I have the following subnets in my network:

Net4: 192.168.4.0/23
Net10: 192.168.10.0/23
Net15: 192.168.15.0/24
Net25: 192.168.25.0/24
Net30: 192.168.30.0/24

and I have a device in Net10 which I want to be visible only to Net10 and Net4.

I have created a Firewall rule which works, but it gives access also from these subnets 192.168.0.x, 192.168.1.x , 192.168.2.x as well



Is it possible to share the device only to 192.168.4.0/23 and 192.168.10.0/23 with another way?

I have created a Firewall rule which works, but it gives access also from these subnets 192.168.0.x, 192.168.1.x , 192.168.2.x as well

Is it possible to give access only to 192.168.4.0/23 and 192.168.10.0/23 with another way?

You'll have to use two rules, each targeting individual subnet. Problem with 192.168.0.0/21 is that it covers wide range of addresses and if you want to only cover some exact ranges, then you can't do it with single wide range.

BTW, I doubt that your post is entirely accurate. 192.168.0.0/21 ranges from 192.168.0.0 to 192.168.7.255, so it doesn't cover Net10 (192.168.10.0/23 which ranges 192.168.10.0-192.168.11.255) and thus this rule doesn't affect connectivity between Net10 and your device.

What about making address list MY3SUBNETS with all 3 subnets and creating rule that uses MY3SUBNETS for src or dst ?

What about making address list MY3SUBNETS with all 3 subnets and creating rule that uses MY3SUBNETS for src or dst ?

Great, could you explain how I could do this

edit: In Firewall / Address list I create 2 new records with the same name and each should have the subnet? Is this the way?

Three key screens from WinBox should enlighten You where to tinker

In Firewall / Address list I create 2 new records with the same name and each should have the subnet? Is this the way?

Yes, enter address with subnet mask, e.g. "192.168.4.0/23"

Thanks a lot for your replies!
I created an address list and I used it in the rule and it worked!

Just for your edification. General rules of thumb.

1. To firewall a single address use: src-address or dst-address

2. To firewall a single subnet use: src-address=subnet or dst-address=subnet ( where subnet example looks like 192.168.88.0/24 )

3. For two or more subnets use: INTERFACE LISTS.
Exception: The management subnet ( base or management vlan typically ), is one case where for a single subnet we create an interface list. The reason being is that we are likely to need it in an interface list to apply to a. neighbours discovery, b. firewall rules c. interface ilst member d. winbox macserver. We can also add other interfaces to the management interface such as an off bridge port.

4. USE OF FIREWALL ADDRESS LISTs.

a. When one wants to capture REMOTE addresses or SUBNETS for firewall purposes. ( Interface lists are typically used ONLY for local interfaces )

b. Whenever you have a bunch of users, less than a full subnet that need to be identified for firewall rules.

c. Whenever you have a bunch of users from different subnets that need to be identified for firewall rules.

d. Anytime, you have a single user, or some users as described in b, c, AND whole Subnet(s), that need to be identified together for firewall rules.

+++++++++++++++++++++++++++++++++++++++

CAVEAT: On some rules in RoS, interface lists are NOT an option and one must use firewall address lists to identify users.

++++++++++++++++++++++++++++++++++++++++