IP Firewall

julianhaines · August 13, 2018, 12:57pm

Hi,

I am trying to block 192.168.207.0/24 on ether6 from accessing eth1 on a Mikrotik for security,

I have tried adding firewall rules to drop from a source address 192.168.207.0 going to the address I want to block but this is not working see attached image.

What I want is any 192.168.207.0/24 address coming from ether6 to not be able to get to anything on ether1

Thanks for your help, I am new to Mikrotik.

Julian

Anumrak · August 13, 2018, 1:13pm

You should set drop rule in input chain to exacly interface:

ip firewall filter add
action=drop chain=input in-interface=ether1 src-address=192.168.207.0/24

or ether6, as you want.

julianhaines · August 13, 2018, 1:19pm

Hi,

Tried but get the error in the attached image.

Julian

szt · August 13, 2018, 6:48pm

You should use “forward” chain instead of “input” chain.

“Input” chain is linked only to packets which are terminated on your Mikrotik.
“Forward” chain is linked to packets which goes through your Mikrotik.

Or, from a different point of view, your intention is to filter packets which are forwarded from ether6 to ether1.

julianhaines · August 14, 2018, 9:47am

Hi,

Thanks, I have created a firewall rule to drop any traffic coming in from ether6 src address 192.168.207.0/24 and going to ether1 but it’s not working.

From a test laptop on ether6, I can still ping devices on ether1
What am I doing wrong?

Julian

julianhaines · August 14, 2018, 9:56am

Hi,

I think I have found the problem, the gateway for the clients is 192.168.204.0 if I block this it’s working.

How do I block based on the device IP 192.168.207.0/24, not the gateway?

Julian

mkx · August 14, 2018, 1:31pm

Settings on PC shown are weird: PC’s address is 192.168.207.210 with network mask 255.255.255.0 … generally it can not directly connect to any host which IP falls out of range 192.168.207.1-192.168.207.254 and should use gateway (default if a more specific is not defined) to reach other hosts. Now comes the weird part: gateway set on your PC has IP address 192.168.204.4 which is outside of directly connectable IP addresses (according to network mask).
Makes me wonder how can it work at all.

You need to fix your IP (sub)network. Either adjust subnet mask to cover both PCs IP address and gateway address or set proper gateway address (as served by DHCP server 192.168.207.254). My guess is that DHCP server is supposed to act as gateway for that particular subnet. But then it’s just a wild guess as you never showed us any network chart nor settings.