I wanted to create a DMZ where the web server can live separately from all other servers and computers, so that if it is hacked, the hacker cannot easily access the other servers and computers. I also need to be able to access the web server via SSH on port 22 (or some other port, so it can still be managed).
So I decided to create a new bridge called bridge-dmz, assigned ethernet port 8 to bridge-dmz, and gave it an IP of 192.168.111.1. There is no DHCP server for the network. I connected my web server to port 8 on the MikroTik and assigned it a static IP address, 192.168.111.2. I changed my NAT rule to forward ports 80 and 443 to the web server's new address (192.168.111.2). So far, all is working as expected.
Now I want to block access from the 192.168.111.0/24 network to 192.168.89.0/24, so I added a firewall rule:
/ip firewall filter add action=drop chain=forward dst-address=192.168.89.0/24 src-address=192.168.111.0/24
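For reference, here is a complete RouterOS build-out of the DMZ described in the post above. This is an added example, not the poster's own configuration or a MikroTik-supplied one. It assumes the WAN uplink is ether1, the existing LAN bridge is named "bridge" and carries 192.168.89.0/24, and SSH to the web server is done from LAN hosts; those names are assumptions, while bridge-dmz, ether8, 192.168.111.1/24 and 192.168.111.2 are the values given in the post. It also goes one step beyond the post by protecting the router's own input chain, since a forward-chain drop says nothing about traffic from the DMZ addressed to the router itself.

```routeros
# Added example (not the poster's config). Assumed names: WAN uplink ether1,
# existing LAN bridge "bridge" = 192.168.89.0/24. Values from the post:
# bridge-dmz, ether8, 192.168.111.1/24, web server 192.168.111.2.

# 1. DMZ bridge with ether8 as its only member port; no DHCP on it.
/interface bridge add name=bridge-dmz comment="DMZ for public web server"
/interface bridge port add bridge=bridge-dmz interface=ether8
/ip address add address=192.168.111.1/24 interface=bridge-dmz

# 2. Publish only TCP 80/443 to the web server. dst-nat runs before the
#    forward chain, so forward rules see 192.168.111.2, not the WAN address.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp \
    dst-port=80,443 action=dst-nat to-addresses=192.168.111.2 \
    comment="Public web -> DMZ"
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# 3. Forward chain. Rules are evaluated top-down, so the DMZ->LAN drop must
#    sit above any blanket accept. Replies to LAN-initiated sessions (such as
#    SSH from the LAN to the web server) still pass via established,related.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="Allow replies to existing sessions"
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward src-address=192.168.111.0/24 \
    dst-address=192.168.89.0/24 action=drop log=yes log-prefix="DMZ->LAN " \
    comment="DMZ may not open connections into the LAN"
/ip firewall filter add chain=forward in-interface=bridge \
    out-interface=bridge-dmz protocol=tcp dst-port=22 action=accept \
    comment="LAN admins may SSH to the web server"

# 4. Input chain: a compromised web server must not reach the router's own
#    management services (SSH, Winbox, API). Forward rules never match
#    packets whose destination is the router, so this needs its own drop.
/ip firewall filter add chain=input in-interface=bridge-dmz \
    connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=bridge-dmz action=drop \
    comment="No router management from the DMZ"

# 5. Check the resulting order. If a pre-existing accept rule sits above the
#    DMZ drop, move the drop to the top (destination=0).
/ip firewall filter print
# /ip firewall filter move [find comment~"DMZ may not"] destination=0
```

Two things to check after applying this: run `/ip firewall filter print` and confirm the DMZ drop rule is listed above any general accept in the forward chain, because an earlier accept rule silently wins; and if the web server relies on the router for DNS or NTP, add an input-chain accept for just those ports from bridge-dmz above the final input drop, rather than loosening the drop itself. The `log=yes` on the drop rule gives you a record in `/log` of any attempt by the web server to reach the LAN, which is exactly the signal you want if the host is ever compromised.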