RB750 firewall - want to drop all except from/to specific IP

Hi,

I must be missing something very basic. I want to block all traffic on my RB750 except traffic with a specific src or dst address. In order to verify this I am first trying to block all traffic and I cannot block traffic. Setup is:

[admin@MikroTik] > /int print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME                 TYPE   MTU   L2MTU  MAX-L2MTU
 0    ether1-gateway       ether  1500  1600   4076
 1 R  ether2-master-local  ether  1500  1598   2028
 2    ether3-slave-local   ether  1500  1598   2028
 3 R  ether4-slave-local   ether  1500  1598   2028
 4 R  ether5-slave-local   ether  1500  1598   2028
[admin@MikroTik] >

I am plugged as follows
RB750
port 0: unconnected
port 1: Laptop1 eth0 ip:192.168.88.2 for management access to router
port 2: unconnected
port 3: Laptop1 eth1 ip: 10.4.29.58
port 4: Laptop2 eth0 ip: 10.4.29.57

I have a rule to drop everything as shown below but can still ping:
Pinging 10.4.29.57 with 32 bytes of data:
Reply from 10.4.29.57: bytes=32 time<1ms TTL=128
Reply from 10.4.29.57: bytes=32 time<1ms TTL=128
Reply from 10.4.29.57: bytes=32 time<1ms TTL=128
Reply from 10.4.29.57: bytes=32 time<1ms TTL=128
Reply from 10.4.29.57: bytes=32 time<1ms TTL=128

Network on laptop1, what I am pinging FROM.
Ethernet adapter Local Area Connection:
[...]
IPv4 Address. . . . . . . . . . . : 10.4.29.58(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 0.0.0.0

Firewall rules - Default chain=input temporarily disabled:
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; drop everything
chain=forward action=drop

1 X ;;; default configuration
chain=input action=accept protocol=icmp

2 X ;;; default configuration
chain=input action=accept connection-state=established

3 X ;;; default configuration
chain=input action=accept connection-state=related

4 X ;;; default configuration
chain=input action=drop in-interface=ether1-gateway
[admin@MikroTik] >

It seems that the first one, rule zero, should prevent me from pinging the other system, but it's not. I think I'm missing something here... Any help would be appreciated. Once I can block, I would add a firewall rule before this that accepts anything with a src or dst address of the end device 10.4.29.57, and I think that would block all traffic except for that specific IP. Once I get this working it needs to go into an actual environment, but for now I'm just trying to get the setup figured out.

Thanks,
Jim

Quite simply, you are pinging a local address to your laptop and the RouterBoard is in switch mode. The router is not involved and thus your DROP rule does not matter. FORWARD chain is only for packets going through the router CPU (i.e. to another network or if Bridge Firewall is enabled).

Laptop1 does not even have a default gateway, so it can only communicate with connected networks or those defined in static routes. If you are trying to give each device access to the internet without access to each other, you will need the devices to be in separate subnets. Only then can you block traffic between the subnets at the router level and still have them go out the single Internet interface. Alternately, turn off the switch mode features, create a bridge and enable firewall filtering on bridge mode to create your rules.

Thanks, your information worked out. All I wanted to do was isolate an end device from the rest of the network. I ended up doing this:

Create a bridge with ether4 and ether5 and these rules:
[admin@MikroTik] /interface bridge filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=accept mac-protocol=arp
1 chain=forward action=accept src-mac-address=00:1C:23:11:CC:59/FF:FF:FF:FF:FF:FF
2 chain=forward action=accept dst-mac-address=00:1C:23:11:CC:59/FF:FF:FF:FF:FF:FF
3 chain=forward action=drop

In this case it’s OK if the ARPs get through - in fact without it the ARP table on my laptop (or another switch, etc) doesn’t get the MAC address unless communication is initiated from the end device. This seems to be doing the trick, traffic to and from the device is good. I didn’t realize that when the manual says the “forward” chain is for traffic through the router it meant through its CPU, I thought since I was in two ports in switch mode the traffic was going “through the router”. Thanks for clearing that up. I don’t think the CPU will be a bottleneck as this is primarily for a low traffic application.

Thanks much for the help.
Jim
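As an added illustration (not code from the thread or from RouterOS), here is a small Python model of how the four bridge filter rules above are evaluated: the chain is walked top to bottom, the first matching rule's action is the verdict, and a masked MAC match such as 00:1C:23:11:CC:59/FF:FF:FF:FF:FF:FF is a bitwise comparison. The frames and the second MAC addresses are constructed sample values, and the "accept when nothing matches" default is assumed.

```python
# Added example: first-match evaluator for the posted bridge filter chain.
# Illustrative Python only; it is not RouterOS code. Sample frames below are
# constructed, and the MAC/mask test is modelled as (mac & mask) == (addr & mask).
from dataclasses import dataclass

ISOLATED_MAC = "00:1C:23:11:CC:59"  # the end device from the post


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def mac_matches(value: str, pattern: str) -> bool:
    """Match a MAC against 'addr' or 'addr/mask'; missing mask means exact."""
    addr, _, mask = pattern.partition("/")
    mask_int = mac_to_int(mask) if mask else 0xFFFFFFFFFFFF
    return (mac_to_int(value) & mask_int) == (mac_to_int(addr) & mask_int)


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    mac_protocol: str  # "arp" or "ip" in the constructed samples


# Same order and content as rules 0-3 in the post; first match wins.
RULES = [
    {"action": "accept", "mac-protocol": "arp"},
    {"action": "accept", "src-mac-address": f"{ISOLATED_MAC}/FF:FF:FF:FF:FF:FF"},
    {"action": "accept", "dst-mac-address": f"{ISOLATED_MAC}/FF:FF:FF:FF:FF:FF"},
    {"action": "drop"},
]


def rule_matches(rule: dict, frame: Frame) -> bool:
    """Every matcher present in the rule must match; a rule with none matches all."""
    if "mac-protocol" in rule and rule["mac-protocol"] != frame.mac_protocol:
        return False
    if "src-mac-address" in rule and not mac_matches(frame.src_mac, rule["src-mac-address"]):
        return False
    if "dst-mac-address" in rule and not mac_matches(frame.dst_mac, rule["dst-mac-address"]):
        return False
    return True


def forward_verdict(frame: Frame, rules=RULES) -> str:
    """Walk the forward chain top to bottom and return the first matching action."""
    for rule in rules:
        if rule_matches(rule, frame):
            return rule["action"]
    return "accept"  # assumed: a chain with no matching rule accepts
```

Only frames that reach the bridge forward chain are evaluated this way; as the earlier reply explains, ports left in switch mode never hand the traffic to the CPU, so no rule would run at all.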

I doubt the CPU would ever give you problems in your situation. We passed hundreds of Mbps through RouterBOARD devices long before switch chips were introduced into the products (also before the higher powered CPUs of today).