Although it will do the trick, it's not the most efficient manner, as each packet needs to be processed, and the source system is none the wiser and WILL keep on retrying.
Through routing notice, the source is advised that the network is not reachable. Also the user has immediate feedback, and is not kept waiting.
This can be done through the firewall too, but with "action=reject reject-with=icmp-network-unreachable".
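As an added illustration (not part of the post above), here are the three variants side by side in RouterOS v6 syntax. The interface name bridge_A, the prefixes 10.10.0.0/16 and 10.20.0.0/24, and the v6 route type keyword are assumptions, not taken from the thread; pick one of the two filter rules, not both.

```routeros
# Added example, not from the original post. RouterOS v6 syntax; bridge_A and
# the 10.10.0.0/16 and 10.20.0.0/24 prefixes are assumed.

# Variant 1: answer from routing, no firewall involved. Anything routed towards
# 10.10.0.0/16 that matches no more specific route is answered with ICMP
# network unreachable, so the sender gives up immediately.
/ip route
add dst-address=10.10.0.0/16 type=unreachable comment="tell senders this block does not exist"

# Variant 2: same feedback from the filter, for traffic that does have a route
# but must be refused. reject-with selects the ICMP code the sender receives.
/ip firewall filter
add chain=forward in-interface=bridge_A dst-address=10.20.0.0/24 \
    action=reject reject-with=icmp-network-unreachable comment="refuse with feedback"

# Variant 3: silent drop. Works, but every retry still traverses the firewall
# and the client waits for its own timeout before giving up.
/ip firewall filter
add chain=forward in-interface=bridge_A dst-address=10.20.0.0/24 \
    action=drop comment="silent, sender keeps retrying"

# Check: with variant 1 or 2 a ping from bridge_A to the refused prefix returns
# "Destination net unreachable" at once; with variant 3 it times out.
```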
Can I ask for advice on the best way to isolate four bridges on an RB750:
Port1 + 2 = bridge_A
Port1 + 3 = Bridge_B
Port1 + 4 = Bridge_C
Port1 + 5 = Bridge_D
If you really need ports 2 to 4 to forward traffic at L2 layer to/from port 1 but not to each other, search for “bridge horizon” which allows exactly this on a single bridge. Some switch chips can do this in hardware, check the switch type used in your RB model.
If you need routing between devices connected to port 2 and the internet uplink connected to port 1, it makes more sense to attach one IP subnet to each of the ports 2..4 and follow the approach mentioned earlier in this thread.
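Added example of the bridge horizon approach mentioned above (not configuration from the thread). It assumes RouterOS v6.41 or later on an RB750, with ether1 as the uplink port and ether2..ether5 as the ports that must not see each other; the bridge name is made up.

```routeros
# Added example, not from the original reply. RouterOS v6.41+ syntax; assumes
# ether1 is the uplink and ether2..ether5 must be isolated from each other.
# Ports that carry the same horizon value never forward frames to one another;
# ether1 has no horizon, so every port may still talk to it at L2.
/interface bridge
add name=bridge1 comment="one bridge, split-horizon on the client ports"
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 horizon=1
add bridge=bridge1 interface=ether3 horizon=1
add bridge=bridge1 interface=ether4 horizon=1
add bridge=bridge1 interface=ether5 horizon=1

# Checks:
# 1. a host on ether2 can reach the gateway on ether1 but not a host on ether3
#    (ping the other host's address directly; ARP never gets through).
# 2. see whether the switch chip still offloads the ports: the H flag in
#    "/interface bridge port print" means hardware, no H means the CPU forwards.
/interface bridge port print
```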
I created individual VLANs for each port and then added them in bridge/port,
so for bridge 2 it has vlanport1 + vlanport2, bridge 3 has vlanport1 + vlanport3 …
In that case the traffic is separated at L2 layer by running on individual bridges; to prevent routing between IP subnets which use those bridges, the firewall rules or vrf as suggested above can be used.
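For the VRF route mentioned above, here is an added example (not from the reply itself) for two of the four bridges in RouterOS v6 syntax. The bridge names bridge_B and bridge_C, the subnets 10.0.2.0/24 and 10.0.3.0/24, and the WAN gateway 203.0.113.1 are assumed; the two "leak back" routes use the v6 leak syntax as I understand it and should be verified on your version.

```routeros
# Added example, not part of the original reply. RouterOS v6 syntax; bridge
# names, subnets and the WAN gateway 203.0.113.1 are assumptions.

# One IP subnet per bridge, as suggested earlier in the thread
/ip address
add address=10.0.2.1/24 interface=bridge_B
add address=10.0.3.1/24 interface=bridge_C

# One VRF per bridge. Each bridge gets its own routing table that holds only
# its own connected route, so a packet from bridge_B has no route whatsoever
# to 10.0.3.0/24 and the router cannot forward it, filter rules or not.
/ip route vrf
add routing-mark=vrf_B interfaces=bridge_B
add routing-mark=vrf_C interfaces=bridge_C

# Internet access has to be leaked in deliberately: a default route inside
# each VRF whose next hop is resolved in the main table.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1@main routing-mark=vrf_B
add dst-address=0.0.0.0/0 gateway=203.0.113.1@main routing-mark=vrf_C
# Replies from the internet are looked up in the main table, which does not
# know the VRF subnets; leak them back (assumed syntax, verify on your build).
add dst-address=10.0.2.0/24 gateway=bridge_B@vrf_B
add dst-address=10.0.3.0/24 gateway=bridge_C@vrf_C

# Check: the table for bridge_B must list 10.0.2.0/24 and the default route,
# and nothing for 10.0.3.0/24.
/ip route print where routing-mark=vrf_B
```

The price compared with a plain firewall is bookkeeping: one VRF and two leaked routes per bridge, and every extra subnet you want reachable from a bridge needs its own leaked route. The gain is that isolation does not depend on the order of filter rules.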
As I am a newbie, could I ask: for the four bridges, do I need to create 4 routing marks on four interfaces? Example:
(1) interfaces=vlanport2 routing-mark=port2
(2) interfaces=vlanport3 routing-mark=port3
(3) interfaces=vlanport4 routing-mark=port4
(4) interfaces=vlanport5 routing-mark=port5
I am not sure what the fuss is about… Bridges are already separated at layer2, vlans are separated at layer 2.
The only thing that needs to be done is FW rules, and mainly no FW rules:
established related
{any allow rules like lan to wan}
Last rule
add chain=forward action=drop.
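Added example of the three-rule forward chain described in the post above, written out in RouterOS v6.41+ syntax (this is my illustration, not the poster's configuration). It assumes ether1 is the WAN uplink and bridge_A..bridge_D are the four LAN bridges; interface lists keep the rule count flat however many bridges you add, which is also the answer to the n^2 worry that comes up later in the thread.

```routeros
# Added example, not from the post above. RouterOS v6.41+ syntax; ether1 as
# WAN and bridge_A..bridge_D as LAN bridges are assumptions.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge_A
add list=LAN interface=bridge_B
add list=LAN interface=bridge_C
add list=LAN interface=bridge_D

/ip firewall filter
# 1. replies to flows that were already permitted, in either direction
add chain=forward connection-state=established,related action=accept \
    comment="established/related"
# 2. the only new flows allowed: any LAN bridge towards the uplink.
#    Adding a fifth bridge means one more list member, not more rules.
add chain=forward connection-state=new in-interface-list=LAN \
    out-interface-list=WAN action=accept comment="LAN -> WAN"
# 3. everything else, including bridge_A -> bridge_B, ends here
add chain=forward action=drop comment="last rule: drop all"

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

# Check: ping from a host on bridge_A to a host on bridge_B, then watch the
# packet counter of the final drop rule climb.
/ip firewall filter print stats where chain=forward
```

Note that rule 1 accepts established traffic in both directions, so an inter-bridge flow can only exist if some earlier rule let its first packet through; with rule 2 restricted to out-interface-list=WAN, nothing does.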
It doesn’t matter whether you are a newbie or an experienced professional. You have set up some configuration but you haven’t shown it so we can only guess. You have chosen one of the solutions above (as you mention routing marks, it is probably the VRF one), and you still haven’t stated how the overall network architecture / traffic matrix should look like, so we’d have to guess again. Describe what you already have (which is best done by exporting the configuration) and what you want to achieve.
@Bartoz, explain to me how devices from one bridge are going to magically access devices on a second bridge when the last forward rule in the forward chain is drop all??
(I know your knowledge far outstrips my few scribbles of notes on toilet paper that make up my imaginary expertise LOL, so please educamate me!! )
anav: maybe my toilet paper just has more layers than yours?
BTW…
If you want to protect computers on one bridge at L3 from another L3 layer, then you need to block bridge A pool (name it poolA) from poolB, poolC, poolD … poolC protected from poolD but not from poolE … poolF from poolA, poolB but not from poolZZ etc. …
Therefore you need n^2 rules to block/allow all bridge/L2 domain combinations … don't you? IMHO "headache" is a euphemism for such a situation.
For a particular bridge in "IP firewall" you define where you pass traffic to, and you do not care if there are 10, 20 or 1000 additional L2 domains/bridges?
Am I wrong? I do not pretend to be THE ONE … share your experience and knowledge.
I am trying to establish if I need additional VRF route marks. In my case the RB750 has 3 AP VLANs + 1 local admin VLAN connected by 4 bridges to port 1:
Port 1 is PTP and has VLANs (a + b + c + d)
Port 2 has AP1 VLAN a - Bridge A (port 1 + 2)
Port 3 has AP2 VLAN b - Bridge B (port 1 + 3)
Port 4 has AP3 VLAN c - Bridge C (port 1 + 4)
Port 5 has local admin VLAN d - Bridge D (port 1 + 5)
Each AP has a VRF route mark on its VLAN interface before connecting to the RB750. At this point, do I need additional VRF route marks, as the 4 VLANs come in on port 1 of the RB750?