One direction access

Hello
The idea is as follows:

We have a mikrotik x86 machine with 5.2 and configured interfaces
lan1 - internet
lan2 - 192.168.0.1/24
lan2 vlan100 - 192.168.100.1/24

Is it possible to restrict access from vlan100 addresses to 192.168.0.1/24 in one direction only, so that I still have access to the addresses in vlan100 from 192.168.0.1/24?

Block vlan100 from seeing 192.168.0.1 with:

add action=drop chain=forward disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24

In that case, can you tell me what the rule should be so that 0.0/24 sees 100.0/24 in one direction, because now I cannot access vlan100 from the 0.0/24 network?

add “connection-state=new” to that rule.

Still not working.

add action=drop chain=forward connection-state=new disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24

With connection-state=new, access works both ways, 100.0/24 ↔ 0.0/24.

Post “/ip firewall filter” and “/ip firewall nat”.

Which way do you want to drop? That rule will drop any new connections from 192.168.100.0/24 to 192.168.0.0/24. Established connection packets will not be dropped.

If you want to drop new connections to 192.168.0.1, you may need to add a “chain=input” rule also. That would not be a forward rule if that is assigned to a local interface on the router.

Filter Rules

add action=drop chain=forward disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=input disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24

With these filter rules 100.0/24 has no access to 0.0/24, and 0.0/24 has no access to 100.0/24 (tested with the ping command).
The idea is access from 0.0/24, without access from 100.0/24 to this network.

NAT Rules

add action=masquerade chain=srcnat disabled=no out-interface=Internet src-address=192.168.0.0/24
add action=masquerade chain=srcnat disabled=no out-interface=Internet src-address=192.168.100.0/24

NOTE:
192.168.0.0/24 and 192.168.100.0/24 are on one interface; 100.0 is a VLAN on that interface. That is because I have only two LAN cards on my x86 machine. Is that the problem?

With those rules, you shouldn’t be able to connect either way. It will block the connection request and the response. You only want to block the request. These should work.

add action=drop chain=forward disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24 connection-state=new
add action=drop chain=input disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24 connection-state=new

Add: These rules will not break an already established connection. If the two devices are connected when you change the rules, that would be a “connection-state=established”, and would not be blocked as long as the connection is maintained.
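As an added example (not posted by anyone in this thread), here is the same one-direction policy written out as a complete filter section in the order RouterOS evaluates it: rules are matched top-down and the first match wins, so the stateful accept comes first and the drops only ever see new connection attempts. The interface names lan2 and vlan100 are assumed from the setup described above; the addresses are the thread's own. The two print commands at the end are the checks to run while pinging from each side.

```routeros
# Added example, not from the thread. Assumes vlan100 is the VLAN interface on lan2
# and that 192.168.0.1 is the router's own address on lan2 (both per the setup above).

/ip firewall filter
# 1. Accept reply traffic of any connection that was already allowed. Because this
#    sits above the drops, answers to connections started from 192.168.0.0/24
#    are never dropped, whichever direction the packets flow.
add chain=forward connection-state=established,related action=accept comment="allow replies"
add chain=input connection-state=established,related action=accept comment="allow replies to router"

# 2. Drop only NEW connection attempts that arrive on vlan100 and are headed for
#    the 0.0/24 LAN (forward chain) or for the router's own address (input chain).
#    Matching in-interface ties the rule to the VLAN the packet actually came in on.
add chain=forward in-interface=vlan100 src-address=192.168.100.0/24 dst-address=192.168.0.0/24 connection-state=new action=drop comment="vlan100 -> lan blocked"
add chain=input in-interface=vlan100 src-address=192.168.100.0/24 dst-address=192.168.0.1 connection-state=new action=drop comment="vlan100 -> router blocked"

# 3. Nothing drops new connections from 192.168.0.0/24 to 192.168.100.0/24, so that
#    direction keeps working; its replies from vlan100 hit rule 1 and are accepted.

# Checks while testing (ping a vlan100 host from 0.0/24, then the reverse):
/ip firewall filter print stats
/ip firewall connection print
```

The packet counters from `print stats` show which rule a ping actually hits; if the drop counters stay at zero while the ping still fails in the wrong direction, the problem is outside these rules. `connection print` shows whether the ping is being tracked at all, which is what connection-state=new and established depend on.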

Should, but doesn't.

add action=drop chain=forward disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24 connection-state=new
add action=drop chain=input disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24 connection-state=new

With these rules access works both ways; 100.0/24 can access 0.0/24.

Maybe the vlan does add a problem to that. I have not tried that with a vlan.

If I add a new LAN card, will that work with this setup?

I’m surprised it doesn’t work on the vlan, so I don’t know what to tell you on that. I use this type of rule, and it has always blocked connections in one direction only.

Bear in mind it will not block established connections. I edited my post above to mention that. If the two devices are connected prior to adding that rule, those connections will not be blocked. They would be “connection-state=established”. It only blocks new connection attempts in one direction.

Thanks for your support, I will try other ways to do that.