Hello. I would like to block the access from an external IP to one of my customers, which is connected by PPPoE. I have tried to add a rule in ip firewall with the IP to block and with action Drop, but it is not working.
Does anyone know how to do it?
Best regards
What chain were you using? The rule should look like this:
/ip firewall filter
add chain=forward src-address=(the IP you are trying to block) action=drop
If that doesn't work then you will need to post the specifics of your configuration.
Hello
I was using the same as you. I tried it again and it keeps allowing the connection.
Hello, here is the IP config:
[admin@MikroTik] > ip
[admin@MikroTik] /ip> export
feb/14/2014 10:54:41 by RouterOS 6.1
software id = 7KS5-5A7G
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] pfs-group=none
/ip neighbor discovery
set ether1 comment="WAN (50Mbps/50Mbps)" discover=no
set ether3 comment="ANTENAS TORRE ARMILLA"
set ether5 comment=";;;CONEXION ARMILLA;;;;"
/ip pool
add name=dhcp_pool1 ranges=154.47.132.1-154.47.132.28
add name=vpn-pool ranges=10.100.1.200-10.100.1.205
/ip address
add address=192.168.88.1/24 comment=administracion interface=ether2 network=192.168.88.0
add address=148.12.104.5/24 comment=c interface=ether1 network=149.11.144.0
add address=10.100.1.1/24 comment="link parapanda" interface=ether3 network=10.100.1.0
add address=10.100.3.1/24 comment="link Armilla" interface=ether5 network=10.100.3.0
/ip arp
add address=10.100.1.95 interface=ether1 mac-address=9C:8E:99:08:E7:A1
/ip dns
set allow-remote-requests=yes servers=66.28.0.45,66.28.0.61
/ip firewall address-list
add list=permitidasParaAccesoARouter
add list=permitidasParaAccesoARouter
/ip settings
set tcp-syncookies=yes
/ip firewall filter
add chain=forward comment="permite conexiones establecidas" connection-state=established
add chain=forward comment="permite conexiones relacionadas" connection-state=related
add action=drop chain=forward disabled=yes in-interface=ether1 src-address=46.39.197.19
add action=drop chain=input comment="Bloquea Uso de la CCR como proxy DNS a atacantes de Internet." connection-state=new dst-port=53 in-interface=ether1 protocol=udp
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=ether1 new-connection-mark=WAN_con
add action=mark-connection chain=postrouting new-connection-mark=WAN_con out-interface=ether1
add action=mark-packet chain=prerouting connection-mark=WAN_con new-packet-mark=WAN_paq
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
add action=masquerade chain=srcnat disabled=yes out-interface=ether1 src-address=154.47.132.0/27
add action=redirect chain=dstnat comment="todas las solicitudes de DNS al puerto _53 que se hagan externas se redirigen a las dns del mikrotik para ahorrar recursos" in-interface=ether1 protocol=udp src-port=53 to-ports=53
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 nat-traversal=yes secret=test
/ip route
add check-gateway=ping distance=1 gateway=149.11.144.5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
[admin@MikroTik] /ip>
Try two things: first, remove the in-interface, and second, move that rule all the way to the top, and let us know if that works. I would also, very highly, recommend upgrading to at least 6.7 if not 6.10. 6.1 was frequently buggy.
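Why the position of the rule matters, as an added illustration that is not part of the thread: a filter chain is evaluated top to bottom and the first matching enabled rule decides, so a drop rule placed after the `connection-state=established` and `related` accept rules (as in the posted export, where the drop rule is also `disabled=yes`) never sees packets belonging to a session that is already open. The simulator below models that first-match behaviour with rules copied from the posted forward chain and constructed sample packets; the interface name `pppoe-in1` is a hypothetical example and the code is not RouterOS code.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One /ip firewall filter rule; None means 'match any' for that field."""
    action: str                                # "accept" or "drop"
    src_address: Optional[str] = None
    in_interface: Optional[str] = None
    connection_state: Optional[str] = None
    disabled: bool = False

    def matches(self, pkt: Dict[str, str]) -> bool:
        if self.disabled:
            return False                       # disabled rules are skipped entirely
        if self.src_address is not None and pkt["src"] != self.src_address:
            return False
        if self.in_interface is not None and pkt["in_if"] != self.in_interface:
            return False
        if self.connection_state is not None and pkt["state"] != self.connection_state:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Dict[str, str]) -> str:
    """First matching enabled rule wins; with no match the chain accepts."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "accept"


# Rules taken from the posted forward chain
BLOCKED = "46.39.197.19"
ACCEPT_ESTABLISHED = Rule("accept", connection_state="established")
ACCEPT_RELATED = Rule("accept", connection_state="related")
DROP_DISABLED = Rule("drop", src_address=BLOCKED, in_interface="ether1", disabled=True)
DROP_ETHER1 = Rule("drop", src_address=BLOCKED, in_interface="ether1")
DROP_ANY_IF = Rule("drop", src_address=BLOCKED)   # the in-interface matcher removed

# Constructed sample packets (not from the thread); "pppoe-in1" is a hypothetical interface
NEW_PKT = {"src": BLOCKED, "in_if": "ether1", "state": "new"}
ESTABLISHED_PKT = {"src": BLOCKED, "in_if": "ether1", "state": "established"}
OTHER_IF_PKT = {"src": BLOCKED, "in_if": "pppoe-in1", "state": "new"}

SCENARIOS = {
    "as posted (drop disabled, at bottom)": [ACCEPT_ESTABLISHED, ACCEPT_RELATED, DROP_DISABLED],
    "drop enabled, at bottom": [ACCEPT_ESTABLISHED, ACCEPT_RELATED, DROP_ETHER1],
    "drop moved to top": [DROP_ETHER1, ACCEPT_ESTABLISHED, ACCEPT_RELATED],
    "drop on top, no in-interface": [DROP_ANY_IF, ACCEPT_ESTABLISHED, ACCEPT_RELATED],
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for each sample packet under the given rule order."""
    return {
        "new": evaluate(rules, NEW_PKT),
        "established": evaluate(rules, ESTABLISHED_PKT),
        "other_if": evaluate(rules, OTHER_IF_PKT),
    }


if __name__ == "__main__":
    for label, rules in SCENARIOS.items():
        print(f"{label}: {verdicts(rules)}")
```

The second scenario is the one the thread ends up in once the rule is enabled but left at the bottom: a brand-new connection from the address is dropped, but an already established session keeps flowing because the accept rule above it matches first. Moving the drop rule above the connection-state rules stops both, and dropping the `in-interface` matcher also catches the address when it arrives on an interface other than ether1. On the RouterOS CLI the same placement can be done at add time with `place-before=0`.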
Thank you very much, it is working now. I just moved the rule to the top of the grid.
Thank you again.
Awesome, glad I could help