checog0
January 18, 2012, 11:59pm
1
Hi,
I have configured a web server in my local network; actually any computer of my local network/wireless clients can quickly access my web server just by typing the server IP address. Now I have configured an RB750GL with DHCP and hotspot for the wireless clients. The idea is to permit access to the webserver only for certain clients of my network. Actually most computers that should be allowed access to the webserver are outside of the RB750 interface network, but I need to permit access to some computers that are inside the RB750 interface. I also want to deny the wireless clients access to the entire network 192.168.1.1/24, and only permit access to two computers connected to the same network as the wireless APs that are connected to the RB750 interface.
To explain more, I attach a network graphic of my local network.
Sorry for my bad English..
http://imageshack.us/photo/my-images/515/lanrouter7502.jpg/
Write the following firewall filter rule:
/ip firewall filter
add action=drop chain=forward disabled=no in-interface=ether3 src-address-list=!IPs_ALLOW
So you can add the allowed IPs to the address list IPs_ALLOW and all other IPs will be blocked.
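As an added example (not posted by anyone in this thread), the complete version of that approach for the topology described above: an address list for the clients that may reach the web server, an explicit accept for them, and a logged drop for everything else coming from the wireless port toward the wired LAN. The interface name ether3, the 192.168.88.x client addresses, the list name LAN_SERVERS, and the assumption that the web server listens on TCP/80 are constructed for the example; 192.168.1.46 and IPs_ALLOW are the values from the thread. Rules are written in the same one-rule-per-connection-state style as the export posted later in the thread.

```routeros
# Added example, not from the thread. Assumptions: wireless clients enter on
# ether3, the web server is 192.168.1.46 on TCP/80, client addresses are made up.
/ip firewall address-list
add list=IPs_ALLOW address=192.168.88.20 comment="Allowed wireless client 1 (example address)"
add list=IPs_ALLOW address=192.168.88.21 comment="Allowed wireless client 2 (example address)"
add list=LAN_SERVERS address=192.168.1.46 comment="Web server (address from the thread)"

/ip firewall filter
# Keep already-permitted flows alive and drop broken ones before any policy rule.
add chain=forward connection-state=established action=accept comment="Allow established"
add chain=forward connection-state=related action=accept comment="Allow related"
add chain=forward connection-state=invalid action=drop comment="Drop invalid"
# Positive rule: only listed clients, only to the web server, only the web port.
add chain=forward in-interface=ether3 src-address-list=IPs_ALLOW dst-address-list=LAN_SERVERS protocol=tcp dst-port=80 action=accept comment="Listed wireless clients -> web server"
# Default for the wireless port: nothing else reaches the wired LAN. Logging makes
# blocked attempts visible in /log print under the WLAN-DROP prefix.
add chain=forward in-interface=ether3 dst-address=192.168.1.0/24 action=drop log=yes log-prefix="WLAN-DROP" comment="Wireless clients -> LAN blocked"
```

Two checks are worth doing after importing this. `/ip firewall filter print stats` shows per-rule packet counters; a rule whose counters stay at zero while a client is browsing is not seeing the traffic, usually because `in-interface` names the wrong port (with a master/slave switch group, frames entering a slave port are counted on the master port, and frames switched between ports of the same group never reach the IP firewall at all). And because the forward chain only sees traffic the router itself routes, test from a wireless client against a host on the far side of the RB750, not against another host on the same segment.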
checog0
January 20, 2012, 11:53pm
3
Hi, it's not working, I have added
/ip firewall filter
add chain=forward in-interface=ether3 src-address-list=!IPs_ALLOW dst-address=192.168.1.46 action=drop
I can access even though my IP is not in the IPs_ALLOW list, any idea?
Can you post your firewall export rules?
ip firewall export
checog0
January 24, 2012, 10:48pm
5
/ip firewall export
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="Aceptar conexiones establecidas" connection-state=established disabled=no
add action=accept chain=input comment="Aceptar related conexiones" connection-state=related disabled=no
add action=drop chain=input comment="Rechazar conexiones invalidas" connection-state=invalid disabled=no
add action=drop chain=forward disabled=no dst-address=192.168.1.46 in-interface=ether2-local-master src-address-list=!IPs_ALLOW
add action=drop chain=forward disabled=no dst-address=192.168.1.46 in-interface=ether2-local-master src-address-list=!IPs_ALLOW
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat disabled=no out-interface=ether1-gateway
add action=accept chain=srcnat comment="Redireccion DNS cache" disabled=no
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061
set pptp disabled=yes
tjc
January 25, 2012, 2:48am
6
I don't see an address list called "IPs_ALLOW" in that export. It should look something like this:
/ip firewall address-list
add address=192.168.88.33 comment="John Yaya - Yoyodyne Propulsion Systems" disabled=no list=IPs_ALLOW
add address=192.168.88.45 comment="John BigBoote - Yoyodyne Propulsion Systems" disabled=no list=IPs_ALLOW
add address=192.168.88.73 comment="John Smallberries - Yoyodyne Propulsion Systems" disabled=no list=IPs_ALLOW
add address=192.168.88.99 comment="John Whorfin - Yoyodyne Propulsion Systems" disabled=no list=IPs_ALLOW
I know, but if I have put the following rule:
/ip firewall filter
add action=drop chain=forward disabled=no dst-address=192.168.1.46 in-interface=ether2-local-master src-address-list=!IPs_ALLOW
the firewall should block any client connected to interface 3 from reaching 192.168.1.46, and this does not happen; any client can access 192.168.1.46.
checog0
January 26, 2012, 10:19pm
8
Finally it works. I forgot to clear all the default config; I just ran the command
/system reset no-defaults=yes
and reconfigured everything, and it works great!