Same subnet - firewall - block device access

Hi.

I have two IP addresses:

  1. 10.0.0.163
  2. 10.0.0.245

I do not want access from 1. to 2.

I think it is possible with the firewall…

How can I do this?

Thanx.

This should get you going in the right direction:

/ip firewall filter
add action=drop chain=forward dst-address=10.0.0.245 src-address=10.0.0.163 comment="block 10.0.0.163 -> 10.0.0.245"

Be sure to test it thoroughly from both directions and from any other LAN segments that you want to ensure still have access.

And be sure that both devices are connected directly to your firewall. If there is a switch between the firewall and the devices, the traffic never comes to the firewall.

And also, if a bridge is configured on the MikroTik, configure:

/interface bridge settings
set use-ip-firewall=yes

If you are using a master-port configuration, it will not work, since the traffic never reaches the CPU of the RouterBOARD.

How do I not use a master-port configuration, so that all this traffic goes thru the CPU?

Master-port configuration has been gone for years; currently the instruction would say you have to disable hardware forwarding: in each row of /interface bridge port, set hw=no. It’s the same feature controlled in a different way.

As for use-ip-firewall=yes, it has some unpleasant side effects, so I’d recommend using /interface bridge filter rules instead. They can match on IP addresses, protocols and protocol ports, except that the MAC protocol matching suffers from a bug which means that on some architectures you have to configure the MAC protocols using swapped byte order. And bridge filter rules are not stateful, so no connection-state matching is possible.
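Putting the previous two posts together, here is a complete RouterOS configuration for the bridge-filter approach (hw=no on the bridge ports, then a stateless bridge filter rule). This is an added example, not a configuration from anyone in the thread; the port names ether2 and ether3 are assumed, as is which host sits behind which port.

```routeros
# Added example (not from the thread): keep 10.0.0.163 from reaching
# 10.0.0.245 on a bridged RouterOS device without use-ip-firewall=yes.
# Assumptions: 10.0.0.163 is behind ether2 and 10.0.0.245 behind ether3.

# 1. Disable hardware offloading on the ports involved so the frames
#    are forwarded by the CPU, where the bridge filter can see them
#    (this is what replaced the old master-port configuration).
/interface bridge port
set [find interface=ether2] hw=no
set [find interface=ether3] hw=no

# 2. Drop IPv4 frames from .163 to .245 in the bridge forward chain.
#    Bridge filters are stateless, so this only blocks the .163 -> .245
#    direction; add the mirrored rule if .245 must not reach .163 either.
#    The thread notes that on some architectures mac-protocol values
#    must be given in swapped byte order, so verify with the counters below.
/interface bridge filter
add chain=forward mac-protocol=ip src-address=10.0.0.163/32 \
    dst-address=10.0.0.245/32 action=drop log=yes log-prefix="br-block" \
    comment="block 10.0.0.163 -> 10.0.0.245"

# 3. Verify: send traffic from .163 to .245 (for example a ping), then
#    confirm the rule's packet counter increases and the drops are logged.
/interface bridge filter print stats
/log print where message~"br-block"
```

If the counter stays at zero while the ping still succeeds, the frames are not reaching the CPU; recheck hw=no on every port that carries either host.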

Thank you