Hi,
I am using an RB750 as my leased-line router, with 192.168.1.1/24.
I want to create an Internet access list that allows only the IP range 192.168.1.1-19.
Please Help!
Hi,
I am using an RB750 as my leased-line router, with 192.168.1.1/24.
I want to create an Internet access list that allows only the IP range 192.168.1.1-19.
Please Help!
There are tons of ways to do that depending on your config: you could set your masquerade rule to only allow traffic from specific computers, you could set up a forward rule to drop traffic from specific computers, etc. Without seeing what your config is, it's hard to tell you what to do. Post your config.
Please see my config below; I did not use firewall or mangle rules…

Post the export instead of a screenshot. I’ll look when I get home
[operator@Lisence] > export
# RouterOS configuration export as pasted into the thread (first part:
# interfaces, default profiles, routing instances, SNMP, logging actions, user groups).
# Long commands are wrapped across lines and the line-continuation markers
# appear to have been lost in the paste, so read this as a listing rather
# than something to re-import as-is.
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes
comment=“” disabled=no forward-delay=15s l2mtu=1524 max-message-age=20s
mtu=1500 name=bridge1 priority=0x8000 protocol-mode=none
transmit-hold-count=6
# Five Ethernet ports, renamed FE0/1 .. FE0/5; master-port=none on FE0/2-FE0/5,
# so no port is slaved to another through the switch chip.
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment=“” disabled=no full-duplex=yes
l2mtu=1526 mac-address=00:0C:42:A1:E9:3A mtu=1500 name=FE0/1 speed=
100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=
“” disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:A1:E9:3B
master-port=none mtu=1500 name=FE0/2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=
“” disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:A1:E9:3C
master-port=none mtu=1500 name=FE0/3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=
“” disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:A1:E9:3D
master-port=none mtu=1500 name=FE0/4 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=
“” disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:A1:E9:3E
master-port=none mtu=1500 name=FE0/5 speed=100Mbps
# IP-in-IP tunnel between 10.20.0.100 (local) and 10.20.0.1 (remote).
# IPIP encapsulation does not encrypt by itself, and no IPsec peer or policy
# section appears in this export, so traffic on Tunnel100 is presumably
# carried in cleartext - confirm.
/interface ipip
add comment=“” disabled=no local-address=10.20.0.100 mtu=1514 name=Tunnel100
remote-address=10.20.0.1
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1
# Default IPsec proposal: SHA1 authentication, 3DES encryption, modp1024 PFS.
# These are legacy algorithms; if IPsec is put into use on this router,
# choose stronger ones where the installed RouterOS version offers them.
/ip ipsec proposal
set default auth-algorithms=sha1 comment=“” disabled=no enc-algorithms=3des
lifetime=30m name=default pfs-group=modp1024
/ppp profile
set default change-tcp-mss=yes comment=“” name=default only-one=default
use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes comment=“” name=default-encryption
only-one=default use-compression=default use-encryption=yes
use-vj-compression=default
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=
5
set default-small kind=pfifo name=default-small pfifo-limit=10
# BGP and OSPF instances exist with every redistribute-* option set to "no";
# no peers, networks or interfaces for them appear in this export.
/routing bgp instance
set default as=65530 client-to-client-reflection=yes comment=“” disabled=no
ignore-as-path-len=no name=default out-filter=“” redistribute-connected=
no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no
redistribute-static=no router-id=0.0.0.0 routing-table=“”
/routing ospf instance
set default comment=“” disabled=no distribute-default=never in-filter=ospf-in
metric-bgp=auto metric-connected=20 metric-default=1 metric-other-ospf=
auto metric-rip=20 metric-static=20 name=default out-filter=ospf-out
redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no
redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing ospf area
set backbone area-id=0.0.0.0 comment=“” disabled=no instance=default name=
backbone type=default
# SNMP is switched off (enabled=no).
/snmp
set contact=“” enabled=no engine-boots=0 engine-id=“” location=“”
time-window=15 trap-sink=0.0.0.0 trap-version=1
# The "public" community allows read access from any address (0.0.0.0/0)
# with security=none. Harmless while SNMP is disabled; rename the community
# and restrict address= before ever enabling SNMP.
/snmp community
set public address=0.0.0.0/0 authentication-password=“”
