What is the best way to isolate an IP on wired or wireless network?
The goal is for that IP to be able to connect to the outside world/internet but nothing on the LAN.
The easiest (and most consistent) way: isolate it in a separate subnet that is only routed to the internet.
Specifically, here is the most basic way.
/ip firewall filter
add action=accept chain=forward src-address={your IP here} out-interface={your outbound interface} comment="This allows your isolated IP to talk to the Internet interface, thereby allowing web traffic"
add action=drop chain=forward src-address={your IP here} dst-address=0.0.0.0/0 comment="This will drop any other traffic, thereby isolating your device"
As long as the accept rule is first, it will match all internet traffic. But this is a bit of a blunt instrument. It will not catch any unwanted traffic or broadcasts from the same subnet. If you can, subnet your network in such a way that devices you want to isolate can be completely separate.
Thank you for your fast replies!
I’ve tried the exact firewall rules mentioned above but something is still wrong, I can still reach other devices on LAN from the IP I’m trying to isolate.
I’ve tried moving the rules to different positions in the firewall, no effect.
I hope I’ll have some more time at the weekend to try a different subnet as well. However, with the new subnet, how can I be sure that the specific subnet is not assigned to other devices? (I must use DHCP.) Actually, I can assign a specific address from that different subnet to the MAC address of the device I want to isolate.
With the firewall's forward chain one can only limit forwarded traffic => traffic between subnets.
Within one subnet, the traffic will not go through the forward table.
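The approach the thread converges on (a separate subnet for the device, a DHCP static lease bound to its MAC, and forward-chain rules that only let it reach the WAN) written out as one RouterOS configuration. This is an added example, not the poster's configuration or anything from the thread: ether1 as the WAN port, bridge as the existing LAN (192.168.88.0/24), ether5 as a dedicated port for the isolated host, the 192.168.99.0/24 subnet and the MAC address are all assumed placeholders.

```routeros
# Added example, not from the thread. Assumed names: ether1 = WAN, bridge = LAN
# (192.168.88.0/24), ether5 = dedicated port for the isolated host.
# Because the host sits on its own subnet, every packet it sends must be routed,
# so every packet passes the forward (or input) chain and can be filtered.

# 1. Take ether5 out of the LAN bridge and give it its own L3 subnet
/interface bridge port remove [find interface=ether5]
/ip address
add address=192.168.99.1/24 interface=ether5

# 2. A DHCP server that only listens on ether5: LAN clients on the bridge can
#    never obtain a 192.168.99.x address, and the static lease pins the one
#    address to the isolated device's MAC (placeholder value below).
/ip pool
add name=pool-isolated ranges=192.168.99.10-192.168.99.20
/ip dhcp-server
add name=dhcp-isolated interface=ether5 address-pool=pool-isolated
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1 dns-server=192.168.99.1
/ip dhcp-server lease
add address=192.168.99.10 mac-address=AA:BB:CC:DD:EE:FF server=dhcp-isolated comment="isolated host (placeholder MAC)"
/ip dns
set allow-remote-requests=yes

# 3. Forward chain: the isolated subnet may only talk to the WAN interface.
#    Order matters: the accept to ether1 must come before the catch-all drop,
#    and both must sit above any general "accept LAN" rule in an existing ruleset.
/ip firewall filter
add chain=forward in-interface=ether5 out-interface=ether1 action=accept comment="isolated -> Internet"
add chain=forward in-interface=ether5 action=drop comment="isolated -> any other subnet (LAN)"
add chain=forward out-interface=ether5 connection-state=established,related action=accept comment="replies back to the isolated host"
add chain=forward out-interface=ether5 action=drop comment="LAN -> isolated host (new connections)"

# 4. Input chain: the host may use only DHCP and DNS on the router itself
add chain=input in-interface=ether5 protocol=udp dst-port=53,67 action=accept comment="isolated: DHCP/DNS to router"
add chain=input in-interface=ether5 action=drop comment="isolated: no other access to the router"

# 5. NAT so the new subnet reaches the Internet (skip if a masquerade rule already exists)
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
```

On a router that already has a ruleset, append these rules and then use `/ip firewall filter move` (or `place-before=` on each `add`) so the ether5 rules sit above any rule that accepts traffic between LAN interfaces. For a wireless device the same layout applies with a separate SSID (a virtual AP interface) in place of ether5: the point is that the isolated host shares no L2 segment with the LAN, which is exactly why the original single-subnet rules never saw its LAN-bound traffic.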
This worked, all good.
Thank you for your help!