@go4030:
Just one question...if my network is /24, I would change the /32 to /24?
No. we are talking about
so you are selecting only the destination mikrotik device (single host = /32). If you put /24, you may block access to other devices in theory, depending on your network setup.
I'm using the Mikrotik as an AP and it is connected to another router.
You could kinda say that in original post...
1. Make eth1 - eth4 and wlan1, wlan2 as Bridge1
2. Make eth5 as Bridge2
3. Firewall rule that drops all traffic from Bridge1 to router (input block)
4. Restrict router access services to Bridge 2 only.
Absolutely! Your thinking is perfectly valid and this approach is called "management port". That means only one port (or a few selected ports) can be used to manage the device. Just a few notes from me:
- do not confuse wlan/wan - those are two very different things. I understand it was just a typo, but less obvious typos can easily steer others to give you the wrong answer.
- make sure that you restrict access to Bridge2 not just in , but also in .
Optional:
- create a dhcp-server on the Bridge2 with some different subnet. That way you will get an IP address from the router when you connect to your Eth5 and that will allow you to connect easily via IP, not just MAC.
- you may also configure your Mikrotik to allow internet connection from the Bridge2, which will allow you to search on the internet and look for help/reference, while you are connected to the Eth5.
@2frogs
Another option is to set your device IP or list of IPs in IP > Service.
That would be reliable only if your IP is static. You did not mention that, therefore if OP followed your advice, he would sooner or later lose access, because his IP would change.
@anav
FIRST IGNORE the advice from above. The pony is pretty but those are LSD colours! ;-P
I love you too... But I also dare you to prove with an example, when will my answer fail to do what OP asked?
There are many ways to accomplish this task
Not really. The question was pretty clear - prevent wifi clients from accessing the interface. That's it. OP did not ask for complete reconfiguration of his router.
Let me rephrase your statement:
"There are many ways to accomplish security of RouterOS"
Please keep in mind that I did not have knowledge he uses it in a non-defconf way. Given that assumption, I did not want to complicate things. We could argue if it is really necessary to separate wlan/eth interfaces and use different subnets. I admit it is a more secure approach, but I consider it rather overkill in a basic home situation.
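
The "management port" layout discussed in this post, written out as RouterOS commands (an added example, not part of the original post or anyone's actual configuration). The interface names ether1-ether5, wlan1 and wlan2, the list name MGMT and the 192.168.99.0/24 management subnet are assumptions.

```routeros
# Added example. Assumed names: ether1-ether5, wlan1, wlan2 (RouterOS defaults),
# interface list MGMT, and a constructed management subnet 192.168.99.0/24.
# Assumes the ports are not already members of another bridge.
/interface bridge
add name=bridge1 comment="user ports + wifi"
add name=bridge2 comment="management port"
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge2 interface=ether5
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=bridge2
# Optional: own subnet and DHCP server on the management port,
# so a laptop plugged into ether5 gets an address automatically.
/ip address
add address=192.168.99.1/24 interface=bridge2
/ip pool
add name=mgmt-pool ranges=192.168.99.10-192.168.99.50
/ip dhcp-server
add name=mgmt-dhcp interface=bridge2 address-pool=mgmt-pool disabled=no
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1
# Input chain: keep replies to the router's own connections, then drop
# everything that arrives on bridge1 and is addressed to the router itself.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies to router-originated traffic"
add chain=input action=drop in-interface=bridge1 comment="no router access from bridge1"
# IP-level services answer only to the management subnet.
/ip service
set winbox address=192.168.99.0/24
set ssh address=192.168.99.0/24
set www address=192.168.99.0/24
# Layer-2 (MAC) management is limited to the management interface list.
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
```

Apply it while connected through ether5 and with Safe Mode enabled, since the drop rule ends any management session that comes in over bridge1.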