Hi,

I want to block traffic between 192.168.88.254 (eth4) and 192.168.88.249 (eth2).

Kid Control doesn't work - the IP has no internet access but has LAN access.

This doesn't work:

I don't know much about the firewall, but I am assuming that it controls the access between LAN <-> WAN but not inside the LAN, and this is why it doesn't work.

I tried to just block the access between the ports it connects to, still doesn't work:



Any ideas what is going on ? I'd like to do this via Kid Control optimally as all of my other access control rules are there.

All IPs on the same LAN or same bridge are connected at layer2. This means that firewall rules (layer3) will not apply.
Your options are to isolate one of the etherports by putting it on a different LAN (different LANIP structure) or on a different bridge etc.
Then firewall rules will apply.

Alternatively, if you have someway of putting that IP on A VLAN (using a managed switch or if done via wifi, via an vlan capable access point), that is another option.

Finally there may be some way of using other rules, mangle, routing etc to achieve some sort of blocking but I am not aware of them.

^^^^ Anav missed the easy solution. Although correct in that they are essentially in a L2 network, you can force L3 connectivity.

If the interfaces are in the same bridge you can use the bridge settings to use IP firewall or bridge filters and stop them from talking that way.

Sorry Steve, Ip firewall has no effect on interfaces on the same bridge, perhaps bridge filters but I have no idea what those are..........
( of course I am not talking vlans as that is a different story).

Well, the bridge filter rule I shared above doesn't work either.

What is going on ? Perhaps traffic that goes through the hardware switch doesn't actually get processed by the OS ?

Exactly, the OS is not involved in layer two switch traffic, the firewall rules apply to layer3 traffic. Between different subnets on a router or subnets on different bridges or one on a bridge and one not on a bridge. You have to figure out a different way of separating your users............
As I said, you may need a managed switch if the connection is ethernet cable or an Access Point that has vlan capability for example if you want to separate users on your own lan.

The other option is to frig with the PCs in question as I am sure there are some windows settings that may help limit access to other pCs??

The one setting I am not quite sure how it helps or not in this scenario is the IP neighbours discovery (which I have turned off).
https://wiki.mikrotik.com/wiki/Manual:I ... _discovery

But I have a virtually created bridge, and bridge filters work for it. But not for the default bridge. So if it's a software bridge I can use the bridge filters feature and provide some L2 filtering.

hello it turns out that the side has in the blacklist my isp as I do so that the page of a bank leaves by a vpn? I have done this but it does not work

/ ip firewall mangle
add action = mark-routing chain = prerouting content = urldelbanco in-interface = bridge new-routing-mark = "benchmark" passthrough = no

/ ip route
add distance = 1 gateway = pptp-out1 routing-mark = "bank brand"

Thank you

If ports on default bridge are hw offloaded, bridge filtering won't work. Disable hw offload for the ports you want to enable filtering.

Why not secure the device itself?

But I have a virtually created bridge, and bridge filters work for it. But not for the default bridge. So if it's a software bridge I can use the bridge filters feature and provide some L2 filtering.

Remove the hardware offload of the desired bridgeports /ether2 and ether4/ !


If you want to isolate and on second level Bridgeport 2 and 4 - use a split horizon with the same values ​​on the respective ports!