I want to block an IP address for all interfaces or for ether2 (ether2 is connected to the switch).
I have a MikroTik with a bridge connection (connected to the datacenter).
On ether1 is the network.
ether2 goes to the switch.
In Action I have selected DROP, but that rule doesn't block that test IP address, because from that IP address I can access the website, and the website is on a server behind the switch (on ether2).
That rule blocks that interface from connecting to the router (chain=input), but does not block forward chain. Add another rule like that, except use “chain=forward”. That will block connections from the ether2 localnet and out any other interface.
There are three predefined chains, which cannot be deleted:
input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router’s addresses. Packets passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
If you’re trying to block traffic THROUGH the router (instead of traffic directly TO the router, for administrative purposes) you have to use the forward chain, not the input chain.
You have changed the image from your first. The rule is bad probably because of the src-address. Is that subnet assigned to ether2? That is a public address. Maybe you should post “/ip address”.
That rule says: “Any packets coming in on ether2 AND having the source IP address 200.1.2.3 will be blocked from going out any other interface.”
Does your internal computer have 200.1.2.3/24 assigned?
I don't want to block in the firewall of the two servers (in time there will be a lot of servers); I would have to put the IP address in every firewall manually. The idea is to block in the MikroTik so that it blocks for all servers at the same time.
I only want to block the connections from the x.x.x.x IP address to all servers. How?
I don't have any dst-nat; I only made the bridge with two ports (ether1 and ether2), enabled IP firewall in the bridge settings, and then made the rule in the firewall.
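A worked RouterOS configuration for the setup described in this thread (a bridge over ether1 and ether2 with the IP firewall enabled for bridged traffic, and a forward-chain rule instead of an input-chain one). This is an added example, not commands from the original thread or from any poster; the bridge name bridge1 is an assumption, and 192.0.2.10 is a constructed placeholder for the address to block.

```routeros
# Added example, not from the thread. Assumes bridge "bridge1" with ether1 (uplink)
# and ether2 (switch) as ports; 192.0.2.10 is a constructed placeholder address.

# 1. Bridge the two ports so the servers behind ether2 share one L2 segment with the uplink.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2

# 2. Bridged frames bypass /ip firewall unless this is enabled. With it on, traffic
#    passing between bridge ports is matched against the IP firewall's forward chain.
/interface bridge settings
set use-ip-firewall=yes

# 3. Log, then drop, in the forward chain. chain=input only covers packets addressed
#    to the router itself (see the chain descriptions quoted above); traffic to the
#    servers is forwarded. Rules are evaluated top-down, so these must sit above any
#    accept rule for forward traffic (use "move" to reorder if the chain is not empty).
/ip firewall filter
add chain=forward src-address=192.0.2.10 action=log log-prefix="blocked-src" \
    comment="log hits from the blocked address"
add chain=forward src-address=192.0.2.10 action=drop \
    comment="drop all forwarded traffic from the blocked address"

# 4. Verify: the packet/byte counters on these rules should rise when the blocked
#    address tries to reach a server, and the log rule leaves an entry per hit.
/ip firewall filter print stats where chain=forward
/log print where message~"blocked-src"
```

The counters from `print stats` are the quickest check that the rule is actually in the path the traffic takes: if they stay at zero while the address can still reach the website, the packets are not traversing the forward chain (for example because use-ip-firewall is off), and the rule position or match conditions need a second look.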