Hello guys, I have an RB750GR3 router. What I have is the master network on ETH2 (ETH1 is WAN) where all the devices are connected, but I would like to make a DMZ on ETH5 or any other port, so that the ETH2 network can connect to ETH5 but not vice versa. I tried to achieve it with firewall rules, but it just won't work (I'm also testing my rules by simply trying to ping a device from a different ETH port). Here is my configuration. Could anyone tell me what I'm doing wrong?
[******@MikroTik] > export compact
# jan/29/2018 14:38:08 by RouterOS 6.41
# software id = SR15-93BP
#
# model = RouterBOARD 750G r3
# serial number = *************
/interface bridge
# DMZ bridge; its only member is ether5 (see /interface bridge port below).
add fast-forward=no name=DMZ
add admin-mac=XX:XX:XX:XX auto-mac=no comment="created from master port" \
name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=WAN
set [ find default-name=ether2 ] name=ether2-master
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/ip pool
add name=dhcp ranges=192.168.2.20-192.168.2.98
# vpn_pool sits inside bridge1's 192.168.2.0/24, so VPN clients receive LAN
# addresses. Only bridge1 has a DHCP server; DMZ hosts in 172.16.8.0/28 need
# static addressing unless a server is configured elsewhere.
add name=vpn_pool ranges=192.168.2.150-192.168.2.160
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge1 lease-time=8h name="DHCP office"
/interface bridge port
add bridge=bridge1 interface=ether3
# No bridge= given here, so ether4 does not appear to be attached to any bridge —
# verify whether it was meant to join bridge1.
add interface=ether4
add bridge=DMZ interface=ether5
add bridge=bridge1 interface=ether2-master
/interface bridge settings
# Traffic between ports of the same bridge is also sent through /ip firewall.
# bridge1<->DMZ traffic is routed between two bridges and reaches the forward
# chain regardless of this setting.
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
# ether5 is the DMZ port: neighbor discovery here announces the router (identity,
# version, addresses) to DMZ hosts. Consider removing it from the discover list.
add interface=ether5 list=discover
add interface=l2tp-vpn list=discover
# mactel / mac-winbox contain bridge1 only; the /tool mac-server settings that use
# these lists are not part of this export.
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/interface pptp-server server
