Hi,

I have a server on 192.168.1.0/24 subnet with IP 192.168.1.2 and I want only my PC 192.168.1.10 allow to access the server, but not other host on the same network.

server + my PC + other host -> switch -> RB1000U -> internet

the firewall on the RB1000U will not work if the hosts are on the same subnet with the rules as below:

ip firewall filter add chain=forward src-address=192.168.1.10 dst-address=192.168.1.2 action=accept
ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.1.2 action=drop

Just wondering is there any way that I can get this work?

Thanks.

Put the firewall rule in the server firewall, not the router.

Hi SurferTim,

thanks for your post.

server is just a example but what I really want is limit particular users to use/access the printer.

Printer doesn't have firewall.

is this do-able on the router?

Thanks.

You should show your network layout but the most likely reason that your rules had no effect is that the traffic between the clients and server are not going through the router. If for instance you have a switch on that subnet the router probably never sees intra-subnet traffic.

Figure a way to get your server/printer on its own routerboard interface or VLAN or subnet or similar so that you can isolate it physically and/or logically and thus control the traffic to/from the device.

server + my PC + other host -> switch -> RB1000U -> internet

the server, your pc and other host are connected to switch so if you use a static ip then the RB can't do any thing to you in your local network...
to solve the problem you must use DHCP server in your RB to control the traffic between the IPs..

If you haven't figured it out on your own by now, put your common devices that you want to restrict (server, printer, etc) on their own ethernet interface. Then you can block them with a chain=forward rule.

server + my PC + other host -> switch -> RB1000U -> internet

the server, your pc and other host are connected to switch so if you use a static ip then the RB can't do any thing to you in your local network...
to solve the problem you must use DHCP server in your RB to control the traffic between the IPs..

DHCP would not help force the traffic to go via the router, in your example.

DHCP would not help force the traffic to go via the router, in your example.

ok what about the PPPoE server...
the pool will be controled by the router

DHCP would not help force the traffic to go via the router, in your example.

ok what about the PPPoE server...
the pool will be controled by the router

In this respect it would be no different to DHCP. The OPs problem is not to do with IP allocations, it is to do with trying to force the traffic between two devices to go through the router (where it can be firewalled) rather than directly between the two devices (because they on the same subnet and the traffic can/will flow via the switch).

The best option is a vlan access map on the switch.

I guess if you must use a router then you could bridge ports on the router and connect the printer via that bridged port, you could then control traffic via the bridge....

Sent from my GT-I9100 using Tapatalk 2

In this respect it would be no different to DHCP. The OPs problem is not to do with IP allocations, it is to do with trying to force the traffic between two devices to go through the router (where it can be firewalled) rather than directly between the two devices (because they on the same subnet and the traffic can/will flow via the switch).

I agree with you in DHCP but not in PPPoE ...

I think it will be controlled by the router only because the ip is in PPPoE tunnel
the switch can't connect them directly without the Router and you can test it by drop the traffic between the clients in firewall and you will not be able even to ping them

In this respect it would be no different to DHCP. The OPs problem is not to do with IP allocations, it is to do with trying to force the traffic between two devices to go through the router (where it can be firewalled) rather than directly between the two devices (because they on the same subnet and the traffic can/will flow via the switch).

I agree with you in DHCP but not in PPPoE ...

I think it will be controlled by the router only because the ip is in PPPoE tunnel
the switch can't connect them directly without the Router and you can test it by drop the traffic between the clients in firewall and you will not be able even to ping them

Yes, you are right, but I suspect PPPoE is a bit overkill for the OPs situation.