Add a simple Firewall for routed clients

muelli · June 28, 2022, 11:25am

Hello forum,

obviously I am too stupid to set up one of my RB as a simple firewall.
RB_1 and RB_2 are setup as a wireless bridge, RB_1 serves as a dhcp server that provides IPs to clients on the side of RB_2.
Clients connected to RB_2 can access the Internet, everything works.

Now I need to limit access to the internet. Only clients with a certain IP on the RB_2 side should be allowed to access the internet, but I somehow cannot manage to enable the firewall on RB_1 to do this.
Tried several rules and chains, no success. Everything is allowed through.

Can someone give me a hint on how to do this in winbox?

Current config of RB_1 is attached!

Thanks!
RB_1.txt (1.49 KB)

holvoetn · June 28, 2022, 1:36pm

In the context of “give a man a fish and he can eat for a day, teach a man to fish and he can eat life long”

What you’re looking for is forward rules.

create rule to drop all forward from that complete IP subnet of RB_2 (yes, drop, it’s the easiest “catch all” in my view)
add rules BEFORE this rule to allow the specific IPs you want to … allow. (better, use address list to have all the allowed IPs in it)

May I suggest some other things:

start with the default firewall if this RB_1 device is facing internet !!
Currently you have nothing.
upgrade to latest long term version. 6.32 is 7 years old !! What device are you running this on ?

muelli · June 28, 2022, 3:50pm

Thanks for your input!
I use the RB532A, which is mipsle and the routerOS I use is the latest supported version for that CPU architecture, sadly.
And the RB_1 is connected to another router, so no problem if the firewall is currently empty.

About the problem I am facing:
Thought something was wrong with conflicting subnets, so I changed everything from 192.168.1.0/24 to 192.168.119.0/24… but the problem still persists.

I already tried to add a DROP rule in the forward chain for 192.168.119.0/24 :
/ip firewall filter
add action=drop chain=forward src-address=192.168.119.0/24

I can still connect/ping the internet from the clients behind RB_2… Does the rule have to be activated somehow?

holvoetn · June 28, 2022, 7:44pm

Ok, understood on device and version.

How sure are you rb2 and clients are passing via rb1 to get out ?
Is it through ip settings ( gateway) or physical cable or … ?
Because that drop rule should really drop all forward communication for that subnet.

Can you provide current config export as well ?

muelli · June 29, 2022, 6:22am

Clients on RB_2 HAVE to get out via RB_1, because there is only the wireless bridge that connects RB_2 to RB_1.
So I do not see how the Clients on RB_2 side could get around RB_1 to get out…

However thinking about your question… THe DHCP server on RB_1 is dishing out the router behind RB_1 (192.168.119.100) as gateway for clients.
Tried a little test, change the default gw on one client to the IP of RB_1 and pinged the web:

pi@raspberrypi:~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8. 56(84) bytes of data.
From 192.168.119.101: icmp_seq=1 Redirect Host(New nexthop: 192.168.119.100)
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=14.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=13.2 ms

Seems RB_1 wants the clients to go via 192.168.119.100 no matter what. But I have a feeling that could be the problem?

Config for RB_2 is attached!
Thanks…
RB_2.txt (1.8 KB)

holvoetn · June 29, 2022, 6:27am

Did you on the client also renew DHCP lease ?
Or delete lease on RB1, it will renew as well then.

Otherwise it might take some time before the new settings are in effect.

But it still doesn’t explain why that drop rule is not working.
I was referring to config of RB1, with the latest change you did on subnet etc.

muelli · June 29, 2022, 6:52am

No I just deleted the default GW and added a new one. I tested with lease delete, same result.

RB_1 config attached!
RB_1.txt (1.58 KB)

holvoetn · June 29, 2022, 7:31am

Just checking, clients behind rb2 are effectively getting a lease from rb1 in 119.0/24 range ?

muelli · June 29, 2022, 7:39am

yes, I can see the leases and they match their actual IPs / GWs

2frogs · June 29, 2022, 1:18pm

You have R1 setup as a bridge. Your clients behind R2 are getting DHCP from R1 by chance. And with gateway of other Router, your clients are going out it directly.

holvoetn · June 29, 2022, 1:38pm

Makes sense.

Best to decouple things.
Ethernet away from bridge, same subnet as router.
Ip address on bridge different subnet.
Dhcp server on bridge.
Gateway on dhcp same ip as bridge ip.
Firewall rule to be adjusted to new subnet if needed.

It has to work.

muelli · June 30, 2022, 5:28am

Hmm, if I understand this correctly, yoou mean the clients use a layer below the OSI layer on RB_1 that the firewall uses?
Thinking about it, the firewall on RB_1 must use layer 4 and the clients get past it as the are going by in layer 3?

Not sure if I understood this correct.
Should I give the clients behind RB_2 a new subnet and RB_1 as default GW?

2frogs · June 30, 2022, 10:41am

From your provided R1 export:

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1

Add an IP address for ether1 from the 192.168.1.0/24 of your other Router and remove ether1 bridge port entry. You will also need a route on your other Router for 192.168.119.0/24 with gateway of R1>ether1 IP address. To also further separate the networks, change R1>dhcp server network gateway entry to the R1> bridge IP address. And add route with gateway of other Router IP address.