Blocking local IPs fails

Hello,

I’m trying to make my system more secure. I wanted to block one IP from talking to other devices in the local network. As a first test I tried to block just two IPs:

# NOTE(review): both hosts are in 192.168.88.0/24 and (presumably) sit on ports
# of the same bridge, so their traffic is switched at layer 2 and never enters
# the IP "forward" chain; these two rules therefore have nothing to match, as
# the replies below explain.
/ip firewall filter add  chain=forward action=drop src-address=192.168.88.87 dst-address=192.168.88.86  
/ip firewall filter add  chain=forward action=drop src-address=192.168.88.86 dst-address=192.168.88.87

Still, when executing a ping from 192.168.88.86 to 192.168.88.87 it goes through. Is there any reason the rules do not work? (I tried it in safe mode.)

Here is my full configuration just in case (without the two rules above).

# sep/29/2021 13:05:01 by RouterOS 6.47.10
# software id = RKPD-G2FL
#
# model = RB4011iGS+
# serial number = F0380E36CDBF
#
# Review notes (added): this is the poster's running config minus the two
# forward-chain drop rules from the question. Lines marked NOTE(review) point
# out rules whose action does not match their own "defconf" comment, or
# settings that a later reply in the thread changes.
/interface bridge
add admin-mac=2C:C8:1B:46:39:96 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
# PPPoE credentials were redacted by the poster (user=xxxxxxx@xxx.com).
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=xxxxxxx@xxx.com
/interface ethernet switch port
# NOTE(review): a later reply resets all of these to default-vlan-id=auto.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
# ether2-ether10 and sfp-sfpplus1 are all members of the one bridge, so hosts
# on these ports share a single L2 segment; traffic between them is bridged
# and does not pass through the IP "forward" chain.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
# Neighbor discovery is disabled on every interface.
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
# NOTE(review): the LAN address is bound to ether2, which is itself a bridge
# port, rather than to the bridge; a later reply moves it to interface=bridge.
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip arp
# Static ARP entry for a single host on the bridge.
add address=192.168.88.103 interface=bridge mac-address=3C:78:0E:59:5C:BA
/ip dhcp-client
# defconf DHCP client on ether1; a later reply removes it for a PPPoE-only WAN.
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.111 client-id=1:a0:8c:fd:d8:c:1f mac-address=\
    A0:8C:FD:D8:0C:1F server=defconf
add address=dhcp mac-address=2C:41:78:4F:BB:6D server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# The router answers DNS queries from other hosts. Whether that is reachable
# from the WAN side depends on the input chain below — see NOTE(review) there.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# NOTE(review): comment says "drop invalid" but action=accept.
add action=accept chain=input comment="defconf: drop invalid" \
    connection-state=invalid
# NOTE(review): comment says "accept ICMP" but action=drop, so new ICMP
# (e.g. ping) to the router itself is dropped.
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): comment says "drop all not coming from LAN" but action=accept,
# so this rule accepts input arriving on non-LAN (WAN) interfaces instead of
# dropping it. Presumably the input chain therefore does not shield the router
# from the internet: only the per-service address limits under /ip service
# below restrict www/winbox, and DNS (allow-remote-requests=yes) looks
# reachable from the WAN. Confirm from outside and restore action=drop.
add action=accept chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
# NOTE(review): comment says "accept out ipsec policy" but action=drop. No
# IPsec is configured in this export, so this is probably inert — confirm.
add action=drop chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttrack and the established/related/untracked accept come first; only
# new connections reach the rules after them.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# New connections from WAN are dropped unless a dst-nat rule matched them.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# NOTE(review): "protocol=" selects an IP protocol; "rdp" is IP protocol 27
# (Reliable Data Protocol), not Remote Desktop over TCP/3389 — confirm. The
# dst-nat'ed remote desktop traffic already passes the rule above (it is not
# "!dstnat") and the chain's implicit accept, so this rule likely matches
# nothing.
add action=accept chain=forward dst-address=192.168.88.102 protocol=rdp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Port forward: WAN tcp/774 -> 192.168.88.102:3389.
# NOTE(review): src-port="" is an empty matcher; a later reply clears it.
add action=dst-nat chain=dstnat dst-port=774 in-interface=pppoe-out1 \
    protocol=tcp src-port="" to-addresses=192.168.88.102 to-ports=3389
# NOTE(review): the next two dst-nat rules have no in-interface, so they match
# tcp/776 and tcp/775 arriving on any interface, including the LAN — confirm
# that this is intended.
add action=dst-nat chain=dstnat dst-port=776 protocol=tcp to-addresses=\
    192.168.88.102 to-ports=776
add action=dst-nat chain=dstnat dst-port=775 protocol=tcp to-addresses=\
    192.168.88.249 to-ports=5601
# Masquerade everything from these two hosts regardless of out-interface;
# presumably a hairpin-NAT attempt for the forwards above — confirm. As
# written it also rewrites the source of any of their traffic that is routed
# through the router toward the LAN.
add action=masquerade chain=srcnat src-address=192.168.88.102
add action=masquerade chain=srcnat src-address=192.168.88.249
# Port forward: WAN udp/774 -> 192.168.88.102:3389.
add action=dst-nat chain=dstnat dst-port=774 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.88.102 to-ports=3389
# Three disabled tcp/443 forwards to 192.168.88.87; the first two are exact
# duplicates of each other.
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.88.87 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.88.87 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.88.87 to-ports=444
/ip firewall service-port
# Connection-tracking helpers for ftp/tftp/sip are disabled.
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip service
# Management: telnet/ftp/ssh/api/api-ssl disabled; plain-HTTP www and winbox
# limited to the LAN subnet by address. Given the input chain above accepts
# non-LAN traffic, these address limits are presumably what keeps management
# off the WAN — verify from outside.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet disabled on all interfaces; MAC-winbox allowed only from LAN.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks for any hint!

