Block traffic from bridge-public to bridge-terminal

Hi

I have 2 bridges: bridge-public (simple clients) and bridge-terminal (all admins and servers). They both have a dedicated ethernet port and subnet.

I want to block traffic coming from bridge-public to bridge-terminal (e.g. pinging/web), but bridge-terminal should be allowed to access the clients in the bridge-public network.

I tried this solution: http://forum.mikrotik.com/t/firewall-rule-to-block-traffic-between-subnets/23249/1 However, all traffic between the two bridges is blocked in both directions.

Is there a way to achieve this?

Thanks in advance

This topic was linked (by another user) in a previous topic I commented on and should cover it: http://forum.mikrotik.com/t/how-to-isolate-vlan/55848/1

You allow “new” connections from the terminal to public and allow “related” and “established” from public to terminal. You should then be able to block the rest.

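Thanks, it works!
I used the following commands:

/ip firewall filter
# No action= given, so the default (accept) applies: allow "related" packets
# from 10.30.1.0/24 back to 192.168.88.0/24
add chain=forward connection-state=related connection-type="" dst-address=\
    192.168.88.0/24 src-address=10.30.1.0/24
# Allow replies on connections that are already established
add chain=forward connection-state=established dst-address=192.168.88.0/24 \
    src-address=10.30.1.0/24
# Drop everything else from 10.30.1.0/24 to 192.168.88.0/24 (new connections)
add action=drop chain=forward dst-address=192.168.88.0/24 src-address=\
    10.30.1.0/24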
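
Added example (not part of the thread and not MikroTik code): a small Python model of first-match rule evaluation with connection tracking, showing why a plain drop rule breaks both directions and why accepting established/related traffic first fixes it. The subnets are the ones in the commands above, with their roles inferred from the rule direction; the host addresses, flow labels and the `Firewall` class are constructed for illustration, and "related" is not modeled separately from "established".

```python
from ipaddress import ip_address, ip_network

PUBLIC = ip_network("10.30.1.0/24")        # bridge-public side (inferred)
TERMINAL = ip_network("192.168.88.0/24")   # bridge-terminal side (inferred)

# Ordered rules, first match wins, unmatched packets are accepted.
# state=None means "any connection state".
NAIVE = [
    {"src": PUBLIC, "dst": TERMINAL, "state": None, "action": "drop"},
]
STATEFUL = [
    {"src": PUBLIC, "dst": TERMINAL,
     "state": {"established", "related"}, "action": "accept"},
    {"src": PUBLIC, "dst": TERMINAL, "state": None, "action": "drop"},
]

class Firewall:
    """Hypothetical, simplified forward chain with a connection table."""
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()   # flows that had at least one accepted packet

    def forward(self, src, dst, flow):
        src, dst = ip_address(src), ip_address(dst)
        key = (flow, frozenset((src, dst)))   # same key for both directions
        state = "established" if key in self.conntrack else "new"
        action = "accept"                     # default when no rule matches
        for r in self.rules:
            if (src in r["src"] and dst in r["dst"]
                    and (r["state"] is None or state in r["state"])):
                action = r["action"]
                break
        if action == "accept":
            self.conntrack.add(key)           # dropped packets leave no state
        return action

def round_trip(fw, initiator, responder, flow):
    """True only if the request and its reply are both forwarded."""
    return (fw.forward(initiator, responder, flow) == "accept"
            and fw.forward(responder, initiator, flow) == "accept")

if __name__ == "__main__":
    admin, client = "192.168.88.10", "10.30.1.50"   # constructed hosts
    for name, rules in (("naive", NAIVE), ("stateful", STATEFUL)):
        fw = Firewall(rules)
        print(name, "terminal->public:", round_trip(fw, admin, client, "ping-1"),
              "public->terminal:", round_trip(fw, client, admin, "ping-2"))
```

With the naive rule set the admin's request reaches the client, but the reply is itself a public-to-terminal packet and is dropped, which is the "blocked in both directions" symptom from the first post.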