I have a PC sitting on ether5 that I want to cut off from internet access.
It seems straightforward enough.
action=drop chain=forward in-interface=ether1-WAN out-interface=ether5
action=drop chain=forward in-interface=ether5 out-interface=ether1-WAN
And it has no effect at all. What did I do wrong?
Is ether5 part of a bridge?
If it is, your rules will not work, because the bridge is the master interface and the traffic goes through it.
The same applies if it is a part of a switch group. The firewall rules will work on the master interface.
Thank you for your answer. Ethernet5 is part of the same switch as the Ethernet1-Wan gateway.
You mean no firewall rule will have any effect on an interface that is part of the same switch as my WAN?
Eth1 is WAN. Eth3, Eth4 and Eth5 are the slaves to the Eth2.
In these conditions, is there a way to filter off the traffic between WAN and Eth5?
I am using a MikroTik RB2011UiAS-RM.
In your case ether5 is a slave to ether2. The CPU and the firewall rules see all traffic as ether2.
You can remove ether5 from the switch or make a VLAN.
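The first option from the answer above, as an added example that is not part of the original thread: ether5 is taken out of the switch group so the firewall sees it as its own interface. It assumes a RouterOS release that still exposes the `master-port` setting on Ethernet ports; the 192.168.55.0/24 subnet and the rule comments are constructed for illustration.

```routeros
# Before: ether5 is a slave of ether2, so forwarded packets reach the
# firewall with in/out interface "ether2". Rules that name ether5
# never match and their counters stay at zero.

# 1. Detach ether5 from the switch group; it becomes a standalone routed port.
/interface ethernet set ether5 master-port=none

# 2. Give the port its own subnet (constructed address). The PC on ether5
#    must be readdressed into this subnet, statically or via a DHCP server
#    bound to ether5.
/ip address add address=192.168.55.1/24 interface=ether5

# 3. The two drop rules from the question now match on ether5.
#    New rules are appended at the end of the chain; move them above any
#    accept rule that would otherwise match the same traffic first.
/ip firewall filter add chain=forward in-interface=ether5 \
    out-interface=ether1-WAN action=drop comment="ether5 -> WAN blocked"
/ip firewall filter add chain=forward in-interface=ether1-WAN \
    out-interface=ether5 action=drop comment="WAN -> ether5 blocked"

# 4. Verify: generate traffic from the PC, then confirm the packet
#    counters on the two drop rules are increasing.
/ip firewall filter print stats
```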
I see. But filtering by IP or MAC should work, right?