I have a device on my LAN that I want to allow out to WAN but only to 1 specific IP address. Otherwise I want to block it from any/all outbound communication. At the bottom of my current rules I have a rule that allows traffic out from LAN to WAN and then the one after it drops all else.
I am thinking that the way to do this would be to create 2 rules:
- A rule that allows the IP (static) of that device to the WAN IP address that I want to allow
- A second rule right under it that blocks all outbound from that device IP to WAN.
And I'm guessing that I would need to put both of these rules before my LAN to WAN allow rule that I already have. Am I right?
Exactly. What you have described will work well.
Two notes.
You could do it with a single drop rule, where the logic would be src-address=device-ip, dst-address=!allowed-target and out-interface-list=WAN. Not saying it's any better - you should use rules that you find logical, not necessarily the minimum number of them. I wrote this mainly to illustrate that there never is one correct way to configure the firewall.
My second suggestion would be to make the allowed destination addresses an address list. With time, there may be more than one, and adding them to an address list is much nicer than adding individual rules. Also, in Mikrotik-land you can add DNS names to address lists, and the resolved IPs are automatically added and kept up to date.
EDIT: Additionally, you might want to look into whether whatever you're trying to restrict needs any hard-coded external DNS or NTP. It isn't unusual to blanket allow UDP and TCP port 53 and UDP 123 for this reason.
Also, it'd be a good idea to enable logging for your drop rule, at least for a while. In the off chance that this device is a "thing", take care to observe it while booting. Often they need other things when starting up than when just running.
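The following is an added RouterOS CLI example, not configuration posted by anyone in the thread. It puts the reply's suggestions together: an address list for the allowed destinations (including a DNS-name entry), an accept rule for the device to that list, the optional DNS/NTP allowances, and a logged drop for everything else from the device, all inserted ahead of the existing general LAN-to-WAN accept. The device address 192.168.88.50, the destination 203.0.113.10, the hostname ntp.example.com, the list name `dev-allowed`, and the comment `allow LAN to WAN` on the existing accept rule are all assumptions; the interface list `WAN` is taken from the reply.

```routeros
# Added example (not from the thread). Assumed values: device 192.168.88.50,
# allowed destination 203.0.113.10, list "dev-allowed", and an existing
# general LAN->WAN accept rule carrying the comment "allow LAN to WAN".

# 1. Allowed destinations live in an address list. A DNS-name entry is
#    resolved by the router and its addresses are refreshed automatically.
/ip firewall address-list
add list=dev-allowed address=203.0.113.10 comment="device: allowed endpoint (constructed)"
add list=dev-allowed address=ntp.example.com comment="device: NTP by DNS name (constructed)"

# 2. Device-specific rules, each placed before the general LAN->WAN accept so
#    they match first (filter rules are evaluated top to bottom). Inserting
#    each one before the same rule keeps their relative order: accept, accept,
#    accept, then drop.
/ip firewall filter
add chain=forward src-address=192.168.88.50 dst-address-list=dev-allowed \
    out-interface-list=WAN action=accept comment="device: allowed destinations" \
    place-before=[find comment="allow LAN to WAN"]
# Optional: hard-coded DNS/NTP the device may rely on (see the EDIT above).
add chain=forward src-address=192.168.88.50 protocol=udp dst-port=53,123 \
    out-interface-list=WAN action=accept comment="device: DNS/NTP over UDP" \
    place-before=[find comment="allow LAN to WAN"]
add chain=forward src-address=192.168.88.50 protocol=tcp dst-port=53 \
    out-interface-list=WAN action=accept comment="device: DNS over TCP" \
    place-before=[find comment="allow LAN to WAN"]
# Everything else from the device towards WAN is dropped and logged, so the
# extra traffic a "thing" generates at boot can be observed before deciding
# whether to allow it.
add chain=forward src-address=192.168.88.50 out-interface-list=WAN \
    action=drop log=yes log-prefix="dev-drop" comment="device: drop other WAN" \
    place-before=[find comment="allow LAN to WAN"]

# Single-rule variant from the first note (replaces the accept + drop pair,
# but not the DNS/NTP accepts): drop anything from the device that is NOT
# going to an address on the list.
# add chain=forward src-address=192.168.88.50 dst-address-list=!dev-allowed \
#     out-interface-list=WAN action=drop log=yes log-prefix="dev-drop"

# 3. Review the dropped traffic, e.g. while the device is booting.
/log print where message~"dev-drop"
```

The `place-before=[find comment=...]` form assumes exactly one rule carries that comment; if the existing accept rule has no comment, `/ip firewall filter print` shows the rule numbers and `place-before=<number>` works the same way. Once the log shows what the device actually needs at boot and in steady state, the destinations can be added to `dev-allowed` rather than as further rules.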