How to allow a user access to only 1 ip address and block

hi
I’m running a mikrotik rb 600 with a nanostation on the client side. Authentication from the client side is done over pppoe. I have a server behind the mikrotik that I want some clients to access, but these clients should not have internet access.

in other words

I want to restrict certain users from internet access. They should just be able to access the network. By the local network I mean like restricting it to 1 ip address and blocking all others.

I’m looking for a config to do this, would someone point me in the right direction please?

You can put another router board like RB/750 or any other Mikrotik routerboard behind the RB/600. Then, install hotspot on the RB/600 and remove its DHCP Server. After that go to the RB/750 and install a DHCP Server there. The clients will receive IPs from the RB/750 and they will have local network, but when they want to access the internet, the hotspot page will appear for them. If you don’t give them a username and password they can’t access the internet.

Thanks for the reply, but is there a way I can accomplish this without using another routerboard?
I was thinking something on the lines of specific deny and allow rules for a specific user, on the same rb.

Write appropriate firewall filter rules to permit traffic to that one server and then drop everything else. What those rules specifically look like is impossible to say given how few details you have given.

Thanks fewi. I have done what you suggest in your sig, here are the details. Could you give me some more detailed tips as to what rules should be added specifically for that certain pppoe user?
details.txt (16.1 KB)

That’s a good start, but who are you trying to lock down, and what are you trying to give them access to?

Assuming you have a user with IP 1.1.1.1 and want him to only be able to access a server at 2.2.2.2:

/ip firewall filter
# allow the user and the server to talk to each other
add chain=forward src-address=1.1.1.1 dst-address=2.2.2.2 action=accept
add chain=forward src-address=2.2.2.2 dst-address=1.1.1.1 action=accept
# drop everything else from or to the user
add chain=forward src-address=1.1.1.1 action=drop
add chain=forward dst-address=1.1.1.1 action=drop

Of course make sure that’s in a sensible position in your firewall rule set.

Ok, let me explain exactly what I want to do and about my setup.
I have a server set up on my high site. I want to make this server accessible to friends to download/upload files from / to this server. This server is a local file repository. I want a username, say for eg: joelocal, to have access only to this repository, not to the internet. For the internet clients I am fine with the current setup.
I hope I made myself clear, ask me if you need more explanation.

The easiest option would be to give him a static remote address and adapt the firewall rules I posted above.
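
The approach from the last reply, written out as an added example that is not part of the original thread: pin the PPPoE user to a static remote address, then apply the accept/drop rules to that address. The addresses 10.10.10.50 (user) and 192.168.88.10 (file server) are assumed values, and the PPP secret joelocal is assumed to exist already.

```routeros
# Added example. Assumed values (not from the thread):
#   10.10.10.50   = static PPPoE address given to joelocal
#   192.168.88.10 = the file server behind the router

# 1. Pin the restricted user to a fixed address so the firewall can match on it.
/ppp secret
set [find name="joelocal"] remote-address=10.10.10.50

# 2. Allow only user <-> file server, then drop everything else for that address.
#    New rules are appended at the end of the chain; move them above any earlier
#    rule that would accept this traffic, otherwise the drops are never reached.
/ip firewall filter
add chain=forward src-address=10.10.10.50 dst-address=192.168.88.10 action=accept comment="joelocal to file server"
add chain=forward src-address=192.168.88.10 dst-address=10.10.10.50 action=accept comment="file server to joelocal"
add chain=forward src-address=10.10.10.50 action=drop comment="joelocal: drop other forwarded traffic"
add chain=forward dst-address=10.10.10.50 action=drop comment="joelocal: drop other return traffic"

# 3. Optional: the forward chain only covers traffic passing through the router.
#    Services on the router itself (DNS, web proxy, management) are reached via
#    the input chain, so block those for this address as well.
add chain=input src-address=10.10.10.50 action=drop comment="joelocal: no router services"

# 4. Review the resulting rules and their position in the chain.
print where comment~"joelocal"
```

The static address is handed out when the PPPoE session is established, so the user has to reconnect before the rules match.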