Firewall not working

Hello.
I would like to set up a small workshop network, where I want some machines kept off the internet. The connection looks like this:
[Image: lan.jpg]
The Mikrotik is a RB750Gr3 hEX. The configuration is the default, except I set the IP to static (192.168.1.88) and entered the gateway (192.168.1.1).

I want to configure the Mikrotik in such a way, that the computers (only 192.168.1.77 atm) on the router can only share files with 192.168.1.16.
Problem is, whatever rule I set on the Mikrotik firewall, it seems to be ignored.
As a test example, if I make a rule:
chain=forward action=drop
place it at #1,
and clear all open connections.
This should drop everything, right?
However, on the 192.168.1.77 computer everything goes through… I can surf the internet, ping all devices…

Can somebody give me a hint on what I’m doing wrong?
I’m a newbie in networking. I did watch YouTube videos on how to set up the Mikrotik firewall and searched the web, but I couldn’t find an explanation.

Thanks.

The explanation is that your router most probably acts at the moment as a switch (I assume all ports are bridged together for the computers to get an IP address from the same range as the WAN). If you want your firewall to work properly, you should remove your WAN port from the bridge, create a separate LAN network and assign addresses to the computers from it. To confirm the assumptions I made for myself, export the config and post it here:

/export file=anynameyouwish (minus sensitive info)

Thanks for the reply.
The configuration file:

# jul/08/2024 18:45:52 by RouterOS 6.49.11
# software id = L3FI-WJYA
# model = RB750Gr3
# serial number =
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.88/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.1.88 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.88 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.1.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Almost.

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.88/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0

WAN (ether1) and LAN (bridge) are on the same subnet 192.168.1.0/24, so even if the ether1 is outside the bridge every device sees everything, or if you prefer there is no routing happening.
It seems to me that you have some confusion between 192.168.88.1 (the default address of your Mikrotik) and 192.168.1.88 (that you assigned to the bridge) in dns server.

(1) Yuppers, you need to change everything to .88 network and ONLY have the 192.168.1.X information on the ADDRESS LINE for ether1.
(hint: change pool)
(hint: change ip dhcp-server network to all .88)

(2) Second mistake is using IP address AND IP DHCP client for your WAN connection; it's one or the other. You choose!!!
Either keep the address and disable the ip dhcp client,
or remove the address and just use ip dhcp client.
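
An added example, not part of the thread or of any poster's reply: a small Python check that reads a RouterOS export and flags the two mistakes the replies point out (WAN and LAN addresses in the same subnet, and a static address plus a DHCP client on the same interface). The function names and the trimmed sample export are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the relevant sections of the export posted in this
# thread, with the wrapped lines joined.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip address
add address=192.168.1.88/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
"""

def parse_sections(export):
    """Map each '/menu path' to a list of key=value dicts, one per 'add' line."""
    sections, current = {}, None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)))
    return sections

def audit(export):
    """Return findings for the two mistakes pointed out in the replies."""
    sections = parse_sections(export)
    addrs = [(a["interface"], ipaddress.ip_interface(a["address"]).network)
             for a in sections.get("/ip address", [])]
    findings = []
    # First finding in the thread: two interfaces share a subnet, which the
    # reply describes as "no routing happening" between WAN and LAN.
    for i, (if_a, net_a) in enumerate(addrs):
        for if_b, net_b in addrs[i + 1:]:
            if if_a != if_b and net_a.overlaps(net_b):
                findings.append(f"overlap: {if_a} {net_a} and {if_b} {net_b}")
    # Second finding: a static address and a DHCP client on one interface.
    dhcp_ifaces = {c["interface"] for c in sections.get("/ip dhcp-client", [])}
    for iface, net in addrs:
        if iface in dhcp_ifaces:
            findings.append(f"static+dhcp-client: {iface} ({net})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```
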

Thanks for the replies. I have reset the router to default.
Can I get an outline of the steps I have to take in order to block all traffic between the LAN and WAN, except for file sharing?

Thanks.