Simple ip firewall rules for bandwidth in/out accounting for address lists

I’m using an hAP AX3 to funnel my wifi users onto the network using a bridge. I have traffic passing fine, but I’d like to add simple firewall rules to view bandwidth used by devices in an address list.

What I have is something like this:

add action=accept chain=input comment="TV Bandwidth In" dst-address-list=TVs in-interface=bridge1
add action=accept chain=output comment="TV Bandwidth Out" out-interface=bridge1 src-address-list=TVs

I don’t see the byte count increasing when viewing in winbox, but is there a better way to do this?

Input and output are only for traffic to/from your router. You probably want to see traffic to the internet, and that is passed through the “forward” chain.

When you want counters you also need to have those actions ahead of the “accept established/related” rule or else that will pick up everything. But of course you need to add the “connection-state=established,related” to your rules as well.

Possibly useful to better understand chains:

Ah, yes, connection states and using the forward chain!

add action=accept chain=forward comment="TV Bandwidth In" connection-state=established,related,new dst-address-list=TVs in-interface=bridge1
add action=accept chain=forward comment="TV Bandwidth Out" connection-state=established,related,new out-interface=bridge1 src-address-list=TVs

This is now producing nice byte counts.

I would not put “new” in that filter, but it is your own choice. When having NAT anyway, it probably does not matter.
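
An added illustration, not part of the thread and not RouterOS code: a simplified first-match model of the filter table showing why the counters in the three rule layouts discussed above behave differently. Interface matching is left out, and the addresses and packet sizes are constructed sample values.

```python
from dataclasses import dataclass

TVS = frozenset({"192.168.88.50"})   # constructed stand-in for the TVs address list
ANY = frozenset()                    # empty matcher = match anything
EST = frozenset({"established", "related"})
ALL = EST | {"new"}

@dataclass
class Rule:
    comment: str
    chain: str
    states: frozenset = ANY
    src: frozenset = ANY
    dst: frozenset = ANY
    byte_count: int = 0

    def matches(self, pkt):
        chain, state, src, dst, _ = pkt
        return (chain == self.chain
                and (not self.states or state in self.states)
                and (not self.src or src in self.src)
                and (not self.dst or dst in self.dst))

def count(rules, packets):
    """The first matching accept rule takes the packet and its bytes."""
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                rule.byte_count += pkt[4]
                break
    return {r.comment: r.byte_count for r in rules}

# Constructed flow: a TV talks to an internet host, so every packet is forwarded.
PACKETS = [("forward", "new", "192.168.88.50", "203.0.113.10", 60),
           ("forward", "established", "203.0.113.10", "192.168.88.50", 1500),
           ("forward", "established", "192.168.88.50", "203.0.113.10", 52),
           ("forward", "established", "203.0.113.10", "192.168.88.50", 1500)]

def original():            # input/output rules never see forwarded traffic
    return count([Rule("TV In", "input", dst=TVS),
                  Rule("TV Out", "output", src=TVS)], PACKETS)

def after_established():   # forward rules placed below the established/related accept
    return count([Rule("accept est/rel", "forward", states=EST),
                  Rule("TV In", "forward", dst=TVS),
                  Rule("TV Out", "forward", src=TVS)], PACKETS)

def before_established():  # forward rules placed above it, as in the final config
    return count([Rule("TV In", "forward", states=ALL, dst=TVS),
                  Rule("TV Out", "forward", states=ALL, src=TVS),
                  Rule("accept est/rel", "forward", states=EST)], PACKETS)
```

In the middle layout only the first packet of the connection reaches the TV rules; everything after it is absorbed by the established/related accept.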