In the forward chain, remove the default rule
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
Replace with
add chain=forward action=accept comment="host to internet" in-interface-list=LAN src-address=singlehost-IP out-interface-list=WAN
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required, or remove }
add chain=forward action=drop comment="Drop all else"
If you decide to add more hosts that are allowed, simply turn src-address=singlehost-IP to src-address-list=internet-traffic
/ip firewall address-list
add address=host1-allowed-IP list=internet-traffic
add address=host2-allowed-IP list=internet traffic
...
add address=hostN-allowed-IP list=internet traffic
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
Replace with
add chain=forward action=accept comment="host to internet" in-interface-list=LAN src-address=singlehost-IP out-interface-list=WAN
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required, or remove }
add chain=forward action=drop comment="Drop all else"
If you decide to add more hosts that are allowed, simply turn src-address=singlehost-IP to src-address-list=internet-traffic
/ip firewall address-list
add address=host1-allowed-IP list=internet-traffic
add address=host2-allowed-IP list=internet traffic
...
add address=hostN-allowed-IP list=internet traffic
Statistics: Posted by anav — Thu Jan 30, 2025 3:48 am