dan701
just joined
Topic Author
Posts: 4
Joined: Tue Oct 31, 2017 1:57 am

Restricting IoT device

Tue Oct 31, 2017 2:20 am

Hello, I have an RB2011UiAS-2HnD running OS 6.40.4. Within my network I have a security cam DVR which I would like to be able to access from different PCs within my network. BUT I do not want that device to be able to send traffic outside of my network. I have several security concerns regarding the online DVRs.
I have looked through the manual and my copy of RouterOS for a way to configure the firewall to do this, but apparently I'm a better programmer than router guru...... Also my wife will be PO'd if "I break the Internet again ! :-)"

Could someone point me to any examples of the best-practice way to do this? I can work with winbox, webfig, or ssh........

Thank you in advance....
 
bernd2
just joined
Posts: 9
Joined: Tue Dec 01, 2015 8:04 pm

Re: Restricting IoT device

Tue Oct 31, 2017 12:45 pm

Hi,

quick and dirty:

/ip firewall filter add action=drop chain=forward dst-address=!192.168.0.0/24 in-interface=ether19

Assuming 192.168.0.0/24 is your network and the cam is connected at eth19.

Regards
Bernd
 
dan701
just joined
Topic Author
Posts: 4
Joined: Tue Oct 31, 2017 1:57 am

Re: Restricting IoT device

Tue Oct 31, 2017 9:17 pm

Thank you for the quick reply! I will try this out tonight and post how it goes. Hopefully I can use this as an example to get my head around the FW information in the RouterOS book.
Best Regards,
Dan
 
dan701
just joined
Topic Author
Posts: 4
Joined: Tue Oct 31, 2017 1:57 am

Re: Restricting IoT device

Fri Nov 10, 2017 5:22 am

Hello, I attempted the command provided:

/ip firewall filter add action=drop chain=forward dst-address=!192.168.0.0/24 in-interface=ether19

Which I adjusted for my network and for the interface. I am using an RB2011UiAS-2HnD running OS 6.40.4 ...... this device has 10 Ethernet ports allocated to two switches......
# NAME
0 R ether1-gateway
1 RS ether2
2 RS ether3
3 S ether4
4 S ether5
5 RS ether6-master-local
6 S ether7-slave-local
7 S ether8-slave-local
8 XS ether9-slave-local
9 RS ether10-slave-local
10 XS sfp1
11 RS wlan1
12 R bridge-local

When I attempt to execute the command I receive the following:
"in/out-interface matcher not possible when interface (ether 7-slave-local) is slave - use master instead (bridge-local)"

So apparently I am overlooking something fundamental to the port configuration ???????
 
allstarcomps
newbie
Posts: 36
Joined: Sat Jul 08, 2017 10:36 pm
Location: San Diego, CA, USA
Contact:

Re: Restricting IoT device

Sat Nov 11, 2017 1:18 am

If the DVR has a static IP, set the src-ip to that IP address. Remove the in-interface.

/ip firewall filter add action=drop chain=forward dst-address=!192.168.0.0/24 src-address=192.168.0.250


250 is DVR.
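
A fuller version of the source-address rule above, as an added example that is not part of any poster's reply: it pins the DVR's lease, places the drop rule first, and logs what the DVR tries to reach. The addresses 192.168.0.250 and 192.168.0.0/24 are the thread's assumed values, and the comment text and log prefix are made up for illustration.

```routeros
# Added example. 192.168.0.250 (DVR) and 192.168.0.0/24 (LAN) are the
# thread's assumed values; substitute your own.

# 1. Pin the DVR's address so the src-address match keeps applying.
#    (Only relevant if the DVR gets its address from the router's DHCP server.)
/ip dhcp-server lease make-static [find where address=192.168.0.250]

# 2. List the current rules so that item number 0 refers to the first rule.
/ip firewall filter print

# 3. Drop anything the DVR sends to a destination outside the LAN.
#    place-before=0 puts the rule at the top of the list, ahead of any
#    accept rule for established/related connections, so the DVR's replies
#    to port-forwarded connections from outside are dropped as well.
#    log / log-prefix record each dropped packet for later review.
/ip firewall filter add chain=forward src-address=192.168.0.250 \
    dst-address=!192.168.0.0/24 action=drop log=yes log-prefix="dvr-egress" \
    comment="DVR: block traffic leaving the LAN" place-before=0

# 4. Verify: the counters on the rule increase when the DVR tries to reach
#    the Internet, and the log shows which destinations it attempted.
/ip firewall filter print stats where comment~"DVR"
/log print where message~"dvr-egress"
```

PCs on the same bridge reach the DVR without passing through the forward chain, so LAN access is unaffected by this rule. The rule does not cover traffic the DVR sends to the router itself, which is handled by the input chain.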
 
dan701
just joined
Topic Author
Posts: 4
Joined: Tue Oct 31, 2017 1:57 am

Re: Restricting IoT device

Sat Nov 11, 2017 2:56 am

Thank you. Changing the interface to the device IP rather than the actual port did the trick! Thank you both for the suggestions! Now I don't worry that someone outside of my network can access this device. And my wife is happy that I didn't break the Internet....again :-) !!