firewall filter
Posted: Tue Nov 24, 2009 7:19 am
by b2k
Please help, I am a newbie here.
hehehe
How do I make rules like:
Client A. 192.168.1.2
cannot ping client B. 192.168.2.2 but
client B. 192.168.2.2
can ping client A. 192.168.1.2
Please help, guys.
Re: firewall filter
Posted: Tue Nov 24, 2009 9:16 am
by normis
How are these clients connected to the router? Are they wireless users, or LAN users connected through a switch?
Re: firewall filter
Posted: Tue Nov 24, 2009 11:15 am
by b2k
How are these clients connected to the router? Are they wireless users, or LAN users connected through a switch?
LAN users connected through a switch.
I have 2 LAN cards in my router, A. 192.168.1.1 and B. 192.168.2.1
Re: firewall filter
Posted: Tue Nov 24, 2009 11:29 am
by normis
In that case, their connections are not going through the router at all, so you can't control them.
Re: firewall filter
Posted: Tue Nov 24, 2009 11:42 am
by b2k
In that case, their connections are not going through the router at all, so you can't control them.
If the connections are going through the router, how can I control them?
Re: firewall filter
Posted: Tue Nov 24, 2009 11:44 am
by normis
But they are not.
If they were connected directly to the router, instead of a switch, you would make simple filter rules like:
Client A. 192.168.1.2 can not ping to client B. 192.168.2.2 but
client B. 192.168.2.2 can ping to client A. 192.168.1.2
/ip firewall filter add chain=forward src-address=192.168.2.2/32 dst-address=192.168.1.2/32 action=accept
/ip firewall filter add chain=forward src-address=192.168.1.2/32 dst-address=192.168.2.2/32 action=drop
Re: firewall filter
Posted: Tue Nov 24, 2009 11:52 am
by sudiptakp
Hi,
If your topology is as follows, then you may try the configuration below.
Switch1(192.168.1.0/24)------------(RouterOS)------------Switch2(192.168.2.0/24)
/ip firewall filter
add action=drop chain=forward comment="ping block" disabled=yes icmp-options=8:0-255 \
protocol=icmp src-address=192.168.1.0/24
thanks,
Sudipta
Re: firewall filter
Posted: Tue Nov 24, 2009 11:58 am
by sudiptakp
/ip firewall filter
add action=drop chain=forward comment="ping block" disabled=yes icmp-options=8:0-255 \
protocol=icmp src-address=192.168.1.0/24
Sorry for the typo... in the above config put
disabled=no
Thanks,
Sudipta
Re: firewall filter
Posted: Tue Nov 24, 2009 12:07 pm
by b2k
Thanks all, my problem is solved!
Re: firewall filter
Posted: Tue Nov 24, 2009 12:43 pm
by Chupaka
/ip firewall filter add chain=forward src-address=192.168.2.2/32 dst-address=192.168.1.2/32 action=accept
/ip firewall filter add chain=forward src-address=192.168.1.2/32 dst-address=192.168.2.2/32 action=drop
Is it working?!? I would add 'connection-state=new', because if you simply accept one direction and drop the opposite direction, ping won't work in both directions, no?
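Why the accept/drop pair stops ping in both directions, and what 'connection-state=new' changes, traced packet by packet in a simplified model. This is an added example, not code from the thread or from RouterOS; the names `Rule`, `forward` and `ping` and the one-entry-per-address-pair connection table are assumptions of the model.

```python
from dataclasses import dataclass

A, B = "192.168.1.2", "192.168.2.2"   # client addresses from the thread

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str           # "accept" or "drop"
    state: str = "any"    # "any", or "new" to model connection-state=new

# The pair as posted: accept B -> A, drop everything A -> B.
STATELESS = [Rule(B, A, "accept"), Rule(A, B, "drop")]
# Same pair, with connection-state=new added to the drop rule.
STATEFUL = [Rule(B, A, "accept"), Rule(A, B, "drop", state="new")]

def forward(rules, tracked, src, dst):
    """Pass one packet through the forward chain; True if it is forwarded."""
    flow = frozenset((src, dst))
    # Simplified connection tracking: the first packet of a flow is "new",
    # every later packet in either direction is "established".
    state = "established" if flow in tracked else "new"
    allowed = True                    # no matching rule means accept
    for r in rules:                   # first matching rule decides
        if (r.src, r.dst) == (src, dst) and r.state in ("any", state):
            allowed = r.action == "accept"
            break
    if allowed:
        tracked.add(flow)             # only forwarded packets are tracked
    return allowed

def ping(rules, src, dst):
    """True if both the echo request and the echo reply are forwarded."""
    tracked = set()
    return forward(rules, tracked, src, dst) and forward(rules, tracked, dst, src)

if __name__ == "__main__":
    for name, rules in (("stateless", STATELESS), ("stateful", STATEFUL)):
        print(name, "B pings A:", ping(rules, B, A), "| A pings B:", ping(rules, A, B))
```

In the stateless pair the echo reply from A back to B matches the drop rule, so B's ping fails as well; with the state match the reply is no longer "new" and falls through to the default accept.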
Re: firewall filter
Posted: Wed Nov 25, 2009 3:45 am
by b2k
/ip firewall filter add chain=forward src-address=192.168.2.2/32 dst-address=192.168.1.2/32 action=accept
/ip firewall filter add chain=forward src-address=192.168.1.2/32 dst-address=192.168.2.2/32 action=drop
Is it working?!? I would add 'connection-state=new', because if you simply accept one direction and drop the opposite direction, ping won't work in both directions, no?
Yup, it is working, I am using the sudiptakp solution.
Thanks...
By the way guys, how can I block connections between client A. 192.168.1.2 and client B. 192.168.2.2, but so that client B. can connect to client A?
Need your help, guys.
Re: firewall filter
Posted: Wed Nov 25, 2009 3:57 am
by Chupaka
By the way guys, how can I block connections between client A. 192.168.1.2 and client B. 192.168.2.2, but so that client B. can connect to client A?
omg!..
http://forum.mikrotik.com/viewtopic.php ... 94#p181694
Re: firewall filter
Posted: Wed Nov 25, 2009 4:37 am
by b2k
I mean, client A. 192.168.1.2 cannot see the shared folder on client B. 192.168.2.2 but
client B. 192.168.2.2 can see the shared folder on client A. 192.168.1.2
If I use this code:
/ip firewall filter add chain=forward src-address=192.168.2.2/32 dst-address=192.168.1.2/32 action=accept
/ip firewall filter add chain=forward src-address=192.168.1.2/32 dst-address=192.168.2.2/32 action=drop
client A and B cannot connect at all
Re: firewall filter
Posted: Wed Nov 25, 2009 5:01 am
by b2k
Thanks bro, I realize I must use "connection-state=new"
Thanks bro...
By the way, can MikroTik block a MAC address?
Re: firewall filter
Posted: Wed Nov 25, 2009 12:37 pm
by Chupaka
/ip firewall filter add src-mac-address=