Hi Experts
I have just configured a MikroTik router in bridge mode and am trying to apply firewall filter rules, but they are not working. Details of the connectivity and configuration are given below:
The router's ethernet 1 and ethernet 2 interfaces are running in bridge mode, and both interfaces have public IPs. There is another interface, ethernet 5, which is the LAN interface; users connected to it access the internet through the router. Ethernet 1 has the public IP address 203.244.135.171/29, and there is a server connected to ethernet 2 with the public IP address 203.244.135.172, which will be accessed by a machine located at 83.225.98.42. My task is to allow the LAN users to browse the internet only and drop everything else. Further, the server connected to ethernet 2 should only accept requests from 83.225.98.42 and drop everything else. The filter rules for the LAN users are working, but the ones for the server are not. Can anyone help me resolve this issue?
Thanks & Regards
msusmani
Configuration.
MikroTik RouterOS 6.42.6 (c) 1999-2018 http://www.mikrotik.com/
[admin@MikroTik] > export
# jul/30/2018 22:10:10 by RouterOS 6.42.6
# software id = 6MP5-PTVK
#
# model = RouterBOARD 750 r2
# serial number = 63BD05F385CE
# ether1 (ISP side) and ether2 (server side) are bridged into one L2 segment; the
# router's own public address lives on the bridge interface, not on ether1 (see /ip address).
/interface bridge
add name=bridge1_Internet
/interface ethernet
set [ find default-name=ether1 ] name="ether1_WAN (Connected to ISP Router)"
set [ find default-name=ether2 ] name="ether2 (Connected to Server )"
set [ find default-name=ether5 ] name="ether5 (Desktop Users)"
# WAN/LAN lists are defined and populated below but no firewall rule in this
# export references them; the filter rules match on interface names directly.
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# dhcp_pool1 hands out 192.168.10.2-192.168.10.254 (the whole /24 minus the gateway).
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="ether5 (Desktop Users)" lease-time=3d10m name=dhcp1
/interface bridge port
add bridge=bridge1_Internet interface="ether1_WAN (Connected to ISP Router)"
add bridge=bridge1_Internet interface="ether2 (Connected to Server )"
# use-ip-firewall=yes is what makes ether1<->ether2 bridged traffic visit /ip firewall
# at all. Such packets enter and leave on the same interface (bridge1_Internet) and are
# evaluated in the *forward* chain (and srcnat/postrouting), never in *input*.
/interface bridge settings
set use-ip-firewall=yes
/interface list member
add interface="ether1_WAN (Connected to ISP Router)" list=WAN
add interface="ether2 (Connected to Server )" list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface="ether5 (Desktop Users)" list=LAN
/ip address
add address=203.244.135.171/29 interface=bridge1_Internet network=203.244.135.168
add address=192.168.10.1/24 interface="ether5 (Desktop Users)" network=192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
# Router answers DNS for remote clients; the input drop on bridge1_Internet below keeps
# this from being reachable from the public side, so only LAN-side clients can use it.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# forward chain: LAN -> Internet policy.
# NOTE(review): src-address=192.168.10.0/29 covers only 192.168.10.0-.7, while the DHCP
# pool above is .2-.254. Clients above .7 match neither the accept nor the drop and fall
# through to the forward chain's default (accept). /24 appears to be intended.
/ip firewall filter
add action=accept chain=forward dst-port=80,443 out-interface=bridge1_Internet protocol=tcp src-address=192.168.10.0/29
add action=drop chain=forward out-interface=bridge1_Internet src-address=192.168.10.0/29
# Matches established/related connections entering on ether5 only. Reply traffic arriving on
# bridge1_Internet toward ether5 is matched by no rule here and is passed by the default accept.
add action=accept chain=forward connection-state=established,related in-interface="ether5 (Desktop Users)"
# input chain: these three rules govern only traffic addressed to the router itself
# (203.244.135.171 / 192.168.10.1). Traffic to the server (203.244.135.172) is bridged
# through the router and is evaluated in the forward chain, where nothing restricts it --
# which is consistent with the server being reachable from sources other than 83.225.98.42.
# Restricting the server needs forward-chain rules, e.g. accept src-address=83.225.98.42
# dst-address=203.244.135.172 in-interface=bridge1_Internet, followed by a drop for
# dst-address=203.244.135.172 (plus an established,related accept for its replies).
# The tcp accept below admits all TCP ports from 83.225.98.42 to the router's management
# plane; /ip service below disables telnet/ftp/ssh, any other service left enabled stays
# reachable from that host.
add action=accept chain=input in-interface=bridge1_Internet protocol=icmp src-address=83.225.98.42
add action=accept chain=input in-interface=bridge1_Internet protocol=tcp src-address=83.225.98.42
# src-address=0.0.0.0/0 matches everything; this is simply "drop all other input from the public side".
add action=drop chain=input in-interface=bridge1_Internet src-address=0.0.0.0/0
# NOTE(review): with use-ip-firewall=yes, bridged server traffic leaving on bridge1_Internet
# also passes srcnat; confirm the server's own outbound connections are not being rewritten
# to .171. Adding src-address=192.168.10.0/24 to this rule would limit it to the LAN.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1_Internet
# Default route via the ISP router on the same /29.
/ip route
add distance=1 gateway=203.244.135.169
# Plaintext/legacy management services disabled; see input-chain note above for what remains exposed.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Asia/Dubai
/system routerboard settings
[admin@MikroTik] >
[admin@MikroTik] >