I have a public (192.168.20.0/24) and private (192.168.10.0/24) network on a rb493. To keep the public off the private network I wrote a rule to drop traffic from the public to the private. That rule works but it also blocks traffic from the private network to the public. I have two access points on the public side that I would like to be able to manage from the private side. Here are the firewall rules that I have.
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop src-address=192.168.10.0/24
dst-address=192.168.20.0/24
1 ;;; Accept established connections
chain=input action=accept connection-state=established
2 ;;; Accept related connections
chain=input action=accept connection-state=related
3 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid
4 ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=50/5s,2
5 ;;; Drop excess pings
chain=input action=drop protocol=icmp
6 ;;; allow access to router from the 10 vlan
chain=input action=accept src-address=192.168.10.0/24
in-interface=!ether3
7 ;;; allow access to the router from the 15 management vlan
chain=input action=accept src-address=192.168.15.0/24
in-interface=!ether2
8 ;;; Drop items from invalid ip address
chain=forward action=drop src-address=0.0.0.0/8
9 chain=forward action=drop dst-address=0.0.0.0/8
10 chain=forward action=drop src-address=127.0.0.0/8
11 chain=forward action=drop dst-address=127.0.0.0/8
12 chain=forward action=drop src-address=224.0.0.0/3
13 chain=forward action=drop dst-address=224.0.0.0/3
14 ;;; Log everything else
chain=input action=log log-prefix="DROP INPUT"
15 ;;; Drop everything else
chain=input action=drop
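An added example (not from the original post) of why rule 0 behaves this way and how a stateful forward chain avoids it: a forward rule that matches only on addresses has no idea who opened the connection, so it drops replies as well as new sessions in that direction. The addresses are the ones in the post; the comments and the rule order are my assumptions, and these rules belong at the top of the forward chain ahead of the existing forward drops.

```routeros
# Before: the stateless rule from the post. Every packet travelling
# 192.168.10.0/24 -> 192.168.20.0/24 is dropped, whether it is a new
# session started on the private side or the reply half of a session
# started on the public side. Management sessions from the private side
# therefore never get off the ground.
/ip firewall filter
add chain=forward action=drop src-address=192.168.10.0/24 dst-address=192.168.20.0/24

# After: match on connection state first, then restrict only *new*
# connections that originate on the public network. Sessions opened from
# the private side (e.g. to manage the access points) are accepted by the
# first rule on the way back, because their replies are "established".
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="forward: accept established/related"
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"
add chain=forward action=drop connection-state=new src-address=192.168.20.0/24 dst-address=192.168.10.0/24 comment="forward: public (20) may not open connections to private (10)"
```

If the rules are added to an existing list, use `place-before=0` on each add so they sit above the current forward drops; the order (accept established/related, drop invalid, drop new from public) must be preserved.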