Hello,

in a big network with a lot of users and network ranges, I like to secure vulnerable network devices. For instance an old programmable logic controller. Often these devices have an old firmware, open ftp, and other unwanted open access.
The devices should still access the DHCP and ntp server and receive their IP address (if not static). ICMP should be possible and open access from a specific network range as 1.2.3.0/24

Attached and attempt, however the firewall is not working as well the members of the LAN don't get an IP from the DHCP server.
It would be great if the router could be passive, without receiving an IP. If I add Ether1 to the bridge, the LAN Member receive an IP from the DHCP server, however the Firewall is still not working.
Is this the right approach and possible? Is another approach better?
Thank you

you don't need an additional bridge

https://wiki.mikrotik.com/Manual:MPLSVP ... n_bridging

or add filter rule on bridge
/interface bridge filter add action=drop chain=forward in-interface=ether2 out-interface=ether3

or enable IP firewall usage on bridge
/interface bridge settings set use-ip-firewall=yes
end then
/ip fi fi add action=accept chain=forward in-interface=bridge1 in-bridge-port=ether2 out-bridge-port=ether3
etc...

This topic:
viewtopic.php?t=185541

seems to me very similar, maybe you can get some ideas/approaches from that one.