What I want to archive:
My goal is to use the MK behind a Fritzbox 7530 to limit the access for my wireless IoT devices only to the local network so that only my home assistant host can see and work with them and they dont have any internet access.
What I understand/read from other posts etc.:
I need to seperate my wireless interfaces to a VLAN/different Subnet, which I already figured out how to do it in Router OS. So that I can limit the network access via firewall rules.
Also I know that it would be rather simple to just give the IoT devices static IPs in the FB and block them. But I am lazy and up to the challange to lern something new.
What is my problem/do I not understand:
I know that it complicates things but I want to keep the FB and use it as DHCP server. But I know that the VLAN needs also an DHCP server which I also figured out, how to do it. So:
1. How do I let the VLAN communicate only to the HA-Host? Is it by implemeting the following filter rule: add action=accept chain=forward source address=vlansubnet in-interface=vlan destination address=IP HA-Host as mentioned by anav viewtopic.php?t=145868
2. Which filter rule to use to block internet access or is it obsolete with the rule above?
3. Should I still use the defcon filter rules and if so where should I implement the new rule, besides before the action=drop?
I tried to solve this issue for two days now. So "Help me obi wan kenobi you're my only hope"
Best regards
eagle005
Network topology:
