I have an IoT-VLAN that I want to isolate from all my another VLANs but not internet. It works well except for Pihhole gui (10.10.30.2) which is also the dns. How should I write the rule to block even the http. Tried tcp port 80 both forward and input.
Code: Select all
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="Isolate IoT-vlan" dst-address-list=lan-without-iot-vlan src-address-list=\
iot-vlan
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="Isolate IoT-vlan" dst-address-list=lan-without-iot-vlan src-address-list=\
iot-vlan
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
disabled=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
