Hello guys
I have this scenario & hope you can help me figure it out
1 printer Xerox AIO: 192.168.1.20 \ is available for all users and has a web interface enabled (to configure accounts & advanced settings, etc.)
2 printer HP color: 192.168.1.21 \ is available only for the CEO and has a web interface enabled (to configure settings, & has no accounts)
3 my pc 192.168.1.10
need
1- only I can access the Xerox AIO web page for administration, because non-admin users can still use the web page for critical operations (e.g. restart the machine or even create users) & of course all users still have access to its IP to print to it
2- only me & the CEO can have access to his printer; we don’t need any user to find it on the network and print to it even by mistake
Is this possible? If yes, please provide detailed steps/codes
any help is appreciated
This is not on the same broadcast network. You have to give the device an IP address in a different subnet block, so that the packets pass through the firewall.
It’s easy, Mahmood.
Just in Firewall -> Filter
drop all packets to your Xerox AIO except those with your src-address and dst-port of 80. This way clients can’t access your web config and can still print.
And for your HP color, create a rule in your firewall which drops everything except yourself and your CEO.
This is correct. You cannot block traffic which will not pass through the Mikrotik.
When users are on the network 192.168.1.x, their computers will communicate directly with the printers because their IP addresses are in the same network. They will just use ARP to find the MAC address of the printers, and happily communicate directly with each other via MAC address only.
Either you need to configure the printers to only allow management from certain addresses, or else you need to create a new printers network (192.168.2.x) and change the IP addresses of the printers. Once you do that, you can create filter rules - for instance, to block web access to printer 192.168.2.20:
/ip firewall filter add chain=forward protocol=tcp dst-port=80 dst-address=192.168.2.20 src-address=!192.168.1.10 action=drop
I know this info, that all devices on the same network can communicate without a router, & I was searching for whether there is a man-in-the-middle solution to save the day. But it seems that I have to reconfigure all printers (10) to be connected to another network & accordingly reconfigure all users (70) & input all IPs manually so they can discover their printers.
But now, many thanks to you & Mr. Zerobyte, the problem should be solved & I will post this on the forum.
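Added example, not part of the original posts: a small Python model of the point made in the replies above, that a forward-chain rule only applies to traffic that is actually routed. It parses the filter rule quoted in the thread and reports whether a flow bypasses the router, is dropped, or is accepted; the user address 192.168.1.55, the /24 prefix, TCP port 9100 for printing and the accept fallthrough when no rule matches are assumptions.

```python
import ipaddress

# Filter rule quoted from the thread (printer moved to 192.168.2.20).
RULE = ("/ip firewall filter add chain=forward protocol=tcp dst-port=80 "
        "dst-address=192.168.2.20 src-address=!192.168.1.10 action=drop")


def parse_rule(line):
    """Collect the key=value matchers of one filter rule into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def addr_matches(spec, ip):
    """Address matcher in the rule's notation; a leading '!' negates it."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def on_link(src, dst, prefix=24):
    """True when both hosts share a subnet: the client resolves the target
    with ARP and the frames never enter the router's forward chain."""
    net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    return ipaddress.ip_address(dst) in net


def verdict(rule, src, dst, proto, dport, prefix=24):
    """Return 'bypass' (router never sees the flow), 'drop' or 'accept'."""
    if on_link(src, dst, prefix):
        return "bypass"
    r = parse_rule(rule)
    hit = (r.get("protocol", proto) == proto
           and str(dport) in r.get("dst-port", str(dport)).split(",")
           and addr_matches(r.get("dst-address", "0.0.0.0/0"), dst)
           and addr_matches(r.get("src-address", "0.0.0.0/0"), src))
    # Assumption: no other rules exist, so an unmatched flow is accepted.
    return r["action"] if hit else "accept"


if __name__ == "__main__":
    user, admin = "192.168.1.55", "192.168.1.10"   # user address is constructed
    flows = [(user, "192.168.1.20", 80),    # original layout, same subnet
             (user, "192.168.2.20", 80),    # after the move: web admin
             (admin, "192.168.2.20", 80),   # admin PC keeps web access
             (user, "192.168.2.20", 9100)]  # printing (assumed port)
    for src, dst, port in flows:
        print(f"{src} -> {dst}:{port}  {verdict(RULE, src, dst, 'tcp', port)}")
```

Checking port 443 against the same rule returns accept, so if the printer's web interface also answers over HTTPS the rule needs that port as well.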