ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Newbee RB2011UiAS-IN

Sun Feb 21, 2016 10:25 pm

Hi, I would like to know how to block everything on my network except specific IP addresses (192.168.88.10 to 192.168.88.20). I'm a real beginner at networking and I bought an RB2011UiAS-IN, and I'm using Winbox. Thanks for the help!!!!
 
p3rad0x
Long time Member
Posts: 637
Joined: Fri Sep 18, 2015 5:42 pm
Location: South Africa

Re: Newbee RB2011UiAS-IN

Mon Feb 22, 2016 1:39 pm

Hi,

You can do it like this:

Create an address list with all the allowed addresses.

Then create an accept rule with the address list:
 /ip firewall filter add chain=forward src-address-list=[YourList] action=accept
Then add a drop rule:
 /ip firewall filter add chain=forward action=drop
Make sure that the accept rule is on top.

All the IPs in the address list will be accepted and the rest will be dropped.
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Mon Feb 22, 2016 5:02 pm

Thanks for the info, but where do I put this in Winbox?
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Mon Feb 22, 2016 5:05 pm

Can I add my address list like 192.168.88.10-192.168.88.20, or do I need to write each IP address one by one? Thanks
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Newbee RB2011UiAS-IN

Mon Feb 22, 2016 5:09 pm

For an address list, I'd say add them one by one - I don't think Mikrotik's implementation supports ranges.

If you really want to keep things tight, you could define your range as a CIDR range - e.g.
192.168.88.32/28
This means 192.168.88.32-47
(remember that round numbers to humans and round numbers to routers aren't the same thing)

However, if you're new to routing, I'd recommend just adding the 11 IPs of your range as individual entries in an address list as recommended by p3rad0x. The address-list is designed for fast lookups so it shouldn't hurt your performance to have 11 IP addresses in the list.
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Mon Feb 22, 2016 5:14 pm

Ok thanks, but where in Winbox can I add this list? To make it easier for me, could you do me a screenshot? Very appreciated.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Newbee RB2011UiAS-IN

Mon Feb 22, 2016 5:27 pm

> Ok thanks, but where in Winbox can I add this list? To make it easier for me, could you do me a screenshot? Very appreciated.
[attached screenshot: al.png]
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Mon Feb 22, 2016 5:56 pm

OK, thanks, really appreciated, but where can I add the code sent by p3rad0x in the first post? Is it needed or not? Thanks again.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Newbee RB2011UiAS-IN

Mon Feb 22, 2016 6:03 pm

> OK, thanks, really appreciated, but where can I add the code sent by p3rad0x in the first post? Is it needed or not? Thanks again.
You definitely need p3rad0x's code. The address list by itself is just a list that sits there and does nothing.

Just switch the firewall window over to the Filter Rules tab and add rules, setting the fields from p3rad0x's suggestions.
You can make the filter rules window show only the 'forward' chain by clicking the drop-down selector at the top-right corner of the window. This makes it easier to view just one chain at a time and focus on that chain's rules and behavior.

As he stated, be sure that your new rules come in the suggested order, and if there is a default "drop everything" rule in the forward chain, you can move it after your two new rules by dragging it down to the bottom and dropping it there.
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Mon Feb 22, 2016 6:21 pm

Thanks for your help and time. Tomorrow I'll try it and give a follow-up. Bye
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Wed Feb 24, 2016 3:59 am

I did everything you said, but now I am stuck on p3rad0x's instructions. I understand the explanation for creating the rule: I go to the Firewall window and then the Filter Rules tab, that's OK, but in the Src. Address field I can write only one IP address. Do I have to repeat this procedure for all my IP addresses? Should I do it as many times for the drop rule, or only once? Thanks again.
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Wed Feb 24, 2016 2:15 pm

There are already rules that were added by the router. What do I do with them?
[attached screenshot]
 
CodeXploit
newbie
Posts: 37
Joined: Sun Jun 01, 2014 1:40 pm

Re: Newbee RB2011UiAS-IN

Wed Feb 24, 2016 7:30 pm

> For an address list, I'd say add them one by one - I don't think Mikrotik's implementation supports ranges.
>
> If you really want to keep things tight, you could define your range as a CIDR range - e.g.
> 192.168.88.32/28
> This means 192.168.88.32-47
> (remember that round numbers to humans and round numbers to routers aren't the same thing)
>
> However, if you're new to routing, I'd recommend just adding the 11 IPs of your range as individual entries in an address list as recommended by p3rad0x. The address-list is designed for fast lookups so it shouldn't hurt your performance to have 11 IP addresses in the list.

I have some doubts about your recommendation... Using an allow rule with the default firewall configuration: if a packet outside of his preferred range hits the allow rule and does not match, it will go down and eventually hit the default "allow new connections" forward rule, which will pass the packet. I think he needs the first rule to be "deny forward if not from that address list". When a packet hits a deny rule it is no longer processed by other rules. Am I right?
 
CodeXploit
newbie
Posts: 37
Joined: Sun Jun 01, 2014 1:40 pm

Wed Feb 24, 2016 8:19 pm

Ampm57 - please visit my blog at blog.codexploit.si and read some basics there. I was new to MikroTik and it was confusing even with my background. Load Winbox for config. I'm a bit busy now, so I will come back to help as soon as I can.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Newbee RB2011UiAS-IN

Wed Feb 24, 2016 10:08 pm

> I have some doubts about your recommendation... Using an allow rule with the default firewall configuration.
But I didn't recommend that. I merely commented on the address list behavior and how it works, and gave a screenshot of how to create an address list....
> There are already rules that were added by the router. What do I do with them?
Your new rule to allow the address list should come right before the current rule 7.

The address list is in the Advanced tab of the rule's configuration. If you use the source address field in the General tab, this requires you to specify a single address / address prefix only. The address list you created from my previous example is used in the Advanced tab "Src. Address List".

It's easiest to manipulate rule order in Winbox, as CodeXploit suggested. In Winbox, after you add the rule to allow source-address-list=ADDRESS_LIST (whatever you named it), simply drag it up above the final "drop everything" rule in the firewall forward filter chain.
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Wed Feb 24, 2016 11:24 pm

There are already rules that were added by the router itself. What do I do with them? See pic! Erase or not? Thanks
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Newbee RB2011UiAS-IN

Wed Feb 24, 2016 11:33 pm

> There are already rules that were added by the router itself. What do I do with them? See pic! Erase or not? Thanks
When I say this:
> Your new rule to allow the address list should come right before the current rule 7.
That means to leave everything in place and add one more rule, and insert it right before the one that your screenshot shows as rule #7.
(so the new rule becomes #7 and the one that's now 7 should become #8)
 
CodeXploit
newbie
Posts: 37
Joined: Sun Jun 01, 2014 1:40 pm

Re: Newbee RB2011UiAS-IN

Thu Feb 25, 2016 11:16 am

Ok, I had time to play with one router so I did your config.
What I don't know here is whether you would like to just block internet access for all other IP addresses other than 192.168.88.10-192.168.88.20, or whether you would like to disable all communication on the network except 192.168.88.10-192.168.88.20. Please provide this answer.

If you would just like to block internet access for that range, just create the address list as suggested before.

If you have not done that, here is the code you need to paste into the terminal in Winbox:

/ip firewall address-list
add address=192.168.88.10 list=ALLOW
add address=192.168.88.11 list=ALLOW
add address=192.168.88.12 list=ALLOW
add address=192.168.88.13 list=ALLOW
add address=192.168.88.14 list=ALLOW
add address=192.168.88.15 list=ALLOW
add address=192.168.88.16 list=ALLOW
add address=192.168.88.17 list=ALLOW
add address=192.168.88.18 list=ALLOW
add address=192.168.88.19 list=ALLOW
add address=192.168.88.20 list=ALLOW

This will create the address list with the name ALLOW.

All you need to do next is go to the NAT tab in IP/Firewall, edit the default masquerade rule, and on the Advanced tab add the ALLOW list in the Src. Address List field and Apply.

This will prohibit network address translation for all clients other than those specified in the address list, thus disabling their internet access.

This is one of the solutions if you just need to limit internet access; if you need something else, please provide detailed instructions on what you are trying to achieve with this configuration.
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Thu Feb 25, 2016 5:51 pm

Yes, I want to disable all communication on the network except 192.168.88.10-192.168.88.20. Thanks again for your help, and can you explain the terminal rules? :? Sorry, I'm very null...
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Newbee RB2011UiAS-IN

Thu Feb 25, 2016 7:56 pm

> Yes, I want to disable all communication on the network except 192.168.88.10-192.168.88.20. Thanks again for your help, and can you explain the terminal rules? :? Sorry, I'm very null...
Assume you've built the address list as in earlier posts, with the address list named AllowedHosts.
Assume the LAN interface is bridge-local (whichever interface has 192.168.88.X on it)

Make the following rules in IP firewall filter:

+new
(GENERAL TAB)
chain=forward
in-interface=bridge-local
(ADVANCED TAB)
Src. Address List = AllowedHosts
(ACTION TAB)
Action = Accept
[OK]

+new
(GENERAL TAB)
chain=forward
in-interface=bridge-local
(ACTION TAB)
Action = drop
[OK]

These two rules will give the behavior you want.
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Thu Feb 25, 2016 11:34 pm

OK, I'll try this and give a follow-up soon. Thanks again, you are very professional. Bye
 
CodeXploit
newbie
Posts: 37
Joined: Sun Jun 01, 2014 1:40 pm

Re: Newbee RB2011UiAS-IN

Fri Feb 26, 2016 3:40 pm

Just a heads-up: your firewall has no input chain rules, meaning the router itself is wide open.

As far as your other question goes, I think you can solve your problem just by editing your rule 5: add your ALLOW list under the Advanced tab / Src. Address List and click Apply.

Let us know if any of our suggestions helped.
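An added example, not from the thread, of what a minimal input chain for this router could look like once the heads-up above is acted on. It assumes ether1 is the Internet port, bridge-local is the LAN, and that the AllowedHosts address list from earlier in the thread already exists; the DHCP and DNS rules are only needed if the router itself provides those services to the LAN.

```routeros
# Added example, not from the thread. Assumes: WAN on ether1, LAN on
# bridge-local, management PCs listed in address list AllowedHosts.
# Turn on Safe Mode (Ctrl+X in the terminal, or the Safe Mode button in
# Winbox) before pasting: if you lock yourself out and the session dies,
# RouterOS reverts these changes.

/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to the router's own traffic and existing sessions"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=bridge-local protocol=icmp action=accept \
    comment="ping from LAN"
add chain=input in-interface=bridge-local protocol=udp dst-port=67 \
    action=accept comment="DHCP requests (only if the router is the DHCP server)"
add chain=input in-interface=bridge-local protocol=udp dst-port=53 \
    action=accept comment="DNS (only if the router is the LAN's resolver)"
add chain=input in-interface=bridge-local protocol=tcp dst-port=53 action=accept
add chain=input in-interface=bridge-local src-address-list=AllowedHosts \
    action=accept comment="Winbox/SSH/WebFig only from listed hosts"
add chain=input in-interface=ether1 action=drop \
    comment="nothing from the Internet reaches the router itself"
add chain=input action=drop comment="everything else, including unlisted LAN hosts"

# Belt and braces: bind the management services to the LAN subnet and turn
# off the ones you do not use.
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet,ftp,api
```

Order matters: the established,related accept must stay first so that your own Winbox session survives, and the per-interface drop for ether1 comes before the final catch-all so the counters tell you where unwanted traffic is arriving from.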
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Newbee RB2011UiAS-IN

Fri Feb 26, 2016 5:10 pm

> Just a heads-up: your firewall has no input chain rules, meaning the router itself is wide open.
>
> As far as your other question goes, I think you can solve your problem just by editing your rule 5: add your ALLOW list under the Advanced tab / Src. Address List and click Apply.
>
> Let us know if any of our suggestions helped.
I think he had the view filtered to show only the forward chain because the display says that it's showing 5 items out of 8.....

Also, if he puts the src address list on rule 5, it's going to break everything because the reply packets from the Internet would be denied. It's better to leave fasttrack/accept established,related rules alone and focus on blocking/allowing connections in the connection-state=new
 
CodeXploit
newbie
Posts: 37
Joined: Sun Jun 01, 2014 1:40 pm

Re: Newbee RB2011UiAS-IN

Fri Feb 26, 2016 5:18 pm

>> Just a heads-up: your firewall has no input chain rules, meaning the router itself is wide open.
>>
>> As far as your other question goes, I think you can solve your problem just by editing your rule 5: add your ALLOW list under the Advanced tab / Src. Address List and click Apply.
>>
>> Let us know if any of our suggestions helped.
> I think he had the view filtered to show only the forward chain because the display says that it's showing 5 items out of 8.....
>
> Also, if he puts the src address list on rule 5, it's going to break everything because the reply packets from the Internet would be denied. It's better to leave fasttrack/accept established,related rules alone and focus on blocking/allowing connections in the connection-state=new

I guess you are right...
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Fri Feb 26, 2016 6:09 pm

I haven't done anything yet, I'm a little bit afraid. I have taken a screenshot of all the rules, so I'll wait for your suggestion. Thanks
[attached screenshot]
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Newbee RB2011UiAS-IN

Fri Feb 26, 2016 6:18 pm

> I haven't done anything yet, I'm a little bit afraid. I have taken a screenshot of all the rules, so I'll wait for your suggestion. Thanks
Make sure that you've put the IP addresses into the AllowedHosts address list as discussed earlier,
and then just add these two rules to the forward chain:
+new
(GENERAL TAB)
chain=forward
in-interface=bridge-local
(ADVANCED TAB)
Src. Address List = AllowedHosts
(ACTION TAB)
Action = Accept
[OK]

+new
(GENERAL TAB)
chain=forward
in-interface=bridge-local
(ACTION TAB)
Action = drop
[OK]
These two rules can work just fine at the very end of your existing filter rules... no changes to the order of the existing rules are required.

If things somehow go wrong after adding them, it's easy to disable them - they won't kick you out of the router itself, only block Internet access.
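The same two rules as RouterOS terminal commands, given here as an added example that is not part of the original posts. It assumes, as the post above does, that the LAN interface is bridge-local and the list is called AllowedHosts, and it adds connection-state=new to both rules so that, wherever they end up in the chain, they only ever judge the first packet of a connection and leave the default fasttrack / established,related rules to carry reply traffic (the reason given earlier for not touching rule 5). The :for loop that fills the list is an addition of this example, not something from the thread.

```routeros
# Added example, not from the thread. Assumes RouterOS 6 with the default
# firewall in place, LAN interface bridge-local, address list AllowedHosts.

# 1. Build the list. A :for loop avoids typing the 11 entries by hand.
#    (Current RouterOS 6 also accepts a range in a single entry:
#     address=192.168.88.10-192.168.88.20)
:for i from=10 to=20 do={
    /ip firewall address-list add list=AllowedHosts address="192.168.88.$i" \
        comment="invoice PC"
}

# 2. Forward-chain rules. connection-state=new means only the first packet of
#    each connection is judged here; replies are already accepted by the
#    default fasttrack / established,related rules higher up the chain, so
#    these two rules can sit at the end without breaking return traffic.
/ip firewall filter
add chain=forward in-interface=bridge-local connection-state=new \
    src-address-list=AllowedHosts action=accept comment="allow listed LAN hosts"
add chain=forward in-interface=bridge-local connection-state=new \
    action=drop comment="drop all other LAN hosts"

# 3. Check the order and watch the counters move while one listed and one
#    unlisted host try to browse.
/ip firewall filter print stats where chain=forward
/ip firewall address-list print where list=AllowedHosts
```

If you paste this into the Winbox terminal, turn on Safe Mode first (Ctrl+X): should the session drop, the changes are rolled back. Disabling the two rules (not deleting them) is enough to undo the effect while you test.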
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Sat Feb 27, 2016 5:45 pm

Last question: I don't want to block internet access; my internet has a fixed IP and DNS, and it is easy for me to block access to the internet. I only want the users of the IP addresses in the list to see them, and not the other users on the rest of the network. Thanks again.
 
CodeXploit
newbie
Posts: 37
Joined: Sun Jun 01, 2014 1:40 pm

Re: Newbee RB2011UiAS-IN

Sun Feb 28, 2016 12:17 pm

> Last question: I don't want to block internet access; my internet has a fixed IP and DNS, and it is easy for me to block access to the internet. I only want the users of the IP addresses in the list to see them, and not the other users on the rest of the network. Thanks again.
I think for you to accomplish that you will need to use VLANs. Are all users connected to the router, or do you use a switch behind it?
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Sun Feb 28, 2016 10:33 pm

I have a 24-port switch, 20 users on invoice software and another 20 users on the internet. And I don't want the invoice users to see the other users on the internet, or vice versa. Thanks for the help.
 
CodeXploit
newbie
Posts: 37
Joined: Sun Jun 01, 2014 1:40 pm

Sun Feb 28, 2016 10:44 pm

I think you mean intranet, a.k.a. the network. You can't solve this problem with router rules; you need a switch that can be configured with VLANs, since all traffic between machines is managed by the switch.
 
CodeXploit
newbie
Posts: 37
Joined: Sun Jun 01, 2014 1:40 pm

Re: Newbee RB2011UiAS-IN

Sun Feb 28, 2016 11:24 pm

> I have a 24-port switch, 20 users on invoice software and another 20 users on the internet. And I don't want the invoice users to see the other users on the internet, or vice versa. Thanks for the help.
The other option is to create another subnet on the MikroTik and physically separate the machines with a secondary switch.
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Mon Feb 29, 2016 1:48 am

If I connect the server directly to a MikroTik router port and then connect the router to the switch, is it possible to isolate my 20 machines for accessing the server on the MikroTik port, and not the other machines?
 
CodeXploit
newbie
Posts: 37
Joined: Sun Jun 01, 2014 1:40 pm

Re: Newbee RB2011UiAS-IN

Mon Feb 29, 2016 10:16 am

> If I connect the server directly to a MikroTik router port and then connect the router to the switch, is it possible to isolate my 20 machines for accessing the server on the MikroTik port, and not the other machines?
That I think you can. Just add a rule in the forward chain for the traffic coming from the address list to the server's IP and block that traffic. But if you have a DHCP server, Active Directory, or DNS on that server, that might be a problem.
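The server-on-its-own-router-port setup asked about, as an added example that is not part of the thread. It assumes the server hangs off ether5, that ether5 is taken out of bridge-local and given its own subnet 192.168.89.0/24 (router 192.168.89.1, server 192.168.89.10; all of these values are assumptions), and that the AllowedHosts list holds the invoice PCs. Putting the server in a separate subnet is what makes the filter rules bite: as long as the server and the PCs sit on the same switch or the same bridge, their traffic is switched at layer 2 and never passes through the forward chain, which is the point made above about needing VLANs.

```routeros
# Added example, not from the thread. Assumed values: server port ether5,
# server subnet 192.168.89.0/24, router 192.168.89.1, server 192.168.89.10,
# invoice PCs in address list AllowedHosts on bridge-local (192.168.88.0/24).

# 1. Take the server port out of the LAN bridge and give it its own subnet,
#    so PC-to-server traffic is routed (and filtered) rather than switched.
/interface bridge port remove [find interface=ether5]
/ip address add address=192.168.89.1/24 interface=ether5 comment="server segment"
# On the server: IP 192.168.89.10/24, gateway 192.168.89.1.

# 2. Forward rules. Place them above any general accept or drop rule for the
#    LAN; RouterOS stops at the first match. Reply packets are handled by the
#    default established,related rules, so only new connections are judged here.
/ip firewall filter
add chain=forward in-interface=bridge-local out-interface=ether5 \
    connection-state=new src-address-list=AllowedHosts \
    dst-address=192.168.89.10 action=accept comment="invoice PCs to server"
add chain=forward in-interface=bridge-local out-interface=ether5 \
    connection-state=new action=drop comment="nobody else reaches the server"
# Drop this third rule if the server itself needs to reach the LAN or Internet
# (updates, AD/DNS replication, and similar).
add chain=forward in-interface=ether5 connection-state=new action=drop \
    comment="server does not open connections toward the LAN or Internet"

# 3. If the three rules landed below a general accept rule, list the chain to
#    see the rule numbers and move them up, for example:
#    /ip firewall filter move [find comment~"server"] destination=3
/ip firewall filter print stats where chain=forward
```

A quick check after applying: from an invoice PC, a connection to 192.168.89.10 should succeed and the first rule's counter should increase; from any other PC the same attempt should time out and the second rule's counter should increase instead.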
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Mon Feb 29, 2016 5:27 pm

Thanks, I can test this option tomorrow night. Follow-up...
 
ampm57
just joined
Topic Author
Posts: 17
Joined: Sun Feb 21, 2016 10:08 pm

Re: Newbee RB2011UiAS-IN

Mon Feb 29, 2016 5:39 pm

[attached diagram: reseaux.png]
I don't have a DHCP server on this server; fixed IP with DNS. This is my config...
