Hello
Is there any way to block communication between connected networks via routing (not from the firewall filter)?
For example, network 192.168.10.0/24 on eth3 and 192.168.20.0/24 on eth4.
Thank you
Your question is very confusing; ROUTING, L3, and the forward filter are really one and the same.
So the way to block subnets talking is by preventing the router from attempting to route the packets between them and this is done by the forward filter chain.
Perhaps you are thinking of blocking them at layer 2, so they don't just communicate without the router's knowledge. I believe the easy way to do this (for sob, mkx, solar77 etc..) is by putting one of the subnets on a bridge and the other not. (of course one could always use vlans LOL)
Thank you anav.
I don’t see why the question is confusing. Two networks on two interfaces should not communicate with each other. Anyway, I found how to do it. Instead of:
/ip firewall filter
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=drop
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=drop
I used:
/ip route rule
add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=drop
That is tres kewl, eel, I would not have thought of doing it that way.
Hopefully someone smarter than I (most posters) can discuss the pros and cons of both methods (good teaching point)!
Honest opinion, do it in firewall rules rather than your route rule. The reason is that one of these days, you are going to want to allow something to get between LANs. For example you may want that one PC on one network to be able to communicate with one device on the other network. Much easier to poke a hole in the firewall to allow those two devices to communicate than re-write your routing table.
As for your statement that
Two networks on two interfaces should not communicate with each other
Routing between networks is what a router is supposed to do. Firewall rules are there to allow or disallow that communication. Different manufacturers (and their firmware) do some things differently, but in Mikrotik routers, everything is allowed unless specifically disallowed. The way most of us handle that is to specifically allow what you want, and then at the end of the forward chain, add this rule:
add action=drop chain=forward comment=\
"Drop any forward packets that get this far"
That way, only the stuff you have specifically allowed will be routed - everything else will get dropped. The advantage is that if you forget to drop some particular packet (or don’t realize that you need to), the drop-everything rule will kill everything except what YOU have specifically allowed. Missed stuff gets dropped rather than allowed. I have a similar rule at the end of the input chain as well.
@k6ccc
What you quoted me was more a continuation of my first post, rather than a statement. I know networks are connected by the router. But reading it now I understand the confusion, English not being my first language.
I had heard of a way to block networks via routes, so I was more experimenting with it for the purpose of learning how to. For example, how to forward one public IP belonging to one router to another device sitting on another router, but doing it via routes instead of NAT and firewall. Also, doing it via route I believe should be faster, although not as flexible.
Thank you both for the input.
But I think this is not enough yet. You also need this:
add src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=drop
Especially with UDP which is connectionless…
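An added example, not posted by anyone in this thread, that puts the two approaches side by side: the route-rule method needs one rule per direction, as the last reply points out, while the forward-chain method with a final drop is the default-deny layout k6ccc describes. The interfaces eth3/eth4 and the two /24 subnets come from the original question; the host addresses 192.168.10.50 and 192.168.20.10 are constructed placeholders.

```routeros
# Added example (not from any poster in this thread): the same isolation
# expressed both ways, so the two approaches can be compared directly.
# eth3/eth4 and the /24s are from the question; the single hosts below are
# constructed placeholders.

# --- Option A: route rules (eel's method), written per direction.
# A route rule matches only on src/dst address, so one rule blocks just one
# half of every conversation; the reply path needs its own rule (this is the
# point the last reply makes, and it matters most for connectionless UDP).
/ip route rule
add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=drop \
    comment="LAN10 -> LAN20"
add src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=drop \
    comment="LAN20 -> LAN10"

# --- Option B: forward-chain filter (k6ccc's method), default-deny at the end.
# Connection tracking lets one accept rule cover the reply direction, and a
# later exception is one extra rule rather than a change to the routing table.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="Replies to already-permitted connections"
add chain=forward connection-state=invalid action=drop \
    comment="Packets that belong to no tracked connection"
# Exception: one workstation on eth3 may reach one device on eth4 (placeholders).
add chain=forward src-address=192.168.10.50 dst-address=192.168.20.10 \
    in-interface=eth3 out-interface=eth4 action=accept \
    comment="Single permitted host pair"
# Any other traffic that should still be forwarded (for example LAN to WAN)
# must be accepted above the final drop, otherwise it is dropped too.
add chain=forward action=drop comment="Drop any forward packets that get this far"
```

With Option B the exception rule must sit above the final drop, and the established/related accept above the exception, or replies to the permitted pair are never let through.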