Hi,
For one specific physical port on my router (port 14) I like to block all LAN activities, browsing, share access. Only internet access should be allowed. How can I achieve that?
MikroTik RouterBoard on 192.168.10.1 (runs DHCP, DNS etc)

Thanks!

Many aspects of the router configuration are integrated and its not always easy to pinpoint a solution without knowing the full context.

In general if you have a drop all else rule in the forward chain, then any traffic not permitted will not pass.
So that begs what firewall filter rules do you have in place now?

The other obvious area of interest is the port itself, what traffic flows over this port, one LAN, one VLAN, a Bridge etc................

Sounds like a guest port to me. Put it on a separate subnet and allow it access only to non private addresses (through the use of address lists to keep it clean and short).

But anav is correct, I may be out of context. Let me know.


Sent from my cell phone. Sorry for the errors.

Indeed i want to create a guest port.
Can you give me some hints how to achieve this securely? I'm not really confident yet with this router.

make sure this port is not part of the bridge with other LAN ports. otherwise traffic will not hit firewall unless you tells it to.

set up separate IP Address, Network, DHCP server etc for this port. make sure traffic from this subnet is NATed. I would have a separate masquerade rule for each subnet.

still you need firewall rule on the forward chain to block traffic from this subnet to another, as anav suggested.

Concur that is the clearest way. To separate groups of users one can
a. put another lan not on the same bridge (on its own - a single lan using a single port etherface)
b. create another bridge just for the guest users
c. create a vlan that runs on the existing bridge

(in all cases as solar pointed out you need to create a NEW LAN/vlan structure DHCP, ip pool, dhcp server, dhcp-server-network, and IP address entries.

The simple case would be a LAN off the bridge
I use VLANS because I have a mix of guest wifi and house wifi on Access Points and vlans is easier for me to manage it that scenario.
Or put in other words, I have a mix of guest and regular user traffic on a port and a single bridge and vlans allow me to separate them effectively while sending all that traffic through a single port.

In your case, the whole port is strictly guest which makes life easier.

Tried to make a separate bridge, dhcp server, ip pool, vlan. But i could not make it work.
Here the farrest I came:
https://www.dropbox.com/s/xrgr4srqej1x7 ... t.txt?dl=0

I can't figure out in what order I have to connect all. Should the vlan be connected to port 1 (the port to my internet router) or to etherport 2, the port I want to operate as a guest port?
dhcp1 is the normally working one with pool1 (192.168.10.1) and the guest one 192.168.11.1

Any help is appreciated!

Okay you went overboard LOL.
You could do it many ways.
VLAN on current bridge with VLAN network
Separate Bridge with a separate LAN network
Separate LAN network not on a bridge ****************************

Same as for the primary LAN you need to conduct at least FOUR STEPS
ip address
Ip pool
ip DHCP SERVER
ip DHCP SERVER NETWORK

Lets say you simply opt for a DMZ type LAN (separate LAN from bridge).

1. Define the interface (decide to use ether4 for other LAN, (basically ensure its not on the bridge and enter appropriate comment etc......
set [ find default-name=ether4 ] comment=Guest-DMZ speed=100Mbps

2. /ip pool
add name=dhcp_Guest ranges=192.168.2.2-192.168.2.100

3. /ip dhcp-server
add address-pool=dhcp_DMZ disabled=no interface=ether4 lease-time=1d name=\
Guest_server

4. Ensure Ether 4 a is not on the bridge, remove if it is.
/interface bridge port
add bridge=Bridge comment=defconf interface=ether2
add bridge=Bridge comment=defconf interface=ether3

5. Ensure the Guest Lan is part of the LAN interface List.
/interface list member
add comment=defconf interface=eth1 list=WAN
add interface=Bridge list=LAN
add interface=ether4 list=LAN

6. /ip address
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0

7. /ip dhcp-server network
add address=192.168.2.0/24 comment=GuestDMZ_Network dns-server=192.168.2.1 \

8. Add Firewall rule in the Forward Chain.
/ip firewall filter
add action=accept chain=forward comment="ENABLE GUEST to WAN" \
in-interface=ether4 out-interface-list=WAN (*or out-interface=WAN if you only have one WANIP)

I reverted my previous changes and followed the whole procedure. Managed to get most done. See my current situation here:
https://www.dropbox.com/s/xrgr4srqej1x7 ... t.txt?dl=0
(Due to some cable issues i used ether_02_Guest and not ether04)

But:
/ip dhcp-server
add address-pool=dhcp_Guest disabled=no interface=ether02_Guest lease-time=1d name=Guest_server
results in: DHCP server cannot run on slave interface

And the ip filter shows a message on the firewall, filter rules dialog: in/out interface matcher not possible when interface (ether02_Guest) is slave. use master instead (bridge LAN)

I assume the second one is related to the first?

