blocking subnets from each other totally

hello there,

I have a little problem with separating 2 subnets from each other totally.

The setup:
RB750GL
ether1 = internet gateway
ether2 = company lan
ether3 = vlan10 with company lan and vlan11 with guest wlan.

there is bridge1 with vlan10 and ether2
there is bridge2 with vlan11 only

I want bridge1 and 2 to be separated totally.
bridge2 is for internet use only.

so I drop input from src-address bridge2-subnet with dst-address ether2-subnet
and I drop input from src-address ether2-subnet with dst-address bridge2-subnet
and I drop forwarding from bridge2 that has NOT ether1 as outgoing interface (block everything that is not internet).


The problem: an IP scanner in vlan11 can scan the IP subnet of ether2. I don't want that.
I think it has to do with the fact that filter rules work on layer 3, and the IP scanner works on layer 2 (MAC). Is that right?
How can I block layer-2 traffic between two different interfaces or IP subnets?

greetz,
horstkevin

To prevent guests from going anywhere else except internet:

/ip firewall filter
add action=drop chain=forward in-interface=bridge2 out-interface=!ether1

If you also want to prevent company LAN from accessing guest LAN:

/ip firewall filter
add action=drop chain=forward in-interface=bridge1 out-interface=bridge2

If you want to protect router from curious guests (allow only DNS if router serves as resolver for guests):

/ip firewall filter
add action=accept chain=input dst-port=53 in-interface=bridge2 protocol=udp
add action=accept chain=input dst-port=53 in-interface=bridge2 protocol=tcp
add action=drop chain=input in-interface=bridge2
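Putting the three pieces of the reply together as one ordered ruleset, as an added example (not config from either poster). It assumes the interface names from the original post (bridge1 = company LAN incl. vlan10, bridge2 = guest vlan11, ether1 = internet uplink). Since bridge1 and bridge2 are separate bridges there is no layer-2 path between them; what the guest scanner reaches is routed traffic, which only the forward chain sees, so drop rules placed in the input chain never match it.

```routeros
# Added example: complete filter set for the setup described in the thread.
# Interface names are taken from the original post; nothing else is assumed.
/ip firewall filter
# Guest -> anything that is not the internet uplink. Traffic routed between
# bridge2 and bridge1 (or ether2) traverses the forward chain, so this is the
# rule that stops a guest-side IP scanner from reaching the company subnet.
add chain=forward in-interface=bridge2 out-interface=!ether1 action=drop \
    comment="guest -> non-internet"
# Company LAN -> guest bridge, so the isolation holds in both directions.
add chain=forward in-interface=bridge1 out-interface=bridge2 action=drop \
    comment="lan -> guest"
# Guests may use the router itself only as DNS resolver (UDP and TCP 53);
# every other packet addressed to the router from bridge2 is dropped.
add chain=input in-interface=bridge2 protocol=udp dst-port=53 action=accept \
    comment="guest dns udp"
add chain=input in-interface=bridge2 protocol=tcp dst-port=53 action=accept \
    comment="guest dns tcp"
add chain=input in-interface=bridge2 action=drop comment="guest -> router"
# Check: run the scan again from a guest host, then confirm the packet/byte
# counters on the two drop rules are the ones increasing.
/ip firewall filter print stats
```

Rule order matters in RouterOS: the accept rules for port 53 must sit above the bridge2 input drop, which `print` shows by position and `move` can correct if an existing rule was inserted first.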