
Block specific IP to access LAN

Posted: Tue Jun 26, 2018 5:04 pm
by holian
Masters,

I have an Ubuntu, installed under VMware... I would like to set up our Mikrotik router to block this Ubuntu from accessing the local LAN. I would like to allow access only to the external internet for this IP.
I tried a lot of firewall rules, but none of them work. May I ask for some help with it?

Regards

Re: Block specific IP to access LAN

Posted: Tue Jun 26, 2018 5:16 pm
by Anumrak
Hey. Just add firewall filter input chain drop rule for your server IP address.

Re: Block specific IP to access LAN

Posted: Tue Jun 26, 2018 11:53 pm
by sindy
IP (L3) firewall cannot block communication between devices in the same subnet because that happens on L2. So if the Ubuntu is the only machine connected to some physical interface of the Mikrotik, you may permit use of firewall also for bridge, and set bridge firewall rules to block it; if some other devices are connected (indirectly, by means of an external hub or switch) to the same physical interface of the Mikrotik as the Ubuntu, you cannot block traffic between the Ubuntu and these devices because that traffic won't pass through the Mikrotik at all.

Re: Block specific IP to access LAN

Posted: Wed Jun 27, 2018 3:31 pm
by Anumrak
> Masters,
>
> I have an Ubuntu, installed under VMware... I would like to set up our Mikrotik router to block this Ubuntu from accessing the local LAN. I would like to allow access only to the external internet for this IP.
> I tried a lot of firewall rules, but none of them work. May I ask for some help with it?
>
> Regards

You better write a little scheme, in order to understand your topology. If you want to drop the packets destined to your router, just add a drop rule in the input chain. If you have a bridge on Tik for all your LAN in the same address space, just add a drop rule in bridge filter for your subnet or a single host with mac-address mask. https://wiki.mikrotik.com/wiki/Manual%3 ... e_Firewall

Re: Block specific IP to access LAN

Posted: Wed Jun 27, 2018 7:07 pm
by holian
> IP (L3) firewall cannot block communication between devices in the same subnet because that happens on L2. So if the Ubuntu is the only machine connected to some physical interface of the Mikrotik, you may permit use of firewall also for bridge, and set bridge firewall rules to block it; if some other devices are connected (indirectly, by means of an external hub or switch) to the same physical interface of the Mikrotik as the Ubuntu, you cannot block traffic between the Ubuntu and these devices because that traffic won't pass through the Mikrotik at all.

I think you are right.
The Mikrotik is connected to a switch, which is connected to the server (the VMware runs on this server...).

So in this case there is no way to isolate this Ubuntu from other devices on LAN?

Re: Block specific IP to access LAN

Posted: Wed Jun 27, 2018 7:16 pm
by kai
If you have a managed switch, wouldn't it be possible to put the VMware server on its own VLAN and isolate it that way?

Re: Block specific IP to access LAN

Posted: Wed Jun 27, 2018 10:34 pm
by sindy
Even if you don't have a managed switch, a dedicated VLAN with a dedicated IP subnet for the server could be the solution, as there is VMware on the other end, which does support VLANs on its vswitches, and as most dumb switches will pass packets with VLAN headers.
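What sindy's VLAN-based isolation looks like on the router side, as an added RouterOS CLI example that is not part of the thread. It assumes ether1 is the WAN port, ether2 is the port towards the switch, VLAN ID 20 is configured on the VMware vSwitch port group for the Ubuntu VM, the existing LAN is 192.168.88.0/24 and the new server subnet is 192.168.20.0/24; all of these names and numbers are assumptions. Once the server sits in its own subnet, its traffic to the LAN has to be routed by the Mikrotik, so an ordinary IP (L3) forward rule can drop it.

```routeros
# Added example (assumed names/addresses). Tagged VLAN 20 frames from the
# VMware vSwitch arrive on ether2 and terminate on this VLAN interface.
/interface vlan
add name=vlan20-vmware vlan-id=20 interface=ether2

# Dedicated subnet for the isolated VM; the router is its gateway.
/ip address
add address=192.168.20.1/24 interface=vlan20-vmware

# All internal ranges the VM must not reach, kept in one list so more
# subnets can be added later without touching the rules.
/ip firewall address-list
add list=lan-internal address=192.168.88.0/24

# Forward chain: drop anything from the VM's VLAN towards internal ranges,
# then accept the rest (internet). The drop rule must come before any
# general accept rule already present in the forward chain.
/ip firewall filter
add chain=forward in-interface=vlan20-vmware dst-address-list=lan-internal \
    action=drop comment="isolated VM: no access to LAN"
add chain=forward in-interface=vlan20-vmware out-interface=ether1 \
    action=accept comment="isolated VM: internet only"

# Input chain: the VM only needs the router for DNS; drop everything else
# it sends to the router itself (e.g. Winbox/SSH/web management).
add chain=input in-interface=vlan20-vmware protocol=udp dst-port=53 \
    action=accept comment="isolated VM: DNS to router"
add chain=input in-interface=vlan20-vmware \
    action=drop comment="isolated VM: no router management"

# NAT the new subnet out the same way as the LAN.
/ip firewall nat
add chain=srcnat src-address=192.168.20.0/24 out-interface=ether1 \
    action=masquerade
```

Check the result with `/ip firewall filter print stats` while pinging a LAN host and an internet host from the VM: the drop counter should increase for the LAN target only, and a LAN host must not be reachable by the VM at all.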