Block internet access on specific physical port

Hello,

I recently got myself a MikroTik router, but it's a bit too advanced for me, so I'm here asking if you know how to do this. What I want to do is block a port on the router (one of the physical ports) from accessing the internet. Let's say port 4 as an example. So anything I plug into port 4 would get LAN access but would be unable to access the internet. Would that be possible?

Regards,
Syptic

You can try this

/ip firewall filter add action=drop chain=forward dst-port=80,443 in-interface=ether4 protocol=tcp

Hmm but that will only block http/https access right? So all other ports would be open to the internet? Basically you would not be able to surf using a browser but things like SMTP/FTP/Torrents and other things not requiring port 80/443 would still work?

  • Remove dst-port and protocol and then it SHOULD work regardless of traffic type, but …
  • If port 4 is part of the hardware switch (has a master interface set), then this rule will not work, as this port (eth4) is treated as the master interface. It inherits the master's MAC. You can see that if you plug a cable into such a port, its LED switches on and the LED of the master interface is also on, even if the master interface has no cable connected.
  • You need to remove that port from the switch and bridge it with the LAN ports. Look at this; it should explain what a bridge is and what a switch is in the world of MikroTik: https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features
  • If you manage to bridge your eth4 with the rest of the LAN ports, then you can use gustavomam's rule, as eth4 will be recognizable as a separate interface.
  • Having eth4 bridged, you can take advantage of bridge firewalling, which is similar to the "normal" one but works on the bridge level, so the bridge is self-firewalled then. https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge

I will read the links and give it a go tonight when I get home. Thanks for the help!

If you want to block other programs, and not just the typical internet browser ports (80/443), you should add the other ports, or permit all traffic in forward from your LAN ports and ether4 and then block all the traffic between ether4 and the internet port (this is the more drastic solution, but it'll work).

You can block communication to the WAN interface; for example, if your WAN interface is ether1, then:

/ip firewall filter add chain=forward action=drop in-interface=ether4 out-interface=ether1

Or you can block traffic to anything other than your LAN network; for example, if your LAN network is 192.168.0.0/24, then:

/ip firewall filter add chain=forward action=drop in-interface=ether4 dst-address=!192.168.0.0/24

No, I can't ('chain=forward' added):
[screenshot: Untitled1.png]

Same, no, I can't ('chain=forward' added):
[screenshot: Untitled.png]

Earlier in the thread, it was explained that you must un-slave interfaces such as ether4 that you’ve posted screenshots about.

Furthermore, you will need to add ether4 to the LAN bridge, and then enable “use IP firewall” on the bridge.

Interface ether4: Master port → none?

Add ether4 to the main LAN bridge1? Or do I need to create another one, like bridge2? Do I need to add other interfaces to bridge2, like ether2, ether3, ether5? Thanks.

Yes on the master=none…

If you want ether4 to be in the same network as the rest of the LAN, then yes, add it to the same bridge.

If you want ether4 to be a completely different network, then you don’t need to add it to any bridge. Just un-slave it and then put an IP address onto the interface and configure DHCP, etc.

Yes, I want ether4 to be in the same network as ether2, ether3, ether5.
[screenshot: 1.png]
But after adding the un-slaved ether4 to bridge1, ether4 becomes slave! And the rule does not work :(
[screenshot: 2.png]
[screenshot: 3.png]
'Use IP Firewall' on bridge1 → enabled.

Okay - so this means that even using IP firewall for the bridge won’t allow you to filter on a specific bridge port.
It’s correct for the interface to become slave when you add to a bridge. Slave means that the interface cannot be used directly as an IP interface because it’s acting as a component of some other feature - bridging in this case.

Anyway, you can achieve your goal with a layer 2 bridge filter as mentioned earlier in the thread.

/interface bridge filter
add action=drop chain=forward in-bridge=bridge1 in-interface=ether4
add action=drop chain=forward in-bridge=bridge1 out-interface=ether4

This will cause the bridge not to forward any traffic to/from the interface ether4. Traffic to/from the Internet will not go into the bridge forward filter, but the bridge input / output filters.

One thing to note - if you want to make a bridge which has ALL interfaces isolated from each other but not the Internet, then you can do this easily using the split horizon feature - go into each bridge port and set horizon=1. All ports on the same horizon cannot communicate with each other, but they can communicate with all other ports. So if you want NO “east/west” communication, but ONLY “north/south” then adding all ports to the same horizon is easier than making a set of filter rules for every interface - and probably runs faster too.

/interface bridge filter print

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=forward action=drop in-interface=ether4 in-bridge=bridge1 log=no log-prefix="" 

 1   chain=forward action=drop in-bridge=bridge1 out-interface=ether4 log=no log-prefix=""

Devices connected to physical port ether4 still have internet access.

I use the default RouterBOARD 750UP r2 (hEX PoE Lite) configuration. All I want and need is that a device connected to physical port ether4 has full local network access but is unable to access the internet through any protocol (http(s), ssh, telnet, unknown or proprietary protocols, etc.). No more or less. Is this possible?

Oh wait - I got it backwards. You want LAN<>LAN but no Internet. Whoops.

Delete the forward chain filter rules and use these rules instead:
action=drop chain=input in-bridge=bridge1 in-interface=ether4 mac-protocol=ip dst-address=!192.168.0.0/24
action=drop chain=output out-bridge=bridge1 out-interface=ether4 mac-protocol=ip src-address=!192.168.0.0/24

or you could use a slightly more sophisticated mechanism that won’t need to be changed if you ever re-number your LAN.

/interface bridge filter
add chain=input action=mark-packet new-packet-mark=nointernet in-bridge=bridge1 in-interface=ether4

/ip firewall filter
add action=drop chain=forward packet-mark=nointernet out-interface=MyWanInterface
.. place this rule immediately after your first few “accept established,related” type rules.

You really don’t have to worry too much about blocking packets going the other way because if the LAN host(s) on ether4 cannot send anything to the internet, then the Internet won’t have any reply packets to send your way.

.. or maybe use the "in-bridge-port=" matcher in the previous zerobyte configuration schema (std forward filter)?

I did something similar to ZeroByte, but used a mangle rule; tested and it worked 100%.

/ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 8   chain=forward action=mark-connection new-connection-mark=DropWLanInternet passthrough=no out-interface=ether1 in-bridge-port=wlan1 log=no log-prefix=""

/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 1   chain=forward action=drop connection-mark=DropWLanInternet log=no log-prefix=""
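The whole procedure from this thread (un-slave ether4, bridge it, tag its traffic at the bridge, drop the tagged traffic on the way to WAN) as one added RouterOS CLI sequence, not posted by anyone in the thread. It assumes a pre-6.41 RouterOS (master-port still exists), bridge1 as the LAN bridge, ether1 as the WAN uplink and a 192.168.0.0/24 LAN; the rule index in the move step is a placeholder.

```routeros
# Added example: isolate ether4 from the internet while keeping full LAN access.
# Assumptions (not from the thread): bridge1 = LAN bridge, ether1 = WAN, LAN = 192.168.0.0/24.

# 1. Take ether4 out of the hardware switch group so it becomes a separate L2 port.
/interface ethernet set ether4 master-port=none

# 2. Make it a member of the LAN bridge (it will show as "slave" of bridge1, which is expected).
/interface bridge port add bridge=bridge1 interface=ether4

# 3. Let the IP firewall see bridged traffic, as recommended above (required for in-bridge-port matchers).
/interface bridge settings set use-ip-firewall=yes

# 4. Tag every frame that enters the router itself (bridge "input" chain) from ether4.
#    Frames forwarded LAN<->LAN never pass this chain, so local access is untouched.
/interface bridge filter add chain=input in-bridge=bridge1 in-interface=ether4 action=mark-packet new-packet-mark=nointernet comment="tag ether4 ingress"

# 5. Drop tagged packets that would be routed out of the WAN port. Logging lets you confirm
#    the rule is matching instead of guessing from the client side.
/ip firewall filter add chain=forward packet-mark=nointernet out-interface=ether1 action=drop log=yes log-prefix="ether4-noinet" comment="ether4: no internet"

# 6. The drop must sit after the "accept established,related" rules but before any broad
#    "accept from LAN" rule, otherwise it never matches. Print the chain, note the index of
#    the first accept rule that would admit ether4 traffic, and move the drop in front of it
#    ("3" below is a placeholder index, not a value from the thread).
/ip firewall filter print where chain=forward
/ip firewall filter move [find comment="ether4: no internet"] 3

# 7. Verify: the rule counters should climb while a client on ether4 tries to reach the
#    internet, and the log should show the dropped packets. LAN pings must still succeed.
/ip firewall filter print stats where comment="ether4: no internet"
/log print where message~"ether4-noinet"
```

Replies from the internet are never generated if the outbound packets are dropped, which is why no matching rule is needed in the opposite direction.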