Anyone know of an alternative method to blocking internet access for an IP/MAC address other than creating a drop rule on the firewall? It seems this isn’t immediate when activating, not sure if I missed something
/ip fi n add chain=srcnat place-before=0 src-address=XXX.XXX.XXX.XXX
You have missed that the default firewall is stateful, which in brief (and for several good reasons) means that if the first packet of a connection is accepted, all the rest of that connection is accepted too.
To make sure that the internet access will be cut also for already existing connections, the drop rule for that respective IP address has to be added before (above) the “accept related, established with no other conditions” one.
Also bear in mind that youtube and other video services usually buffer the data, so the whole clip may be already downloaded at the moment you cut the connection.
Hmm, I don’t seem to have that, only “defconf: accept established,related,untracked”
That’s the one I had in mind. This rule accepts packets belonging to any already ongoing connection. So you need to place a selective action=drop one before it to break existing connections to/from the IP you want to prevent from accessing internet.
I see, there are 2 incidents with it, 1 of the chains being input and the other being forward, which one would it be before? Also what would the chain be on the block rule itself? It does work when it’s active and I want to refresh a webpage, but for gaming etc. the connection still stands
The forward chain deals with everything that passes through the router; chain input deals with traffic to the router itself. So the block rule must be in the forward chain.
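An added example (not posted in the thread) of the placement described above, written for the RouterOS CLI; it assumes a constructed blocked host 192.168.88.10, the default forward-chain rule commented "defconf: accept established,related,untracked", and a default-configuration firewall.

```routeros
# Added example, not from the thread. The blocked host 192.168.88.10 is a
# constructed address; the defconf comment below is the one quoted in the
# thread. Everything is /ip firewall filter, chain=forward, not NAT.

:local blocked "192.168.88.10"

# Weak version (the kind of rule the thread starts from): a drop rule that
# sits BELOW the stateful "accept established,related,untracked" rule only
# stops new connections, because packets of already-tracked connections are
# accepted by the established rule before they ever reach the drop.
#   /ip firewall filter add chain=forward action=drop src-address=$blocked

# Corrected version: find the forward-chain established rule (there is a
# second copy in chain=input, so filter on the chain too) and place the drop
# directly before it, so every packet from the host, tracked or not, is
# dropped before the stateful accept sees it.
:local estRule [:pick [/ip firewall filter find chain=forward \
    comment="defconf: accept established,related,untracked"] 0]
/ip firewall filter add chain=forward action=drop src-address=$blocked \
    place-before=$estRule comment="block internet for $blocked"

# Optional but useful for long-lived sessions (the "gaming" case in the
# thread): drop the host's existing connection-tracking entries too, so the
# peer sees the session die immediately instead of timing out. The src-address
# field in the connection table is "ip:port", hence the anchored prefix match.
/ip firewall connection remove [find src-address~"^192.168.88.10:"]

# If the host can simply change its IP, match on the MAC address instead
# (src-mac-address is a filter-rule matcher); the placement rule is identical.
#   /ip firewall filter add chain=forward action=drop \
#       src-mac-address=XX:XX:XX:XX:XX:XX place-before=$estRule
```

Check the result with `/ip firewall filter print` and confirm the new drop rule is listed above the forward-chain established rule; the same order matters for the second copy of the rule in chain=input only if router-destined traffic should be blocked as well.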
I see, it still doesn’t block active connections, is there another block I could attempt?