Hi there, I am using the latest firmware 6.43.8 and there are no slave or master selections????
Some questions for your config below......

1. What the heck is vlanID 10 and why is it on your WAN interface???
2. Why is your WAN interface part of the LAN List member under IT SHOULD BE list=WAN

3. Here is one problem you still have ether2 on the bridge. Remove it!
add bridge=bridgeLAN comment=defconf interface=ether02_Guest

4. Where is DCHP-server for ether2??

5. WHY DO you have two IP addresses for ether 2??? The first one should be your bridge interface

6/ Ensure you have an allow dst firewall filter rule (show below)

7. Your masquerade rule is incorrect

8. Your Dst NAT rules are incorrect.

/interface bridge
add fast-forward=no name=bridgeLAN
/interface ethernet
set [ find default-name=ether2 ] comment=Guest-DMZ name=ether02_Guest speed=100Mbps
set [ find default-name=ether1 ] name=ether1_WAN speed=100Mbps

/interface vlan
add interface=ether1_WAN name=vlan_NOWIREGUEST vlan-id=10 ???????????
/interface list
add name=LAN
???? where is add name=WAN

/ip dhcp pool
add name=dhcp_pool1 ranges=192.168.10.50-192.168.10.99
add name=dhcp_Guest ranges=192.168.11.2-192.168.11.100 (good)

/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=bridgeLAN name=dhcp1
???????????? where is ether 2

/interface bridge port
add bridge=bridgeLAN comment=defconf interface=ether02_Guest <----- get rid of this........

/interface list member
add comment=defconf interface=ether1_WAN list=LAN ?????? should be list=WAN
add interface=bridgeLAN list=LAN
add interface=ether02_Guest list=LAN (good)

/ip address
add address=192.168.10.1/24 interface=ether02_Guest network=192.168.10.0 <----- change this to interface=bridgeLAN
add address=192.168.10.125/24 disabled=yes interface=ether1_WAN network=192.168.10.0
add address=192.168.11.1/24 interface=ether02_Guest network=192.168.11.0 (good)

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1_WAN

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 netmask=24
add address=192.168.11.0/24 comment=GuestDMZ_Network dns-server=192.168.11.1 (good)

/ip firewall filter
HI ASSUME YOU HAVE FORWARD CHAIN AS FOLLOWS or roughly anyway
-- accept established related
--drop invalid packets
-- accept LAN to WAN (in-interface=bridgeLAN etc...._
add action=accept chain=forward comment="ENABLE GUEST to WAN" in-interface=ether02_Guest out-interface=ether1_WAN (this should work with above changes)
-- accept connection-nat-state=dstnat
-- drop all else

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.10.0/24
Try
add action=src-nat chain=srcnat dest-address=10.168.10.125 (assuming .125 is your fixed WANIP???? )

add action=dst-nat chain=dstnat comment=torrent protocol=tcp dst-port=51413 in-interface=ether1_WAN \
to-addresses=192.168.10.200 (assume this is your server)?
add action=dst-nat chain=dstnat comment=torrent protocol=udp dst-port=51413 in-interface=ether1_WAN \
to-addresses=192.168.10.200

Note: if you know what external WANIPs are allowed to use your server, then you should put those IPs on a firewall address list and add them to your dst nat rules!!

I tried to fix the issues you appointed
Still when i try to add the 2nd dhcp server (interface: ether02_Guest, addresspool: dhcp_Guest) I get the message:
Couldn't add new DHCP server - can not run on slave interface
I still get a 192.168.10.x address on my computer on port 2, and still access to my server

On the router of my internet provider I did set a static adress for the mikrotik: 192.168.178.200.
A while ago I tried to make a guest VLAN with my 2 unifi wifi APs but that failed as well, They are now direct on the main network. I start to think the mikrotik is a way to far for me....

updated config: https://www.dropbox.com/s/xrgr4srqej1x7 ... t.txt?dl=0
I really don't have any special wishes on my router.
When there is some rubbish in my script, just please tell me how to bring it into a correct state.
I would be very grateful for any help!

# feb/02/2019 02:22:35 by RouterOS 6.43.8 (good)
192.168.178.200 is your WANIP from previous post, just here to remind me LOL.
/interface ethernet (good)
set [ find default-name=ether2 ] comment=Guest-DMZ name=ether02_Guest speed=100Mbps
set [ find default-name=ether1 ] name=ether1_WAN speed=100Mbps
set [ find default-name=ether10 ] name=ether10_NAS01 speed=100Mbps

/interface vlan
add interface=ether1_WAN name=vlan_NOWIREGUEST vlan-id=10 GET RID OF THIS FOR NOW, IT HAS NO BUSINESS BEING ON ETHER1 at least for now and until we know why??

