I just tried a chain=forward, source IP address-list, action=drop rule in my IP -> Firewall section in WebFig, to block internet for a few IP addresses (.100 to .200).
But nothing happens.
My network is like this:
Modem ↔ MikroTik RB760iGS ↔ UniFi Wi-Fi AP
I also tried to add this same rule in the Bridge section in WebFig, but it gave me an error that I can only choose IP addresses on the Ethernet ports.
My MikroTik is in Bridge Mode and everything is connected to it before the modem.
I just created an address list with the desired IP range, and then added the forward/drop rule for that list. But it doesn’t work.
I think it is because my MikroTik is in bridge mode, but I am not sure.
Sorry, cannot condone setting up a router without at least the default firewall rules before connecting to the internet, ESPECIALLY if you are new to RouterOS and/or have little experience.
Put these in…
Then state your requirements in terms of what the users should or should not be able to do, without using any words that talk about the config or router etc…
From there then we can assist or guide you in the right direction.
Default rules:
/ip firewall filter
Input chain:
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
Forward chain:
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
DON'T FORGET your default source NAT rule as well, and for port forwarding any destination NAT rules.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
Which you will have to modify for PPPoE / a static WAN IP.
add action=drop chain=forward src-address-list=deny_internet out-interface=your_wan_interface comment="Deny access to internet for ..."
And then move the rule below the first forward rule (this one: add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked).
I tried to add those commands through the Terminal. It doesn’t allow copy/paste, so I had to type everything in.
I have a problem now: right after the last command of the input chain, my connection became veryyyyy slow and eventually I lost the connection to the MikroTik. I can’t access it now at the IP it had.
If those commands are mandatory, shouldn’t they come pre-configured?
Thanks again for the help, I will write down what I need in those terms:
I have CCTV in my home connected to a switch.
I want to block those cameras and the NVR from connecting to the internet. I don't want anyone to access them. I want to completely isolate them in a VLAN. No access from the LAN or from the internet in any way.
And after this, I want to create a VPN just to access them.
My goal is to completely block internet to/from these cameras to prevent hacking or some back door in this Chinese NVR. The only access point is through the VPN.
At this moment i added this switch to my network and now it is like this:
Modem ⟷ MikroTik ⟷ Switch:
Connected to the switch:
Ports 1-5: Cameras and NVR
Port 6: Access Point
Port 7: MikroTik
Ports 8 onwards: Desktops/laptops/etc.
Do I need another cable between the MikroTik and the switch? One cable for each VLAN? One for the CCTV VLAN and another for the general VLAN.
Hello again, the firewall that anav suggested is a stateful firewall, which means that only connections initiated from your LAN are able to come back, so unless the cameras themselves initiate a connection to the internet (just use the address list I posted above to deny this) there is no way for anyone to access your cameras or anything in your LAN from the internet.
And if you want to use VLANs for the cameras you just need one physical connection between the switch and the MikroTik router, and then just make virtual VLAN interfaces under /interface vlan for each VLAN.
Thank you again MikeKoll. Really appreciate your help, you are very kind.
At this moment, I lost connection to my MikroTik after I submitted the last input-chain command.
I don’t know if this has anything to do with having a switch between my PC and the MikroTik.
Should I connect my PC directly to a physical port of the MikroTik?
If you can't connect to the router anymore then you probably put the rule with drop action before all other input rules. We forgot to tell you that when the firewall processes a chain, rules are taken from the chain in the order they are listed there, from top to bottom, so if you put the drop rule above other input rules then it processes this rule first and it drops everything destined to the router and just ignores the other rules. So now you probably need to reset the router to default configuration and do everything again. The rules should be approximately in this order: https://imgur.com/F2C225a Remember not to move the drop rule above other input rules!
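The two replies above (the address list from MikeKoll's post and the warning about rule order) put together as one configuration. This is an added example, not something posted in this thread; it assumes the RouterOS default LAN 192.168.88.0/24 with the default LAN/WAN interface lists and the default filter rules already loaded, ether1 as the trunk to the switch (as in the poster's setup), VLAN tag 20 for the camera ports on the switch side, and an already configured VPN interface named vpn-cctv.

```routeros
# Added example, not from this thread. Assumed: default LAN 192.168.88.0/24,
# default filter rules present, ether1 = trunk to the switch, cameras tagged
# VLAN 20 by the switch, VPN interface "vpn-cctv" already configured.

# --- A. Quick fix: address list for the camera/NVR range ---------------------
/ip firewall address-list
add list=deny_internet address=192.168.88.100-192.168.88.200 comment="cameras and NVR"

# Rules run top to bottom within a chain and "add" appends at the bottom, so
# place-before slots the deny rule right after the forward "accept
# established,related" rule, i.e. just before the forward "drop invalid".
/ip firewall filter
add chain=forward action=drop src-address-list=deny_internet out-interface-list=WAN \
    comment="deny internet for camera list" \
    place-before=[find chain=forward comment="defconf: drop invalid"]

# --- B. Camera VLAN over the single trunk cable --------------------------------
/interface vlan
add name=vlan20-cctv vlan-id=20 interface=ether1
/ip address
add address=192.168.20.1/24 interface=vlan20-cctv
/ip pool
add name=pool-cctv ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add name=dhcp-cctv interface=vlan20-cctv address-pool=pool-cctv
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1

# vlan20-cctv is deliberately NOT added to the LAN list, so the default input
# rule "drop all not coming from LAN" keeps the cameras away from WinBox,
# WebFig and SSH on the router; only DHCP, DNS and NTP are let in.
/ip firewall filter
add chain=input action=accept in-interface=vlan20-cctv protocol=udp dst-port=53,67,123 \
    comment="cctv: dhcp/dns/ntp to the router only" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]

# Forward: new connections may enter the camera VLAN only from the VPN, and the
# cameras may not open connections to anything (LAN or internet). Replies to
# VPN sessions are already covered by the default "accept established,related".
add chain=forward action=accept in-interface=vpn-cctv out-interface=vlan20-cctv \
    comment="cctv: VPN clients may reach the cameras" \
    place-before=[find chain=forward comment="defconf: drop invalid"]
add chain=forward action=drop in-interface=vlan20-cctv \
    comment="cctv: cameras may not start connections" \
    place-before=[find chain=forward comment="defconf: drop invalid"]
add chain=forward action=drop out-interface=vlan20-cctv \
    comment="cctv: nothing else may reach the cameras" \
    place-before=[find chain=forward comment="defconf: drop invalid"]
```

Because every rule is placed before the forward "drop invalid" rule, nothing here lands above the "accept established,related" rules, which is the lockout the reply above warns about; check the result with /ip firewall filter print before closing the session.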
I added the rules in the order of the post.
When i am adding the rules to the filter list, they are added to the top of it?
How can i add it to the bottom? Because if it goes automatically to the top, it will always drop my connection when i am adding it.
I didn't move any rule. I just added them in that order. And I think that rule only drops connections not coming from the LAN, and I am in the LAN.
Did the reset now and still can't access it!
Internet works, everything works, but I can't access it at its IP!
Did the 30-30-30 reset.
Hmmmm
Edit: I can’t access it. I already did all types of resets i found online. Nothing gives me back access to it.
I tried the original IP and the one my DHCP server (modem) gave to it. Nothing works. Don’t know what to do from here.
I am sorry, but what do you mean by config?
I have a default one. I never added any config.
I bought this hEX S and tried to add the rule in the first post, nothing more.
I only changed it to Bridge Mode in the Quick Set page at first, because I have an ISP modem that works as a router too.
But at this moment, after this reset, I have the MikroTik in Router Mode. I don’t know if this can generate some kind of problem, having two routers with DHCP in the same LAN.
Sadly, i can’t remove the ISP Modem/Router nor put it in Bridge Mode.
So the Mikrotik does not get a public IP then???
Do you not think this would be important information!!! LOL.
You had me thinking you had a modem ONLY?? “My network is like this:
Modem ↔ MikroTik RB760iGS ↔ UniFi Wi-Fi AP”
In this case, if you are not doing any port forwarding on the MikroTik, I suppose it's not too difficult.
You should simply port forward everything on the router/modem to the LAN IP of the router/modem that is associated with the MikroTik router.
This LAN IP would be the static fixed WAN IP on the MikroTik.
The DHCP service on the MikroTik is still fine and all the rules etc…
You may need a few tweaks here and there.
For example, the basic default NAT rule would change from
/ip firewall nat
add chain=srcnat action=masquerade comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
TO
add chain=srcnat action=src-nat out-interface=ether1 to-addresses=fixedwanipofrouter
In the out-interface, should I put the MikroTik port that the ISP modem is connected to?
In my case it is “ether2”, because the switch is connected to “ether1” to give PoE to the MikroTik.
It should work with many options:
(1) out-interface-list=WAN, OR
(2) out-interface=ether2 (assuming that goes to your modem/router), OR
(3) dst-address=<WAN IP of the MikroTik>
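The double-NAT setup discussed above (MikroTik WAN port behind the ISP router, fixed WAN IP, src-nat instead of masquerade) as one configuration. This is an added example, not anav's or the poster's own config; it assumes the ISP router's LAN is 192.168.1.0/24 with the ISP router at 192.168.1.1, ether2 cabled to it as the poster describes, and 192.168.1.2 reserved on the ISP router for the MikroTik.

```routeros
# Added example, not from this thread. Assumed: ISP router LAN 192.168.1.0/24,
# ISP router at 192.168.1.1, MikroTik ether2 faces it, 192.168.1.2 is the
# address reserved for the MikroTik on the ISP router (and used as its
# port-forward / DMZ target there, which is configured outside RouterOS).

# Fixed WAN address, default route and DNS towards the ISP router
/ip address
add address=192.168.1.2/24 interface=ether2 comment="WAN (behind ISP router)"
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1
/ip dns
set servers=192.168.1.1

# ether2 must be in the WAN list; the default filter rules match on
# in-interface-list=WAN / out-interface-list=WAN and otherwise never fire.
/interface list member
add list=WAN interface=ether2

# Turn the default masquerade rule into a src-nat to the fixed address, as the
# reply above suggests. Editing in place keeps ipsec-policy and the comment;
# "to-addresses" (plural) is the parameter name RouterOS expects.
/ip firewall nat
set [find chain=srcnat comment="defconf: masquerade"] action=src-nat \
    to-addresses=192.168.1.2

# The two routers must not share a subnet: the MikroTik LAN stays on
# 192.168.88.0/24 while the ISP router keeps 192.168.1.0/24, so both DHCP
# servers serve different segments and do not conflict.
```

Verify with /ip firewall nat print and /interface list member print; a client behind the MikroTik should then appear to the ISP router as 192.168.1.2.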