Hello.
I want to block access to some IP for my computers.
I don’t want any computer on my LAN to be able to access this public IP-range.
146.66.156.0-146.66.156.255
146.66.157.0-146.66.157.255
185.25.180.0-185.25.180.255
185.25.181.0-185.25.181.255
How could this be made?
Hi,
You have to make an address list like “Block addresses” with all the addresses you want to block.
Then you block forward chain for that address list
/ip firewall address-list
add address=146.66.156.0/24 list=Block addresses
add address=146.66.157.0/24 list=Block addresses
add address=185.25.180.0/24 list=Block addresses
add address=185.25.181.0/24 list=Block addresses
/ip firewall filter
add action=drop chain=forward dst-address-list=Block addresses
Firewall Address list with summarized routes, and block forwarding from LAN to WAN for that address list
/ip firewall address-list
add address=146.66.156.0/23 list=Valve
add address=185.25.180.0/23 list=Valve
/ip firewall filter
add action=drop chain=forward dst-address-list=Valve in-interface=bridge src-address=10.0.0.0/24
Thanks it worked very well.
hi I am new on mikrotik I have routerboard 1100 AH x2
I need a script to block app (netshare).
some people use it to share free internet on my network this app us port 8282 and range ip 192.168.49.1
please I need a script to block it
ip firewall filter add chain=input src-port=8282 action=drop
ip firewall filter add chain=forward src-port=8282 action=drop
ip firewall filter add chain=input dst-port=8282 action=drop
ip firewall filter add chain=forward dst-port=8282 action=drop
with those roles no one can communicate in your network through this port!
You could use “ip firewall raw” in the prerouting chain instead of “ip firewall filter”. In this case packets are not processed by connection tracking and then unwanted traffic would consume less CPU.
And instead of creating 2 rules for src and dst port, you can use Any port and only single rule. And in case it’s related to internet traffic, most probably you don’t need to care about input rule.
Concur using RAW perhaps for both instances…
For the original OP, one could make the rules in RAW and thus block any communication input, forward etc…
/ip raw
add chain=prerouting source-address-list=Block Addresses action=drop log yes logprefix=“Stopped the SOB COLD again”
For the follow-on query… I dont think one can actually state a port without a protocol??
Also i am not sure what you mean by range?? Do you mean an LAN IP on your network, or a WAN IP that people connect to.
Seeing as its a 192.168 type of private address I suspect the former as I do not think that is a legitimate WAN IP.
The problem with that is what is to stop the offending person from attempting to get another private IP on your LAN to conduct this ugly affair.
/ip raw
add chain=prerouting protocol tcp dest-port 8292 action=drop logyes logprefix=“Not on my Watch Sucker”
add chain=prerouting protocol udp dest-port 8292 action=drop logyes logprefix=“Not on my Watch Sucker”
Be aware that this stops any traffic to or from the router and LANS by anyone using that port as a destination.
If you wanted to isolate it to the the LAN, include in-interface-list=LAN
What I am not sure is if this approach is valid at stopping layer 2 traffic between two IPs on the same LAN???
As stated what if the program allows the person to change the port used for this purpose.
It may be best to find a way to separate this user silently from the rest of the network.
Doing this at layer 3, firewall rule is easy, BUT doing it at layer 2 means somehow you have to push him to a different layer 2 container, like a lan on a bridge or a VLAN..
I will let the gurus chime in if thats a feasible approach?
thank you for repliing post. I don’t know which way better but to be sure you can see that app on google store (netshare) and see how it work for more help I need a correct way to block this app, thanks