julianhaines
just joined
Topic Author
Posts: 16
Joined: Mon Jul 06, 2015 2:09 pm
Location: Brighton

IP Firewall

Mon Aug 13, 2018 3:57 pm

Hi,

I am trying to block 192.168.207.0/24 on ether6 from accessing eth1 on a Mikrotik for security.

I have tried adding firewall rules to drop from a source address 192.168.207.0 going to the address I want to block, but this is not working; see attached image.

What I want is any 192.168.207.0/24 address coming from ether6 to not be able to get to anything on ether1.

Thanks for your help, I am new to Mikrotik.

Julian
 
Anumrak
Forum Guru
Posts: 1180
Joined: Fri Jul 28, 2017 2:53 pm

Re: IP Firewall

Mon Aug 13, 2018 4:13 pm

You should set a drop rule in the input chain on the exact interface:

ip firewall filter add action=drop chain=input in-interface=ether1 src-address=192.168.207.0/24

or ether6, as you want.
 
julianhaines

Re: IP Firewall

Mon Aug 13, 2018 4:19 pm

Hi,

Tried but get the error in the attached image.

Julian
 
szt
just joined
Posts: 19
Joined: Mon Aug 06, 2018 9:43 pm
Location: Olomouc, Czech Republic

Re: IP Firewall

Mon Aug 13, 2018 9:48 pm

You should use "forward" chain instead of "input" chain.

"Input" chain is linked only to packets which are terminated on your Mikrotik.
"Forward" chain is linked to packets which go through your Mikrotik.

Or, from a different point of view, your intention is to filter packets which are _forwarded_ from ether6 to ether1.
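
The input/forward distinction described in the reply above, as an added example that is not part of the original posts: a simplified Python model of the chain decision and first-match rule evaluation. The router addresses (192.168.207.1, 10.0.1.1) and the ether1 host (10.0.1.50) are constructed, and the rule fields mirror RouterOS filter properties.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (the thread never states the router's own addresses).
ROUTER_ADDRESSES = {ip_address("192.168.207.1"), ip_address("10.0.1.1")}

def chain_for(dst):
    """Packets addressed to the router itself traverse input; packets routed
    through it to another host traverse forward (simplified model)."""
    return "input" if ip_address(dst) in ROUTER_ADDRESSES else "forward"

def verdict(rules, pkt):
    """First matching rule in the packet's chain decides; default is accept."""
    chain = chain_for(pkt["dst"])
    for r in rules:
        if r["chain"] != chain:
            continue
        if "in_interface" in r and r["in_interface"] != pkt["in_interface"]:
            continue
        if "out_interface" in r and r["out_interface"] != pkt.get("out_interface"):
            continue
        if "src_address" in r and ip_address(pkt["src"]) not in ip_network(r["src_address"]):
            continue
        return chain, r["action"]
    return chain, "accept"

# The input-chain rule from the first reply (ether6 variant).
INPUT_RULE = {"chain": "input", "action": "drop", "in_interface": "ether6",
              "src_address": "192.168.207.0/24"}
# Forward-chain equivalent; in RouterOS terms (assumed form):
# /ip firewall filter add chain=forward action=drop in-interface=ether6 \
#     out-interface=ether1 src-address=192.168.207.0/24
FORWARD_RULE = {"chain": "forward", "action": "drop", "in_interface": "ether6",
                "out_interface": "ether1", "src_address": "192.168.207.0/24"}

# Constructed packets from the test laptop (192.168.207.210) on ether6.
TO_ETHER1_HOST = {"src": "192.168.207.210", "dst": "10.0.1.50",
                  "in_interface": "ether6", "out_interface": "ether1"}
TO_ROUTER = {"src": "192.168.207.210", "dst": "192.168.207.1",
             "in_interface": "ether6"}

if __name__ == "__main__":
    for name, rules in (("input rule", [INPUT_RULE]), ("forward rule", [FORWARD_RULE])):
        print(name, "| to ether1 host:", verdict(rules, TO_ETHER1_HOST),
              "| to router:", verdict(rules, TO_ROUTER))
```

The model ignores connection tracking and NAT; it only shows which chain a packet lands in and why a rule in the other chain never sees it.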
 
julianhaines

Re: IP Firewall

Tue Aug 14, 2018 12:47 pm

Hi,

Thanks, I have created a firewall rule to drop any traffic coming in from ether6 src address 192.168.207.0/24 and going to ether1, but it's not working.

From a test laptop on ether6, I can still ping devices on ether1.
What am I doing wrong?

Julian
 
julianhaines

Re: IP Firewall

Tue Aug 14, 2018 12:56 pm

Hi,

I think I have found the problem: the gateway for the clients is 192.168.204.0; if I block this, it's working.

How do I block based on the device IP 192.168.207.0/24, not the gateway?

Julian
 
mkx
Forum Guru
Posts: 3911
Joined: Thu Mar 03, 2016 10:23 pm

Re: IP Firewall

Tue Aug 14, 2018 4:31 pm

The settings on the PC shown are weird: the PC's address is 192.168.207.210 with network mask 255.255.255.0 ... generally it cannot directly connect to any host whose IP falls outside the range 192.168.207.1-192.168.207.254 and should use a gateway (the default one if a more specific one is not defined) to reach other hosts. Now comes the weird part: the gateway set on your PC has IP address 192.168.204.4, which is outside of the directly connectable IP addresses (according to the network mask).
Makes me wonder how it can work at all.

You need to fix your IP (sub)network. Either adjust the subnet mask to cover both the PC's IP address and the gateway address, or set the proper gateway address (as served by DHCP server 192.168.207.254). My guess is that the DHCP server is supposed to act as gateway for that particular subnet. But then it's just a wild guess, as you never showed us any network chart or settings.
BR,
Metod
