Hi, I would like to know how to block everything on my network except specific IP addresses (192.168.88.10 to 192.168.88.20). I'm a real beginner on networking, I bought a RB2011UiAS-IN, and I'm using Winbox. Thanks for the help!!!
Hi,
You can do it like this:
Create an address list with all the allowed addresses.
Then create an accept rule with the address list.
/ip firewall filter add chain=forward src-address-list=[YourList] action=accept
Then add a block rule
/ip firewall filter add chain=forward action=drop
Make sure that the accept rule is on the top.
All the IPs in the address list will be accepted and the rest will be dropped.
Thanks for the info, but where do I put this in Winbox?
Can I add my address list like 192.168.88.10-192.168.88.20, or do I need to write each IP address one by one? Thanks.
For an address list, I’d say add them one by one - I don’t think Mikrotik’s implementation supports ranges.
If you really want to keep things tight, you could define your range as a CIDR range, e.g.
192.168.88.32/28
This means 192.168.88.32-47.
(remember that round numbers to humans and round numbers to routers aren’t the same thing)
However, if you’re new to routing, I’d recommend just adding the 11 IPs of your range as individual entries in an address list as recommended by p3rad0x. The address-list is designed for fast lookups so it shouldn’t hurt your performance to have 11 IP addresses in the list.
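The two ways of building the list discussed above (individual entries vs. a CIDR block) can be checked with Python's standard ipaddress module. This is an added example, not code from the thread; the command format it emits copies the `/ip firewall address-list add address=... list=...` syntax that appears later in the thread, and the list name ALLOW is an assumption.

```python
import ipaddress


def address_list_commands(first, last, list_name):
    """Emit one RouterOS address-list 'add' line per host in first..last (inclusive).

    This is the 'add them one by one' approach: 192.168.88.10-20 yields 11 lines.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [
        f"add address={ipaddress.ip_address(int(lo) + i)} list={list_name}"
        for i in range(int(hi) - int(lo) + 1)
    ]


def cidr_bounds(cidr):
    """Return (first host, last host) covered by a CIDR block such as 192.168.88.32/28."""
    net = ipaddress.ip_network(cidr)  # strict: network address must be aligned
    return str(net[0]), str(net[-1])


def is_aligned(cidr):
    """True if the block is a 'round number to the router', i.e. no host bits are set."""
    try:
        ipaddress.ip_network(cidr)
        return True
    except ValueError:
        return False


def cidr_blocks(first, last):
    """Smallest set of CIDR blocks that exactly covers first..last.

    Shows why .10-.20 is not one block: it needs four prefixes.
    """
    return [
        str(n)
        for n in ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)
        )
    ]


if __name__ == "__main__":
    print("\n".join(address_list_commands("192.168.88.10", "192.168.88.20", "ALLOW")))
    print(cidr_bounds("192.168.88.32/28"))          # ('192.168.88.32', '192.168.88.47')
    print(is_aligned("192.168.88.10/28"))            # False: 10 is not a multiple of 16
    print(cidr_blocks("192.168.88.10", "192.168.88.20"))
```

The script pasted into the Winbox terminal would be the printed `add` lines preceded by `/ip firewall address-list`. The `is_aligned` check is the "round numbers to humans vs. round numbers to routers" point: 192.168.88.10/28 is rejected because .10 is not on a 16-address boundary.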
OK, thanks, but where in Winbox can I add this list? To make it easier for me, could you post a screenshot? Very much appreciated.
OK, thanks, really appreciated, but where can I add the code sent by p3radox in the first post? Is it needed or not? Thanks again.
You definitely need p3radox’s code. The address list by itself is just a list that sits there and does nothing.
Just switch the firewall window over to the filter tab and add rules, setting the fields from p3radox’s suggestions.
You can make the filter rules window filter the view to show only the ‘forward’ chain by clicking the drop-down selector at the top-right corner of the window. This makes it easier to view just one chain at a time and focus on that chain’s rules and behavior.
As he stated, be sure that your new rules come in the suggested order, and if there is a default “Drop everything” rule in the forward chain, you can move it after your two new rules by dragging it down to the bottom and dropping it there.
Thanks for your help and time, tomorrow I’ll try and I’ll give a follow up, bye
I did everything you said, but now I am stuck on p3radox's instructions. I understand the explanation to create the rule: I go to the Firewall tab, and then the Filter Rules tab, that's OK, but in the src address field I can write only one IP address. Do I have to repeat this procedure for all my IP addresses, i.e. as many drop rules as addresses, or only once? Thanks again.
There are already rules that were added by the router; what do I do with them?
I have some doubts about your recommendation... Using an allow rule with the default firewall configuration: if a packet outside of his preferred range hits the allow rule and does not match, it will go down and eventually hit the default "allow new connections" forward rule that will pass the packet. I think he needs the first rule to be "deny forward if not from that address list". When a packet hits a deny rule it will no longer be processed by other rules. Am I right?
Sent from my LG-H960 using Tapatalk
Ampm57 - please visit my blog at blog.codexploit.si and read some basics there. I was new to MikroTik and it was confusing even with my background. Load Winbox for config. I'm a bit busy now so I will come back to help as soon as I can.
But I didn’t recommend that. I merely commented on the address list behavior and how it works, and gave a screenshot of how to create an address list…
Your new rule to allow the address list should come right before the current rule 7.
The address-list is in the Advanced tab of the rule's configuration. If you use the source address field in the General tab, it requires you to specify a single address / address prefix only. The address list you created from my previous example is used in the Advanced tab "Src. Address List" field.
It’s easiest to manipulate rule order in Winbox, as CodeXploit suggested. In Winbox, after you add the rule to allow source-address-list=ADDRESS_LIST (whatever you named it), then simply drag it up above the final “drop everything” rule in the firewall forward filter chain.
There are already rules that were added by the router itself; what do I do with them? See pic! Erase or not? Thanks.
When I say this:
That means to leave everything in place and add one more rule, and insert it right before the one that your screenshot shows as rule #7.
(so the new rule becomes #7 and the one that’s now 7 should become #8)
OK, I had time to play with one router, so I did your config.
What I don't know here is whether you would like to just block internet access for all other IP addresses other than 192.168.88.10-192.168.88.20, or whether you would like to disable all communication on the network except for 192.168.88.10-192.168.88.20. Please provide this answer.
If you would just like to block internet access for that range, just create the address list as suggested before.
If you have not done that, here is the code you need to paste in the terminal in Winbox:
/ip firewall address-list
add address=192.168.88.10 list=ALLOW
add address=192.168.88.11 list=ALLOW
add address=192.168.88.12 list=ALLOW
add address=192.168.88.13 list=ALLOW
add address=192.168.88.14 list=ALLOW
add address=192.168.88.15 list=ALLOW
add address=192.168.88.16 list=ALLOW
add address=192.168.88.17 list=ALLOW
add address=192.168.88.18 list=ALLOW
add address=192.168.88.19 list=ALLOW
add address=192.168.88.20 list=ALLOW
This will create the address list with the name of ALLOW.
All you need to do next is to go to the NAT tab in IP/Firewall, edit the default masquerade rule, and on the Advanced tab add the ALLOW list in the Src. Address List field and click Apply.
This will prohibit network address translation for all clients other than those on the address list, thus disabling their internet access.
This is one of the solutions if you just need to limit internet access. If you need something else, please describe in detail what you are trying to achieve with this configuration.

Yes, I want to disable all communication on the network except for 192.168.88.10-192.168.88.20. Thanks again for your help, and can you explain the terminal rules?
sorry I’m very nullllllll
Assume you've built the address list as in earlier posts, with the address list named AllowedHosts.
Assume the LAN interface is bridge-local (whichever interface has 192.168.88.X on it).
Make the following rules in IP > Firewall > Filter Rules:
+new
(GENERAL TAB)
chain=forward
in-interface=bridge-local
(ADVANCED TAB)
Src. Address List = AllowedHosts
(ACTION TAB)
Action = Accept
[OK]
+new
(GENERAL TAB)
chain=forward
in-interface=bridge-local
(ACTION TAB)
Action = drop
[OK]
These two rules will give the behavior you want.
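To see why the two rules above work, and why the ordering concern raised earlier in the thread (an accept rule placed below a default "allow new connections" rule lets non-listed hosts through) is real, here is a small first-match simulator of the forward chain. It is an added example, not code from the thread or from RouterOS: the rules, the packets and the simplified "default-style" chain are constructed for illustration, and the implicit accept at the end of a chain with no matching rule is the behaviour this model assumes.

```python
import ipaddress

# Constructed address list mirroring the thread's AllowedHosts / ALLOW list (192.168.88.10-20).
ADDRESS_LISTS = {
    "AllowedHosts": {str(ipaddress.ip_address("192.168.88.0") + i) for i in range(10, 21)}
}


def matches(rule, packet):
    """All matchers set on a rule must match (RouterOS ANDs the matchers of one rule)."""
    if rule["chain"] != packet["chain"]:
        return False
    if "in_interface" in rule and rule["in_interface"] != packet["in_interface"]:
        return False
    if "src_address_list" in rule and packet["src"] not in ADDRESS_LISTS[rule["src_address_list"]]:
        return False
    if "connection_state" in rule and packet["connection_state"] not in rule["connection_state"]:
        return False
    return True


def evaluate(chain, packet):
    """First-match evaluation: the first rule whose matchers all match decides the packet.

    A packet that matches no rule is accepted (assumed end-of-chain behaviour).
    """
    for rule in chain:
        if matches(rule, packet):
            return rule["action"]
    return "accept"


# The two rules from the post above, in the stated order.
THREAD_RULES = [
    {"chain": "forward", "in_interface": "bridge-local",
     "src_address_list": "AllowedHosts", "action": "accept"},
    {"chain": "forward", "in_interface": "bridge-local", "action": "drop"},
]

# Constructed simplification of a default-style forward chain as described in the thread:
# accept established/related, then accept new connections.
DEFAULT_STYLE = [
    {"chain": "forward", "connection_state": {"established", "related"}, "action": "accept"},
    {"chain": "forward", "connection_state": {"new"}, "action": "accept"},
]

WRONG_ORDER = DEFAULT_STYLE + THREAD_RULES   # new rules appended below the default accept
RIGHT_ORDER = THREAD_RULES + DEFAULT_STYLE   # new rules inserted ahead of it (rule #7 / #8)

# Constructed sample packets.
PACKETS = {
    "allowed_new": {"chain": "forward", "src": "192.168.88.15",
                    "in_interface": "bridge-local", "connection_state": "new"},
    "other_new": {"chain": "forward", "src": "192.168.88.50",
                  "in_interface": "bridge-local", "connection_state": "new"},
    "wan_reply": {"chain": "forward", "src": "203.0.113.7",
                  "in_interface": "ether1-gateway", "connection_state": "established"},
}


def decisions(chain):
    """Decision for every sample packet under the given chain."""
    return {name: evaluate(chain, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, chain in (("thread rules only", THREAD_RULES),
                         ("wrong order", WRONG_ORDER),
                         ("right order", RIGHT_ORDER)):
        print(f"{label:18} {decisions(chain)}")
```

Under WRONG_ORDER the packet from 192.168.88.50 is accepted by the default "new" rule before the drop is ever reached, which is exactly the leak CodeXploit described; under RIGHT_ORDER the same packet is dropped. The `in_interface=bridge-local` matcher on both new rules is what keeps reply traffic arriving on the WAN interface from being dropped by the catch-all drop rule.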