Mikrotik Firewall Issue

Hi guys!

I have an issue.
I would like to block internet access for a PC by MAC-Address and only allow the SMTP ports (993, 465) for sending and receiving emails.

I have the following firewall configuration:

0 ;;; Only 993,465
chain=forward action=accept connection-state=established,related
protocol=tcp dst-address=0.0.0.0/0 src-port=993,465
src-mac-address=A4:1F:72:7B:34:18 log=no log-prefix=""

1 ;;;Ping
chain=forward action=accept protocol=icmp dst-address=0.0.0.0/0
src-mac-address=A4:1F:72:7B:34:18 log=no log-prefix=""

2 ;;; Drop all for A4:1F:72:7B:34:18
chain=forward action=drop dst-address=0.0.0.0/0
src-mac-address=A4:1F:72:7B:34:18 log=no log-prefix=""

Ping works but the mail doesn’t.

What am I missing?

Thanks!

You want dst-port=993,465, not src-port. And also drop connection-state from the first rule.

Very well done apprentice SOB :wink:, I noticed the src vice dest error but drats I missed the connection state error!!

You’re slipping, master anav. You also forgot to mention that this is a very nice example where a jump can be used to make things more clear and efficient.

Instead of repeated checks for MAC address, where packets from other devices have to be checked against all three rules:

/ip firewall filter
add chain=forward src-mac-address=A4:1F:72:7B:34:18 protocol=tcp dst-port=993,465 action=accept 
add chain=forward src-mac-address=A4:1F:72:7B:34:18 protocol=icmp action=accept
add chain=forward src-mac-address=A4:1F:72:7B:34:18 action=drop

You can do:

/ip firewall filter
add chain=forward src-mac-address=A4:1F:72:7B:34:18 action=jump jump-target=pc-out
add chain=pc-out protocol=tcp dst-port=993,465 action=accept 
add chain=pc-out protocol=icmp action=accept
add chain=pc-out action=drop

So basically (sob for short) :wink:

When a packet arrives at the jump rule and it's not associated with that particular MAC address, it skips the container with jumped MAC rules and goes straight to the next filter rule.
Kewlios!!!

Thank you guys!
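
The rule sets from this thread, replayed in a toy first-match evaluator. This is an added example, not part of any post and not RouterOS code. The rule dictionaries mirror the posted rules; the packets, the second MAC address and the function names are constructed for illustration. A verdict of None means no rule in the chain decided the packet.

```python
# Added example: toy model of first-match filter evaluation, not RouterOS code.
PC = "A4:1F:72:7B:34:18"
MAIL, EST = {993, 465}, {"established", "related"}

def matches(rule, pkt):
    """A rule matches only if every matcher it sets agrees with the packet."""
    conds = {k: v for k, v in rule.items() if k not in ("action", "jump-target")}
    return all(pkt.get(k) in v if isinstance(v, set) else pkt.get(k) == v
               for k, v in conds.items())

def evaluate(chains, pkt, chain="forward"):
    """Return (verdict, rules_checked); verdict None means no rule decided."""
    checked = 0
    for rule in chains[chain]:
        checked += 1
        if not matches(rule, pkt):
            continue
        if rule["action"] != "jump":
            return rule["action"], checked
        verdict, n = evaluate(chains, pkt, rule["jump-target"])
        checked += n
        if verdict is not None:
            return verdict, checked   # otherwise fall back to the calling chain
    return None, checked

def pc_rules(first, mac=True):
    """The three per-PC rules; `first` holds the mail rule's matchers."""
    rules = [dict(first, protocol="tcp", action="accept"),
             {"protocol": "icmp", "action": "accept"},
             {"action": "drop"}]
    return [{**r, "src-mac-address": PC} if mac else r for r in rules]

# original = as posted; half_fixed = dst-port corrected, connection-state kept.
RULESETS = {
    "original": {"forward": pc_rules({"src-port": MAIL, "connection-state": EST})},
    "half_fixed": {"forward": pc_rules({"dst-port": MAIL, "connection-state": EST})},
    "flat": {"forward": pc_rules({"dst-port": MAIL})},
    "jump": {"forward": [{"src-mac-address": PC, "action": "jump", "jump-target": "pc-out"}],
             "pc-out": pc_rules({"dst-port": MAIL}, mac=False)},
}
# Constructed packets: first packet of a mail connection (state "new"), another device.
syn = {"src-mac-address": PC, "protocol": "tcp", "src-port": 50000,
       "dst-port": 993, "connection-state": "new"}
other = {**syn, "src-mac-address": "02:00:00:00:00:01", "dst-port": 443}
if __name__ == "__main__":
    for name, chains in RULESETS.items():
        print(name, "PC->993:", evaluate(chains, syn), "other:", evaluate(chains, other))
```

The second number in each result is how many rules the packet was compared against: for the other device it is 3 with the flat rules and 1 with the jump.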