Hello,
I am looking for a simple command that will disable/enable connections to a single local IP address on my LAN.
I've tried the following that I found in this forum post - viewtopic.php?t=119019
/ip address disable [find address="10.1.10.xxx"]
/ip address set [find address="10.1.10.xxx"] disabled=yes
But neither of these do not seem to work as the target machine still responds to pings, at least in ROS v7.7.
Any help would be greatly appreciated.
Thanks
Re: Disable Single LAN IP Address
That command is to disable an IP address that is assigned to an interface of the router/switch, not an external one.
You cannot actually enable or disable an IP address on another device, you can however "intercept" traffic from/to that address and redirect it to nowhere (action=drop in /ip firewall filter).
This you can normally do through a firewall rule but you cannot entirely block the traffic within the same LAN/subnet, because it doesn't pass through the firewall.
If you have an interface on the router switch that is connected to only that IP that you want to block, you can disable that interface IP address (i.e. the IP on the other side) or the actual interface, but if (like in most cases) you have a bridge you need to disable the interface, as the IP is assigned to the bridge.
And the firwall approach is not that easy as the firewall filter can be applied to different chains, depending on what you want to achieve in detail, and since firewall rules are executed sequentially it is vital to have the rules in the "right" order (i.e. if the "drop" rule is after an "accept" rule including that IP it will never find anything to drop).
You should better detail your network setup and what you would like to obtain, and post your configuration, along the lines of this post:
viewtopic.php?t=203686#p1051720
this way someone will (hopefully) be able to help you.
You cannot actually enable or disable an IP address on another device, you can however "intercept" traffic from/to that address and redirect it to nowhere (action=drop in /ip firewall filter).
This you can normally do through a firewall rule but you cannot entirely block the traffic within the same LAN/subnet, because it doesn't pass through the firewall.
If you have an interface on the router switch that is connected to only that IP that you want to block, you can disable that interface IP address (i.e. the IP on the other side) or the actual interface, but if (like in most cases) you have a bridge you need to disable the interface, as the IP is assigned to the bridge.
And the firwall approach is not that easy as the firewall filter can be applied to different chains, depending on what you want to achieve in detail, and since firewall rules are executed sequentially it is vital to have the rules in the "right" order (i.e. if the "drop" rule is after an "accept" rule including that IP it will never find anything to drop).
You should better detail your network setup and what you would like to obtain, and post your configuration, along the lines of this post:
viewtopic.php?t=203686#p1051720
this way someone will (hopefully) be able to help you.
Re: Disable Single LAN IP Address
I think it can be done with routing rules. Select src/32, dst 0.0.0.0/0 and drop
Re: Disable Single LAN IP Address
If it doesn't pass the router, it doesn't get dropped.
Re: Disable Single LAN IP Address
Seeing the degree of the OP question, I doubt your answers are adequate.
First of all the OP needs to understand how IPv4 works...
First of all the OP needs to understand how IPv4 works...
Who is online
Users browsing this forum: No registered users and 5 guests