Can you include a network diagram based on your config? There is no internet connection so it's not clear how this device fits in a network (besides the fact there are no firewall rules etc…).
Don’t use in-interface-list=all unless you explicitly constructed such interface list by yourself. There are a few implicit interface lists in ROS but using them causes problems more often than not. And if not set, default behaviour is just as one would expect when setting it the way you did.
A thing to keep in mind: firewall filter only works on packets that actually traverse firewall … so packets have to hit IP layer of router - most often this means source and destination are in different IP subnets.
And a piece of advice: unless you have some very old wireless clients that need to connect to your wireless AP, remove wpa-psk and tkip from the wireless security-profiles setup - keep only wpa2-psk and aes-ccm.
Yea, it was a try since the rule wasn’t receiving packets even without it.
You may be right, I've made some packet captures and there wasn't any passing from 192.168.1.195 (the IP I want to block) to 192.168.1.1 (the router). So how can I fix or work around this?
It might be possible to do it, but it entirely depends on how things are connected (end to end, including any other active equipment on the way, such as dumb ethernet switches etc.). So do provide us with a network diagram. Hand sketched on paper and photographed with a smart phone will do nicely.
BTW, when connections towards the router itself are in question, one has to use firewall chain input. Doesn't matter which of the router's addresses is targeted (it can be an address not "native" to the ingress interface … e.g. a LAN device targeting the router's WAN IP address).
I think you've got a deeper problem - it struck me just now, but it's in the configuration you provided earlier: you have no usable WAN (a.k.a. ether1) config done. You have a default route set:
(which is wrong, but more about that later) it should be reachable on the LAN IP subnet. The chart says differently: it should be beyond ether1, which doesn't bear any IP setup.
So what you should do:
move your LAN to another IP subnet, e.g. 192.168.88.0/24 (as in the default configuration). Also change the DHCP server settings to match
move the LAN IP address to the proper interface (in your case it's bridge1 … not ether2, which is a bridge member port)
either
remove the static route you have and add a DHCP client to ether1 (if the upstream gateway runs a DHCP server) - the default route will probably come with the DHCP lease
or
set an IP address from that subnet on the ether1 interface (e.g. 192.168.1.1/24) and leave the default route as it is now
Since you don't seem to have any firewall in place, IMO it would be best to reset your device to factory defaults and start over. Don't remove everything; only configure WAN (as a DHCP client) and wireless (SSID, PSK, …).
The above assumes your network diagram is how things should be done, i.e. completely separate the gateway's LAN (which is most probably controlled by the ISP) from your LAN. If you actually want the router as transparent as it gets (i.e. the ISP's gateway runs the DHCP server and what not) and only use your "router" as a WiFi AP / ethernet switch and a device that can block certain traffic, then the "router" needs to be pretty much reconfigured.
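The steps above, together with the earlier point that traffic aimed at the router itself is handled in the input chain, written out as RouterOS CLI commands. This is an added example, not code from the thread or from MikroTik's documentation; it assumes the LAN is renumbered to 192.168.88.0/24 on bridge1, that ether2 and wlan1 are the bridge ports, that ether1 gets its address and default route from the upstream DHCP server, and that the host to be blocked ends up as 192.168.88.195 after renumbering.

```routeros
# Assumed topology: ether1 = WAN towards the ISP gateway, bridge1 = LAN (ether2 + wlan1).
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1

# LAN address lives on the bridge, not on a member port (step 2 above).
/ip address
add address=192.168.88.1/24 interface=bridge1

# WAN: DHCP client replaces the static default route (step 3, first option).
/ip dhcp-client
add interface=ether1 add-default-route=yes disabled=no

# DHCP server for the new LAN subnet (step 1, "change DHCP server settings to match").
/ip pool
add name=lan-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add name=lan interface=bridge1 address-pool=lan-pool disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# Blocking the host: traffic to the router's own addresses is seen by chain=input,
# traffic to other subnets / the internet by chain=forward. Packets between two
# hosts on the same LAN subnet are bridged and never reach these chains.
/ip firewall filter
add chain=input src-address=192.168.88.195 action=drop \
    comment="assumed blocked host: no access to router itself"
add chain=forward src-address=192.168.88.195 action=drop \
    comment="assumed blocked host: no routed access (WAN etc.)"
```

After applying this, `/ip firewall filter print stats` shows the packet counters on the two drop rules, which is the quickest way to confirm the traffic is actually hitting the IP layer of the router.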
Let's be clear: you want to block some users/devices on your single subnet from accessing other users/devices on the same single subnet?
I don't know of an EASY way to do this as they are both in the same L2 subnet.
Suggest you consider VLANs or some way to separate users from each other; then, automatically at L2, users on different VLANs are blocked, and one only needs firewall rules to ensure the same is true for routing at L3.