras on this guest network to access only one server (192.168.50.5) on the home network only on specific ports (ftp 21, rtsp 554, http 80, rtmp 1935 and onvif 8000) so I can save recordings from the cameras to ftp and also allow live streaming through home assistant on this server.

Currently, the fritzbox is connected to the WAN port on the RB750r2 which is in bridge mode so the RB750r2 is getting an IP of 192.168.178.3, I have the 2 cameras connected to ports ETH2 and ETH3 and these are also receiving DHCP addresses from the fritzbox of 192.168.178.4 and 192.168.178.5 and I will have the home network connected to ETH5.

What’s the best way to achieve what I’d like to do?

Thank you!

Hello.

Add Address List named “Cameras” with 192.168.178.4 and 192.168.178.5 in the firewall.
NOTE: These addresses should be static or reserved for them.
Add firewall rule drop in the forward chain, src. address 192.168.178.0/24, dst. address 192.168.50.0/24.
Above this rule add another one - accept in forward chain, src. address list “Cameras”, dst. address 192.168.50.5, protocol TCP or UDP, port: list of the ports.
NOTE: I’m not sure on which protocol these ports are running, you have to check it on the internet (or maybe someone else knows), maybe you will need two rules like this, one for TCP and one for UDP. You can also add rule accept in forward chain, src. address list “Cameras”, dst. address 192.168.50.5, but this way you fully open communication between cameras and server.
EDIT: Above all these rules you have to add a rule for returning traffic - accept, conn. state established and related. It’s a default MT rule, but it has to be above the drop rule.

Thank you for that.

I’m very new to MT and RouterOS so still have a lot to learn.

Could you give me the exact commands for the rules etc.?
I can then edit these with the static IPs that I set for the cameras.

Will then try this over the weekend.

As I’m using Winbox, I don’t have commands in my head :slight_smile:
I can write it for you, sure, but cannot promise I will do it before the weekend :sunglasses:

No problem.

Whenever you have the time :slight_smile:

In RouterOS 7.6 and based on the provided information:

# address list for the two cameras (use static or reserved IPs)
ip/firewall/address-list/add address=192.168.178.4 list=Cameras
ip/firewall/address-list/add address=192.168.178.5 list=Cameras
# return traffic of already accepted connections, must stay above the drop rule
ip/firewall/filter/add action=accept chain=forward connection-state=established,related
# cameras -> server 192.168.50.5 only, on the requested TCP ports
ip/firewall/filter/add action=accept chain=forward src-address-list=Cameras dst-address=192.168.50.5 protocol=tcp dst-port=21,80,554,1935,8000
# same for UDP 8000, in case the onvif port is also used over UDP
ip/firewall/filter/add action=accept chain=forward src-address-list=Cameras dst-address=192.168.50.5 protocol=udp dst-port=8000
# everything else from the guest network to the home network is dropped
ip/firewall/filter/add action=drop chain=forward src-address=192.168.178.0/24 dst-address=192.168.50.0/24

It adds rules at the bottom of the firewall so if you have something which blocks these connections somewhere above - it won’t work until it is moved higher.
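To make the ordering point concrete, here is an added Python model (not code from the thread) of the forward chain the first reply described: first match wins, the server is limited to 192.168.50.5, and a packet matching no rule is passed, which is RouterOS behaviour when the chain has no final drop. The sample packets and addresses are constructed for the example.

```python
import ipaddress

# Constructed model of the forward chain from this thread, top to bottom.
RULES = [
    {"action": "accept", "conn_state": {"established", "related"}},
    {"action": "accept", "src_list": "Cameras", "dst": "192.168.50.5/32",
     "proto": "tcp", "dports": {21, 80, 554, 1935, 8000}},
    {"action": "accept", "src_list": "Cameras", "dst": "192.168.50.5/32",
     "proto": "udp", "dports": {8000}},
    {"action": "drop", "src": "192.168.178.0/24", "dst": "192.168.50.0/24"},
]
ADDRESS_LISTS = {"Cameras": {"192.168.178.4", "192.168.178.5"}}


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule, pkt):
    # Every matcher present on the rule must hold, like RouterOS filter rules.
    if "conn_state" in rule and pkt["state"] not in rule["conn_state"]:
        return False
    if "src_list" in rule and pkt["src"] not in ADDRESS_LISTS[rule["src_list"]]:
        return False
    if "src" in rule and not in_net(pkt["src"], rule["src"]):
        return False
    if "dst" in rule and not in_net(pkt["dst"], rule["dst"]):
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "dports" in rule and pkt["dport"] not in rule["dports"]:
        return False
    return True


def forward(pkt, rules=RULES):
    # First matching rule decides; no match means the packet is passed.
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"


def pkt(src, dst, proto="tcp", dport=0, state="new"):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "state": state}
```

Reordering the list so the drop rule comes first shows why a pre-existing drop higher in the chain defeats the camera rule.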

I got these rules in place today, thank you for posting the commands.

So on the fritzbox, LAN ports 1,2 and 3 are in the home network with 192.168.50.0/24 and LAN port 4 is the guest network with 192.168.179.0/24. These ports give out DHCP addresses in their respective ranges.
LAN port 1 is connected to ETH1/Internet port on the Mikrotik. LAN port 4 is connected to ETH5 on the Mikrotik and I have 2 cameras also connected to ETH2 and ETH3 respectively.
The mikrotik is in bridge mode so ETH1,2 and 3 have a 192.168.178.xxx IP address. ETH5 seems to get a home network IP (192.168.50.xxx) but looks to be fighting between getting an IP from both the guest and home network DHCP servers.

Can I stop the mikrotik from assigning a 192.168.178.xxx IP from the guest network to ETH5 and instead configure ETH5 to route traffic to the home network (192.168.50.xxx)?
What I mean by that is, will the cameras on ETH2 and ETH3 (configured with static IPs) be able to contact (with the rules in place for TCP port 21) the ftp server I have on my home network on fritzbox LAN port 2 through => ETH5.
Maybe ETH5 needs to be set with a static IP from the home network instead but I’m not sure.
I hope I’m explaining that correctly! Apologies, it’s late here and it’s been a long day :confused:

I didn’t read it carefully, especially the… first sentence… “I have a fritzbox as my main router.” is very important, I just gave you bad advice. The firewall rules should be in that box, not in Mikrotik.
Is there (or would be) something from your main network connected to Mikrotik?
If not the correct and easiest setup should be:
Lan 1 port is connected to ETH1 (the guest network - you kinda mixed in your posts so I don’t know what port is what).
Cameras to ETH2 and ETH3.
No firewall rules, no masquerade, no DHCP server (on Mikrotik), these 3 ports in bridge.
One extra static route 0.0.0.0/0 pointing to your main router (or ETH1 interface).
That’s it on Mikrotik + firewall rules on fritzbox.

In this kind of setup the second router is unnecessary, a cheap, “stupid” switch will do the work and no extra configuration would be needed.