Hi, I am new, and already have a bunch of questions.
So here it is.
How do I isolate two network interfaces, so only one is the “admin” interface and the other is just for the internet? Let’s say I assign IP 10.8.8.1 to eth2 and set up DHCP.
Similarly, I assign IP 10.8.7.1 to eth3 and set up DHCP (so each DHCP with proper pool, network). I connect one computer to eth2 and one to eth3. Right now, both have access to the internet, and to each other (router dynamically adds route), if I for example know their IP and perform an iperf test.
Now I want eth3 to be just for the internet.
So I created a firewall rule:
```
chain=forward
in. interface=eth3
out. interface=!eth1_gateway (my wan)
action=drop
```
So far so good. I have access to the internet from eth3. I can’t reach computers on the 10.8.8.0 network, BUT I can access WebFig (and I don’t want that, because eth3 will carry public internet), which is on 10.8.8.1 AND 10.8.7.1 (btw, why is WebFig on every interface?).
So I created another rule (ip/firewall/filter):
```
chain=input
in. interface=eth3
action=drop
```
But this also prevents access to the internet. I know that WebFig can be “controlled” from /ip/services, but I also want to prevent all input traffic to the router, so I can be sure no one can access not just WebFig, but any other “input point”. Yeah, I know how to complicate things.
I have ROS 6.11 and RB2011UiAS-2HnD-IN.
Any help would be appreciated!
P.S.: I am sorry if this sort of question was already addressed. I searched for a similar topic but with no luck.
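
One way to order the filter rules for the setup described in the post, as an added example (not the poster's configuration). It assumes the eth3 clients send their DNS queries to the router at 10.8.7.1, which a blanket input drop also discards and which then looks like lost internet access; interface names are taken from the post, and the rule order and comments are illustrative.

```routeros
/ip firewall filter

# Traffic addressed to any of the router's own IPs (10.8.7.1, 10.8.8.1, ...)
# is handled by the input chain, not forward. That is why the forward rule
# alone still leaves WebFig reachable from eth3.

# Replies to connections the router itself opened.
add chain=input in-interface=eth3 connection-state=established action=accept \
    comment="eth3: replies to router-originated traffic"
add chain=input in-interface=eth3 connection-state=related action=accept \
    comment="eth3: related traffic"

# Assumption: eth3 clients use the router as their DNS resolver.
add chain=input in-interface=eth3 protocol=udp dst-port=53 action=accept \
    comment="eth3: DNS over UDP to the router"
add chain=input in-interface=eth3 protocol=tcp dst-port=53 action=accept \
    comment="eth3: DNS over TCP to the router"

# DHCP requests to the server bound to eth3.
add chain=input in-interface=eth3 protocol=udp dst-port=67 action=accept \
    comment="eth3: DHCP"

# Everything else sent to the router from eth3 (WebFig, Winbox, SSH, ...).
add chain=input in-interface=eth3 action=drop \
    comment="eth3: no other access to the router"

# Forward rule from the post: eth3 may only be routed out of the WAN port.
add chain=forward in-interface=eth3 out-interface=!eth1_gateway action=drop \
    comment="eth3: internet only"
```

If the eth3 DHCP network hands out an external resolver instead, the two port 53 rules can be left out.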