authentication-protocol=MD5 encryption-password=“” encryption-protocol=
DES name=public read-access=yes security=none write-access=no
# Logging targets. The in-memory buffer keeps 100 lines; the "remote" action
# points at 0.0.0.0:514, i.e. no syslog collector is configured.
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-file-count=2 disk-file-name=log disk-lines-per-file=100
disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote bsd-syslog=no name=remote remote=0.0.0.0:514 src-address=0.0.0.0
syslog-facility=daemon syslog-severity=auto target=remote
/system routerboard settings
set boot-protocol=bootp cpu-frequency=400MHz force-backup-booter=no
set boot-protocol=bootp cpu-frequency=400MHz force-backup-booter=no
# Three user groups (read, write, full). Every policy list includes telnet,
# winbox and web login plus "sensitive"; the policy strings are split across
# lines by the export wrapping ("pass"+"word", "winb"+"ox").
/user group
add comment=“” name=read policy=“local,telnet,ssh,reboot,read,test,winbox,pass
word,web,sniff,sensitive,!ftp,!write,!policy”
add comment=“” name=write policy=“local,telnet,ssh,reboot,read,write,test,winb
ox,password,web,sniff,sensitive,!ftp,!policy”
add comment=“” name=full policy=“local,telnet,ssh,ftp,reboot,read,write,policy
,test,winbox,password,web,sniff,sensitive”
# Second part of the export: bridge membership, VPN servers, IP addressing,
# firewall-related sections, discovery, proxy and the default route.
#
# FE0/1 and FE0/2 are both ports of bridge1. In the /ip address section below
# FE0/1 carries the WAN_interface address and FE0/2 the LAN address, so the
# WAN-side and LAN-side ports share one layer-2 segment.
# NOTE(review): confirm this bridging is intended.
/interface bridge port
add bridge=bridge1 comment=“” disabled=no edge=auto external-fdb=auto
horizon=none interface=FE0/1 path-cost=10 point-to-point=auto priority=
0x80
add bridge=bridge1 comment=“” disabled=no edge=auto external-fdb=auto
horizon=none interface=FE0/2 path-cost=10 point-to-point=auto priority=
0x80
# use-ip-firewall=no: frames bridged between ports of bridge1 are not passed
# through /ip firewall. Any IP filter rule meant to restrict LAN hosts would
# not see traffic that is bridged (rather than routed) between FE0/2 and
# FE0/1 - verify the traffic path before relying on a forward-chain rule.
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=
no
/interface ethernet switch port
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
# The L2TP, OpenVPN and PPTP servers below are all disabled (enabled=no).
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=
default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=
default enabled=no keepalive-timeout=60 mac-address=FE:FD:37:AF:CD:AE
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption
enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
# Addresses: 10.20.0.100/16 on FE0/1 (WAN_interface), 192.168.100.1/24 on
# FE0/2 (LAN), 172.16.100.2/30 on Tunnel100. The LAN here is 192.168.100.0/24,
# whereas the thread's first post speaks of 192.168.1.1/24.
/ip address
add address=10.20.0.100/16 broadcast=10.20.255.255 comment=WAN_interface
disabled=no interface=FE0/1 network=10.20.0.0
add address=192.168.100.1/24 broadcast=192.168.100.255 comment=LAN disabled=
no interface=FE0/2 network=192.168.100.0
add address=172.16.100.2/30 broadcast=172.16.100.3 comment=“Tunnel address”
