firewall filter

please help.. I am a newbie here..
hehehe

how to make rules like:

Client A. 192.168.1.2 can not ping to client B. 192.168.2.2 but
client B. 192.168.2.2 can ping to client A. 192.168.1.2


please help.. guys..


:slight_smile:

how are these clients connected to the router? are they wireless users, or lan users connected through a switch?

lan users connected through a switch

I have 2 LAN cards in my router, A. 192.168.1.1 and B. 192.168.2.1

in that case, their connections are not going through the router at all, you can’t control them.

if the connections are going through the router.., how can I control them..?

but they are not :smiley:

if they would be connected directly to the router, instead of a switch, you would make simple filter rules like:

Client A. 192.168.1.2 can not ping to client B. 192.168.2.2 but
client B. 192.168.2.2 can ping to client A. 192.168.1.2


/ip firewall filter add chain=forward src-address=192.168.2.2/32 dst-address=192.168.1.2/32 action=accept
/ip firewall filter add chain=forward src-address=192.168.1.2/32 dst-address=192.168.2.2/32 action=drop

Hi,

If your topology is as follows, then you may try the configuration below.

Switch1(192.168.1.0/24)------------(RouterOS)------------Switch2(192.168.2.0/24)

/ip firewall filter
add action=drop chain=forward comment="ping block" disabled=yes icmp-options=8:0-255 protocol=icmp src-address=192.168.1.0/24

thanks,

Sudipta

Sorry for the typo… in the above config put disabled=no

Thanks,

Sudipta

thanks all.. my problem is solved..!

is it working?!? I would add ‘connection-state=new’, because if you simply accept one direction and drop opposite direction - ping won’t work in both directions, no?..

yups it is working, I am using the sudiptakp solution..

thankss…


by the way guys, how can I block connections between Client A. 192.168.1.2 and client B. 192.168.2.2, but so that client B. can connect to client A.

need your help guys..

omg!.. http://forum.mikrotik.com/t/firewall-filter/33305/10

I mean, client A. 192.168.1.2 can not see the shared folder on client B. 192.168.2.2 but
client B. 192.168.2.2 can see the shared folder on client A 192.168.1.2

if I use this code :

/ip firewall filter add chain=forward src-address=192.168.2.2/32 dst-address=192.168.1.2/32 action=accept
/ip firewall filter add chain=forward src-address=192.168.1.2/32 dst-address=192.168.2.2/32 action=drop

client A and B totally can not connect

thanks bro.. I realize I must use “connection-state=new”

thanks bro…
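Why the plain accept/drop pair blocks both directions while `connection-state=new` on the drop rule gives one-way access, as an added example that is not part of the original thread: a simplified Python model of a first-match forward chain with connection tracking (not RouterOS code). The rule dictionaries, `forward`, `exchange` and the connection ids are assumptions made for the illustration.

```python
# Simplified model of a first-match forward chain with connection tracking.
# Added illustration, not RouterOS code; addresses are the ones from the thread.
A, B = "192.168.1.2", "192.168.2.2"

# Rule pair as posted: no connection-state matcher on the drop rule.
STATELESS = [
    {"src": B, "dst": A, "action": "accept"},
    {"src": A, "dst": B, "action": "drop"},
]
# Same pair, but the drop only matches packets that open a new connection.
STATEFUL = [
    {"src": B, "dst": A, "action": "accept"},
    {"src": A, "dst": B, "state": "new", "action": "drop"},
]


def forward(rules, tracked, src, dst, conn_id):
    """Run one packet through the chain; return True if it is forwarded."""
    # conn_id stands in for the port pair / ICMP id the tracker keys on (assumed).
    state = "established" if conn_id in tracked else "new"
    verdict = "accept"  # no matching rule: the packet passes
    for rule in rules:
        if (rule["src"], rule["dst"]) != (src, dst):
            continue
        if rule.get("state", state) != state:
            continue  # rule is restricted to another connection state
        verdict = rule["action"]
        break  # first match wins
    if verdict == "accept":
        tracked.add(conn_id)  # later packets of this connection are "established"
    return verdict == "accept"


def exchange(rules, client, server, conn_id):
    """client sends a request, server replies; True if the reply gets back."""
    tracked = set()
    request_ok = forward(rules, tracked, client, server, conn_id)
    return request_ok and forward(rules, tracked, server, client, conn_id)


if __name__ == "__main__":
    for name, rules in (("stateless", STATELESS), ("stateful", STATEFUL)):
        print(name, "B->A:", exchange(rules, B, A, "c1"),
              "A->B:", exchange(rules, A, B, "c2"))
```

In the stateless set the reply from A to B hits the drop rule, so even B cannot complete an exchange; in the stateful set the reply is "established" and skips the drop.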

by the way, can MikroTik block a MAC address?

/ip firewall filter add src-mac-address=