I'm using a RouterOS device as a router on a stick.

I'd like to isolate a certain VLAN from the outside world so that the VLAN cannot instantiate any connections to other VLANs or to the Internet (WAN).

I've set up the following firewall rule:

/ip firewall filter
add chain=forward \
    action=reject reject-with=icmp-admin-prohibited \
    connection-state=!established,related,untracked \
    in-interface=vlan120

It works for ping:

ping www.google.com
PING www.google.com (172.217.20.4) 56(84) bytes of data.
From _gateway (192.168.120.1) icmp_seq=1 Packet filtered

It works for TCP:

telnet www.google.com 80
Trying 172.217.20.4...
Trying 2a00:1450:400d:805::2004...
telnet: Unable to connect to remote host: Cannot assign requested address

But it does not work for UDP:

nc -z -v -u time1.google.com 123
Connection to time1.google.com 123 port [udp/ntp] succeeded!

Any help appreciated!
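UDP has no handshake, so a probe can only learn the outcome of a send from two signals: an application-layer reply, or an ICMP error delivered by the local kernel. A zero-I/O netcat UDP scan reports "succeeded" whenever neither arrives within its wait, which does not by itself show that the packet got through. The script below is an added example, not part of the question and not RouterOS code: it sends one SNTP request over a connected UDP socket and distinguishes three outcomes, "reply" (the filter did not stop it), "blocked" (an ICMP reject came back) and "timeout" (no evidence either way). It assumes Linux errno semantics, where an ICMP type 3 code 13 "administratively prohibited" (what reject-with=icmp-admin-prohibited emits) surfaces on a connected UDP socket as EHOSTUNREACH and a port-unreachable as ECONNREFUSED; the sample NTP reply used for self-checking is constructed.

```python
import errno
import socket
import struct
import sys

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800

# Assumption (Linux): the kernel reports ICMP "administratively prohibited"
# (type 3, code 13) on a connected UDP socket as EHOSTUNREACH.
ICMP_ADMIN_PROHIBITED_ERRNO = errno.EHOSTUNREACH


def build_ntp_request():
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 packs to 0x23."""
    return bytes([0x23]) + bytes(47)


def parse_ntp_reply(data):
    """Pull out the fields that matter for a reachability check."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first, stratum = data[0], data[1]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": stratum,
        "transmit_unix": tx_sec - NTP_UNIX_DELTA + tx_frac / 2**32,
    }


def classify_error(err):
    """Map the errno raised after the kernel delivered an ICMP error for our datagram."""
    if err == ICMP_ADMIN_PROHIBITED_ERRNO:
        return "blocked"        # ICMP admin-prohibited / host-unreachable style reject
    if err == errno.ECONNREFUSED:
        return "port-closed"    # ICMP port-unreachable: host reached, nothing listening
    return "error"              # DNS failure, routing error, etc.


def probe_ntp(host, port=123, timeout=2.0):
    """Send one NTP request and return (verdict, parsed_reply_or_None).

    'reply'   -> the datagram and its answer both passed the filter
    'blocked' -> an ICMP reject was returned for the datagram
    'timeout' -> nothing came back: silent drop, or a lost reply
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        # A connected UDP socket is what makes the kernel hand ICMP errors
        # back to us as an exception instead of silently discarding them.
        s.connect((host, port))
        s.send(build_ntp_request())
        data = s.recv(512)
        return "reply", parse_ntp_reply(data)
    except socket.timeout:
        return "timeout", None
    except OSError as e:
        return classify_error(e.errno), None
    finally:
        s.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "time1.google.com"
    verdict, info = probe_ntp(target)
    print(verdict, info or "")
```

Run it from a host on the isolated VLAN; a "blocked" verdict confirms the reject rule acted on UDP, a "reply" confirms it did not, and a "timeout" only says the packet was dropped somewhere or the answer never came back, so it should not be read as either.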