Block access lan to wan

Hello, I have an RB1100AHx4 Dude Edition.
I have the WAN port: 192.168.1.1
I have the LAN port: 10.0.0.1

How do I disable access to IPs from the LAN to the WAN?
Example: I'm connected on the LAN; if I type 192.168.1.1 in the browser it brings me to the WAN, and I want this not to happen!

please help me

The exact and useless answer to your question is

/ip firewall filter add chain=input action=drop src-address=10.0.0.0/24 dst-address=192.168.1.1 place-before=1

(the /24 may not be correct as you haven’t stated the network mask of your LAN subnet).

But I think you actually want to do something else because it doesn’t matter whether you connect to 192.168.1.1 or to 10.0.0.1 from a device in 10.0.0.0/m, the web interface of the Mikrotik responds at all own addresses of the Mikrotik.

So what do you really want to obtain? To protect the Mikrotik itself from access to management interfaces from unauthorized sources, to protect anything in 192.168.x.y/z from being accessed from 10.0.0.0/m, or both?

(remember - the best companies do not deliver what the customer asks for but what he actually wants).

I want computers connected to the LAN network to not have access to the wan network

Not to have access only to the WAN subnet of the Mikrotik, or also to anywhere else than the LAN, including the internet? Do you want to protect the Mikrotik from them or not? Brevity is golden, but not when you express what you actually want :)

I want computers connected to the LAN network not to have access to computers on the WAN network, only to the internet.

/ip firewall filter add chain=forward action=drop src-address=10.0.0.0/X dst-address=192.168.1.0/Y place-before=1

Set X and Y properly, i.e. the same as they are set at Mikrotik’s own addresses 10.0.0.1 and 192.168.1.1. If you want to block access to Mikrotik’s own configuration interfaces, you’d have to add more rules, to chain “input”.

OK thanks, I'll try and let you know.

I tried, but from the LAN network I can still access the devices on the WAN network; this must not happen.

So the rule is not where it should be. Paste here the result of “/export hide-sensitive”.

The “hide-sensitive” prevents any passwords from being exported.

If there are any public IP addresses you want to anonymize, replace each of them systematically with the same a.b.c.d pattern (different pattern for each individual address) using Ctrl-H in a text editor.

I want to block WAN access for the PPPoE clients.

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether5 ] name=ether5-PPPOE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add hotspot-address=10.182.0.1 html-directory=hotspot1 login-by=http-chap,trial \
    name=hpMYWIFI1 trial-uptime-limit=2m trial-uptime-reset=1m use-radius=yes
/ip hotspot user profile
set [ find default=yes ] keepalive-timeout=1h shared-users=unlimited
/ip pool
add name=hs-pool-MYWIFI1 ranges=10.0.0.1-10.0.0.254
add name=ppp-MYWIFI-Expired ranges=10.64.0.100-10.64.254.254
add name=ppp-MYWIFI ranges=10.128.0.100-10.128.254.254
/ip dhcp-server
add address-pool=ppp-MYWIFI disabled=no interface=ether5-PPPOE name=server1
/ip hotspot
add address-pool=hs-pool-MYWIFI1 disabled=no idle-timeout=none interface=ether3 \
    name=MYWIFI1 profile=hpMYWIFI1
/ppp profile
add comment=MYWIFI dns-server=8.8.8.8 local-address=10.0.0.1 name=\
    MYWIFI-Profile on-up="if ([:pick \$\"remote-address\" 0 6]=\"10.64.\") do {\
    \r\
    \n/ip proxy access\r\
    \nremove [find src-address=\"\$\"remote-address\"\"]\r\
    \nadd action=deny redirect-to=\"cp.mywifiservice.com/login/pppko\\?nasid=20\
    576&login=\$\"user\"&ip=\$\"remote-address\"&mac=\$\"caller-id\"\" src-addre\
    ss=\"\$\"remote-address\"\"\r\
    \n}" remote-address=ppp-MYWIFI
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/tool user-manager profile
add name="nuovo utente 1 minut" name-for-users="" override-shared-users=off \
    owner=admin price=0 starts-at=now validity=1m
add name="ricarica 1 mese" name-for-users="" override-shared-users=1 owner=\
    admin price=0 starts-at=now validity=4w2d
add name="nuovo 1mese" name-for-users="" override-shared-users=1 owner=admin \
    price=15 starts-at=now validity=4w2d
/tool user-manager profile limitation
add address-list="" download-limit=10485760B group-name="" ip-pool="" name=10MB \
    owner=admin transfer-limit=0B upload-limit=1048576B uptime-limit=0s
/interface pppoe-server server
add authentication=pap default-profile=MYWIFI-Profile disabled=no interface=\
    ether5-PPPOE max-mru=1488 max-mtu=1488 mrru=1600 one-session-per-host=yes \
    service-name=Service-MyWiFi
/ip address
add address=10.182.0.1/16 comment=MYWIFI interface=ether3 network=10.182.0.0
add address=10.0.0.1/24 interface=ether5-PPPOE network=10.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN
/ip dhcp-server network
add address=10.182.0.0/16 comment=MYWIFI dns-server=8.8.8.8 gateway=10.182.0.1
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=213.199.136.20 list=DontProxy
/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=\
    10.0.0.0/24
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=reject chain=forward comment=MYWIFI dst-port=!80,8080 protocol=tcp \
    reject-with=icmp-network-unreachable src-address=10.64.0.0/16 \
    src-address-list=!tempLogin
/ip firewall mangle
add action=add-dst-to-address-list address-list=tempLogin address-list-timeout=\
    3m chain=forward comment=MYWIFI content=\
    4ffga95Hm8afki12657dNASPlafs4by5220576 dst-address=10.64.0.0/16 protocol=\
    tcp src-port=80
add action=add-src-to-address-list address-list=ipToDisconnect chain=forward \
    comment=MYWIFI content=dummyforpppipdisconnect dst-port=80 protocol=tcp \
    src-address=10.64.0.0/16
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=masquerade chain=srcnat comment=MYWIFI src-address=10.182.0.0/16
add action=redirect chain=dstnat comment=MYWIFI dst-address-list=!DontProxy \
    dst-port=80 protocol=tcp src-address=10.64.0.0/16 src-address-list=\
    !tempLogin to-ports=8080
add action=masquerade chain=srcnat comment=MYWIFI src-address=10.64.0.0/16
add action=masquerade chain=srcnat comment=MYWIFI src-address=10.128.0.0/16
add action=masquerade chain=srcnat out-interface=all-ethernet
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add comment="place hotspot rules here" disabled=yes
add comment=MYWIFI dst-host=*.mywifiservice.com server=MYWIFI1
/ip hotspot walled-garden ip
add action=accept comment=MYWIFI disabled=no dst-address=213.199.136.20 server=\
    MYWIFI1
/ip proxy
set enabled=yes max-cache-size=none
/ip proxy access
add action=deny redirect-to="cp.mywifiservice.com/login/pppko\?nasid=20576&login\
    =wiritaly02&ip=10.64.254.253&mac=78:8A:20:34:25:48" src-address=\
    10.64.254.253
add action=deny redirect-to="cp.mywifiservice.com/login/pppko\?nasid=20576&login\
    =wiritaly02&ip=10.64.254.254&mac=78:8A:20:34:25:48" src-address=\
    10.64.254.254
add action=deny redirect-to="cp.mywifiservice.com/login/pppko\?nasid=20576&login\
    =wiritaly02&ip=10.64.0.100&mac=F8:A9:63:4E:C6:98" src-address=10.64.0.100
/ip service
set www port=8088
/ppp aaa
set interim-update=10m use-radius=yes
/radius
add address=213.199.136.20 comment=MYWIFI service=ppp,hotspot timeout=3s
/radius incoming
set accept=yes port=3779
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=20576
/system ntp client
set enabled=yes primary-ntp=83.162.149.224 secondary-ntp=5.79.108.34
/system routerboard settings
set silent-boot=no
/system scheduler
add interval=30m name=UpdateRadiusServer on-event=\
    "/system script run RadiusServer" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=2m name=UpdateAlive on-event="/system script run Alive" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=30m name=UpdateCaptivePortalIP on-event=\
    "/system script run CaptivePortalIP" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add name=RunAliveBoot on-event="/system script run Alive" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=5s name=UpdateCPUmonitor on-event="/system script run CPUmonitor" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=15s name=checkPaymentCompleted on-event=\
    "/system script run PaymentCompleted" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=30m name=UpdateDontProxyList on-event=\
    "/system script run DontProxyList" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add name=RadiusServer owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":lo\
    cal radiusname \"radius1.mywifiservice.com\" \r\
    \n:local newradiusip [:resolve \$\"radiusname\"]\r\
    \n:local currentradiusip [/radius get [find comment=\"MYWIFI\"] address]\r\
    \n:if (\$\"currentradiusip\" != \$\"newradiusip\") do={ /radius set [find co\
    mment=\"MYWIFI\"] address=\$\"newradiusip\"}"
add name=CaptivePortalIP owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":lo\
    cal cpname \"cp.mywifiservice.com\"\
    \n:local newcpip [:resolve \$\"cpname\"]\r\
    \n:local currentcpip [/ip hotspot walled-garden ip get [find comment=\"MYWIF\
    I\"] dst-address]\r\
    \n:if (\$\"currentcpip\" != \$\"newcpip\") do={ /ip hotspot walled-garden ip\
    \_set [find comment=\"MYWIFI\"] dst-address=\$\"newcpip\"}"
add name=CPUmonitor owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":lo\
    cal maxsamples 20 \r\
    \n:global cpuarray \r\
    \n:set cpuarray ([/system resource get cpu-load] , [:pick \$cpuarray 0 (\$ma\
    xsamples - 1)]) \r\
    \n:local arraytot 0 \r\
    \n:foreach o in=\$cpuarray do={:set arraytot (\$arraytot + \$o)}; \r\
    \n:local arraysize [:len \$cpuarray] \r\
    \n:global avgcpuload (\$arraytot / \$arraysize)"
add name=Alive owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":lo\
    cal bootPar \r\
    \n:global avgcpuload \r\
    \n:global alivecounter \r\
    \n:if (\$alivecounter>0) do={ :set bootPar \"\"} else={ :set bootPar \"-b\";\
    \_:delay 10 } \r\
    \n:set alivecounter (\$alivecounter+1) \r\
    \n:local nproc [/system resource get cpu-count] \r\
    \n:local model [/system resource get board-name] \r\
    \n:local memtot [/system resource get total-memory] \r\
    \n:local mac [/interface get [/interface find default-name=ether1] mac-addre\
    ss] \r\
    \n:local memfree [/system resource get free-memory] \r\
    \n:local hsusers [:len [/ip hotspot active find]] \r\
    \n:local hsips [:len [/ip hotspot host find]] \r\
    \n:local pppusers [:len [/ppp active find [:pick \$address 0 6]=\"10.128\"]]\
    \_\r\
    \n:local pppips [:len [/ppp active find]] \r\
    \n:local upbytes [/interface get ether3 rx-byte] \r\
    \n:local dwnbytes [/interface get ether3 tx-byte] \r\
    \n:local url \"http://app.mywifiservice.com/script/alive/20576\?par=\$bootPa\
    r&mac=\$mac&nproc=\$nproc&memtot=\$memtot&model=\$model&cpuload=\$avgcpuload\
    &memfree=\$memfree&users=\$(\$hsusers+\$pppusers)&ips=\$(\$hsips+\$pppips)&d\
    wnbytes=\$dwnbytes&upbytes=\$upbytes\" \r\
    \n:local encurl \"\" \r\
    \n:for i from=0 to=([:len \$url] - 1) do={ :local char [:pick \$url \$i]; :i\
    f (\$char = \" \") do={ :set \$char \"%20\" }; :if (\$char = \"-\") do={ :se\
    t \$char \"%2D\" }; :set \$encurl (\$encurl . \$char) } \r\
    \n:if ([:len [/file find name=aliveres.rsc]] > 0) do={ /file remove aliveres\
    .rsc } \r\
    \n/tool fetch keep-result=yes dst-path=aliveres.rsc mode=http url=\"\$encurl\
    \";/import aliveres.rsc"
add name=PaymentCompleted owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":fo\
    reach i in=[/ip firewall address-list find list=ipToDisconnect] do={\r\
    \n :local iptd [/ip firewall address-list get \$i address]\r\
    \n /ppp active remove [find address=\$iptd]\r\
    \n /ip firewall address-list remove [find address=\$iptd]\r\
    \n}"
add name=DontProxyList owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip\
    \_firewall address\r\
    \n remove [find list=DontProxy]\r\
    \n add address=[:resolve cp.mywifiservice.com] list=DontProxy\r\
    \n"
/tool user-manager database
set db-path=user-manager
/tool user-manager profile profile-limitation
add from-time=0s limitation=10MB till-time=23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=10MB till-time=23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=10MB profile="nuovo 1mese" till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=10.0.0.250 log=\
    auth-ok,auth-fail,acct-ok,acct-fail name=pppoe-server shared-secret=123456 \
    use-coa=yes

Have you tried to access 192.168.1.1 or some other address in 192.168.1.0/24? Because the rule in chain “forward” does not handle Mikrotik’s own addresses, and because I cannot see anything wrong - the PPPoE clients get addresses from

/ip pool
add name=hs-pool-MYWIFI1 ranges=10.0.0.1-10.0.0.254

and the rule is where it should be and matches the addresses it should match:
/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=10.0.0.0/24

What do “/ip dhcp-client print” and “/ip address print” say?

I noticed that I can access the WAN only if I connect via PPPoE.

[admin@20576] > /ip dhcp-client print
Flags: X - disabled, I - invalid, D - dynamic
     INTERFACE     USE-PEER-DNS  ADD-DEFAULT-ROUTE  STATUS  AD
 0   ether1-WAN    yes           yes                bound   19
[admin@20576] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
     ADDRESS          NETWORK          INTERFACE
 0   ;;; MYWIFI
     10.182.0.1/16    10.182.0.0       ether3
 1   10.0.0.1/24      10.0.0.0         ether5-PPPOE
 2 D 192.168.1.2/24   192.168.1.0      ether1-WAN
 3 D 10.0.0.1/32      10.128.254.254

If 10.128.254.254 is the address from which you can access WAN, it is no surprise because it doesn’t fit to the firewall rule which matches on 10.0.0.0/24.

Change the src-address in the rule to 10.0.0.0/8 and all the 10.whatever addresses won’t be able to access 192.168.1.0/24, with the exception of 192.168.1.2, which is Mikrotik’s own address, so the rule won’t even be checked for it.

I’ve got lost in your pool names all including MYWIFI and missed that the pool actually used for PPPoE clients doesn’t match 10.0.0.0/24.
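The thread turns on two facts about how the filter is evaluated: a packet addressed to one of the router's own addresses goes through chain input, not forward, and a src-address of 10.0.0.0/24 never matches a PPPoE client that was handed 10.128.254.254. The following is an added toy model of first-match filtering written for this page; it is not MikroTik code and not code from anyone in the thread. The router addresses, the two forward rules and the port 8088 web service come from the export and print output above; the chain-selection model, the input rule protecting the router's WAN address 192.168.1.2, the function names and the sample flows are assumptions made for the illustration.

```python
"""Toy model of RouterOS-style chain selection and first-match rule evaluation.

Added illustration for this thread only (not MikroTik's code, not the OP's):
shows why the exported /24 rule left PPPoE clients unfiltered, why a /8
rule catches them, and why traffic to the router's own address needs an
input-chain rule instead.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The router's own addresses, as shown by "/ip address print" in the thread.
ROUTER_OWN_ADDRESSES = {
    ip_address("10.182.0.1"),
    ip_address("10.0.0.1"),
    ip_address("192.168.1.2"),
}


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str                 # "accept" or "drop"
    src: str = "0.0.0.0/0"      # src-address match, CIDR
    dst: str = "0.0.0.0/0"      # dst-address match, CIDR

    def matches(self, src, dst):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def select_chain(dst, own_addresses=ROUTER_OWN_ADDRESSES):
    """Packets addressed to the router itself are handled by chain 'input';
    packets the router merely routes between interfaces go to 'forward'."""
    return "input" if ip_address(dst) in own_addresses else "forward"


def verdict(rules, src, dst):
    """First matching rule in the selected chain decides. With no match the
    packet is accepted, which is what a chain without a final drop does."""
    chain = select_chain(dst)
    for rule in rules:
        if rule.chain == chain and rule.matches(src, dst):
            return chain, rule.action
    return chain, "accept"


# The rule exactly as the OP exported it: only the ether5 interface subnet.
ORIGINAL_RULES = [Rule("forward", "drop", src="10.0.0.0/24", dst="192.168.1.0/24")]

# The fix suggested at the end of the thread: every 10.x source, which
# includes the 10.128.x.x PPPoE pool the client actually received.
FIXED_RULES = [Rule("forward", "drop", src="10.0.0.0/8", dst="192.168.1.0/24")]

# Assumed extension: also protect the router's own WAN address (192.168.1.2 as
# printed above) from 10.x sources. That traffic never reaches chain forward,
# so it needs an input rule, as the earlier reply in the thread points out.
WITH_INPUT_RULE = FIXED_RULES + [
    Rule("input", "drop", src="10.0.0.0/8", dst="192.168.1.2"),
]

# Constructed sample flows: (source, destination, what the flow represents).
FLOWS = [
    ("10.0.0.50", "192.168.1.100", "ether5 host -> device on WAN subnet"),
    ("10.128.254.254", "192.168.1.100", "PPPoE client -> device on WAN subnet"),
    ("10.128.254.254", "192.168.1.2", "PPPoE client -> router's own WAN address"),
    ("10.128.254.254", "8.8.8.8", "PPPoE client -> internet"),
]


def evaluate(rules):
    """Return {(src, dst): (chain, action)} for every constructed flow."""
    return {(src, dst): verdict(rules, src, dst) for src, dst, _ in FLOWS}


if __name__ == "__main__":
    for name, rules in (("original /24 rule", ORIGINAL_RULES),
                        ("fixed /8 rule", FIXED_RULES),
                        ("fixed /8 rule + input rule", WITH_INPUT_RULE)):
        print(f"--- {name} ---")
        for src, dst, label in FLOWS:
            chain, action = verdict(rules, src, dst)
            print(f"{label:42} {src:>15} -> {dst:<15} chain={chain:7} {action}")
```

Running it shows the thread's diagnosis in one table: with the /24 rule the PPPoE client's traffic to 192.168.1.100 is accepted because 10.128.254.254 is outside 10.0.0.0/24; with /8 it is dropped, while the client's internet traffic still passes; and traffic to 192.168.1.2 is only affected by the input rule, never by either forward rule.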