Restricting Internet Access to Specific Servers

Hello,

I have two servers: one located locally and one hosted on the internet. I want users on my LAN to have access to both servers. However, during peak periods, enabling internet access causes the local server to become very slow and sometimes unreachable.

Is there a way to restrict internet access for my users so that they can only access my internet server and the local server, without having full access to the entire internet?

Thank you for your assistance.

Both “Yes” and “Not really”, because you need to define first “without access to the entire internet”.
Sure, you can allow LOCAL users to be allowed to 1 specific (your) SERVER on Internet and BLOCK everything else (=NO Internet).

Within MikroTik there is no concept of e.g. “let’s allow Social Media” but not “Video Streaming” => You’re gonna need to have a slightly more expensive box to have these capabilities.

So if your goal is to really allow just access to several, well-defined public IPs of your servers, it can be done very easily with a “forward” rule and an access-list containing your public servers and then deny everything else.

Thanks jvanhambelgium… I want users to only be able to have access to my server on the internet and the one on the intranet, nothing more. Can you post a config example please?

Just ensure the last rule is
add chain=forward action=drop comment="drop all else"

Now ONLY traffic you explicitly allow before this rule will flow.
Thus make a firewall address list of allowed IPs.

The standard firewall ruleset of
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

Can fit your purpose by:
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN dst-address-list=Servers
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
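
A complete version of the restricted ruleset above, added here as an example and not posted by anyone in the thread: it defines the Servers address list that the accept rule depends on and logs what the final rule drops. The address 203.0.113.10, the interface names ether1 and bridge, and the log prefix are placeholder assumptions.

```routeros
# Added example, not from the thread. Addresses and interface names are
# placeholder assumptions; substitute your own.

# Interface lists used by the rules (already present on a default configuration).
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

# Destinations LAN users may reach through the router.
/ip firewall address-list
add list=Servers address=203.0.113.10 comment="internet-hosted server (placeholder)"

/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Only new connections from LAN to WAN whose destination is in Servers are accepted.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN dst-address-list=Servers comment="allow LAN to listed servers"
add chain=forward action=accept connection-nat-state=dstnat comment="allow port forwarding"
# Log what the final rule drops so blocked destinations can be reviewed.
add chain=forward action=drop log=yes log-prefix="fwd-drop" comment="drop all else"

# By default, a local server in the same subnet as the users is reached through
# the bridge and does not pass the forward chain, so it needs no entry here.
# Check the per-rule counters after testing:
/ip firewall filter print stats
```

If users reach the server by name through an external DNS resolver, that resolver's address also has to be in the list, otherwise the lookups are dropped by the final rule.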

Thank you anav

Now, how does this allow traffic to my server on the internet?
Please note that I do not have any firewall on the router.