Mikrotik behind router with no access to WAN's fileserver

Hello,

I have added a Mikrotik Hap Lite to my network, which after that I want to be a separate LAN for security reasons.
I mean, clients on mikrotik can have access to internet ( from ETH1-WAN - 193.30.80.133 ) but no access to lan of ETH1-WAN (193.30.80.1/24).



What is the setup for this concept?
How can 10.0.0.2/24 have internet but no viewing 193.30.80.1/24 except 193.30.80.133 which is the router??

Thank you in advance,
Bob

Assuming you left the RB at fairly default config, a pair of simple firewall rules should suffice. A pair for simpler setup, I’m sure a complex single rule would do as well:

/ip firewall filter
add chain=forward action=accept dst-address=193.30.80.133/32
add chain=forward action=drop dst-address=193.30.80.0/24

Both rules can be placed at the end of default firewall rule list (which implicitly allows any packet which skips all the rules).

The first rule above is only needed if you actually want MT clients to have access to the main router itself … when MT clients are connecting internet servers, dst-address will be internet IP, router's address won’t be specified anywhere. So in this case only second (action=drop) rule would do the trick.
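The effect of the two rules and their order, as an added example that is not part of the original posts: a small first-match evaluator for the forward chain. It models only dst-address matching and the accept-by-default fall-through; the sample destinations 203.0.113.10 and 193.30.80.50 are constructed, and the function names are hypothetical.

```python
import ipaddress

# Rules from the post. RouterOS filter chains are evaluated top-down and the
# first matching rule decides the packet.
ACCEPT_ROUTER = ("accept", ipaddress.ip_network("193.30.80.133/32"))
DROP_WAN_LAN = ("drop", ipaddress.ip_network("193.30.80.0/24"))


def forward_verdict(rules, dst):
    """Return the action of the first rule whose dst-address contains dst.

    A packet matching no rule falls off the end of the chain and is
    accepted, which is the implicit behaviour the post mentions.
    """
    dst_ip = ipaddress.ip_address(dst)
    for action, network in rules:
        if dst_ip in network:
            return action
    return "accept"


# Constructed destinations for packets sent by client 10.0.0.2. The IP header
# carries the final destination; the gateway 193.30.80.133 is only the next
# hop, so it does not appear as dst-address on internet-bound traffic.
SAMPLE_DESTINATIONS = {
    "internet server": "203.0.113.10",
    "host on WAN-side LAN": "193.30.80.50",
    "main router itself": "193.30.80.133",
}


def evaluate(rules):
    """Map each sample destination to the verdict the rule list gives it."""
    return {name: forward_verdict(rules, dst)
            for name, dst in SAMPLE_DESTINATIONS.items()}


if __name__ == "__main__":
    cases = (("drop rule only", [DROP_WAN_LAN]),
             ("accept, then drop", [ACCEPT_ROUTER, DROP_WAN_LAN]),
             ("drop, then accept (wrong order)", [DROP_WAN_LAN, ACCEPT_ROUTER]))
    for label, rules in cases:
        print(label)
        for name, verdict in evaluate(rules).items():
            print(f"  {name:22s} -> {verdict}")
```

With the drop rule placed first, the accept rule for 193.30.80.133 is never reached, so the pair only works in the order given in the post.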

You are right, mkx!!!

It is working perfectly with the drop rule only,
although I can’t get how this can be working.

DHCP Client has IP 193.30.80.XXX/32
DHCP Server is configured as 10.0.0.0/24
The drop rule is for 193.30.80.0/24

You said “when MT clients are connecting internet servers, dst-address will be internet IP, router's address won’t be specified anywhere”.

I lack the knowledge to understand that…
I hope I don’t bother you.
Thank you in advance
Bob