Such firewall rules are not going to work within one network.
You need to split your network e.g. by having different network on some physical ports, or using VLANs.
Then you can move some device(s) to the other network and use such rules to filter the traffic.
E.g. on a 4011 it makes sense to have a separate network on ports 1-5 and 6-10.

Both IPs are in same IP subnet, so basically they’ll try to talk to each other directly, without involving their gateway.

If traffic between the two devices is forced to pass through the router (i.e. they are connected to different ports of your MikroTik), then you can do something using bridge filters … and make sure at least one of the involved ports is exempt from HW offload.

Got it! Thanks a lot for the clarification. Is there some easy rule in my case?
So basically the device I want to block has the IP 192.168.88.87 and is on ether port 6. I already tried to set up VLANs, but I’m kind of new to MikroTik and networking, so somehow it didn’t work.

PS: Basically, forbidding some ether ports from talking to other ether ports would be ideal.

When you have no other switch connected, or the particular device is not on another switch, you can do it without VLANs.
You can either make a new network for that port and use a firewall rule as you did, or use switch/bridge tricks like a bridge filter or port isolation.

Or go into the settings of one of the two devices and block the other device in its own firewall, without making all traffic go through the router CPU just to apply some rules…

Having a good network map/diagram will help you plan and state clear requirements.
If you have enough ports (and wireless interfaces, if it is a Wi-Fi router) to separate groups of users by port, then you’re golden.
If you have to send traffic to a switch which then connects to different users, then most likely you will need VLANs.

So the first thing is to identify,
a. how many groups you have (of users that are distinct and devices that are distinct).
For example it could be
spouse’s work, kids’ computers, house LAN, house Wi-Fi, guest Wi-Fi, IoT devices (thermostats, cameras)

b. how they are connected, will be connected, or could be connected (ports, ethernet switch, Wi-Fi)

c. then you have to figure out who or what can talk to whom or what, and who or what needs internet, etc.

d. now you have the start of a plan, which may or may not entail buying more networking equipment, and from which one can start to build a config.

Paste this into the terminal to fix some errors:

/interface bridge
# Turn spanning tree off on the bridge (protocol-mode=none).
set bridge protocol-mode=none
/ip address
# Move the LAN address from ether2 (a bridge port) to the bridge itself.
set [find where address="192.168.88.1/24"] interface=bridge
/ip firewall nat
# Clear the empty src-port="" matcher left on the tcp/774 dst-nat rule.
set [find where src-port=""] !src-port
/interface ethernet switch port
# Reset every switch port from default-vlan-id=0 back to auto.
set [find] default-vlan-id=auto

And if you are connected to the internet by the pppoe-client only, also this:

/ip dhcp-client
# Removes every DHCP client, i.e. the defconf one on ether1 in the export
# above. Only do this when the WAN address comes solely from pppoe-out1.
remove [find]

To be clear, do you want every device completely isolated from each other?
If you have only one single device per port it is doable,
but as @anav already wrote, it is impossible to understand how your network is built
without a detailed network diagram.

With understanding comes knowledge and information from which advice and configs can then be responsibly offered. :stuck_out_tongue_winking_eye:

Thanks a lot for all the hints!!! I finally ended up with bridge filtering, configured via the UI. Here are the two rules that worked for me:
In this case, ether8 should not be reachable from other ether ports.

/interface bridge filter
# Drop bridged frames in both directions between ether8 and every other
# bridge port. chain=forward only covers frames switched between ports;
# presumably traffic between ether8 and the router itself (and thus its
# internet access through the router) is unaffected — confirm.
add action=drop chain=forward in-interface=!ether8 out-interface=ether8
add action=drop chain=forward in-interface=ether8 out-interface=!ether8
/interface bridge port
# hw=no takes ether8 out of hardware offload so its frames go through the
# CPU bridge where the filter above can see them (cf. the reply about
# exempting at least one involved port from HW offload).
# NOTE(review): ether8 is already a bridge port in the export above, so in a
# terminal this would be a `set` on the existing entry rather than an `add`.
add bridge=bridge comment=defconf hw=no interface=ether8

Maybe it is not the most performant solution, but it is very easy and the CPU load seems to be really low. I hope it will work well.

Awesome glad it works…
Great work MKX :stuck_out_tongue_winking_eye: