korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Not allowing one certain IP address to see the rest of the network

Fri Oct 05, 2018 1:06 pm

Hi,

I have a question about allowing, resp. disallowing, one certain IP address from the subnet to access nothing else but the Internet.

So, I have an office subnet 192.168.0.x... I allowed one laptop to access this network, but now it can see the whole network.

How can I set up the FW so that this IP has ONLY a connection to the Internet and not to the rest of the local network?

/ip firewall filter
add action=drop chain=forward comment="drop connection from IP address to the Local Network" dst-address=192.168.0.22 src-address=192.168.0.0/24

tx

korg
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Not allowing one certain IP address to see the rest of the network

Fri Oct 05, 2018 1:16 pm

Hey. Just set src-address as your laptop and set dst-address as a prohibited network.

or you can set firewall rule like this:

/ip firewall filter
add action=accept chain=forward dst-address=!192.168.0.0/24 src-address=192.168.0.22

P.S.: don't forget to lift this rule up above common forward rule.
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Not allowing one certain IP address to see the rest of the network

Fri Oct 05, 2018 1:42 pm

Tx a lot... I'll use your tip

korg
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Not allowing one certain IP address to see the rest of the network

Fri Oct 05, 2018 1:46 pm

And... how can I limit only this one particular MAC address to connect to the WLAN network?

korg
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Not allowing one certain IP address to see the rest of the network

Fri Oct 05, 2018 2:21 pm

> And... how can I limit only this one particular MAC address to connect to the WLAN network?
>
> korg

For WLAN you have the wireless access list, which allows only the MACs you want to connect.
Last edited by Anumrak on Fri Oct 05, 2018 3:34 pm, edited 1 time in total.
 
korg
Member Candidate
Topic Author
Posts: 141
Joined: Tue Apr 26, 2016 4:10 pm

Re: Not allowing one certain IP address to see the rest of the network

Fri Oct 05, 2018 3:24 pm

OK....

sure... you're right...

tx

Korg
 
mixig
Member
Posts: 315
Joined: Thu Oct 27, 2011 2:19 pm

Re: Not allowing one certain IP address to see the rest of the network

Mon Oct 08, 2018 12:05 pm

> Hey. Just set src-address as your laptop and set dst-address as a prohibited network.
>
> or you can set firewall rule like this:
>
> /ip firewall filter
> add action=accept chain=forward dst-address=!192.168.0.0/24 src-address=192.168.0.22
>
> P.S.: don't forget to lift this rule up above common forward rule.

Be aware that if the IP address is in the same subnet as your network, LAN traffic will NOT pass through the router (same L2 domain), of course, if you are using some switch behind your router.
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Not allowing one certain IP address to see the rest of the network

Mon Oct 08, 2018 2:10 pm

> > Hey. Just set src-address as your laptop and set dst-address as a prohibited network.
> >
> > or you can set firewall rule like this:
> >
> > /ip firewall filter
> > add action=accept chain=forward dst-address=!192.168.0.0/24 src-address=192.168.0.22
> >
> > P.S.: don't forget to lift this rule up above common forward rule.
>
> Be aware that if the IP address is in the same subnet as your network, LAN traffic will NOT pass through the router (same L2 domain), of course, if you are using some switch behind your router.

It will. Because the destination address won't be the router's IP. It will be the router's MAC, but not its IP.
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Not allowing one certain IP address to see the rest of the network

Mon Oct 08, 2018 2:31 pm

> It will. Because the destination address won't be the router's IP. It will be the router's MAC, but not its IP.

It won't. And the router's MAC is not in the game at all.
This will only work if the laptop in question is connected to the router directly (w/o a switch in between) and if "Use IP firewall" is active under bridge settings.
-Chris
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Not allowing one certain IP address to see the rest of the network

Mon Oct 08, 2018 3:20 pm

> > It will. Because the destination address won't be the router's IP. It will be the router's MAC, but not its IP.
>
> It won't. And the router's MAC is not in the game at all.
> This will only work if the laptop in question is connected to the router directly (w/o a switch in between) and if "Use IP firewall" is active under bridge settings.
> -Chris

Are we talking about ARP or some unicast traffic? With ARP it can be a problem, I think... So the TS has to create a drop rule with all IPs in his net except his gateway. That would be better.

P.S.: I didn't get you about the switch, because we talked about layer 3.
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Not allowing one certain IP address to see the rest of the network

Mon Oct 08, 2018 3:31 pm

Well, it was talked about L3 communication in the same subnet on the same L2 domain. Which technically makes it L2 communication.
So link-local traffic (i.e. in the same subnet) will not hit the router L3-wise. And L2-wise only if the router is used as a bridge that has to be passed for this communication.
-Chris
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Not allowing one certain IP address to see the rest of the network

Mon Oct 08, 2018 3:34 pm

> Well, it was talked about L3 communication in the same subnet on the same L2 domain. Which technically makes it L2 communication.
> So link-local traffic (i.e. in the same subnet) will not hit the router L3-wise. And L2-wise only if the router is used as a bridge that has to be passed for this communication.
> -Chris

Oh, I see. I just didn't imagine that he was bridged with other users. Then yeah, he could enable a split horizon rule in the bridge to isolate the Tik's ports from each other, or do L2 filtering in a switch, if he has one. But the wiser decision is segmenting the net into subnets :)
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Not allowing one certain IP address to see the rest of the network

Mon Oct 08, 2018 10:10 pm

The information provided is too sparse for me to understand.
Trying to keep it basic:
If the laptop is part of the same LAN network 192.168.0.0, then no firewall rules will have any effect, as there is direct L2 connectivity.
If the laptop is on a different LAN, then unless the LANs are bridged there should only be connectivity through the router if allowed by rules, and thus the laptop can be firewalled off the 192.168.0.0 network.
For instance, one could have a drop forward rule as the last rule in the Forward Chain, and if one didn't explicitly allow LANA to LANB traffic etc., it ain't going to be allowed.

In other words, without seeing the OP's setup (IP rules) it would be hard to comment further.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Not allowing one certain IP address to see the rest of the network

Mon Oct 08, 2018 10:47 pm

If what OP wrote is read verbatim, then:

laptop with IP address 192.168.0.22
should not see the rest of network 192.168.0.0/24

And that is not possible except in one particular case: that laptop is directly connected to a wired port of RB (and no other device is sharing that port). In this case bridge can be set-up to use FW rules and FW could prohibit said connectivity. But that case would come also with some bad side effects and I wouldn't recommend doing it.

There are other ways of doing it, but I'm not going to suggest any of them. I suggest to @korg to study a few basics about IP addressing, subnetting, routing, etc.
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: Not allowing one certain IP address to see the rest of the network

Tue Oct 09, 2018 6:36 pm

As earlier stated: set "Use IP firewall" in the bridge settings, then traffic within the bridge will go through the firewall.
Then you can filter it with rules etc.

Or you can do it differently:
You can also uncheck "default forward" (in the bridge settings as well), then nobody will be able to talk to each other by default and can get only Internet. You will need to add accept rules if you want to have local traffic (which then should not include that one IP/MAC address you want to isolate).
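Putting the thread's advice together (IP firewall on bridged traffic, a drop rule for the isolated host, an L2 guard for the ARP gap cdiedrich and Anumrak raised, and the wireless access list), here is an added RouterOS configuration example. It is not from any poster in this thread. The laptop IP 192.168.0.22 and the 192.168.0.0/24 subnet come from the original post; the bridge name "bridge", the wired port ether3, the WLAN interface wlan1 and the MAC 00:11:22:33:44:55 are assumptions and must be replaced with the real names.

```routeros
# Added example, not from the thread. Assumed names: bridge "bridge", the laptop
# wired to ether3, WLAN interface wlan1, laptop MAC 00:11:22:33:44:55 (placeholder).
# 192.168.0.22 and 192.168.0.0/24 are the values from the original post.

# 1. Let the IP firewall see traffic that is bridged between two ports of the
#    router. Without this, same-subnet frames are switched at L2 and never reach
#    /ip firewall filter at all. The setting is global and costs CPU.
/interface bridge settings
set use-ip-firewall=yes

# 2. L3: drop IP traffic between the laptop and the rest of the LAN in BOTH
#    directions. place-before=0 puts the rules at the top so an earlier
#    "accept established" or "accept from LAN" rule cannot defeat them.
#    Traffic from 192.168.0.22 to anything outside the subnet (Internet) is left
#    to the existing forward rules.
/ip firewall filter
add chain=forward src-address=192.168.0.22 dst-address=192.168.0.0/24 \
    action=drop comment="isolated laptop -> LAN" place-before=0
add chain=forward src-address=192.168.0.0/24 dst-address=192.168.0.22 \
    action=drop comment="LAN -> isolated laptop" place-before=0

# 3. L2: the rules above only apply when the laptop hangs directly off a router
#    port, and they do not see ARP or other non-IP frames. This bridge filter
#    drops every frame bridged FROM ether3 to any other bridge port. Frames
#    addressed to the router itself (gateway, DNS) go through the bridge "input"
#    chain, not "forward", so the laptop still reaches the router and the Internet.
/interface bridge filter
add chain=forward in-interface=ether3 action=drop \
    comment="no L2 forwarding from isolated port to other ports"

# 4. WLAN: admit only the listed MAC (default-authentication=no rejects every
#    other client) and stop the AP from forwarding its frames to other wireless
#    clients on the same interface (forwarding=no).
/interface wireless
set wlan1 default-authentication=no default-forwarding=no
/interface wireless access-list
add interface=wlan1 mac-address=00:11:22:33:44:55 authentication=yes forwarding=no \
    comment="only this laptop may associate; no client-to-client forwarding"
```

If the laptop is wireless rather than on ether3, the bridge filter in step 3 should match in-interface=wlan1 instead; forwarding=no in the access list only covers other clients of the same AP, not wired hosts on the bridge. Step 3 only works when the laptop is alone on that router port; behind an external switch the frames never reach the router, and the cleaner answer several posters gave (a separate subnet or VLAN for the laptop, filtered in the forward chain) is the one to use.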
