I stumbled across this thread as I have exactly the same issue.
Your solution looks good so I wanted to try it out. But when I do it in my lab the "drop" rule gets triggered as well even if I have an accept rule just before it. According to the Wiki
https://help.mikrotik.com/docs/display/ ... -RuleTable only the first rule should trigger.
If there are multiple rules that can match, then only the first rule will be triggered.
Here is my config running on an RB2011 6.49.7.
/interface ethernet switch rule
add ports=ether2 src-address=10.153.4.2/32 switch=switch1 comment="Allow"
add ports=ether2 dst-address=10.153.4.2/32 switch=switch1 comment="Allow"
add ports=ether2 switch=switch1 new-dst-ports="" comment="Drop"
The first two rules are to allow source and destination for the customer IP on the interface ether2, and the last rule is to drop anything else on the port. But as soon as the last rule is active all traffic gets dropped. Why can't I get it to work?
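As an added illustration (my own Python model, not code from this post or from MikroTik), here is first-match evaluation over the three rules above, so you can check which rule a given frame should hit. It assumes, which the post does not state, that the src-address/dst-address matchers only apply to IPv4 frames, so a non-IPv4 frame such as ARP arriving on ether2 would fall through to the drop rule; the sample frames are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption (not stated in the post): src-address / dst-address are IPv4
# header matchers, so a non-IPv4 frame (e.g. ARP) can never match them.

@dataclass
class Rule:
    comment: str
    ports: str
    src: Optional[str] = None     # src-address CIDR, None = any
    dst: Optional[str] = None     # dst-address CIDR, None = any
    action: str = "allow"         # new-dst-ports="" in the post means "drop"

@dataclass
class Frame:
    port: str                     # ingress port
    proto: str                    # "ip" or "arp" (constructed sample values)
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None

# The three rules from the post, in the order they were added.
RULES = [
    Rule("Allow", "ether2", src="10.153.4.2/32"),
    Rule("Allow", "ether2", dst="10.153.4.2/32"),
    Rule("Drop", "ether2", action="drop"),
]

def _addr_match(cidr: Optional[str], addr: Optional[str], proto: str) -> bool:
    """Unset matcher always matches; otherwise the frame must be IPv4 and inside cidr."""
    if cidr is None:
        return True
    if proto != "ip" or addr is None:
        return False
    return ip_address(addr) in ip_network(cidr)

def matches(rule: Rule, frame: Frame) -> bool:
    return (rule.ports == frame.port
            and _addr_match(rule.src, frame.src_ip, frame.proto)
            and _addr_match(rule.dst, frame.dst_ip, frame.proto))

def verdict(frame: Frame, rules=RULES) -> str:
    """First-match semantics from the wiki: the first matching rule decides."""
    for rule in rules:
        if matches(rule, frame):
            return rule.action
    return "forward"              # no rule matched: default switching

if __name__ == "__main__":
    for f in (Frame("ether2", "ip", "10.153.4.2", "192.0.2.10"),
              Frame("ether2", "ip", "192.0.2.10", "192.0.2.11"),
              Frame("ether2", "arp")):
        print(f, "->", verdict(f))
```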