Hi. I have IP POOL range x.x.88.1/24, DHCP x.x.88.25-254. Can I set the firewall to block access to the addresses x.x.88.1-24 from the DHCP range? Or is there another solution? Thank you.
hmmm… 24 is not a nice binary number like 16 or 32 (110000 vs 10000/100000). Using a subnet mask is out then.
You can add those addresses in an address list and use that one in your firewall rule, I would think ?
Address list SERVER_RANGE (or whatever), add all addresses from 192.168.88.1 to 192.168.88.24
And then forward rule to drop everything from 192.168.88.0/24 to dst_address_list SERVER_RANGE
Move on top of forward rule block.
Or … you can even put it as a RAW prerouting rule, should go faster and goes before any normal firewall rule.
If however you can change the range to 32 addresses, you could use 192.168.88.0/27 as criterium in the rule.
Forward drop src_address = 192.168.88.0/24, dst-address = 192.168.88.0/27
Or RAW rule. Same remark, goes before any normal firewall rule and is processed a lot faster.
Maybe easier ?
Make sure your PC has a lower range address before implementing this or you will block yourself !
I’m sure others will come in with more logical and/or brilliant ideas!
Strange ask, but I guess you don't want anyone with access to be able to manually set 1-24
Assuming your IP address is set to 192.168.88.254 interface=bridge network=192.168.88.0
I would create a firewall address list of 192.168.88.25-192.168.88.253 list=ALLOWED
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow all LAN" in-interface-list=LAN src-address-list=ALLOWED
add action=drop chain=input comment="drop all else"
AND
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN src-address-list=ALLOWED out-interface-list=WAN
**** add additional allow rules here, admin to all vlans, or all users to shared printer etc. *********
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
In this way, only .25 to .243 will get DNS or internet, in effect blocking any of the other non-DHCP-pool IPs.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Don't know if this is better or not than raw rules, which I tend to avoid if possible; probably something like this to be doubly sure!!
I would create a second firewall address list of 192.168.88.1-192.168.88.24 list=VERBOTEN
/ip firewall raw
# the raw table only has the prerouting and output chains, so the rules must go in prerouting
add chain=prerouting action=drop src-address-list=VERBOTEN
add chain=prerouting action=drop dst-address-list=VERBOTEN
If however you can change the range to 32 addresses, you could use 192.168.88.0/27 as criterium in the rule.
Forward drop src_address = 192.168.88.0/24, dst-address = 192.168.88.0/27
That sounds good, I was thinking about this option, I’ll try it.
Thank you.
But with this rule I won’t see from addresses 1-32 to any address 1-32. It will be better to create a list of addresses 33-254 and drop using the rule “forward drop src address list, dst address /27”.
It doesn’t matter if someone wants to manually set IP 1-32 (that can’t happen), only I can do that anyway.
You got a point.
You can check for src_address!=192.168.88.0/27, dst_address=192.168.88.0/27
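An added example, not posted in this thread, using Python's standard `ipaddress` module to show why .1-.24 cannot be expressed as a single mask (the point made in the first reply), which extra hosts the /27 shortcut also matches, and how the final "src not in /27, dst in /27" rule above decides a packet. The RouterOS address-list command lines it prints are an assumed syntax for illustration only.

```python
import ipaddress

# Constructed for this example: the thread's 192.168.88.0/24 LAN,
# with .1-.24 reserved for servers and .25-.254 as the DHCP pool.
SERVER_FIRST = ipaddress.ip_address("192.168.88.1")
SERVER_LAST = ipaddress.ip_address("192.168.88.24")
ALIGNED_BLOCK = ipaddress.ip_network("192.168.88.0/27")  # the /27 shortcut


def cidrs_for_range(first, last):
    """Smallest set of prefixes that covers exactly first..last inclusive.
    A range that is not mask-aligned needs several prefixes, which is why
    .1-.24 cannot be written as one subnet mask."""
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def address_list_commands(name, first, last):
    """Assumed RouterOS-style address-list lines, one per covering prefix."""
    return [f"add list={name} address={c}" for c in cidrs_for_range(first, last)]


def overblocked_by(block, first, last):
    """Hosts the aligned block matches that lie outside the intended range.
    Iterating a network yields every address, network and broadcast included."""
    return [str(h) for h in block if not (first <= h <= last)]


def forward_dropped(src, dst, protected=ALIGNED_BLOCK):
    """Models the rule 'src-address!=/27, dst-address=/27, action=drop':
    the DHCP-pool side is blocked from the protected block, while hosts
    inside the block still reach each other."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s not in protected) and (d in protected)


if __name__ == "__main__":
    for line in address_list_commands("SERVER_RANGE", SERVER_FIRST, SERVER_LAST):
        print(line)
    print("extra hosts matched by /27:", overblocked_by(ALIGNED_BLOCK, SERVER_FIRST, SERVER_LAST))
    print("pool .100 -> server .5 dropped:", forward_dropped("192.168.88.100", "192.168.88.5"))
    print("server .5 -> server .10 dropped:", forward_dropped("192.168.88.5", "192.168.88.10"))
```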
Brilliant!
You got a point!