3

I have connected 2 PCs (PC-1 and PC-2) to my MikroTik hEX (RB750Gr3).

I want to disallow internet access only for PC-2 (PC-1 and other connected devices should have internet access).

But I want to be able to connect from PC-1 to PC-2 and vice versa (for example: a server is running on PC-2 and I want that server to be accessible from PC-1). In other words: for PC-2, allow access only to the LAN. How do I do this?

Thanks for the answer.

Lukas
  • 141

2 Answers

5

This can be translated almost directly to firewall rules:

    /ip firewall filter
    # allow from PC-2 to LAN:
    add chain=forward src-address=<PC2_IP> dst-address=<LAN_SUBNET> action=accept
    # deny from PC-2 to everywhere else:
    add chain=forward src-address=<PC2_IP> action=reject

Which can also be combined:

    /ip firewall filter
    # deny from PC-2 to not-LAN:
    add chain=forward src-address=<PC2_IP> dst-address=!<LAN_SUBNET> action=reject

Here <LAN_SUBNET> should be the prefix you want to allow, e.g. 192.168.88.0/24 for the IPv4 rule, or 2001:db8:abcd:0::/64 for IPv6.

The rule checking goes from top to bottom until first match, so make sure the rule goes after "allow established" but before any "allow everything" rules you might have.

Note: Within the same subnet, access will always be allowed, as communications only go through the built-in switch and don't reach the OS. (Although RouterOS allows overriding that if necessary – under /interface ethernet switch rule, you can find an option to redirect packets from PC-2 to the OS as well. However, it's generally best to assume that intra-subnet traffic is unfiltered.)

grawity
  • 501,077
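A complete, ordered version of the rules from this answer, added here as an example that is not part of the original answer. It assumes the hEX's RouterOS default configuration (LAN 192.168.88.0/24 as in the answer, and a forward chain whose default rules carry `defconf:` comments, including one commented `defconf: drop invalid` that sits right after the established/related accept), and uses 192.168.88.20 as a constructed sample address for PC-2. It goes slightly beyond the answer by using address lists, so the same single rule covers several LAN prefixes or several LAN-only hosts without editing the rule itself.

```routeros
# Added example (not from the original answer). Assumes the RouterOS default
# configuration on a hEX: LAN 192.168.88.0/24, forward-chain rules commented
# "defconf: ...". PC-2's address 192.168.88.20 is a constructed sample value.

# Address lists instead of literal prefixes: one place to extend if the LAN
# has more than one prefix, or if more hosts should be LAN-only.
/ip firewall address-list
add list=lan address=192.168.88.0/24 comment="LAN prefix(es) PC-2 may reach"
add list=lan-only-hosts address=192.168.88.20 comment="PC-2"

# Single combined rule: anything from a LAN-only host to a non-LAN destination
# is rejected. It is placed right after the default "accept established,related"
# rule and before any later accept, so the first packet of every new
# connection from PC-2 hits it. The rest of the forward chain is unchanged.
/ip firewall filter
add chain=forward src-address-list=lan-only-hosts dst-address-list=!lan \
    action=reject reject-with=icmp-network-unreachable \
    comment="LAN-only hosts: deny everything outside the LAN" \
    place-before=[find chain=forward comment="defconf: drop invalid"]

# Verify the ordering: the new rule must print after the established/related
# accept and before any broad accept in the forward chain.
/ip firewall filter print where chain=forward
```

The `place-before=` lookup fails (and the `add` with it) if no forward rule carries that exact comment, which is the intended behaviour: it is better to be told the anchor rule is missing than to have the rule silently appended below an "accept everything" rule, where it would never match. These are IPv4 rules; the IPv6 equivalent goes under `/ipv6 firewall filter` with the 2001:db8:abcd:0::/64-style prefix from the answer in its own address list.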
3

In addition to what @grawity said, make sure to make PC-2's DHCP lease static. You also have to determine the threat level. If PC-2 is used by someone who is technically skilled, then you'll want to prevent the router from auto-adding ARP from broadcasts, and set the DHCP server to Add ARP for leases. This will prevent them from using a static IP to bypass.

Now that I think about it, the easier solution would be to just filter based on MAC address:

    /ip firewall filter add chain=forward src-mac-address=XX:XX:XX:XX:XX:XX dst-address=!X.X.X.X/XX action=reject
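The steps from this answer carried through as one configuration, added here as an example that is not part of the original answer. It assumes the hEX default configuration (DHCP server named `defconf` serving the bridge interface named `bridge`, LAN 192.168.88.0/24); `AA:BB:CC:DD:EE:FF` and 192.168.88.20 are constructed sample values for PC-2's MAC and address.

```routeros
# Added example (not from the original answer). Assumes the hEX default
# configuration: DHCP server "defconf" on bridge interface "bridge",
# LAN 192.168.88.0/24. AA:BB:CC:DD:EE:FF and 192.168.88.20 are constructed
# sample values for PC-2.

# 1. Pin PC-2 to a fixed address so an address-based rule stays correct
#    across reboots and lease renewals.
/ip dhcp-server lease
add address=192.168.88.20 mac-address=AA:BB:CC:DD:EE:FF server=defconf \
    comment="PC-2 (static lease)"

# 2. Stop the router from learning ARP from whatever a host announces; only
#    DHCP leases (and manual /ip arp entries) populate the ARP table. A host
#    that configures a different address by hand then gets no replies from
#    the router, so it cannot step out from under an address-based rule.
#    Set add-arp first so existing leases get entries before reply-only
#    takes effect.
/ip dhcp-server set [find name=defconf] add-arp=yes
/interface bridge set [find name=bridge] arp=reply-only

# 3. Match on the MAC instead of the address, so the filter does not depend
#    on the lease at all. The frame's source MAC is only visible to the router
#    for hosts on the same L2 segment, which is the case for PC-2 here.
/ip firewall filter
add chain=forward src-mac-address=AA:BB:CC:DD:EE:FF dst-address=!192.168.88.0/24 \
    action=reject comment="PC-2 by MAC: LAN only"

# 4. Check what the router now holds for PC-2.
/ip arp print where address=192.168.88.20
/ip dhcp-server lease print where mac-address=AA:BB:CC:DD:EE:FF
```

Two caveats a practitioner will want: with `arp=reply-only`, any other LAN device that uses a manually configured static address needs its own `/ip arp add` entry or it loses connectivity through the router, so check the ARP table before and after the change; and, in line with the answer's own threat-level framing, neither a lease nor a MAC match is a strong identity, they raise the bar for a casual user rather than provide a guarantee. As the first answer notes, traffic between PC-1 and PC-2 on the same subnet never reaches the forward chain at all, so the LAN-side access the question asks for is unaffected by any of these rules.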