Isolate specific LAN user, possible or not?

Hello there,

I will try to explain the situation as best I can.
I am no expert, so I am writing here in the hope that someone can actually help me with this.

In my setup I have a “main” Mikrotik router with a static (WAN) IP address.
Around ten remote Mikrotik routers are connected to the main one with EoIP tunnels and OVPN.
All these EoIP connections are bridged together into one big LAN network.

Behind each Mikrotik router is a Linux server, and I use the techniques described above to connect them all together in one LAN network.

However, I have a PPTP connection from a user who needs to access one server inside the LAN network, and I need to isolate him from the others.

LAN network: 10.1.1.1/8
The PPTP user uses the static local IP address 10.30.0.1.
The server he needs to communicate with has the IP address 10.1.70.1.

I need to allow the PPTP user to access the IP address of this single server (10.1.70.1) and isolate him from all other IP addresses within the LAN network…

How can I achieve that?

Thank you!

Artec -
I would probably use the /ip firewall nat feature, specifically dst-nat. Simply dst-nat: chain=dstnat action=dst-nat src-address=10.30.0.1 to-addresses=10.1.70.1. This rule will only allow him to access 10.1.70.1, no matter what IP address he puts in…

Now, if this user also accesses the Internet through your main router, you will have to do a little more, like this rule first to get him onto the Internet but not your internal network…
chain=srcnat action=masquerade src-address=10.30.0.1 dst-address=!10.0.0.0/8 out-interface=(your Internet interface)

This should get you going in the right direction anyway.

Thom
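The following is an added example, not part of Thom's reply or the original thread. It isolates the PPTP user with filter rules in the forward chain rather than relying on NAT alone, so the restriction holds even for destinations the dst-nat rule does not rewrite, and it adds Thom's masquerade rule in RouterOS syntax. It assumes the addresses from the question (user 10.30.0.1, permitted server 10.1.70.1, bridged LAN 10.0.0.0/8) and that the Internet-facing interface is named ether1 (an assumption; substitute your own). Because the PPTP interface is routed rather than bridged, traffic between the user and the EoIP-bridged LAN passes through the forward chain, which is what these rules filter.

```routeros
# Added example, not from the original thread.
# Assumptions: PPTP user = 10.30.0.1, allowed server = 10.1.70.1,
# bridged LAN = 10.0.0.0/8, Internet interface = ether1.

/ip firewall address-list
add list=pptp-restricted address=10.30.0.1 comment="isolated PPTP user"
add list=pptp-allowed-servers address=10.1.70.1 comment="only LAN host the user may reach"

/ip firewall filter
# Rule order matters: accept before the drop, and keep these above any
# general "accept from LAN" rule you may already have in the forward chain.

# Let replies flow for connections that were already permitted
add chain=forward src-address-list=pptp-restricted \
    connection-state=established,related action=accept \
    comment="pptp user: replies to permitted connections"
add chain=forward dst-address-list=pptp-restricted \
    connection-state=established,related action=accept \
    comment="pptp user: replies from the permitted server"

# New connections from the user are allowed only toward the permitted server
add chain=forward src-address-list=pptp-restricted \
    dst-address-list=pptp-allowed-servers connection-state=new action=accept \
    comment="pptp user -> 10.1.70.1 only"

# Anything else the user sends into the LAN is dropped and logged
add chain=forward src-address-list=pptp-restricted dst-address=10.0.0.0/8 \
    action=drop log=yes log-prefix="pptp-isolation" \
    comment="pptp user: block rest of LAN"

# Do not let other LAN hosts initiate connections to the user either
add chain=forward src-address=10.0.0.0/8 src-address-list=!pptp-allowed-servers \
    dst-address-list=pptp-restricted connection-state=new action=drop \
    comment="LAN -> pptp user: only the permitted server may initiate"

/ip firewall nat
# Internet access for the user, but never NAT toward the internal 10.0.0.0/8
add chain=srcnat src-address-list=pptp-restricted dst-address=!10.0.0.0/8 \
    out-interface=ether1 action=masquerade \
    comment="pptp user: Internet via ether1, not LAN"
```

To check the result from the router, print the counters with `/ip firewall filter print stats` while the user connects to 10.1.70.1 and then to some other LAN address: the accept rule's packet count should rise for the first attempt and the drop rule's count, plus a `pptp-isolation` entry in `/log print`, for the second. If the router already has an `accept` rule in the forward chain that matches all traffic from the LAN or from the PPTP interface, move these rules above it with `/ip firewall filter move`, since the first matching rule wins.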