Isolating Static IP customers/clients on local network

Tue Sep 04, 2018 3:32 am

I have my core router with one WAN and one LOCAL bridge. I assign my customers' router a local Static IP for example. IP: Gateway: with 1:1 NAT.

> My problem is I need a way to isolate and restrict customers' IP usage. Like if a customer changes their WAN IP, then that IP is not in a simple queue, therefore they basically have unlimited bandwidth.

> Also customers can Ping the WAN IP of other customers which should not be able to happen.

Hopefully this all makes sense.
Thanks in advance,

Re: Isolating Static IP customers/clients on local network

Tue Sep 04, 2018 3:59 am

If I understand you correctly, you want to drop requests for all IP addresses that you have NOT assigned to simple queues. You would need to use Firewall Filter. Go to IP --> Firewall --> Filter Rules in WinBox, and create rules that allow forwarding for only the IP addresses that you want. Drop all others. There are plenty of forum posts on how to configure a basic firewall. If you have a small number of IP addresses that you want to allow, just make an address list in IP --> Firewall --> Address Lists, and reference the address list in your rules (that will allow you to make just one rule for all addresses). You can make the rule log a special prefix when the rule is matched, so that you can review the log files and see the unauthorized IP address that is being used.

As for not allowing ICMP, that is also a firewall filter issue. Create a rule that drops ICMP packets for the given set of IP addresses, potentially from a given set of IP addresses or blocks.

Kind regards
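
The rules described in the reply above, written out as RouterOS commands. This is an added example, not part of either post: the interface name `bridge-local`, the list name `customers`, the log prefix and the 192.0.2.x addresses are constructed placeholders, and it assumes the forward chain has no earlier rule that already accepts this traffic.

```routeros
# Added example. All names and addresses below are constructed placeholders:
#   bridge-local  = the LOCAL bridge customers connect to
#   192.0.2.10/11 = local static IPs that have a simple queue

# One address list holding every assigned customer IP.
/ip firewall address-list
add list=customers address=192.0.2.10 comment="customer A"
add list=customers address=192.0.2.11 comment="customer B"

# Rules are evaluated top to bottom, so the order below matters.
/ip firewall filter

# 1. Let replies of already permitted connections through.
add chain=forward connection-state=established,related action=accept \
    comment="established/related"

# 2. No ICMP from one customer to another. With 1:1 NAT the destination
#    is already translated to the local IP when the forward chain runs.
add chain=forward protocol=icmp src-address-list=customers \
    dst-address-list=customers action=drop \
    comment="no ICMP between customers"

# 3. Assigned addresses arriving on the local bridge may be forwarded.
add chain=forward in-interface=bridge-local src-address-list=customers \
    action=accept comment="assigned customer IPs"

# 4. Any other source address on the local bridge has no queue:
#    log it with a recognisable prefix, then drop it.
add chain=forward in-interface=bridge-local src-address-list=!customers \
    action=drop log=yes log-prefix="UNASSIGNED-IP" \
    comment="unassigned source IP"
```

Traffic that two customers exchange directly across the same bridge is switched at layer 2 and does not reach these rules unless the bridge is set to pass traffic to the IP firewall (`/interface bridge settings set use-ip-firewall=yes`). Entries logged with the `UNASSIGNED-IP` prefix show which unassigned address was used.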

