block cross traffic

menace · June 19, 2024, 10:36pm

hey

as we all know mikrotik networks tends to grow, and so do mine also but how to block cross traffic

I have my main lan, IoT and guest network

the way i have done it so far is to drop package in firewall from:

lan to IoT
lan to guest
guest to lan
guest to IoT
IoT to lan
IoT to guest

but with a incomming of 2x VPN(work and (change my ip geo-block)) is going to take it to 20 block rules i the firewall, isn’t there an easier way to do it?

mkx · June 20, 2024, 5:54am

Might be easier (or not, depending on particular situation) to explicitly allow only what should be allowed and drop everything else. In principle safer as well (one can hardly ‘forget’ to
block something as missing “allow” tends to be much more obvious).

anav · June 20, 2024, 2:09pm

mkx is suffering from timidness today.

Much better to for example at the end of the forward chain put
add action=drop chain=forward comment=“drop all else” above this as follows:

/ip firewall
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
{ admin rules for allowed traffic }
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action= accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add actio=accept chain=forward comment=“access to shared printer” in-interface-list=SharedPrinter dst-address=192.168.88.34
add action=accept chain=forward comment=“admin to all subnets” src-address-list=Authorized out-interface-list=LAN
add action=drop chain=forward comment="drop all else"

Allowed traffic is identified all else is dropped, most efficient and clear communication of requirements.

/interface list
add name=WAN
add name=LAN
add name=SharedPrinter

/interface list members
add interface=ether1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
add interface=vlan20 list=SharedPrinter
add interface=vlan30 list=SharedPrinter

In general for firewall rules:
single address: use IP address .88/32
single subnet: use Address .0/24
Multiple Local Subnets: use interface lists
Multiple users, less than a subnet, could be across subnets: use firewall address list.
Multiple users AND subnet or subnets: use firewall address list
Remote subnets: use firewall address list.