disabled=no interface=Tunnel100 network=172.16.100.0
/ip dhcp-server config
set store-leases-disk=5m
# allow-remote-requests=no: the router does not answer DNS queries from
# other hosts, so it is not acting as a resolver for the LAN or the WAN side.
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB
max-udp-packet-size=512 primary-dns=0.0.0.0 secondary-dns=0.0.0.0
# Address list "drop_traffic" holds 192.168.100.0/24 and 192.168.0.0/24.
# No /ip firewall filter, nat or mangle section appears in this export, so
# nothing visible here references the list; on its own it blocks nothing.
/ip firewall address-list
add address=192.168.100.0/24 comment=“” disabled=no list=drop_traffic
add address=192.168.0.0/24 comment=“” disabled=no list=drop_traffic
# Connection tracking is enabled; tcp-syncookie=no.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
# All protocol helpers (ftp, tftp, irc, h323, sip, pptp) are enabled;
# helpers that are not needed can be disabled to reduce exposed parsing code.
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
# Neighbor discovery is on for every Ethernet port and bridge1, including
# FE0/1, which holds the WAN_interface address; only Tunnel100 is off.
# Discovery announces the router to that segment - consider discover=no on
# interfaces that face networks you do not manage.
/ip neighbor discovery
set FE0/1 discover=yes
set FE0/2 discover=yes
set FE0/3 discover=yes
set FE0/4 discover=yes
set FE0/5 discover=yes
set Tunnel100 discover=no
set bridge1 discover=yes
# Web proxy is disabled (enabled=no).
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4
cache-on-disk=no enabled=no max-cache-size=none max-client-connections=
600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0
parent-proxy-port=0 port=8080 serialize-connections=no src-address=
0.0.0.0
# Single default route via 10.20.0.1 (the same address as the IPIP tunnel's
# remote end).
/ip route
add comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.20.0.1
scope=30 target-scope=10
# Third part of the export: management services, MPLS/PPP/queue defaults,
# system settings, logging rules and tools.
#
# Management services: telnet, ftp, www and winbox are enabled and accept
# connections from any source (address=0.0.0.0/0); ssh, www-ssl and api are
# disabled. telnet, ftp and www send credentials in cleartext. Since this
# export contains no firewall filter rules, these services are presumably
# reachable on every router address, including 10.20.0.100 on the WAN side.
# Hardening: disable telnet and ftp, enable ssh instead, and set address= to
# the management subnet for the services that stay on.
/ip service
set telnet address=0.0.0.0/0 disabled=no port=23
set ftp address=0.0.0.0/0 disabled=no port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=yes port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
# SOCKS proxy, traffic-flow export and UPnP are all disabled (enabled=no).
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
add comment=“” disabled=no interface=all mpls-mtu=1508
# LDP is disabled (enabled=no).
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no
lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0
use-explicit-null=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set FE0/1 queue=ethernet-default
set FE0/2 queue=ethernet-default
set FE0/3 queue=ethernet-default
set FE0/4 queue=ethernet-default
set FE0/5 queue=ethernet-default
set Tunnel100 queue=default
set bridge1 queue=default
/radius incoming
set accept=no port=3799
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m
gateway-selection=no-gateway origination-interval=5s preferred-gateway=
0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no
redistribute-connected=no redistribute-ospf=no redistribute-static=no
routing-table=main timeout-timer=3m update-timer=30s
/store
add comment=“” disabled=no disk=system name=web-proxy1 type=web-proxy
/system clock
set time-zone-name=Asia/Kolkata
/system clock manual
set dst-delta=+00:00 dst-end=“jan/01/1970 00:00:00” dst-start=
“jan/01/1970 00:00:00” time-zone=+00:00
/system console
add disabled=no term=vt102
/system health
set
/system identity
set name=Lisence
# Logging rules: info, error and warning go to the in-memory buffer and
# critical goes to the console (echo). Nothing is sent to the disk or remote
# actions, so the log does not survive a reboot and is not kept off-box.
/system logging
add action=memory disabled=no prefix=“” topics=info
add action=memory disabled=no prefix=“” topics=error
add action=memory disabled=no prefix=“” topics=warning
add action=echo disabled=no prefix=“” topics=critical
/system note
set note=“” show-at-login=yes
# NTP client is disabled, so log timestamps depend on the locally set clock.
/system ntp client
set enabled=no mode=broadcast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=
0.0.0.0 user=“”
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=
none watchdog-timer=yes
# Bandwidth-test server is enabled (with authentication required);
# disable it if it is not in use.
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=
100
/tool e-mail
set from=<> password=“” server=0.0.0.0:25 username=“”
/tool graphing
set page-refresh=300 store-every=5min
# Interface graphs are viewable from any address (allow-address=0.0.0.0/0),
# served through the www service enabled in /ip service.
/tool graphing interface
add allow-address=0.0.0.0/0 disabled=no interface=all store-on-disk=no
# MAC server (layer-2 MAC-Telnet access) listens on interface=all, which
# includes the WAN-side port FE0/1. Limiting it to the LAN-side interface
# reduces the layer-2 management surface.
/tool mac-server
add disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number=“” channel=0 keep-max-sms=0 receive-enabled=no secret=“”
/tool sniffer
set file-limit=10 file-name=“” filter-address1=0.0.0.0/0:0-65535
filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only filter-stream=
yes interface=all memory-limit=10 memory-scroll=no only-headers=no
streaming-enabled=no streaming-server=0.0.0.0
# Router logins are authenticated locally (use-radius=no).
/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no
[operator@Lisence] > print
Does your configuration work? I’m not sure how you have any Internet access with that configuration, since there is no NAT and those are private IPs.
yes working fine…
I want to allow only 192.168.100.1-20/24 to access the Internet, and not the rest.
Is there any way to block the rest of the LAN IPs from accessing the Internet?