How to disable access from local to some local to Mikrotik AP?

Since I am not very versed in this, I need someone to write an example of how to do it on a Mikrotik AP in bridge mode. Basically I just need the IP range 192.168.20.110-114 not to reach 192.168.20.4-100, but the other way round, from the whole range 192.168.20.0/24 to the IP range 192.168.20.110-114, yes.
Thank you for your help.

Make a second SSID (create a VAP interface), and make the insecure devices use the second AP, and put that on a different IP range (don't bridge the VAP - put a new IP address directly on it and configure a new DHCP service on this network). Then use the IP Firewall filter to block in-interface=VAP out-interface=LAN.

Blocking things in the way you’re attempting is not actually secure at all because any device that decides to spoof its IP address or MAC address can do so and easily bypass your security.

This Wifi is only for those 5 clients and they do not know the SSIDs or their wifi passwords; I add them myself. I do this so that if they scan the network they do not find my printers, satellites, etc. from my range 192.168.20.4-100; otherwise I do not mind.

What are the devices 192.168.20.110-192.168.20.114?

Maybe you can block on that side?

These are simple routers and blocking is not going well. It would be better on my MikroTik, which is also the Wifi AP and is in bridge mode, but I do not know how to isolate the network range 192.168.20.4-100 just from these 5 routers 110-114; I do not need any extra security locks.

Why don't you use a VLAN?

It is really more secure.

Because I just need what I have already written - the clients need to get to the range 192.168.20.1-3 for some reason. I do not want to isolate them from the network 192.168.20.0 beyond the extent I already wrote. Otherwise I would have to work hard to put more rules on the main router to get my services on the internal network, which are at the 20.1-3 addresses.
Simply put: on the Mikrotik AP in the bridge, just drop the requests from addresses 192.168.20.110-114 to addresses 192.168.20.4-100.
Nothing more, and I need help on whether and how to do it on the bridge with a filter.

The easiest thing to do would be to enable the "use IP firewall" option on your bridge so that you can make forwarding filter rules that block the traffic you want.
Make an IP address list called "LimitedClients" and list the IP addresses 192.168.20.110-114.
Make another IP address list called "ProtectedHosts" and list the IP addresses 192.168.20.4-100.

Then your forward chain can have a rule that says:
chain=forward src-address-list=LimitedClients dst-address-list=ProtectedHosts action=drop

Make sure this rule comes before any other rule that would accept such packets, and you’re set.

Thanks for this, but if I apply this rule, I cannot get from the range 192.168.20.4-100 to administer the clients at addresses 192.168.20.110-114.

Dude - you really need to learn what you’re doing if you’re going to get this picky about stuff and not just expect people to do everything for you.

Look at this rule: it only matches (and drops) traffic if it is FROM the LimitedHosts and going TO the ProtectedHosts. Packets that get accepted before they reach this rule will not be dropped… Okay - so if you want the ProtectedHosts to have access to the LimitedHosts, then what you do is you place the above rule AFTER a rule which allows established,related connections, and then your requirement will be met. This is because the initial packet from Protected->Limited will NOT match this drop rule. The reply from the Limited->Protected host will get accepted by the established,related rule before it can reach the drop rule, so that will work. If a Limited host tries to make a new connection to the Protected hosts, the first (SYN) packet will NOT be established or related state - it will be in NEW state, so the “accept established,related” rule will not accept the packet - it will continue down the chain until reaching this rule which says to drop the packet. Thus no new connection will ever reach the established state.
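A complete configuration for the approach described in the post above, written here as an added example (it is not from any of the forum posters): the bridge setting that sends bridged traffic through the IP firewall, both address lists, and the two forward rules in the order the post requires. The list names, the log prefix and the comments are assumptions; the address ranges are the ones from the thread.

```routeros
# Added example, not from the thread. List names, comments and the log
# prefix are assumptions; the address ranges are the ones in the question.

# Bridged traffic does not pass the IP firewall unless this is enabled.
/interface bridge settings
set use-ip-firewall=yes

# The two groups of hosts, as address lists so the rules stay readable.
/ip firewall address-list
add list=LimitedClients address=192.168.20.110-192.168.20.114 comment="restricted Wi-Fi clients"
add list=ProtectedHosts address=192.168.20.4-192.168.20.100 comment="printers etc."

/ip firewall filter
# 1. Replies to connections opened from the protected side are accepted here,
#    so a Limited host answering a ping or an admin session never reaches the
#    drop rule with that reply traffic.
add chain=forward connection-state=established,related action=accept \
    comment="allow replies to existing connections"
# 2. Only packets that are NEW (or invalid) get this far. New connections from
#    the Limited clients toward the Protected hosts are dropped and logged.
add chain=forward src-address-list=LimitedClients dst-address-list=ProtectedHosts \
    action=drop log=yes log-prefix=LimitedDrop comment="block limited->protected"
```

To check that the rules are doing work, look at the packet counters with `/ip firewall filter print stats` while a Limited client tries to reach a Protected host, and at the dropped attempts with `/log print where message~"LimitedDrop"`. As the earlier post notes, this matches on IP addresses only, so it limits what a normally configured client can reach; it is not a defence against a device that changes its own address.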

I made the rule: chain=forward src-address-list=ProtectedHosts dst-address-list=LimitedClients action=accept
which I placed before the drop rule, and I cannot get to the address 192.168.20.110 or even ping if the drop rule

ok - go into your router and run this command in a terminal:
/ip firewall filter export compact

copy and paste the results here.

I assume that you did add the IP addresses of the Protected and Limited hosts into the appropriate address lists, and that you did enable "use IP firewall" on your bridge.

add action=accept chain=forward dst-address-list=klienti src-address-list=domov
add action=drop chain=forward dst-address-list=domov log=yes log-prefix=Klienti src-address-list=klienti

Yes, the firewall is turned on and the addresses are as follows:
klienti - 192.168.20.110-192.168.20.114
domov - 192.168.20.4-192.168.20.100

Once I enable the drop rule, I cannot reach the client IP and the pings stop.

Everything works as it should with these rules:

/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward dst-address-list=domov log=yes log-prefix=Klienti src-address-list=klienti