insyne
just joined
Topic Author
Posts: 11
Joined: Wed Mar 14, 2012 10:38 pm

Firewall rule to separate networks

Wed Jun 27, 2012 9:50 pm

I have a public (192.168.20.0/24) and private (192.168.10.0/24) network on a rb493. To keep the public off the private network I wrote a rule to drop traffic from the public to the private. That rule works but it also blocks traffic from the private network to the public. I have two access points on the public side that I would like to be able to manage from the private side. Here are the firewall rules that I have.


Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop src-address=192.168.10.0/24
dst-address=192.168.20.0/24

1 ;;; Accept established connections
chain=input action=accept connection-state=established

2 ;;; Accept related connections
chain=input action=accept connection-state=related

3 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid

4 ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=50/5s,2

5 ;;; Drop excess pings
chain=input action=drop protocol=icmp

6 ;;; allow access to router from the 10 vlan
chain=input action=accept src-address=192.168.10.0/24
in-interface=!ether3

7 ;;; allow access to the router from the 15 management vlan
chain=input action=accept src-address=192.168.15.0/24
in-interface=!ether2

8 ;;; Drop items from invalid ip address
chain=forward action=drop src-address=0.0.0.0/8

9 chain=forward action=drop dst-address=0.0.0.0/8

10 chain=forward action=drop src-address=127.0.0.0/8

11 chain=forward action=drop dst-address=127.0.0.0/8

12 chain=forward action=drop src-address=224.0.0.0/3

13 chain=forward action=drop dst-address=224.0.0.0/3

14 ;;; Log everything else
chain=input action=log log-prefix="DROP INPUT"

15 ;;; Drop everything else
chain=input action=drop
 
Dobby
Member
Posts: 399
Joined: Wed Jan 11, 2012 12:07 am
Location: Hogwarts

Re: Firewall rule to separate networks

Thu Jun 28, 2012 7:43 pm

Deleted because not related.
Last edited by Dobby on Mon Mar 11, 2013 3:37 am, edited 1 time in total.
 
lordkappa
Member Candidate
Posts: 133
Joined: Wed May 16, 2012 1:53 pm
Location: Vancouver, Canada

Re: Firewall rule to separate networks

Fri Jun 29, 2012 4:39 am

I think insyne just wanted to block public addresses from entering his router from the outside; not set up VLANs.

Looks like your problem is that your first firewall rule is not set up correctly. You seem to have transposed the src and dst IPs.
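As an added illustration (not a configuration posted in this thread), the forward-chain rules below keep the public side (192.168.20.0/24) from opening connections into the private side (192.168.10.0/24) while still letting the private side manage devices on the public side; it assumes the two subnets from the first post and leaves interface names out because the thread does not give them.

```routeros
# Added example, not from the thread. Assumes private LAN 192.168.10.0/24
# and public LAN 192.168.20.0/24 as described in the first post.
/ip firewall filter
# Replies to connections that were already allowed to start pass through,
# so a session opened from the private side gets its return traffic.
add chain=forward action=accept connection-state=established,related \
    comment="forward: accept established/related"
# Packets that connection tracking cannot associate with any session.
add chain=forward action=drop connection-state=invalid \
    comment="forward: drop invalid"
# Only NEW connections started on the public side toward the private side
# are dropped; the private->public direction never matches this rule, and
# its replies are covered by the established/related rule above.
add chain=forward action=drop connection-state=new \
    src-address=192.168.20.0/24 dst-address=192.168.10.0/24 \
    comment="forward: public may not initiate to private"
# Confirm the order: rules are evaluated top-down, so these must sit above
# any broader forward drop.
/ip firewall filter print where chain=forward
```

Since `add` appends to the end of the chain, move these rules above any existing forward-chain drops (or add them with `place-before=`) before testing from the private side.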
 
insyne
just joined
Topic Author
Posts: 11
Joined: Wed Mar 14, 2012 10:38 pm

Re: Firewall rule to separate networks

Mon Jul 09, 2012 10:13 am

I originally had the src and dst switched but it didn't block anything. I was also having some other weird issues. I restored the router and reprogrammed it. Now the firewall rule is working as it should.
