Rakou
just joined
Topic Author
Posts: 5
Joined: Wed Nov 10, 2010 3:47 pm

Block port

Fri Nov 12, 2010 8:06 am

Dear Sir,

Now I want to block my local intranet to some users.
The intranet uses ports: 81-84
IP address: 192.168.100.150 - 192.168.100.154
I have tried to filter by port and address, but that group can still access it.
ip firewall filter> add chain=forward src-address=10.10.10.30 protocol=tcp dst-port=81-84 action=drop
Is this rule correct or not?
Please help me solve it!

Regards,
 
mrz
MikroTik Support
Posts: 7188
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Block port

Fri Nov 12, 2010 9:47 am

If you want to block 192.168.100.150 - 192.168.100.154, then you have to set these addresses as src-address. In your rule, src-address is 10.10.10.30.
 
Rakou
just joined
Topic Author
Posts: 5
Joined: Wed Nov 10, 2010 3:47 pm

Re: Block port

Tue Nov 16, 2010 6:47 am

OK, now I have another example and I hope you can explain it to me clearly:
Ex: I have username=rakou (this user stays under the MikroTik)
IP: 10.10.10.30

Now I want to block this IP by not allowing access (Remote, Ping, IP Scan, ...) to the range 192.168.20.50-192.168.20.80, and this range is added to the address list name=Intranet-Range

This is the firewall filter I have added now:
ip firewall filter> add chain=forward src-address-list=Intranet-Range dst-address=10.10.10.30 action=drop
So this rule is correct or not?

Rakou,
 
andrescamino
Member Candidate
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Re: Block port

Wed Nov 17, 2010 1:30 am

Quote:
ip firewall filter> add chain=forward src-address-list=Intranet-Range dst-address=10.10.10.30 action=drop

So this rule is correct or not?

What that rule means is that all traffic starting at the address list Intranet-Range (192.168.20.50-192.168.20.80) intended to go to the IP 10.10.10.30 will be dropped... if that is what you want to do... yes... the IP 10.10.10.30 won't have requirements from those IPs, and well, everything also depends on your other filter rules. Why don't you give us the filter rules you have so we can check them out and see if there is any more configuration?
 
Rakou
just joined
Topic Author
Posts: 5
Joined: Wed Nov 10, 2010 3:47 pm

Re: Block port

Wed Nov 17, 2010 3:39 am

OK, sir. I have added two rules in the firewall filter:

1. Block IP: 10.10.10.30 can't access the local Intranet-Range (192.168.100.150 - 192.168.100.154) using ports 80-84
ip firewall filter> add chain=forward src-address=10.10.10.30 protocol=tcp dst-port=81-84 action=drop
But when I add this rule, all clients under the MikroTik range (10.10.10.0/24) can't access Intranet-Range at all. So why does this rule affect all clients?

2. Block IP: 10.10.10.50 can access the local network (Ex: can access Intranet-Range) but can't access the internet
ip firewall filter> add chain=forward src-address=10.10.10.50 dst-port=80 action=drop
So can this rule be accepted or not?
I wish you could show me the real code to solve this problem, because I am really confused about how MikroTik firewall rules work and how to add the second rule so that it works!

Regards,
 
andrescamino
Member Candidate
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Re: Block port

Thu Nov 18, 2010 6:51 pm

Ok show me a diagram of your network and print the ip configuration in your router and also the firewall configuration...

I can take a look and see what's wrong, and make the modifications
 
mahnet
Long time Member
Posts: 654
Joined: Tue Jul 07, 2009 9:11 pm

Re: Block port

Thu Nov 18, 2010 8:24 pm

ip firewall filter> add chain=forward src-address=10.10.10.50 dst-port=80 action=drop
Here it is quite evident that you are dropping port 80 for IP 10.10.10.50, so how will the user access the web, where most sites use port 80?
 
Kastneraustin
just joined
Posts: 3
Joined: Fri Oct 07, 2016 3:40 am

Re: Block port

Fri Oct 07, 2016 3:48 am

One question: how do I block ports 81 to 65536?

Gateway is 192.168.2.1

Thanks
 
Kastneraustin
just joined
Posts: 3
Joined: Fri Oct 07, 2016 3:40 am

Re: Block port

Sat Oct 08, 2016 5:18 pm

How do I block all ports except 80 & 443 on LAN eth2?
In WinBox, step-by-step configuration
Gateway IP is 192.168.2.1

Also, pictures would be nice too, to show me how to do it

Thanks
 
Kastneraustin
just joined
Posts: 3
Joined: Fri Oct 07, 2016 3:40 am

Re: Block port

Sat Oct 08, 2016 5:28 pm

/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=80
/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=443
/ip firewall filter add chain=forward action=drop



Will this code work to block all ports but 80 & 443?
And where do I put this code for it to work?


Thanks
 
Xtreme512
Member Candidate
Posts: 119
Joined: Sun Jun 08, 2014 2:43 pm
Location: Nicosia, CY

Re: Block port

Thu Jul 20, 2017 2:24 am

Quote:
/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=80
/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=443
/ip firewall filter add chain=forward action=drop

Will this code work to block all ports but 80 & 443
And where do I put this code for it to work

Thanks

/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=!80,443

block all TCP ports except 80,443
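
The two rule sets in the last posts do not drop the same traffic. The Python sketch below is an added example, not part of the thread and not MikroTik code: it models first-match evaluation of the forward chain and runs constructed sample packets through both rule sets. It assumes a packet that matches no rule is accepted, and all dictionary keys and names are illustrative.

```python
# Simplified model of first-match evaluation in a RouterOS forward chain.
# Assumption: a packet that matches no rule is accepted (no default drop).

def matches(rule, pkt):
    """True when every matcher set on the rule agrees with the packet."""
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst_port" in rule and pkt["dst_port"] not in rule["dst_port"]:
        return False
    if "not_dst_port" in rule and pkt["dst_port"] in rule["not_dst_port"]:
        return False
    return True

def evaluate(rules, pkt):
    """Return the action of the first matching rule, else 'accept'."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

# Rule set from the Oct 08, 2016 post: accept 80, accept 443, drop the rest.
ALLOW_THEN_DROP = [
    {"protocol": "tcp", "dst_port": {80}, "action": "accept"},
    {"protocol": "tcp", "dst_port": {443}, "action": "accept"},
    {"action": "drop"},
]
# Rule from the Jul 20, 2017 reply: drop protocol=tcp dst-port=!80,443.
DROP_OTHER_TCP = [
    {"protocol": "tcp", "not_dst_port": {80, 443}, "action": "drop"},
]

# Constructed sample packets (ports chosen for illustration).
PACKETS = {
    "client->web:80": {"protocol": "tcp", "dst_port": 80},
    "web:80->client reply": {"protocol": "tcp", "dst_port": 51000},
    "client->ssh:22": {"protocol": "tcp", "dst_port": 22},
    "client->dns:53/udp": {"protocol": "udp", "dst_port": 53},
}

def verdicts(rules):
    """Map each sample packet name to the action the rule set gives it."""
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, rules in (("allow-then-drop", ALLOW_THEN_DROP),
                         ("drop-other-tcp", DROP_OTHER_TCP)):
        print(label, verdicts(rules))
```

Both rule sets drop the web server's reply, because nothing in them matches on connection state or direction, and the single negated rule leaves UDP and ICMP untouched. A forward-chain accept for connection-state=established,related placed before the drop rules is the usual way to let replies through.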
