 
bach1
just joined
Topic Author
Posts: 9
Joined: Tue Jan 16, 2018 9:19 pm

How to disable access from local to some local to Mikrotik AP?

Tue Jan 16, 2018 9:26 pm

Since I am not very well versed in this, I need someone to write an example of how to do it on a MikroTik AP in bridge mode. Basically I just need the IP range 192.168.20.110-114 not to reach 192.168.20.4-100, but vice versa, from the whole range 192.168.20.0/24 to the IP range 192.168.20.110-114, yes.
Thank you for your help.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How to disable access from local to some local to Mikrotik AP?

Tue Jan 16, 2018 9:54 pm

Make a second SSID (create a VAP interface), and make the insecure devices use the second AP, and put that on a different IP range (don't bridge the VAP - put a new IP address directly on it and configure a new DHCP service on this network). Then use the IP Firewall filter to block in-interface=VAP out-interface=LAN.

Blocking things in the way you're attempting is not actually secure at all because any device that decides to spoof its IP address or MAC address can do so and easily bypass your security.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
bach1
just joined
Topic Author
Posts: 9
Joined: Tue Jan 16, 2018 9:19 pm

Re: How to disable access from local to some local to Mikrotik AP?

Tue Jan 16, 2018 10:41 pm

This Wifi is only for those 5 clients and they do not know SSIDs or their wifi passwords, I add them to myself, they do it if they scanned the network to not find my printers, satellites, etc. from my range 192.168.20.4-100, otherwise I do not mind.
 
poizzon
Member Candidate
Posts: 113
Joined: Fri Jun 21, 2013 12:53 pm

Re: How to disable access from local to some local to Mikrotik AP?

Wed Jan 17, 2018 2:00 am

What are the devices 192.168.20.110-192.168.20.114?

Maybe you can block on that side?
--
poi
 
bach1
just joined
Topic Author
Posts: 9
Joined: Tue Jan 16, 2018 9:19 pm

Re: How to disable access from local to some local to Mikrotik AP?

Wed Jan 17, 2018 8:48 am

These are simple routers and blocking is not going well. Better it would be on my MikroTik, which is also Wifi AP and is in bridge mode, but I do not know how to isolate the network range 192.168.20.4-100 just for these 5 routers 110-114, no extra secure locks I do not need.
 
evince
Member
Posts: 329
Joined: Thu Jul 05, 2012 12:11 pm
Location: Weiswampach - Luxemburg

Re: How to disable access from local to some local to Mikrotik AP?

Wed Jan 17, 2018 10:25 am

Why don't you use a VLAN?

It is really more secure.
 
bach1
just joined
Topic Author
Posts: 9
Joined: Tue Jan 16, 2018 9:19 pm

Re: How to disable access from local to some local to Mikrotik AP?

Wed Jan 17, 2018 10:34 am

Because I just need what I have already written - clients need to get to the range 192.168.20.1-3 for some reason. I do not want to isolate from network 192.168.20.0 just the extent as I already wrote. Then I would have to work hard to put more rules on the main router to get my services on the internal network that are at 20.1-3 addresses.
Simply, on the MikroTik AP in the bridge, just say: drop the requests from addresses 192.168.20.110-114 to addresses 192.168.20.4-100.
Nothing more, and I need help with whether and how to do it on the bridge with a filter.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How to disable access from local to some local to Mikrotik AP?

Wed Jan 17, 2018 9:40 pm

The easiest thing to do would be to enable the "use IP firewall" option on your bridge so that you can make forwarding filter rules that block the traffic you want.
Make an IP address list called "LimitedClients" and list the IP addresses 192.168.20.110-114
Make another IP address list called "ProtectedHosts" and list the IP addresses 192.168.20.4-100

Then your forward chain can have a rule that says:
chain=forward src-address-list="LimitedClients" dst-address-list="ProtectedHosts" action=drop

Make sure this rule comes before any other rule that would accept such packets, and you're set.
 
bach1
just joined
Topic Author
Posts: 9
Joined: Tue Jan 16, 2018 9:19 pm

Re: How to disable access from local to some local to Mikrotik AP?

Wed Jan 17, 2018 10:31 pm

Thanks to this, but if I apply this rule, I can not get myself out of range 192.168.20.4-100 to administer clients to addresses 192.168.20.110-114
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How to disable access from local to some local to Mikrotik AP?

Wed Jan 17, 2018 10:52 pm

> Thanks to this, but if I apply this rule, I can not get myself out of range 192.168.20.4-100 to administer clients to addresses 192.168.20.110-114

Dude - you really need to learn what you're doing if you're going to get this picky about stuff and not just expect people to do everything for you.

> Then your forward chain can have a rule that says:
> chain=forward src-address-list="LimitedClients" dst-address-list="ProtectedHosts" action=drop

Look at this rule: it only matches (and drops) traffic if it is FROM the LimitedHosts and going TO the ProtectedHosts. Packets that get accepted before they reach this rule will not be dropped...

Okay - so if you want the ProtectedHosts to have access to the LimitedHosts, then what you do is you place the above rule AFTER a rule which allows established,related connections, and then your requirement will be met. This is because the initial packet from Protected->Limited will NOT match this drop rule. The reply from the Limited->Protected host will get accepted by the established,related rule before it can reach the drop rule, so that will work.

If a Limited host tries to make a new connection to the Protected hosts, the first (SYN) packet will NOT be established or related state - it will be in NEW state, so the "accept established,related" rule will not accept the packet - it will continue down the chain until reaching this rule which says to drop the packet. Thus no new connection will ever reach the established state.
 
bach1
just joined
Topic Author
Posts: 9
Joined: Tue Jan 16, 2018 9:19 pm

Re: How to disable access from local to some local to Mikrotik AP?

Wed Jan 17, 2018 11:26 pm

I made the rule: chain=forward src-address-list="ProtectedHosts" dst-address-list="LimitedClients" action=accept
which I have dropped before the drop rule and I can not get to the address 192.168.20.110 or even ping if the drop rule
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How to disable access from local to some local to Mikrotik AP?

Wed Jan 17, 2018 11:36 pm

> I made the rule: chain=forward src-address-list="ProtectedHosts" dst-address-list="LimitedClients" action=accept
> which I have dropped before the drop rule and I can not get to the address 192.168.20.110 or even ping if the drop rule

OK - go into your router and run this command in a terminal:
/ip firewall filter export compact

copy and paste the results here.

I assume that you did add the IP addresses of the Protected and Limited hosts into the appropriate address lists, and that you did enable "use IP firewall" on your bridge.
 
bach1
just joined
Topic Author
Posts: 9
Joined: Tue Jan 16, 2018 9:19 pm

Re: How to disable access from local to some local to Mikrotik AP?

Thu Jan 18, 2018 7:51 am

add action=accept chain=forward dst-address-list=klienti src-address-list=domov
add action=drop chain=forward dst-address-list=domov log=yes log-prefix=Klienti src-address-list=klienti

Yes, the firewall is turned on and the addresses are as follows:
klienti - 192.168.20.110-192.168.20.114
domov - 192.168.20.4-192.168.20.100

Once I enable the drop rule, I will not get to the client IP and stop pinging.
 
bach1
just joined
Topic Author
Posts: 9
Joined: Tue Jan 16, 2018 9:19 pm

Re: How to disable access from local to some local to Mikrotik AP?

Thu Jan 18, 2018 1:04 pm

Everything works as it should with these rules:


/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward dst-address-list=domov log=yes log-prefix=Klienti src-address-list=klienti
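
Added example, not part of any post in this thread: a simplified Python model of first-match evaluation of the forward chain, comparing the stateless accept-then-drop pair from the Thu Jan 18 7:51 am post with the established,related pair above. The host addresses 192.168.20.10 and 192.168.20.1 are constructed samples, and connection tracking is reduced to "new" for an opening packet and "established" for its reply.

```python
import ipaddress

# Address lists exactly as posted in the thread.
LISTS = {
    "klienti": ("192.168.20.110", "192.168.20.114"),
    "domov": ("192.168.20.4", "192.168.20.100"),
}

def in_list(ip, name):
    first, last = (ipaddress.ip_address(a) for a in LISTS[name])
    return first <= ipaddress.ip_address(ip) <= last

def matches(rule, pkt):
    for key, field in (("src-address-list", "src"), ("dst-address-list", "dst")):
        if key in rule and not in_list(pkt[field], rule[key]):
            return False
    states = rule.get("connection-state")
    return states is None or pkt["state"] in states

def forward(rules, pkt):
    # First matching rule decides; a packet that matches nothing is accepted.
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

def session_works(rules, initiator, responder):
    # Simplified connection tracking: the opening packet is "new", and the
    # reply to an accepted opening packet is "established".
    if forward(rules, {"src": initiator, "dst": responder, "state": "new"}) != "accept":
        return False
    reply = {"src": responder, "dst": initiator, "state": "established"}
    return forward(rules, reply) == "accept"

DROP = {"action": "drop", "src-address-list": "klienti", "dst-address-list": "domov"}
# Rules from the Thu Jan 18 7:51 am post: stateless accept, then the drop.
STATELESS = [{"action": "accept", "src-address-list": "domov",
              "dst-address-list": "klienti"}, DROP]
# Rules from the final post: accept established,related, then the drop.
STATEFUL = [{"action": "accept",
             "connection-state": ("established", "related")}, DROP]

ADMIN, CLIENT, SERVICE = "192.168.20.10", "192.168.20.110", "192.168.20.1"  # constructed hosts

if __name__ == "__main__":
    for name, rules in (("stateless", STATELESS), ("stateful", STATEFUL)):
        print(name, "admin->client:", session_works(rules, ADMIN, CLIENT),
              "client->admin:", session_works(rules, CLIENT, ADMIN),
              "client->service:", session_works(rules, CLIENT, SERVICE))
```

With the stateless pair the opening packet from the admin host is accepted but the client's reply falls through to the drop rule, which is why management access and ping stopped; with the stateful pair the reply is accepted first and only new connections from klienti to domov are dropped.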
