Admin port on RB1100?

I have an RB1100 with a few ranges set up, and my problem is that I want to create a port I can plug into that can access all the other ports and ranges.

This is what I have
Eth1 10.10.1.x
Eth2 10.10.2.x
Eth3 10.10.3.x

Eth4=net out
Eth5 is what I would like to use to get into all the other ranges.

Everything is routed out eth4.

Any ideas?

Is this just firewall rules? If so, what do I need? Ultimately I want to be able to log in to equipment on all ranges.

Thanks in advance.

Just add a private IP address to the Eth5 interface (e.g. 192.168.1.1/24).
It's a router, so other subnets are reachable by default, unless you block them explicitly in firewall rules.

HTH,
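One way to wire up the admin port this reply describes, as an added example that is not from the thread or from MikroTik. It assumes the admin port is ether5 with 192.168.1.1/24 as suggested above, that the three ranges sit on ether1 to ether3 with the router as their gateway, and that the forward chain has no final drop (RouterOS accepts by default); the list names admin_net and lan_nets are made up here. The explicit accept is only needed once you start adding drops; the reverse-direction drop is the least-privilege part, so the other ranges cannot open connections back into the admin network.

```routeros
# Added example, not part of the original thread. Interface and list names are assumptions.
/ip address
add address=192.168.1.1/24 interface=ether5 comment="admin network"

# Address lists keep the filter rules readable and easy to extend with a fourth range.
/ip firewall address-list
add list=admin_net address=192.168.1.0/24
add list=lan_nets address=10.10.1.0/24
add list=lan_nets address=10.10.2.0/24
add list=lan_nets address=10.10.3.0/24

/ip firewall filter
# Admin hosts may open connections to every range. Rules append to the end of the
# chain; if the chain already has drops or per-protocol jumps that could match admin
# traffic, move this rule above them in Winbox or with /ip firewall filter move.
add chain=forward action=accept src-address-list=admin_net dst-address-list=lan_nets \
    comment="admin port reaches every range"
# The other ranges may answer (established/related is accepted earlier in the chain)
# but may not start new connections into the admin network.
add chain=forward action=drop connection-state=new src-address-list=lan_nets \
    dst-address-list=admin_net comment="no new connections into admin net"

# Check: counters on the two rules should move while you connect from an admin host.
/ip firewall filter print stats where chain=forward
```

Hosts on the admin port need 192.168.1.1 as their default gateway, otherwise nothing is forwarded regardless of the filter.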

So in theory I should be able to access 10.10.0.x from 10.10.1.x? Because I can't =(

How about access via MAC address? Can you?

So in theory I should be able to access 10.10.0.x from 10.10.1.x? Because I can't =(

Maybe firewall on your PC blocks traffic?

HTH,

Nah, it's not a computer firewall. Hmmm. Everything is mangled by prerouting rules, so is there a way to make an exception via port or IP?

Mangle doesn't block traffic.

Also, it would be helpful if you posted your configuration; people guessing probably isn't going to help much.

Here is my firewall:

/ip firewall filter
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no protocol=tcp
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=drop chain=forward disabled=yes src-address=0.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=0.0.0.0/8
add action=drop chain=forward disabled=yes src-address=127.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=127.0.0.0/8
add action=drop chain=forward disabled=yes src-address=224.0.0.0/3
add action=drop chain=forward disabled=yes dst-address=224.0.0.0/3
add action=jump chain=forward disabled=no jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOrifice" disabled=no dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOrifice" disabled=no dst-port=3133 protocol=udp
add action=accept chain=icmp comment="echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" disabled=no icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
add action=drop chain=input comment="drop ftp brute forcers" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=no protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no new-routing-mark=Oout5 passthrough=no src-address=10.10.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether5-Gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Now it seems like when I add another 10.10.x.x range such as 10.10.1.x, I cannot access the 10.10.0.0 side from the 10.10.1.1 side. Is there something I can do to make that work?

How are you testing between the networks?

You also have a mangle rule that sets a routing mark for all traffic sourced from 10.10.0.0/24. That could affect return traffic.
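How that mark-routing rule breaks traffic between the ranges, and one way to exclude local traffic from it, as an added example that is not from the thread or from MikroTik. The posted rule puts every packet sourced from 10.10.0.0/24 into routing table Oout5, including replies to 10.10.1.x; the example assumes, as is usual for such a mark, that Oout5 holds only a default route via the WAN, so those replies never consult the connected route for 10.10.1.0/24 in the main table and leave through ether5-Gateway instead, where they are masqueraded. The admin range 192.168.1.0/24 from the earlier reply is included under the same assumption; local_nets is a made-up list name.

```routeros
# Added example, not part of the original thread. List name and the 192.168.1.0/24
# admin range are assumptions taken from the earlier reply.
/ip firewall address-list
add list=local_nets address=10.10.0.0/24
add list=local_nets address=10.10.1.0/24
add list=local_nets address=10.10.2.0/24
add list=local_nets address=10.10.3.0/24
add list=local_nets address=192.168.1.0/24

/ip firewall mangle
# In mangle, action=accept ends rule processing for the packet without setting a mark,
# so traffic to any local range stays in the main table. It must sit above the
# existing mark-routing rule, hence place-before.
add chain=prerouting action=accept dst-address-list=local_nets \
    comment="do not policy-route traffic between local ranges" \
    place-before=[find new-routing-mark=Oout5]

# Equivalent alternative: keep a single rule and narrow its match instead.
# /ip firewall mangle set [find new-routing-mark=Oout5] dst-address-list=!local_nets

# Checks: the Oout5 table should show what the marked packets were actually using,
# and the new accept rule's counters should rise while you test between ranges.
/ip route print where routing-mark=Oout5
/ip firewall mangle print stats
```

Nothing in the posted forward chain drops traffic between the ranges (it ends without a final drop), which is why the routing mark, not the filter, is the first thing to rule out here. When testing, ping from a host in 10.10.1.0/24 to one in 10.10.0.0/24 and run `/tool torch` or `/ip firewall connection print` on the router to confirm the reply path.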