Syptic
just joined
Topic Author
Posts: 3
Joined: Mon Jun 05, 2017 11:20 am

Block internet access on specific physical port

Mon Jun 05, 2017 11:27 am

Hello,

I recently got myself a MikroTik router, but it's a bit too advanced for me, so I'm here asking if you know how to do this. What I want to do is block a port on the router from accessing the internet (one of the physical ports). Let's say port 4 as an example. So anything I plug into port 4 would get LAN access but would be unable to access the internet. Would that be possible?

Regards,
Syptic
 
gustavomam
Trainer
Trainer
Posts: 287
Joined: Tue Jul 23, 2013 6:29 pm
Location: Spain
Contact:

Re: Block internet access on specific physical port

Mon Jun 05, 2017 11:56 am

You can try this
/ip firewall filter add action=drop chain=forward dst-port=80,443 in-interface=ether4 protocol=tcp
 
Syptic
just joined
Topic Author
Posts: 3
Joined: Mon Jun 05, 2017 11:20 am

Re: Block internet access on specific physical port

Mon Jun 05, 2017 1:19 pm

Hmm but that will only block http/https access right? So all other ports would be open to the internet? Basically you would not be able to surf using a browser but things like SMTP/FTP/Torrents and other things not requiring port 80/443 would still work?
 
BartoszP
Forum Guru
Forum Guru
Posts: 2867
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block internet access on specific physical port

Mon Jun 05, 2017 1:34 pm

  • Remove dst-port and protocol and then it SHOULD work regardless of traffic type but .....
  • If port 4 is a part of hardware switch (has master interface set) then this rule will not work as this port (eth4) is treated as master-interface. It inherits master MAC. You can see that if you plug cable into such port then its led switches on and the led of master interface is also on even if the master-interface has no cable connected.
  • You need to remove that port from switch and bridge it with LAN ports. Look at this, it should explain what is bridge and what is switch in the world of Mikrotik: https://wiki.mikrotik.com/wiki/Manual:S ... p_Features
  • If you manage to bridge your eth4 with the rest of LAN ports then you can use gustavomam's rule as eth4 will be recognizable as separate interface
  • Having eth4 bridged you can take advantage of bridge firewalling which is similar to "normal" one but works on the bridge level so bridge is self-firewalled then. https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
 
Syptic
just joined
Topic Author
Posts: 3
Joined: Mon Jun 05, 2017 11:20 am

Re: Block internet access on specific physical port

Mon Jun 05, 2017 2:44 pm

I will read the links and give it a go tonight when I get home. Thanks for the help!
 
gustavomam
Trainer
Trainer
Posts: 287
Joined: Tue Jul 23, 2013 6:29 pm
Location: Spain
Contact:

Re: Block internet access on specific physical port

Mon Jun 05, 2017 2:47 pm

> Hmm but that will only block http/https access right? So all other ports would be open to the internet? Basically you would not be able to surf using a browser but things like SMTP/FTP/Torrents and other things not requiring port 80/443 would still work?

If you want to block other programs, and not just the typical internet ports for browsers (80/443), you should complete it with other ports, or permit all traffic in forward from your LAN ports and ether4, then block all the traffic between ether4 and the internet port (this is a more drastic solution, but it'll work).
 
vasilaos
Member Candidate
Member Candidate
Posts: 120
Joined: Tue Aug 04, 2009 9:50 am

Re: Block internet access on specific physical port

Mon Jun 05, 2017 5:17 pm

you can block communication to wan interface, for example if your wan interface is ether1 then:
/ip firewall filter add action=drop in-interface=ether4 out-interface=ether1
or you can block traffic other than your lan network, for example if your lan network is 192.168.0.0/24 then:
/ip firewall filter add action=drop in-interface=ether4 dst-address=!192.168.0.0/24
 
koperfield
just joined
Posts: 4
Joined: Wed Oct 11, 2017 11:36 pm

Re: Block internet access on specific physical port

Wed Oct 11, 2017 11:46 pm

> you can block communication to wan interface for example if your wan interface is ether1 then:
> /ip firewall filter add action=drop in-interface=ether4 out-interface=ether1

No, I can't ('chain=forward' added):
Untitled1.png

> or you can block traffic other than your lan network for example if your lan network is 192.168.0.0/24 then:
> /ip firewall filter add action=drop in-interface=ether4 dst-address=!192.168.0.0/24

Same, no, I can't ('chain=forward' added):
Untitled.png
 
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Block internet access on specific physical port

Thu Oct 12, 2017 12:37 am

Earlier in the thread, it was explained that you must un-slave interfaces such as ether4 that you've posted screenshots about.

Furthermore, you will need to add ether4 to the LAN bridge, and then enable "use IP firewall" on the bridge.
 
koperfield
just joined
Posts: 4
Joined: Wed Oct 11, 2017 11:36 pm

Re: Block internet access on specific physical port

Thu Oct 12, 2017 5:38 pm

> you must un-slave interfaces such as ether4

Interface ether4: Master port -> none?

> you will need to add ether4 to the LAN bridge, and then enable "use IP firewall" on the bridge.

Add ether4 to main LAN bridge1? Or I need to create another one, like bridge2? Do I need to add other interfaces to bridge2 like ether2, ether3, ether5? Thanks.
 
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Block internet access on specific physical port

Thu Oct 12, 2017 5:40 pm

Yes on the master=none.....

> add ether4 to main LAN bridge1? Or I need to create another one, like bridge2? Do I need to add other interfaces to bridge2 like ether2, ether3, ether5? Thanks.

If you want ether4 to be in the same network as the rest of the LAN, then yes, add it to the same bridge.

If you want ether4 to be a completely different network, then you don't need to add it to any bridge. Just un-slave it and then put an IP address onto the interface and configure DHCP, etc.
 
koperfield
just joined
Posts: 4
Joined: Wed Oct 11, 2017 11:36 pm

Re: Block internet access on specific physical port

Thu Oct 12, 2017 6:40 pm

> If you want ether4 to be in the same network as the rest of the LAN, then yes, add it to the same bridge.

Yes, I want ether4 to be in the same network as ether2, ether3, ether5.
1.png
But after adding un-slaved ether4 to bridge1, ether4 becomes slave! And the rule does not work :(
2.png
3.png
'Use IP Firewall' on bridge1 -> enabled.
 
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Block internet access on specific physical port

Thu Oct 12, 2017 8:47 pm

Okay - so this means that even using IP firewall for the bridge won't allow you to filter on a specific bridge port.
It's correct for the interface to become slave when you add to a bridge. Slave means that the interface cannot be used directly as an IP interface because it's acting as a component of some other feature - bridging in this case.

Anyway, you can achieve your goal with a layer 2 bridge filter as mentioned earlier in the thread.

/interface bridge filter
add action=drop chain=forward in-bridge=bridge1 in-interface=ether4
add action=drop chain=forward in-bridge=bridge1 out-interface=ether4

This will cause the bridge not to forward any traffic to/from the interface ether4. Traffic to/from the Internet will not go into the bridge forward filter, but the bridge input / output filters.

One thing to note - if you want to make a bridge which has ALL interfaces isolated from each other but not the Internet, then you can do this easily using the split horizon feature - go into each bridge port and set horizon=1. All ports on the same horizon cannot communicate with each other, but they can communicate with all other ports. So if you want NO "east/west" communication, but ONLY "north/south" then adding all ports to the same horizon is easier than making a set of filter rules for every interface - and probably runs faster too.
 
koperfield
just joined
Posts: 4
Joined: Wed Oct 11, 2017 11:36 pm

Re: Block internet access on specific physical port

Thu Oct 12, 2017 11:32 pm

> /interface bridge filter
> add action=drop chain=forward in-bridge=bridge1 in-interface=ether4
> add action=drop chain=forward in-bridge=bridge1 out-interface=ether4

/interface bridge filter print

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=forward action=drop in-interface=ether4 in-bridge=bridge1 log=no log-prefix="" 

 1   chain=forward action=drop in-bridge=bridge1 out-interface=ether4 log=no log-prefix="" 

Devices connected to physical port ether4 still have internet access.

> if you want to make a bridge which has ALL interfaces isolated from each other but not the Internet

I use the default RouterBOARD 750UP r2 (hEX PoE Lite) configuration. All I want and need is that a device connected to physical port ether4 has full local network access but is unable to access the internet through any protocol (http(s), ssh, telnet, unknown or proprietary protocols, etc). No more or less. Is this possible?
 
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Block internet access on specific physical port

Fri Oct 13, 2017 12:42 am

Oh wait - I got it backwards. You want LAN<>LAN but no Internet. Whoops.

Delete the forward chain filter rules and use these rules instead:
action=drop chain=input in-bridge=bridge1 in-interface=ether4 mac-protocol=ip dst-address=!192.168.0.0/24
action=drop chain=output out-bridge=bridge1 out-interface=ether4 mac-protocol=ip src-address=!192.168.0.0/24

or you could use a slightly more sophisticated mechanism that won't need to be changed if you ever re-number your LAN.

/interface bridge filter
add chain=input action=mark-packet new-packet-mark=nointernet in-bridge=bridge1 in-interface=ether4

/ip firewall filter
add action=drop chain=forward packet-mark=nointernet out-interface=MyWanInterface
.. place this rule immediately after your first few "accept established,related" type rules.

You really don't have to worry too much about blocking packets going the other way because if the LAN host(s) on ether4 cannot send anything to the internet, then the Internet won't have any reply packets to send your way.
 
bajodel
Long time Member
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Block internet access on specific physical port

Fri Oct 13, 2017 2:38 am

.. or maybe use the "in-bridge-port=" matcher in the previous zerobyte configuration schema (std forward filter)?
Last edited by bajodel on Sun Oct 15, 2017 6:24 am, edited 1 time in total.
 
CZFan
Forum Guru
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: Block internet access on specific physical port

Fri Oct 13, 2017 6:43 pm

I did similar to ZeroByte, but used Mangle rule, tested and worked 100%

/ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
8 chain=forward action=mark-connection new-connection-mark=DropWLanInternet passthrough=no
out-interface=ether1 in-bridge-port=wlan1 log=no log-prefix=""


/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
1 chain=forward action=drop connection-mark=DropWLanInternet log=no log-prefix=""
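Pulling the pieces scattered through the thread into one sequence, here is an added RouterOS (6.x, pre-6.41 "master-port" era) configuration, not posted by anyone in the thread, that un-slaves ether4, bridges it with the LAN, and uses ZeroByte's packet-mark scheme so that hosts on ether4 keep LAN access but cannot reach the internet. It assumes ether1 is the WAN interface, bridge1 is the LAN bridge, and that an "accept established,related" rule already exists in the forward chain.

```routeros
# Assumption: ether4 is currently a switch slave of ether2 (default hEX PoE Lite
# config). It must be a standalone interface before the bridge can see it.
/interface ethernet set ether4 master-port=none

# Assumption: bridge1 is the existing LAN bridge. Adding ether4 makes it a
# bridge slave, which is expected (it is still a separate bridge port).
/interface bridge port add bridge=bridge1 interface=ether4

# Let IP firewall rules see bridged traffic (needed on this RouterOS version).
/interface bridge settings set use-ip-firewall=yes

# Layer-2 step: tag every frame that enters the bridge via ether4.
# The mark survives into the IP firewall, so the drop rule below does not
# depend on the LAN subnet and needs no change if the LAN is renumbered.
/interface bridge filter add chain=input action=mark-packet \
    new-packet-mark=nointernet passthrough=yes \
    in-bridge=bridge1 in-interface=ether4 comment="tag ether4 ingress"

# Layer-3 step: drop tagged packets only when they head for the WAN.
# LAN<>LAN traffic never leaves towards ether1, so it is unaffected.
# place-before=0 is an assumption: move the rule so it sits right after the
# existing "accept established,related" rules, as advised in the thread.
/ip firewall filter add chain=forward action=drop packet-mark=nointernet \
    out-interface=ether1 place-before=0 comment="ether4: no internet"

# Verification: from a host on ether4, ping a LAN address (should succeed) and
# an internet address (should fail), then watch the drop counter climb.
/ip firewall filter print stats where comment="ether4: no internet"
```

Return traffic from the internet needs no separate rule: if nothing from ether4 reaches the WAN, there is nothing for the WAN to answer.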
