Saturday, April 1, 2023

Block Internet access for IoT devices on Mikrotik RouterOS v7

I have some IoT stuff at home. They are connected to the 2.4GHz band access point on a MikroTik hAP AX3 router. I want to block them from the Internet while keeping them on the same bridge so that things like Airplay would still work.

One solution is to gather all the MAC addresses of the devices and then add firewall rules to reject packets from them destined to the WAN interface list. This is tedious because I need to keep adding MAC addresses for new devices.

Another solution is to create a dedicated WiFi access point for IoT devices, bridge the WiFi interface with LAN, and then configure the firewall to reject packets from this WiFi interface.

However, simply adding an IP firewall rule that rejects packets with in-interface set to the new WiFi interface does not work: the L3 (IP) firewall only sees the bridge itself, not the individual bridge port the packet entered on. The bridge (L2) firewall does see the port, so we use it to mark the packets there and let the IP firewall match on the mark, as shown below.

/interface wifiwave2
add configuration.mode=ap .ssid="put_ssid_here" master-interface=wifi-ap-2g name=wifi-no-internet security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp security.passphrase="put_wifi_password_here"

/interface bridge port
add bridge=bridge interface=wifi-no-internet

/interface bridge filter
add action=mark-packet chain=input in-interface=wifi-no-internet new-packet-mark=block-wan

/ip firewall filter

add action=reject chain=forward comment=\
    "reject wan access for packets marked block-wan" out-interface-list=WAN \
    packet-mark=block-wan reject-with=icmp-network-unreachable

/ipv6 firewall filter

add action=reject chain=forward comment=\
    "reject packets marked with block-wan" out-interface-list=WAN \
    packet-mark=block-wan reject-with=icmp-admin-prohibited

The config above only rejects the outbound direction: packets arriving from the WAN can still reach the devices, but any packets the devices send back are marked block-wan and rejected, so no connection to the Internet can complete.
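To check that a router export actually contains all the pieces this policy depends on (the WiFi interface is a bridge port, the L2 mark rule exists, and both the IPv4 and IPv6 forward chains reject on the mark rather than on the bridge port), here is an added audit script. It is my own example, not part of the original post and not a MikroTik tool; it parses the `/path` plus `add key=value` export format with backslash continuations, and the sample export it reads is the configuration from this post embedded as a constructed string. The interface, mark and list names are taken from the post; the check names are my own.

```python
"""Audit a RouterOS export for the 'block-wan' IoT policy described above."""
import re
import shlex

# Constructed sample: the export fragment from the post, continuation lines included.
SAMPLE_EXPORT = r'''
/interface wifiwave2
add configuration.mode=ap .ssid="put_ssid_here" master-interface=wifi-ap-2g name=wifi-no-internet security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp security.passphrase="put_wifi_password_here"

/interface bridge port
add bridge=bridge interface=wifi-no-internet

/interface bridge filter
add action=mark-packet chain=input in-interface=wifi-no-internet new-packet-mark=block-wan

/ip firewall filter

add action=reject chain=forward comment=\
    "reject wan access for packets marked block-wan" out-interface-list=WAN \
    packet-mark=block-wan reject-with=icmp-network-unreachable

/ipv6 firewall filter

add action=reject chain=forward comment=\
    "reject packets marked with block-wan" out-interface-list=WAN \
    packet-mark=block-wan reject-with=icmp-admin-prohibited
'''


def parse_export(text):
    """Return a list of (menu_path, {key: value}) for every 'add' line.

    Backslash-newline continuations are joined first (leading whitespace of the
    continued line dropped, as RouterOS does), then each line is split with shlex
    so quoted values containing spaces survive as one token.
    """
    joined = re.sub(r'\\\n\s*', '', text)
    entries = []
    path = None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('/'):
            path = line          # a menu path applies to every 'add' that follows it
            continue
        tokens = shlex.split(line)
        if not tokens or tokens[0] != 'add':
            continue
        kv = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition('=')
            # Exports abbreviate '.ssid' as a continuation of the previous dotted prefix
            if key.startswith('.') and kv and '.' in list(kv)[-1]:
                key = list(kv)[-1].rsplit('.', 1)[0] + key
            kv[key] = val
        entries.append((path, kv))
    return entries


def audit(entries, iface='wifi-no-internet', mark='block-wan', wan_list='WAN'):
    """Return {check_name: bool} for the pieces the block-wan policy needs."""
    def find(path, **want):
        return [kv for p, kv in entries
                if p == path and all(kv.get(k) == v for k, v in want.items())]

    bridged = find('/interface bridge port', interface=iface)
    marked = find('/interface bridge filter',
                  **{'action': 'mark-packet', 'in-interface': iface, 'new-packet-mark': mark})
    v4 = find('/ip firewall filter', chain='forward',
              **{'packet-mark': mark, 'out-interface-list': wan_list})
    v6 = find('/ipv6 firewall filter', chain='forward',
              **{'packet-mark': mark, 'out-interface-list': wan_list})
    # An L3 rule matching in-interface=<bridge port> never fires: the IP firewall
    # only sees the bridge, which is exactly the mistake the post warns about.
    l3_misuse = any(kv.get('in-interface') == iface
                    for p, kv in entries if p and p.startswith('/ip'))
    return {
        'iface_is_bridge_port': bool(bridged),
        'l2_mark_rule': bool(marked),
        'v4_reject_rule': any(r.get('action') in ('reject', 'drop') for r in v4),
        'v6_reject_rule': any(r.get('action') in ('reject', 'drop') for r in v6),
        'no_l3_rule_on_bridge_port': not l3_misuse,
    }


if __name__ == '__main__':
    for check, ok in audit(parse_export(SAMPLE_EXPORT)).items():
        print(f"{'OK  ' if ok else 'FAIL'} {check}")
```

Feed it the output of `/export` from the router instead of the sample to audit a live configuration; every check should print OK, and a FAIL on `no_l3_rule_on_bridge_port` points at a rule that silently never matches.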