/ip pool (good)
add name=dhcp_pool1 ranges=192.168.10.50-192.168.10.99
add name=dhcp_Guest ranges=192.168.11.2-192.168.11.100

/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=bridgeLAN name=dhcp1
ADD its missing!!!!
add address-pool=dhcp_Guest interface=ether02_Guest name=guestDHCP

/interface bridge port
add bridge=bridgeLAN hw=no interface=none Remove this last entry as it appears to apply to nothing........

/interface list member (GOOD)
add comment=defconf interface=ether1_WAN list=WAN
add interface=bridgeLAN list=LAN
add interface=ether02_Guest list=LAN

/ip address (good but not sure on wanip address in green,)
add address=192.168.10.1/24 interface=bridgeLAN network=192.168.10.0
add address=192.168.11.1/24 interface=ether02_Guest network=192.168.11.0
add address=192.168.10.125/24 disabled=yes interface=ether1_WAN network=192.168.10.0 ???????????????????????

/ip dhcp-server network (good)
add address=192.168.10.0/24 gateway=192.168.10.1 netmask=24
add address=192.168.11.0/24 comment=GuestDMZ_Network dns-server=192.168.11.1

/ip firewall filter
add action=accept chain=forward comment="ENABLE GUEST to WAN" in-interface=ether02_Guest out-interface=ether1_WAN
I see nothing wrong with this rule......

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.10.0/24 (REMOVE THIS RULE) and add the following
add action=src-nat chain=srcnat out-interface=ether1_WAN to-addresses= 192.168.178.200

add action=dst-nat chain=dstnat comment=torrent dst-address=192.168.10.200 dst-port=51413 in-interface=ether1_WAN protocol=tcp src-port=51413 to-addresses=\
192.168.10.200 to-ports=51413
add action=dst-nat chain=dstnat dst-address=192.168.10.200 dst-port=51413 in-interface=ether1_WAN protocol=udp src-port=51413 to-addresses=192.168.10.200 \
to-ports=51413 Wrongly configured should like the following simpler config

add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp in-interface=ether1_WAN \
to-addresses=192.168.10.200
add action=dst-nat chain=dstnat dst-port=51413 protocol=udp in-interface=ether1_WAN \
to-addresses=192.168.10.200

Wow, thank you for your help! I really appreciate that!

Seems I'm almost there. There are no red remarks anymore and both dhcp servers distribute addresses from the correct address pool
However the computer on port2 is not able to reach the internet. Not by url, also not by ip address, so it does not seem to be a dns issue. Should there be a specific firewall forward rule?

Actual config:
https://www.dropbox.com/s/xrgr4srqej1x7 ... t.txt?dl=0

Well I cannot comment on firewall rules as they seem to be missing from your drop box config.......
You know you can simply paste that code into the thread and above using the square black box and the white brackets( located on the same row as BOLD, ITALICS UNDERLINE etc.), put the text into a shortened code format that looks quite good here!! Instead of using drop box!

What is interesting is your bridge dhcp-server network is missing the dns-server of 192.168.10.1 ??
What is interesting is your guest dhcp-server network is missing the gateway of 192.168.11.1 ??
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 netmask=24
add address=192.168.11.0/24 comment=GuestDMZ_Network dns-server=192.168.11.1

Put in some dns servers here 1.1.1.1, 8.8.4.4 and 8.8.8.8. are common.
/ip dns
set allow-remote-requests=yes

(mine looks like this - /ip dns
set allow-remote-requests=yes servers=\
8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222

Finally this looks wrong, delete both..............

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=src-nat chain=srcnat out-interface=ether1_WAN to-addresses=192.168.178.200

Its very confusing you only have ONE WAN............... thus this is what you should do.....

If a dynamic WANIP
add action=masquerade chain=srcnat out-interface=eth_1 WAN

If a static WANIP
add action=src-nat chain=srcnat to-address=wanIP out-interface=eth_1 WAN

As for DNS in firewall rules,
in the input chain you need something like.........
So that dns queries only from the LAN are permitted.

add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp

Looking back, ensure all your rules to allow guest in firewall filter rule identify ether2.
It looks like I had given examples of ether4???

I found the reason why I dindnt have internet:
/ip dhcp-server network
add address=192.168.11.0/24 comment=GuestDMZ_Network dns-server=192.168.11.1
Changed to:
add address=192.168.11.0/24 comment=GuestDMZ_Network dns-server=8.8.8.8 gateway=192.168.11.1

Now I have internet on the guest port!
The only leftover I can see now: I can still ping the server (192.168.10.200) and see the shares. so the main network is not yet invisible for guests. Any clue?
https://www.dropbox.com/s/xrgr4srqej1x7 ... t.txt?dl=0

You don't have any firewall in place at all (or at least it's not included in the exported config you made available)! You need something fast!

