-4

I have an Ubuntu installation under VMware. I would like to set up our Mikrotik router to block this Ubuntu from accessing the local LAN. I would like to allow access only to the external internet.

I tried a lot of firewall rules, but none of them worked. How can I achieve this?

halfer
holian

1 Answer

2

If you have Ubuntu in a VMware VM, and it's connected via bridged networking, it will by nature of IPv4 be able to reach everything in the same subnet/layer 2 domain without going to the router. What happens is the VM's IP stack will send an ARP request - ARP WHO HAS to the broadcast address in the same subnet. The requested destination host will reply with its MAC address and the two hosts communicate directly without the router.

What you could do, on Mikrotik, is create another IPv4 address in another subnet (e.g. 192.168.2.1/24 if 192.168.1.1/24 is your main) and set up a static DHCP lease for your Ubuntu VM's MAC so it gets the address 192.168.2.50/24 and uses 192.168.2.1 for its default gateway. Then you can set firewall rules in Mikrotik to block traffic between 192.168.2.1 and 192.168.1.1 - HOWEVER PLEASE NOTE THIS DOES NOT ACTUALLY PREVENT A COMPETENT ATTACKER WITH ROOT ACCESS ON THE LINUX VM FROM ACCESSING YOUR LAN -

To properly do this, you'd actually need a separate VLAN or a Mikrotik/Linux VM connected to both private network and LAN network acting as the firewall between. I don't think this is something I could explain over StackOverflow though...

Also - this answer is getting downvoted since it's off topic since it relates to general computing and not programming. There is another similar forum called Super User which would be more appropriate for this kind of question.

Jayme Snyder
  • It's really refreshing to read answers like this. Thank you. I try to find a network/tik guru here who can solve this as your suggestio – holian Jun 28 '18 at 06:17
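
The forwarding behaviour described in the answer, as an added example that is not part of the original answer: a small Python model of whether a packet from the VM is delivered directly on layer 2 or passes through the router, where a filter rule can act on it. The rule list, the default-accept policy and the host addresses 192.168.1.50, 192.168.1.10 and 203.0.113.10 are constructed assumptions; the two subnets and 192.168.2.50 are the ones used in the answer.

```python
import ipaddress

# Constructed model of the router's forward chain: first match wins.
# (source network, destination network, action)
RULES = [
    ("192.168.2.0/24", "192.168.1.0/24", "drop"),   # VM subnet -> main LAN
    ("192.168.2.0/24", "0.0.0.0/0", "accept"),      # VM subnet -> everything else
]


def is_on_link(host_iface, dst):
    """True if dst lies in the host's own subnet, so the host resolves it
    with ARP and sends the frame directly, without using its gateway."""
    iface = ipaddress.ip_interface(host_iface)
    return ipaddress.ip_address(dst) in iface.network


def router_verdict(src, dst, rules):
    """Evaluate the filter rules for a packet that reaches the router."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "accept"  # assumed default policy when no rule matches


def trace(host_iface, dst, rules=RULES):
    """Return (path, verdict). For on-link traffic the verdict is None
    because the router never sees the packet and no rule is evaluated."""
    if is_on_link(host_iface, dst):
        return ("direct", None)
    src = str(ipaddress.ip_interface(host_iface).ip)
    return ("routed", router_verdict(src, dst, rules))


if __name__ == "__main__":
    cases = [
        ("192.168.1.50/24", "192.168.1.10"),   # bridged VM in the main subnet
        ("192.168.2.50/24", "192.168.1.10"),   # VM moved to its own subnet
        ("192.168.2.50/24", "203.0.113.10"),   # VM to an internet host
    ]
    for iface, dst in cases:
        print(iface, "->", dst, trace(iface, dst))
```

The first case shows why rules written for a VM that shares the main subnet have no effect: the path is `direct`, so the router's filter is never consulted.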