I would like to set up 2 firewall rules, one to only allow User (192.168.10.214) to access the NAS box (192.168.10.201) and a 2nd rule to block access to anything else. I tried a forward rule with the source and destination addresses in but this didn’t appear to work, can anybody help?
From what you have posted, it seems that both devices are on the same broadcast domain. Thus, no matter what rules you put on the router, they will not work, because the traffic between the devices does not pass through the router, instead they communicate directly with each other.
Thanks for the quick response, I just thought it was possible as the traffic is technically going through the Router
What do you mean is going through the router?
If you have physically connected the two devices on two different interfaces of the router then the two interfaces must have different IP addresses (but it doesn’t look so). Can you post your router config?
Basically, the router would block access with firewall filter rules as long as the traffic goes through it. For example, if you have a device with IP 1.1.1.1/24 and another one with IP 2.2.2.2/24 and both are connected to the router, then:
/ip firewall filter
add chain=forward src-address=1.1.1.1 dst-address=2.2.2.2 action=drop
add chain=forward src-address=2.2.2.2 dst-address=1.1.1.1 action=drop
They are each connected to a different interface on the router, NAS in port 2, User in Port 3, they are both in the same network 192.168.10.0/24, as the traffic is going through the router (in one interface and out the other) is it possible to restrict traffic to a certain port / IP? If not if I was to put them on different networks 192.16.10.0/24 and 192.168.11.0/24 can it be done then?
If they are on different interfaces of the router, then these two interfaces must be under the switch or under a bridge interface so that they can use the same network. If they are under the switch use the rules in the switch menu, if under a bridge then use the filters in firewall and set the bridge to use firewall.
If you choose to set up with different networks, then what was described in the previous posts should work.