# PPTP is enabled (input accepts tcp/1723 below). PPTP is widely regarded as
# weak; disable it if SSTP/L2TP already cover the VPN clients.
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge1 network=\
192.168.2.0
add address=**.**.**.**/24 interface=WAN network=**.**.**.**
# Router's own address on the DMZ bridge.
add address=172.16.8.1/28 interface=DMZ network=172.16.8.0
# Duplicate of the entry above with no interface; it is disabled, so it has no
# effect — delete it to avoid confusion.
add address=172.16.8.1/28 disabled=yes network=172.16.8.0
/ip firewall filter
# --- DMZ isolation: all three rules below are disabled=yes, so they currently do
# nothing. With them disabled, the forward chain has no final drop, so
# bridge1<->DMZ traffic is accepted in BOTH directions by the default policy.
# This rule has no matcher at all; enabling it as-is accepts every forwarded
# packet.
add action=accept chain=forward comment="Accept one way connection" disabled=\
yes
# action=return only has meaning inside a chain entered via jump; in the built-in
# forward chain it probably does not express "allow bridge1->DMZ". An accept with
# these matchers would.
add action=return chain=forward disabled=yes in-interface=bridge1 \
out-interface=DMZ
# connection-state="" means any state, and this rule precedes the
# established,related accepts further down, so enabling it would also drop the
# DMZ->bridge1 replies of connections that bridge1 hosts opened. For one-way
# access match connection-state=new here (or place the rule after the
# established,related accepts).
add action=drop chain=forward comment="Isolate DMZ form bridge1" \
connection-state="" disabled=yes in-interface=DMZ out-interface=bridge1
# tcp/2102 is accepted on every interface (WAN and DMZ included) and its purpose
# is not recorded — add a comment or restrict in-interface.
add action=accept chain=input dst-port=2102 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# Accepts forwarding of the Winbox port from WAN, but no dst-nat for 8291 appears
# in this export, so the rule looks unused — remove it if so.
add action=accept chain=forward dst-port=8291 in-interface=WAN protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
# No dst-port: this accepts EVERY UDP datagram from WAN to the router, not only
# L2TP/IPsec (udp/1701, 500, 4500). Add dst-port so the "drop all from WAN" rule
# below stays effective for UDP.
add action=accept chain=input comment="allow l2tp" in-interface=WAN protocol=\
udp
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=WAN
# Only WAN is dropped in the input chain; nothing limits DMZ hosts from reaching
# the router's own management services. Add a drop for in-interface=DMZ after
# whatever the DMZ legitimately needs from the router (ICMP, DNS if used).
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
WAN
# Last forward rule; anything not matched above is accepted by the default
# policy.
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
/ip firewall mangle
# "External IP/24" is a placeholder the poster substituted; the real export holds
# an address. These four rules mark SIP signalling and the follow-on UDP flows
# from that /24 (presumably for queues — none appear in this export).
add action=mark-connection chain=forward dst-port=5060-5080 \
new-connection-mark=sip-connection passthrough=yes protocol=tcp \
src-address=External IP/24
add action=mark-packet chain=forward connection-mark=sip-connection \
new-packet-mark=SIP passthrough=yes
add action=mark-connection chain=forward connection-state=new \
new-connection-mark=sip-connection passthrough=yes port=1024-65535 \
protocol=udp src-address=External IP/24
add action=mark-packet chain=forward connection-mark=sip-connection \
connection-state=new new-packet-mark=RTP passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
# No out-interface here. WAN-bound packets are already handled by the masquerade
# above, so this rule only ever rewrites traffic leaving via non-WAN interfaces
# (bridge1->DMZ, VPN), replacing the source with the external IP. That is almost
# certainly unintended — add out-interface=WAN or remove the rule.
add action=src-nat chain=srcnat src-address=!192.168.2.1 to-addresses=\
External IP
add action=dst-nat chain=dstnat dst-port=8080 in-interface=WAN protocol=tcp \
to-addresses=192.168.2.234 to-ports=8080
# The rules from here through 8245 carry no in-interface=WAN and no dst-address,
# so they also redirect LAN/DMZ/VPN connections to ANY destination on these ports
# to the internal hosts. Add in-interface=WAN (or dst-address=<WAN address>) as
# on the 8080 and 5500 rules.
add action=dst-nat chain=dstnat dst-port=37777 protocol=tcp to-addresses=\
192.168.2.245 to-ports=37777
add action=dst-nat chain=dstnat dst-port=37778 protocol=tcp to-addresses=\
192.168.2.245 to-ports=37778
add action=dst-nat chain=dstnat dst-port=8083 protocol=tcp to-addresses=\
192.168.2.234 to-ports=8083
add action=dst-nat chain=dstnat dst-port=554 protocol=tcp to-addresses=\
192.168.2.245 to-ports=554
# Duplicate of the 8083 rule above; never matches.
add action=dst-nat chain=dstnat dst-port=8083 protocol=tcp to-addresses=\
192.168.2.234 to-ports=8083
add action=dst-nat chain=dstnat dst-port=8082 protocol=tcp to-addresses=\
192.168.2.234 to-ports=443
add action=dst-nat chain=dstnat dst-port=8245 protocol=tcp to-addresses=\
192.168.2.245 to-ports=80
add action=dst-nat chain=dstnat dst-port=5500 in-interface=WAN protocol=tcp \
to-addresses=192.168.2.158 to-ports=5500
/ip firewall service-port
# SIP helper disabled; the mangle marks above handle SIP without the ALG.
set sip disabled=yes ports=5060,5061,5080
/ip route
# Default route; the gateway value appears truncated/redacted in this paste.
add distance=1 gateway=82
[admin@MikroTik] >