[SOLVED] Prevent connections to IP address

RouterOS Beginner Basics
1

I have my home server at 192.168.1.91. On this server, I’ve installed Home Assistant in a VM, and assigned 192.168.1.40.

Background: Home Assistant runs as http, so I’ve created a reverse proxy to expose the VM through the main system’s https connection. I can now access Home Assistant perfectly through the main system’s https IP address (192.168.1.91). I would now like to close off the insecure http access for the VM (192.168.1.40).

Hence, I would like to:

  1. allow traffic between the server (192.168.1.91) and the VM (192.168.1.40), specifically TCP port 8123.
  2. block any other traffic with the VM (192.168.1.40).

This should be fairly straightforward, so I added two pairs of rules in the firewall. However, these don’t seem to work. I can still access and ping the VM (192.168.1.40) from other IPs. I’ve pasted my config here. The top four rules are the ones I’ve added, and the rest were already present.

> /ip firewall filter export
# 2024-04-10 13:34:27 by RouterOS 7.10.2
# software id = 0PWY-H7QX
#
# model = RB5009UG+S+
# serial number = HEH08JH56F9
/ip firewall filter
add action=accept chain=forward comment="allow HA to qi" disabled=yes dst-address=192.168.1.91 protocol=tcp src-address=192.168.1.40 src-port=8123
add action=accept chain=forward comment="allow HA from qi" disabled=yes dst-address=192.168.1.40 protocol=tcp src-address=192.168.1.91 src-port=8123
add action=drop chain=forward comment="drop all others from HA" src-address=192.168.1.40
add action=drop chain=forward comment="drop all others to qi" dst-address=192.168.1.40
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

How can I prevent access to the VM?

2

Where are you accessing 192.168.1.40:8123 from, the rest of LAN? If that’s so, you can’t block traffic on router because traffic between two LAN devices doesn’t pass router.

3

Yes, I’m accessing it from within the LAN. Oh, I didn’t realise intra-LAN traffic didn’t pass through the router. Thanks for that information.

Presumably I’ll have to just firewall the connection from within the VM then. Thanks again.

EDIT: or create a VLAN

4

That’s one possible solution, if you create VLAN then you can block traffic from one VLAN to another.

5

Thanks @gigabyte091, that sounds like it might be simpler given how minimal the Home Assistant VM is.