Start protecting router itself by applying rules from wiki (section Router protection).

Then proceed with something better. The code below is default firewall on my hAP ac² on ROS 6.44beta61:

Then you want to remove ether02_Guest from LAN interface list [*]:

Then you can stop traffic between ether02_Guest and the rest of LAN using the following firewall filter rule
this rule can be the last filter rule if the default (as posted above) filter config is in use. The rule above will only block new connections initiated in ether02_Guest subnet but will allow connections initiated from LAN (targeting Guest subnet). If you want to block those as well, simply remove connection-state=new from the rule.

[*] by removing ether02_Guest from LAN interface list, guests will loose access to some services, provided by router, such as DNS server ... look at all rules with action=accept chain=input and decide which rules shoudl apply also to ether02_Guest ... add another instance of those rules, but with in-interface=ether02_Guest instead of in-interface-list=LAN. Place those rules above the general action=drop chain=input in-interface-list=!LAN rule.

Hey guys/gals

Why not setup a routing rule for a specific src ip/range/group to route to default route only, being the internet. any other routes would be implicitly denied.
So
* isolate to single port
* create route to 0.0.0.0/0 to uplink in route table "internet-only"
* create routing rule for specific source ip/range/group to do lookup-in-table-only in "internet-only"

Hi MKX that is new to me and thus a good learning point.
I thought that layer2 was blocked automatically if

a. lan A was on Bridge
b. lan B was NOT on bridge
c. LANB was on a different bridge
d. LANB was on a VLAN, anywhere (on or off bridge)

In otherwords the /interface list members has no effect on L2 connectivity between subnets.
bridge list=LAN
eth02 list=LAN

TRUE OR FALSE????????????????????

++++++++++++++++++++++++++++++++++++++++++++++
Assuming True and L2 is not leaking then the only forward chain firewall filter rules required are.

a1. established, connected accept
a2. drop invalid packets
b. lans or vlans to wan accept
c. dst packets if required accept
d. drop all.

There should be no L3 connectivity between subnets because none has been permitted above???

Hi All,
With the great support of anav and the finishing touch of mkx I finally managed to reach my goal, a normal working network AND one guest port with no access to the rest of the LAN.
Seems I rather underestimated all possibilities of this router. Without your help I would not only still have a problem, but also a non-secure network...

To all contributers: Big Thanks!!!!

to be complete the latest situation: https://www.dropbox.com/s/xrgr4srqej1x7 ... t.txt?dl=0

In otherwords the /interface list members has no effect on L2 connectivity between subnets.
bridge list=LAN
eth02 list=LAN

TRUE OR FALSE????????????????????

True.

a1. established, connected accept
a2. drop invalid packets
b. lans or vlans to wan accept
c. dst packets if required accept
d. drop all.

There should be no L3 connectivity between subnets because none has been permitted above???

True.

But what you describe above is not how things are configured by default and is not how @GeneralFailure had it (and still has). Please try to read poster's config and think of necessary changes in this perspective next time.
The default (again: default, not your settings) firewall allows all connectivity to router (chain=input) from LAN interface list, and only drops connections from WAN not dst-nated (in chain=forward). Which means that most of L3 connectivity is implicitly allowed. Dropping guest interface from LAN interface list doesn't change much for rules until here (except for connections from guest to router which is actually beneficial as we don't want random guest to fuss with router, do we? Instead some more restrictive allow rules might be necessary for a few select router functions allowed to guests might be deserved). But: if we want to explicitly drop connections between guest and LAN and keep using LAN interface list as synonym for LAN, then we need to remove guest from the LAN interface list. Then we can create filter rule that drops guest to LAN connections using LAN interface list as target (it's open here whether to use another interface list for guest or to refer to particular interface ... using interface list is slightly more future proof in case we want to add additional interfaces to guest subnet or even create a small bridged network for it). Using meaningful names (and LAN is not reverse of WAN!) helps with readability of configuration.

to be complete the latest situation: https://www.dropbox.com/s/xrgr4srqej1x7 ... t.txt?dl=0

One more touch ... in your latest config you have the following:

These rules actually don't belong in NAT section. If anywhere they'd belong in /ip firewall filter section. But these two are not needed at all as all connections from LAN are implicitly allowed (no filter rule is dropping such traffic, hence it's allowed).

In addition to that, you can re-work the dst-nat rules ... use in-interface-list=WAN instead of in-interface=ether1_WAN. That will make them consistent to filter rules in using interface lists...