VlanLearner
Topic Author

Please help - how to block access to the MikroTik (inter-VLAN routing)

Mon Feb 27, 2017 5:23 pm

Hello everybody,
After Sob and yogender helped me to isolate the VLANs from each other (THANKS!!!), I would now like to prevent access to the MikroTik from within the same LAN.
The admin client is in VLAN5 (= 172.16.5.0/24). The MikroTik router has the IP 172.16.5.254 in the admin VLAN5. The admin should of course be able to access the MikroTik, but all other VLANs should not!

VLANs 10 - 200: 172.16.10.0/24 -> 172.16.200.0/24
MikroTik VLAN DHCP and gateway IPs: 172.16.10.254 -> 172.16.200.254

VLAN5 client to 172.16.5.254 -> accept
VLAN10 clients to 172.16.10.254 -> drop
VLAN20 clients to 172.16.20.254 -> drop
.
.
.
VLAN200 clients to 172.16.200.254 -> drop

What do you think of these rules, in this order:
/ip firewall filter add chain=input in-interface=adminVLAN5 action=accept
/ip firewall filter add chain=input in-interface=all-vlan action=drop

I would be happy about every tip!

Greetings VlanLearner

Excuse my bad English (Google translation).
 
Sob
Forum Guru

Re: Please Help - how to block access to the mikrotik intervlanrouting

Mon Feb 27, 2017 6:29 pm

Did you test the rules you posted? They look exactly as what you need.
 
ploquets
Member Candidate

Re: Please Help - how to block access to the mikrotik intervlanrouting

Mon Feb 27, 2017 7:53 pm

Yes, if you want to block access to WinBox etc., you can do it in /ip firewall filter.

Assuming that your router (the one you want to prevent access to) is the gateway, you need to create input rules that accept traffic from those you want to grant access.
And after that, you deny (action=drop) everyone else.

Example for WinBox:
/ip firewall filter
add chain=input src-address=XXX.XXX.XXX.XXX/XX protocol=tcp dst-port=8291 action=accept
add chain=input protocol=tcp dst-port=8291 action=drop

Where XXX.XXX.XXX.XXX/XX is the source IP you want to grant access to.

If multiple IPs are needed, you can create an address-list, put all the IPs in that list and use the field src-address-list instead.
 
VlanLearner
Topic Author

Re: Please Help - how to block access to the mikrotik intervlanrouting

Mon Feb 27, 2017 10:28 pm

Thank you all!
@sob - I am doing a lot of my testing remotely via OpenVPN, therefore I am very careful. I am so glad that I am beginning to understand firewall rules :-)

@ploquets
XXX.XXX.XXX.XXX/XX is not a single IP but an expression for a subnet incl. subnet mask? e.g. 192.168.10.0/24
- Do I need 172.16.5.254/24 or just the IP 172.16.5.254?
- Should I insert your rules before or after the mentioned above rules or is it unimportant?

Thank You again
VlanLearner
 
ploquets
Member Candidate

Re: Please Help - how to block access to the mikrotik intervlanrouting

Mon Feb 27, 2017 11:02 pm

XXX.XXX.XXX.XXX/XX is not a single IP but an expression for a subnet incl. subnet mask? e.g. 192.168.10.0/24
- Do I need 172.16.5.254/24 or just the IP 172.16.5.254?
- Should I insert your rules before or after the mentioned above rules or is it unimportant?
XXX.XXX.XXX.XXX/XX is the source IP that is allowed to log in. If there is a whole subnet that you want to allow, then use /24 or the respective mask of your subnet.
If only your computer is allowed to administer the RB, then use only your PC's IP (with a /32 mask or no mask at all).

The rules I mentioned above achieve the allowing (exceptions) and the blocking of everyone else (except the exceptions in the first rule).
If you use your rules and they work as you need, then you probably won't need more rules to do the same thing again.
 
Sob
Forum Guru

Re: Please Help - how to block access to the mikrotik intervlanrouting

Mon Feb 27, 2017 11:53 pm

- Should I insert your rules before or after the mentioned above rules or is it unimportant?
Order of rules is very important. Once a rule matches a packet, further rules are not processed. The exception is "/ip firewall mangle" and rules with passthrough=yes. So if you want to play it safe, add an accept rule to the input chain with your remote address, and put it before all others. Then even if you mess something up further down the chain, you'll still be able to connect.
 
VlanLearner
Topic Author

Re: Please Help - how to block access to the mikrotik intervlanrouting

Wed Mar 01, 2017 12:30 am

Hello everybody,
Finally, I would like to ask you to check my firewall rules. They are there to give the admin access to all VLANs and to the MikroTik. The client VLANs must not have contact with one another and must not reach the MikroTik router.

(screenshot of the firewall rule list, not included)

For information:
The actual firewall (pfSense) is behind the modem and in front of the MikroTik.
Modem -> pfSense (firewall, DNS resolver, Squid with SquidGuard, NAT) -> MikroTik (no NAT, router + DHCP server) -> VLANs -> clients

Sorry for my bad English!

Greetings VlanLearner
 
Sob
Forum Guru

Re: Please Help - how to block access to the mikrotik intervlanrouting

Fri Mar 03, 2017 1:16 am

It's better to post a text export (created by "/export" in the terminal), because WinBox does not necessarily show all fields. But based on what you asked about, I assume you don't have any hidden extras, and it looks ok. It will do:

1) Forwarding: Block between VLANs, except when source is VLAN5. Allow everything else.
2) Input: Block from VLANs, except when source is VLAN5 (any traffic) or 172.16.5.0/24 (just tcp/8291). Block tcp/8291 from ether1. Allow everything else.

When you look at it, it's really simple, the rules are self-explanatory.
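
The policy summarised in this post, written out as an added example in "/export" style (this is not the thread author's rule set, which only exists as a screenshot, and not MikroTik's own example). It also folds in the two earlier tips: ploquets' address-list for the allowed sources and Sob's advice to put an accept rule for the remote admin address before everything else. Interface names adminVLAN5, vlan10 ... vlan200 and ether1, the remote admin address 203.0.113.10 and the list name "admins" are assumptions for illustration; the established/related rules are an addition the thread does not show, needed because otherwise reply packets from a client VLAN back to VLAN5 would hit the inter-VLAN drop.

```routeros
# Added example (RouterOS 6.x syntax), not from the original post. Assumed names:
# adminVLAN5, vlan10..vlan200, ether1 (towards pfSense), 203.0.113.10 (remote admin).

/ip firewall address-list
add list=admins address=172.16.5.0/24 comment="admin VLAN (from the thread)"
add list=admins address=203.0.113.10 comment="remote admin address, assumed for the example"

/ip firewall filter
# --- input chain: who may talk to the router itself ---
# 1) Lifeline first: an admin source is accepted before any drop rule exists,
#    so a mistake further down the chain cannot lock the admin out.
add chain=input src-address-list=admins action=accept comment="admins: full access to the router"
# 2) Replies to connections the router opened itself (NTP, DNS lookups, updates).
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# 3) The admin VLAN may reach the router on any port (Sob's "any traffic" from VLAN5).
add chain=input in-interface=adminVLAN5 action=accept comment="admin VLAN -> router"
# 4) Client VLANs still need leases; harmless if RouterOS already serves DHCP below the filter.
add chain=input in-interface=all-vlan protocol=udp dst-port=67 action=accept comment="DHCP from client VLANs"
# 5) Everything else arriving on any VLAN is dropped: VLAN10..VLAN200 clients cannot
#    reach 172.16.x.254 on WinBox, SSH, web or anything else.
add chain=input in-interface=all-vlan action=drop comment="client VLANs -> router: drop"
# 6) No WinBox from the pfSense side; other input from ether1 falls through and is allowed,
#    matching the rule set described in the thread.
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 action=drop comment="no WinBox from ether1"

# --- forward chain: traffic routed between interfaces ---
add chain=forward connection-state=established,related action=accept comment="replies, e.g. VLAN10 -> VLAN5"
add chain=forward connection-state=invalid action=drop
# Admin VLAN may initiate connections into every client VLAN.
add chain=forward in-interface=adminVLAN5 action=accept comment="admin VLAN -> all VLANs"
# Client VLANs are isolated from each other (and from VLAN5, since VLAN5 is a VLAN too).
add chain=forward in-interface=all-vlan out-interface=all-vlan action=drop comment="VLAN <-> VLAN: drop"
# VLAN -> ether1 -> pfSense -> Internet is not matched above and is therefore allowed.
```

Rules are evaluated top to bottom within each chain, so after adding them check the order with `/ip firewall filter print` and fix it with `move` if a drop ended up above its exception. When doing this over OpenVPN, enter Safe Mode first (Ctrl-X in the terminal, or the Safe Mode button in WinBox): if the session dies, the changes made in safe mode are rolled back. `/ip firewall filter print stats` shows per-rule packet counters, which makes it easy to confirm from a VLAN10 host that a WinBox attempt to 172.16.10.254 lands on the drop rule while a VLAN5 host still connects. On RouterOS 6.36 or newer the `all-vlan` matcher can be replaced by an interface list (`/interface list add name=clientVLANs` plus `in-interface-list=clientVLANs`) if the admin VLAN should be kept out of the list entirely.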
 
VlanLearner
Topic Author

Re: Please Help - how to block access to the mikrotik intervlanrouting

Sat Mar 04, 2017 7:51 pm

Hello Sob,
Thank you once more!!
Everything is working just fine.

Best greetings
vlanlearner