hello,

i have basic setup, one wan one lan interface.

What i am trying to do is to prevent specific internal ip from seeing other internal ips, but able to access internet. so:

0 chain=input action=accept src-address=192.168.0.151
dst-address=192.168.0.99

here i allow specific ip to acces router itself.


1 chain=forward action=drop src-address=192.168.0.151
dst-address=192.168.0.0/24

here i want that specific ip not to access 192.168.0.xxx.

what is wrong here?

Basic TCP/IP: when hosts are on the same subnet, they don't use the router to talk to one another. The hosts talk directly. Since the router never sees the traffic it cannot block it.

It all depends on your network layout. The router can only control traffic that goes over/through it, it cannot control stuff that never reaches it. So if you have a switch connected to the LAN port of the router (or are using the switch chip on the router) it has no control over that traffic and cannot block it. Because of the way TCP/IP works, anything on the same layer2 network does not need a router to talk to each other.

I see, thank you. I thought router can control and shape all the traffic on internal lan.

Why I want to do this is because there is another router connected as 192.168.0.151, and it has 10.0.0.x internal network, which clients able to ping 192.168.0.xxx network. Since 10.0.0.x gateways through 192.168.0.151 i thought it is possible somehow to restrict it only to see internet.

That is something that you need to setup and control with your edge equipment (Access Points, Switches, etc.). Depending on your network layout and the routerboard that you have, you could potentially connect that router directly to another port on the routerboard (and remove it from the switch chip if that's the way you have it set up) and give it a different subnet, DHCP server, and firewall rules. That would accomplish what you are looking for.

thank you