Firewall rule on MikroTik router?

se
3

I have a Raspberry Pi standing around as a web server. Now, if the server is hacked, I want it to be impossible to reach the other devices on our network from it.

Our network looks something like this:

                        WIRELESS INTERNET ACCESS
DSL → Fritz! Box ---------------> cell phones, laptops, etc.
           |
         Switch → MikroTik router → Raspberry Pi
           |
         Desktop PCs, NAS, etc.

I have set a firewall rule in the MikroTik router that drops everything that comes from the RasPi and goes to 192.168.178.0/24. The RasPi has the IP address 192.168.178.14.

If I log into the RasPi with SSH, I can do that normally. Even if I ping something from the RasPi in our network, it works.

Is that because the RasPi is on the same subnet as everyone else?

Or did I mess up something in the firewall rule configuration?

Pi

Is that because the RasPi is on the same subnet as everyone else?

Yes. Your requests never go through the gateway, so nothing is blocked.

What you are looking for is a DMZ: a dedicated network that contains only the Raspi, so that requests to the other devices necessarily have to go through the gateway.
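To make the reasoning in this answer concrete, here is an added simulation (not code from the thread) of the two decisions involved: the sending host's choice between direct delivery and the gateway, and the router's forward chain, which only ever sees routed packets. The questioner's LAN 192.168.178.0/24 and Pi address 192.168.178.14 come from the question; the DMZ subnet 192.168.50.0/24 and the Pi's address in it are assumed values.

```python
"""Why a forward-chain drop on the gateway never sees same-subnet traffic.

Added example: models a host's routing decision and a first-match forward
chain (RouterOS accepts a packet that matches no rule) with ipaddress only.
"""
import ipaddress

# Constructed scenario values: LAN and Pi address from the question,
# DMZ subnet and the Pi's DMZ address are assumptions for illustration.
LAN = ipaddress.ip_network("192.168.178.0/24")
DMZ = ipaddress.ip_network("192.168.50.0/24")
PI_IN_LAN = "192.168.178.14/24"
PI_IN_DMZ = "192.168.50.14/24"


def next_hop(src_iface: str, dst: str) -> str:
    """Host routing decision: on-link destination -> 'direct', otherwise -> 'gateway'."""
    iface = ipaddress.ip_interface(src_iface)
    return "direct" if ipaddress.ip_address(dst) in iface.network else "gateway"


def pi_rules(pi_ip: str) -> list:
    """The questioner's rule: drop everything from the Pi to 192.168.178.0/24."""
    return [{"src": f"{pi_ip}/32", "dst": str(LAN), "action": "drop"}]


def forward_chain(src: str, dst: str, rules: list) -> str:
    """First-match evaluation of a forward chain; unmatched packets are accepted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in ipaddress.ip_network(rule["src"]) and d in ipaddress.ip_network(rule["dst"]):
            return rule["action"]
    return "accept"


def reaches(src_iface: str, dst: str) -> bool:
    """Does a packet from the Pi arrive at dst, given the router's drop rule?"""
    pi_ip = str(ipaddress.ip_interface(src_iface).ip)
    if next_hop(src_iface, dst) == "direct":
        # Delivered via ARP on the shared segment; the router's filter never runs.
        return True
    return forward_chain(pi_ip, dst, pi_rules(pi_ip)) == "accept"


if __name__ == "__main__":
    for iface, dst in [(PI_IN_LAN, "192.168.178.20"), (PI_IN_DMZ, "192.168.178.20"), (PI_IN_DMZ, "203.0.113.7")]:
        print(f"{iface} -> {dst}: via {next_hop(iface, dst)}, reaches={reaches(iface, dst)}")
```

Running it shows the questioner's situation (Pi in the LAN, ping still works because delivery is direct), the DMZ case (same rule, now enforced because the packet is routed), and that a DMZ Pi can still reach an outside address (constructed 203.0.113.7) because nothing drops it.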

se

How would I implement this in the configuration?

Pi

Either you open a new subnet on the Mikrotik and route everything else to the Fritzbox, or you move all the subnets onto the Mikrotik and only let the Fritzbox do the Internet.

The packet filter rules then stay the same as you built them.
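As an added illustration of the first option (not configuration from the thread or from MikroTik), the following RouterOS CLI snippet puts the Pi alone on a new subnet behind the Mikrotik and sends everything else toward the Fritzbox. All interface names and addresses are assumptions: ether1 faces the Fritz!Box LAN 192.168.178.0/24 (Fritz!Box at 192.168.178.1, Mikrotik at 192.168.178.2), ether2 is the Pi-only DMZ 192.168.50.0/24 with the Pi at 192.168.50.14.

```routeros
# Assumed addressing: ether1 = uplink into the Fritz!Box LAN, ether2 = DMZ port for the Pi only
/ip address
add address=192.168.178.2/24 interface=ether1 comment="uplink to Fritz!Box LAN"
add address=192.168.50.1/24 interface=ether2 comment="DMZ, Pi is the only host"

# Everything that is not the DMZ goes to the Fritz!Box (assumed at 192.168.178.1)
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.178.1 comment="Internet via Fritz!Box"

# Forward chain: the DMZ may answer and reach the Internet, but never the home LAN
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies to allowed flows"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2 dst-address=192.168.178.0/24 action=drop comment="DMZ -> home LAN blocked"
add chain=forward in-interface=ether2 action=accept comment="DMZ -> Internet"
add chain=forward in-interface=ether1 dst-address=192.168.50.14 protocol=tcp dst-port=22,80,443 action=accept comment="LAN -> Pi, web and ssh only"
add chain=forward action=drop comment="everything else"

# Input chain: the Pi must not manage the router either
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether2 action=drop comment="DMZ may not talk to the router itself"

# NAT: the Fritz!Box knows nothing about 192.168.50.0/24, so hide the DMZ behind 192.168.178.2
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="DMZ egress via the router's LAN address"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.50.14 comment="web traffic arriving at 192.168.178.2 goes to the Pi"
```

With the masquerade in place, a Fritz!Box port forward for the web server points at the Mikrotik's LAN address 192.168.178.2, and the dstnat rule hands it on to the Pi; alternatively, add a static route for 192.168.50.0/24 via 192.168.178.2 on the Fritz!Box and drop the NAT rules. Rule order matters: the established/related accept must come first so replies to allowed connections pass, and the DMZ-to-LAN drop must precede the DMZ-to-Internet accept.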