this post was submitted on 06 Oct 2024
13 points (100.0% liked)

Mikrotik


Hi All,

I'd like to block a couple of "guest" devices from accessing any devices on my LAN, but allow them internet access. They're streaming media boxes from a foreign country, and I'm not convinced they are, or will remain, clean of malware.

Yes, the easiest solution is to simply remove them, or block them entirely, but there are "family issues" at work, and I'd like a short-term solution until the family members leave and take their device with them.

I've already rate-limited them with queues so they don't have a significant upload speed, so their ability to participate in any DoS business will be limited.

I have the device's MAC and have it locked to a static IP, so I'd like to deny 192.168.x.x and allow anything else.

Any ideas?

top 4 comments
[–] Mellow12 9 points 5 hours ago (1 children)

Set up a segregated VLAN. Set up firewall rules to block access back to your primary network. It’s good practice for IoT devices and other devices of dubious trust.

[–] [email protected] 4 points 5 hours ago (1 children)

I use the poor man’s VLAN: Guest Networks.

[–] [email protected] 1 points 4 hours ago* (last edited 4 hours ago)

i don't have the luxury here of such fancy features, so i just use a second router with its own network and ssid for things that don't need full lan access (streaming devices, mainly). double-nat, but don't care. everything works fine.

[–] [email protected] 4 points 5 hours ago

Depending on what AP you have, you can probably accomplish this with some kind of VLAN setup, or if it's Wi-Fi only you can try seeing if it supports client isolation.
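
The "deny 192.168.x.x, allow anything else" rule asked for in the post, written as RouterOS firewall filter rules; this is an added example, not configuration posted by anyone in the thread. The guest address 192.168.88.50 and the list name `guest-devices` are constructed placeholders.

```routeros
# Added example. Constructed values: 192.168.88.50 stands in for the guest
# box's static lease, and "guest-devices" is a made-up list name.

/ip firewall address-list
add list=guest-devices address=192.168.88.50 comment="untrusted streaming box"

/ip firewall filter
# Input chain: traffic addressed to the router itself.
# Allow only DHCP and DNS from the guest, then drop the rest so it cannot
# reach the router's management services.
add chain=input src-address-list=guest-devices protocol=udp dst-port=67 \
    action=accept comment="guest: DHCP"
add chain=input src-address-list=guest-devices protocol=udp dst-port=53 \
    action=accept comment="guest: DNS (UDP)"
add chain=input src-address-list=guest-devices protocol=tcp dst-port=53 \
    action=accept comment="guest: DNS (TCP)"
add chain=input src-address-list=guest-devices action=drop \
    comment="guest: nothing else on the router"

# Forward chain: traffic routed through the router.
# Drop anything the guest sends to 192.168.x.x; every other destination
# falls through to the existing rules and reaches the internet as before.
add chain=forward src-address-list=guest-devices dst-address=192.168.0.0/16 \
    action=drop comment="guest: no LAN access"

# Ordering matters: "add" appends to the end of the chain, so move these
# rules above any broad accept rule that would match the guest first.
# Check the result and the per-rule packet counters with:
#   /ip firewall filter print stats
```

These rules only see traffic that the router routes or receives itself. Devices on the same bridge and subnet as the guest box are reached at layer 2 and never pass through the forward chain, which is why the replies above recommend a separate VLAN, guest network or client isolation.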