acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Exclude local IP from internal resources, allow internet access only

Sun Feb 28, 2021 9:29 am

Hi, I'm in need of some help:

I've successfully configured a Mikrotik router to serve internet and act as local DHCP server.

However, I have one static IP, used for a Wi-Fi router, and I want clients connected to it to ONLY be able to access the internet and not be able to access any internal IPs.

I've tried doing this by Firewall Filter, however have not had any luck. Basically, I want the firewall to drop any connections coming from 10.1.1.2 to the local LAN.

Chain: forward
Source Address: 10.1.1.2 (Router's Static IP)
Destination Address: 10.1.0.0/16
Action: Drop

However, when I set up this config the FW has the opposite effect, blocking out internet access for those on wi-fi, yet can continue accessing internal IPs.

Any help would be greatly appreciated!
 
jvanhambelgium
Forum Veteran
Posts: 990
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Exclude local IP from internal resources, allow internet access only

Sun Feb 28, 2021 10:03 am

So, to understand better: that Wifi-router is connected with its WAN port onto the Mikrotik LAN and all Wifi clients are NAT'ted behind the IP address of this Wifi router, 10.1.1.2?
Basically you only ever see packets from 10.1.1.2 coming from that device with several clients connected?
And secondly, is this Wifi-router connected directly on a port of the Mikrotik, or is there a LAN-switch with local hosts in between?

Some/others will probably tell you: please post your config & a basic schematic please!

Because there might be a couple of reasons why you are not getting the desired behaviour.
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: Exclude local IP from internal resources, allow internet access only

Sun Feb 28, 2021 11:01 am

Hi jvanhambelgium, thanks for the response :)

>> So, to understand better: that Wifi-router is connected with its WAN port onto the Mikrotik LAN and all Wifi clients are NAT'ted behind the IP address of this Wifi router, 10.1.1.2?

Yup

>> Basically you only ever see packets from 10.1.1.2 coming from that device with several clients connected?

Also, yes :)

>> And secondly, is this Wifi-router connected directly on a port of the Mikrotik, or is there a LAN-switch with local hosts in between?

The wifi router as well as the Mikrotik router are connected to a general purpose switch. The same switch is being used by desktops, laptops and wired printers.

>> Some/others will probably tell you: please post your config & a basic schematic please!
>> Because there might be a couple of reasons why you are not getting the desired behaviour.

Sure, I'll post a config shortly. Thank you for the suggestion.

Mikrotik router: 10.1.0.1.
Network: 10.1.0.0/16
WiFi Router: 10.1.1.2
Netgear Switch: 10.1.1.1

Modem <-> Mikrotik WAN port <-> Mikrotik Bridge, 10GB SFP <-> Netgear Switch <-> WiFi Router WAN Port.

So basically, 10.1.1.2 should only be able to reach the outside world, presumably via 10.1.0.1. I would think the Firewall should deny all internally except for 10.1.0.1?

Appreciated!
 
jvanhambelgium
Forum Veteran
Posts: 990
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Exclude local IP from internal resources, allow internet access only

Sun Feb 28, 2021 11:40 am

>> The wifi router as well as the Mikrotik router are connected to a general purpose switch. The same switch is being used by desktops, laptops and wired printers.

Your above sentence caught my attention. Like this, it is impossible to control traffic! There is no way you can prevent your Wifi users (on that router) from using/approaching these "desktops, laptops & printers".

The only option is to run a direct cable from the Wifi router straight into the MikroTik first, and then apply filtering on the interface or bridge or whatever to stop that traffic from reaching any other participants on the 10.1.0.0/16 broadcast domain.
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: Exclude local IP from internal resources, allow internet access only

Sun Feb 28, 2021 12:09 pm

>> The only option is to run a direct cable from the Wifi router straight into the MikroTik first, and then apply filtering on the interface or bridge or whatever to stop that traffic from reaching any other participants on the 10.1.0.0/16 broadcast domain.

Thanks! Unfortunately the router I'm working on (CCR2004-1G-12S+2XS) only has one available Ethernet port, the other being a reserved console port. I've read that there are SFP<->Ethernet adapters available. I've never tried using one, but might give it a try.

You've given me an idea however. Both the Mikrotik & Wifi-routers are connected to a managed switch. Worth seeing if a firewall can be configured from within the switch as opposed to the Mikrotik router.
 
jvanhambelgium
Forum Veteran
Posts: 990
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Exclude local IP from internal resources, allow internet access only

Sun Feb 28, 2021 1:12 pm

If the switch supports VLANs, you can also get the Wifi-router traffic across a dedicated VLAN to the Mikrotik. From there on, you can filter all you want and your scenario will work.
However, the "WAN" IP of the Wifi-router must change: you cannot use 10.1.1.2 with a mask of 255.255.0.0, as it falls in the same broadcast domain as your internal network.

Another scenario could be some form of "router-on-a-stick", but it all depends on your technical knowledge.

1) Adapt the WAN port of the Wifi-router and make it 192.168.1.1/24 (if the WAN is now set to "DHCP" and receives an IP + settings from the Mikrotik, never mind, just change it to manual).
Manually set the default gateway to 192.168.1.254/24.
On the Mikrotik, add another IP address on the bridge interface, 192.168.1.254 (never done it on Mikrotik, but I read it is possible).

Like this, even without "VLAN" the traffic from Wifi clients MUST hit the Mikrotik first if they ever want to reach 10.1.0.0/16 internal IP space. So now perhaps some filtering is possible.
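The reasoning in the two replies above (a flat switch delivers same-subnet traffic without the router ever seeing it; moving the Wi-Fi router's WAN side to its own subnet forces that traffic through the MikroTik's forward chain, where a drop rule can act on it) can be checked with a small model. The following is an added example, not code from this thread or from MikroTik: it represents forward-chain rules as (src, dst, action) tuples with RouterOS' first-match and implicit-accept semantics, assumes the constructed addresses 10.1.5.20 for a LAN desktop and 198.51.100.10 for an internet host, and assumes the Wi-Fi router only sends from its configured WAN address. It models only what the replies state; it does not attempt to explain the internet outage the original poster observed with the first rule.

```python
import ipaddress

# Constructed model of the thread's topology (not RouterOS configuration).
# The MikroTik owns these directly connected subnets. In the original setup the
# Wi-Fi router's WAN address 10.1.1.2 lives inside the flat 10.1.0.0/16; in the
# renumbered setup it moves to 192.168.1.1/24 with the MikroTik at .254.
SUBNETS_ORIGINAL = [ipaddress.ip_network("10.1.0.0/16")]
SUBNETS_RENUMBERED = [ipaddress.ip_network("10.1.0.0/16"),
                      ipaddress.ip_network("192.168.1.0/24")]
ROUTER_ADDRESSES = {ipaddress.ip_address("10.1.0.1"),
                    ipaddress.ip_address("192.168.1.254")}

# Forward-chain rules as (src, dst, action); first match wins, and a packet that
# matches no rule is accepted, mirroring the RouterOS default forward policy.
RULES_ORIGINAL = [("10.1.1.2/32", "10.1.0.0/16", "drop")]       # the poster's rule
RULES_RENUMBERED = [("192.168.1.0/24", "10.1.0.0/16", "drop")]  # after renumbering

LAN_DESKTOP = "10.1.5.20"        # constructed internal host
INTERNET_HOST = "198.51.100.10"  # constructed, from the documentation range


def path_for(src, dst, subnets):
    """'switched' if both hosts sit in one connected subnet (the switch delivers
    the frame and the router's forward chain never sees it), else 'routed'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return "switched" if any(s in n and d in n for n in subnets) else "routed"


def forward_verdict(src, dst, subnets, rules):
    """What the MikroTik forward chain does with a packet src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in ROUTER_ADDRESSES:
        return "input-chain"   # traffic to the router itself is not forwarded at all
    if path_for(src, dst, subnets) == "switched":
        return "not-seen"      # delivered at layer 2; no firewall involvement
    for rule_src, rule_dst, action in rules:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return action
    return "accept"


def original_setup():
    """Wi-Fi router WAN at 10.1.1.2 on the flat /16, with the poster's drop rule."""
    return {
        "wifi->desktop": forward_verdict("10.1.1.2", LAN_DESKTOP, SUBNETS_ORIGINAL, RULES_ORIGINAL),
        "wifi->internet": forward_verdict("10.1.1.2", INTERNET_HOST, SUBNETS_ORIGINAL, RULES_ORIGINAL),
    }


def renumbered_setup():
    """Wi-Fi router WAN at 192.168.1.1/24, gateway 192.168.1.254 on the bridge."""
    return {
        "wifi->desktop": forward_verdict("192.168.1.1", LAN_DESKTOP, SUBNETS_RENUMBERED, RULES_RENUMBERED),
        "wifi->internet": forward_verdict("192.168.1.1", INTERNET_HOST, SUBNETS_RENUMBERED, RULES_RENUMBERED),
        "wifi->mikrotik": forward_verdict("192.168.1.1", "10.1.0.1", SUBNETS_RENUMBERED, RULES_RENUMBERED),
    }


if __name__ == "__main__":
    for name, result in (("original", original_setup()), ("renumbered", renumbered_setup())):
        for flow, verdict in result.items():
            print(f"{name:10} {flow:16} {verdict}")
```

The "not-seen" result for the original wifi->desktop flow is the point made above: a forward rule on the MikroTik cannot act on frames the switch delivers directly. After renumbering, the same flow is routed and hits the drop rule, while internet-bound traffic still passes. Traffic addressed to the MikroTik itself (10.1.0.1) is handled by the input chain, so a forward rule is not what "except for 10.1.0.1" would be expressed with.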
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Exclude local IP from internal resources, allow internet access only

Sun Feb 28, 2021 6:39 pm

This is plain nuts.
Provide a friggen network diagram so it's clear from the start! (Indicate which devices are managed or unmanaged, including any secondary routers or access points, aka can handle VLANs.)
Also your config:
/export hide-sensitive file=anynameyouwish

Also, the RJO1 copper cage for the SFP or SFP+ port, for that matter, works great if you need another Ethernet connection from the router. Ubiquiti sells something similar that's readily available and not expensive.
