Block client internet access, but allow local access.

Hi! I’m trying to block a device at home from accessing the internet, without blocking it locally.
I’ve tried these lines, but somehow it doesn’t block all the traffic.

add action=drop chain=forward comment="Block PS3" out-interface=ether1-gateway src-address=192.168.88.210


Any ideas?

//Johan

That rule will work 100% if the src-address is correct and the out-interface is correct (not using ppp) and if you do NOT use webproxy… and if there are no allow rules above this one.

Sorry. It did work. My bad.
(Thank god I asked though. I recently reset my router and didn’t back it up, and was looking for clues about my old conf.)

Any idea?

About what?
A simple firewall rule solved this issue easily.

IP address of the device you wish to block.
Firewall chain forward, src-address = the device’s IP, action = drop.

Anything beyond the switch level would get dumped.

Silly things to consider:
Did you make the PS3 into a static lease in the DHCP server? If not, then the PS3 might get a different IP address from time to time. (go into the dhcp server > leases tab, double-click the entry for the PS3, and there is a “make static” button)

Assuming that the IP address is right, then the most likely issue is that there’s another rule earlier in your filter’s forward chain that allows the traffic.

The order of the rules is important. The Mikrotik starts at the top of the list and goes rule by rule until the first match, at which point the packet will follow the action of that rule and no more rules will be checked.

If you have a rule that says to accept out-interface=ether1-gateway and it comes before your ‘block the PS3’ rule, then move the block rule just before the accept rule. Don’t worry about any fasttrack rule or rule which says to allow “connection-state=established,related” because whenever the PS3 tries to go on the internet, each connection it tries to make will be state=new on the first packet and these rules won’t match.

Do you need to block input and output too?

Well, if you want the foolproof solution…
a. put the IP on its own VLAN or bridge or separate ethernet subnet (disables any connectivity at layer 2)
b. allow the VLAN/bridge/ethernet subnet to and from the home subnet (use the firewall to allow connectivity at layer 3, but only internally)
c. DONE.

c. assumes drop all else at end of forward chain.
Firewall Filter Forward Rules
standard fasttrack
standard accept established related
standard drop invalid
standard ipsec
+++++++++ All the flow you WANT TO ALLOW ++++++++++
drop all else

++++++++++++ examples of flow you wish to allow ++++++++++

home LAN to WAN
home LAN to special subnet for problem devices/people :wink:
special subnet to home LAN
allow port forwarding if required (WAN to home lan)

+++++++++++++++++++++++++++++++++++++++++++++++++

The other method keeps layer 2 connectivity between all LAN IPs (keep existing LAN structure no changes required)
Create a firewall address list ‘bannedWAN’ (a source address list) of the IP or multiple IPs that you wish to block from the internet.
The key here, as noted, is that you are relying upon that IP not changing, so it has to be statically assigned.

In this case above the LAN to WAN rule could be modified or you could make two rules.

One rule option
add action=accept chain=forward in-interface-list=LAN src-address-list=!bannedWAN out-interface-list=WAN

Two rule option (ORDER IS IMPORTANT)
add action=drop chain=forward in-interface-list=LAN src-address-list=bannedWAN out-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
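The forward chain described in the post above, written out as a complete RouterOS script (an added example, not the poster’s own config). It assumes the LAN bridge is named `bridge`, the WAN port is `ether1-gateway`, the device to keep off the internet is 192.168.88.210 with a static DHCP lease (as in the original question), and the interface list names LAN/WAN and the `bannedWAN` address list are chosen here; `vlan-special` in the commented lines is a hypothetical interface for the separate-subnet method.

```routeros
# Added example: the forward chain layout from the post above, using the
# "two rule option" with a bannedWAN address list. Interface and list names
# are assumptions, not from the thread.

/interface list
add name=WAN comment="internet-facing interfaces"
add name=LAN comment="home subnet interfaces"
/interface list member
add interface=ether1-gateway list=WAN
add interface=bridge list=LAN

/ip firewall address-list
add list=bannedWAN address=192.168.88.210 comment="PS3 - no internet (static lease)"

/ip firewall filter
# standard top-of-chain rules (same order as the post)
add chain=forward action=fasttrack-connection connection-state=established,related comment="standard fasttrack"
add chain=forward action=accept connection-state=established,related comment="standard accept established,related"
add chain=forward action=drop connection-state=invalid comment="standard drop invalid"
add chain=forward action=accept ipsec-policy=in,ipsec comment="standard ipsec in"
add chain=forward action=accept ipsec-policy=out,ipsec comment="standard ipsec out"

# +++ flows you WANT TO ALLOW +++
# ORDER IS IMPORTANT: the bannedWAN drop must sit before the LAN->WAN accept,
# otherwise the accept matches first and the ban never triggers.
add chain=forward action=drop in-interface-list=LAN src-address-list=bannedWAN out-interface-list=WAN comment="banned hosts cannot reach WAN"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="home LAN to WAN"
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat comment="port forwarding (WAN to home LAN), if required"

# if you also use the separate-subnet method (a./b. above), allow it to and
# from the home LAN here; vlan-special is a hypothetical interface name:
# add chain=forward action=accept in-interface-list=LAN out-interface=vlan-special comment="home LAN to special subnet"
# add chain=forward action=accept in-interface=vlan-special out-interface-list=LAN comment="special subnet to home LAN"

# c. assumes drop all else at the end of the forward chain
add chain=forward action=drop comment="drop all else"
```

Hosts on the same subnet as the banned device still reach it directly because that traffic is switched at layer 2 and never enters the forward chain; only routed (inter-subnet and WAN) traffic is filtered here.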

Hello,
This rule (post#6) is working fine for me, even though I’ve put it last.
However, it is working only for locally connected machines.
How do I block an IP that is connected to another router, which is connected to this MikroTik?
The second router is for wireless access with LAN network 192.168.1.0/24.
I would like to block only one user from this network, address is static.
Thanks a lot in advance!

Edit: added reference post 6

By MAC address?

Well, the device to be blocked is connected to another router, in chain with Mikrotik. So the device MAC address is not known to Mikrotik, I believe.