Blocking traffic between interfaces - Can't figure it out

Good afternoon,

I am setting up a RB951 that our local ISP gave us (awesome ISP!) with a custom configuration, as it needs to manage two different ‘halves’ so to speak.

One half is what we use personally. The other half has a wireless AP hooked, to give public access to guests. Arranged like this:

eth1 is Gateway.
eth2-4: Private use interface. Has a wireless AP extending the inner wireless adapter network (this works fine).
eth3 is empty, I plan to set it up as the management port
eth4 has an IP-analog telephone adapter (Cisco something): this works fine
eth5 is where the guest AP is hooked.


The interfaces have IPs assigned like this:

eth1 is DHCP (IP assigned by the modem)
eth2-5 are assigned like so: 192.168.88.2 for eth2, and so on until eth5 which has 192.168.88.5


Now, what I want to do is prevent eth5 from accessing any other interface but eth1 (gateway), to prevent any possible access to our network.

I have tried creating the following rule for the firewall:

rule type: forward
in port: eth5
out port: !eth1
protocol: any
action: drop

And placed it atop the list, even before the one allowing icmp packets. But I can still ping hosts, and access inner Microsoft networks.

What am I doing wrong?

Please note I am an absolute newbie to Mikrotik stuff, as all I have used is Cisco equipment.

Thank you!

First of all, ether5 should be removed from bridge or slave.
Then put separate ip address and DHCP server on ether5.

Post your current export, I will give recommendations later tonight.

Rudios,

Thanks for answering. I will test later tonight or tomorrow, as I don’t have immediate access to the router.

I did find a difficulty when freeing eth5 from its ‘slavery’. I cannot seem to route traffic from the interface to the gateway. There is surely something I am overlooking (due to my inexperience with Mikrotik most assuredly!)


What is the ‘export’, if I might ask?

Thanks again!

Export is the way to show the current configuration.

Connect to the Routerboard via SSH or telnet for command line access, or click the “new terminal” button from Winbox.
There you can type export to give an overview of the configuration.
If you are on RouterOS 6.x export shows all configured items different from their default values.
If you are on RouterOS 5.x (which I doubt) you have to type export compact

Okay, understood. Here goes the export:

[admin@MikroTik] > /export
# jun/02/2014 21:15:39 by RouterOS 6.11
# software id = KJV2-2NPB
#
/interface bridge
add l2mtu=1598 name=bridge-clients
add admin-mac=D4:CA:6D:F2:32:CD auto-mac=no l2mtu=1598 name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
    20/40mhz-ht-above country=spain disabled=no distance=indoors l2mtu=2290 \
    mode=ap-bridge ssid=FGR wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether5 ] bandwidth=unlimited/512k name=clients
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-voip
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-ap
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    wpa-pre-shared-key="***" wpa2-pre-shared-key=\
    "***"
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=dhcp ranges=192.168.88.130-192.168.88.254
add name=clients ranges=192.168.10.10-192.168.10.128
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=12h name=\
    default
add address-pool=clients disabled=no interface=bridge-clients lease-time=1h \
    name=clients_server
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-clients interface=clients
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether2-master-local network=192.168.88.0
add address=192.168.88.2/24 interface=ether3-voip network=192.168.88.0
add address=192.168.88.3/24 interface=ether4-slave-ap network=192.168.88.0
add address=192.168.88.10/24 interface=wlan1 network=192.168.88.0
add address=192.168.10.1/24 interface=clients network=192.168.10.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.88.1 gateway=192.168.10.1 \
    netmask=24
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=drop chain=forward disabled=yes in-interface=clients \
    out-interface=ether2-master-local
add action=drop chain=forward disabled=yes in-interface=clients \
    out-interface=ether3-voip
add action=drop chain=forward disabled=yes in-interface=clients \
    out-interface=ether4-slave-ap
add action=drop chain=forward disabled=yes in-interface=clients \
    out-interface=wlan1
add chain=forward disabled=yes in-interface=clients out-interface=\
    ether1-gateway p2p=!all-p2p
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
/ip route
add disabled=yes distance=1 gateway=ether1-gateway
/ip upnp
set allow-disable-external-interface=no
/system clock manual
set time-zone=+01:00
/system leds
set 0 interface=wlan1
/system routerboard settings
set cpu-frequency=400MHz
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-voip
add interface=ether4-slave-ap
add interface=clients
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-voip
add interface=ether4-slave-ap
add interface=clients
add interface=wlan1
add interface=bridge-local
[admin@MikroTik] >

I’ve masked the passwords, but the rest is as-is.

Also, I’ve got another question. The ‘clients’ interface doesn’t have internet connection. I wonder what that is due to? I have poked around the config, but I still cannot manage to get internet to it.

Thank you very much!

I see some weirdness in your config.
You put IP addresses on interfaces 3/4 and wlan1.
This is not needed since these interfaces are part of the bridge. You can remove them.
Also on your DHCP server for your clients interface, change the DNS entry to be 192.168.10.1
I also would advise different firewall rules, but it is also a matter of taste.
I happen to allow the wanted traffic, and then block all others.
So in forward chain, it could look like this.
add chain=forward comment="Accept established connections" connection-state=established
add chain=forward comment="Accept related connections" connection-state=related
add chain=forward comment="Allow traffic from Local network to go outside" in-interface=bridge-local out-interface=ether1-gateway src-address=192.168.88.0/24
add chain=forward comment="Allow Guest network going outside" in-interface=bridge-clients out-interface=ether1-gateway src-address=192.168.10.0/24
add action=log chain=forward comment="Log everything else" disabled=yes log-prefix="IPv4 Drop forward RR:"
add action=drop chain=forward comment="Drop everything else"

In this case you just allow the traffic to go from ether5 (via bridge-clients) to exit to ether1-gateway.

Also keep in mind that since your interfaces are bridged, creating firewalls on the specific interfaces will not work.
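The complete set of changes the discussion above adds up to, as an added example that is not part of the thread and not Rudios's own post. It uses the interface names and subnets from the posted export and RouterOS 6.x syntax. Three things go beyond what Rudios suggests and are additions of my own: an input chain that keeps guests away from the router's own services (the export also lists the guest port "clients" in both mac-server lists, so MAC-Telnet and MAC-Winbox would otherwise be reachable from the guest side), removal of those mac-server entries, and moving 192.168.88.1 from the master port onto bridge-local so the LAN address sits on the same interface as its DHCP server. The explicit UDP/67 accept for guests is belt-and-braces; the stock config already relies on DHCP working past a plain input drop.

```routeros
# Added example (not from the thread): guest isolation for the export above,
# RouterOS 6.x syntax. Interface names and subnets come from the export; the
# input chain, the mac-server clean-up and moving 192.168.88.1 onto
# bridge-local are my additions (assumptions), not the thread's advice.

# --- 1. Layer 3 lives on the bridges, not on their member ports ---
/ip address
remove [ find interface=ether3-voip ]
remove [ find interface=ether4-slave-ap ]
remove [ find interface=wlan1 ]
# optional: put the LAN address where its DHCP server already is
set [ find address=192.168.88.1/24 ] interface=bridge-local

# --- 2. Guests resolve names through their own gateway ---
/ip dhcp-server network
set [ find address=192.168.10.0/24 ] dns-server=192.168.10.1

/ip firewall filter
# the old per-port rules match on "clients", a bridge member, so IP traffic
# that enters through bridge-clients never hits them; drop them together
# with the stock rules and rebuild both chains in one known order
remove [ find chain=forward in-interface=clients ]
remove [ find chain=forward comment="default configuration" ]
remove [ find chain=input comment="default configuration" ]

# --- 3. Forward chain: allow only what is wanted, drop the rest ---
add chain=forward comment="accept established/related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add chain=forward comment="LAN -> Internet" in-interface=bridge-local \
    out-interface=ether1-gateway src-address=192.168.88.0/24
add chain=forward comment="guest -> Internet only" in-interface=bridge-clients \
    out-interface=ether1-gateway src-address=192.168.10.0/24
add action=log chain=forward comment="log the rest (enable while testing)" \
    disabled=yes log-prefix="FWD drop:"
add action=drop chain=forward comment="drop everything else"

# --- 4. Input chain: guests get DHCP, DNS and ping from the router, nothing else ---
add chain=input comment="accept established/related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add chain=input comment="guest DHCP (harmless extra)" in-interface=bridge-clients \
    protocol=udp dst-port=67
add chain=input comment="guest DNS" in-interface=bridge-clients protocol=udp dst-port=53
add chain=input comment="guest DNS (tcp)" in-interface=bridge-clients protocol=tcp dst-port=53
add chain=input comment="guest ping" in-interface=bridge-clients protocol=icmp
add action=drop chain=input comment="no router management from guests" \
    in-interface=bridge-clients
add action=drop chain=input comment="nothing unsolicited from the Internet" \
    in-interface=ether1-gateway

# --- 5. Layer-2 management paths must not be open to guests either ---
/tool mac-server
remove [ find interface=clients ]
/tool mac-server mac-winbox
remove [ find interface=clients ]
/ip neighbor discovery
set clients discover=no
set bridge-clients discover=no
```

To check it, enable the log rule for a few minutes, then from a guest client ping 192.168.88.1 and a host on the private side and run `/ip firewall filter print stats`: the two drop rules should be the ones counting, and the guest should still get a lease, resolve names against 192.168.10.1 and reach the Internet. Leaving `allow-remote-requests=yes` on `/ip dns` is fine here because the input drop on ether1-gateway keeps the resolver closed to the outside.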

Rudios,

Thank you very much! I will be testing these changes in a few hours, I’ll edit the message to post the results.

So, if I have understood right, this is what I should do:

-Remove the addresses from the interfaces that share a bridge with the parent interface.
-Change the DNS in the clients DHCP to be the router itself (192.168.10.1)
-Change the firewall rules to your suggested ones (I will evaluate and adapt them to my ideas if necessary)
-Change the firewall rules so they aren’t checked against interfaces, but bridges (?)

Thanks again!
-M

You’re all correct.

Rudios,

I forgot to post back! Just wanted to thank you for the help, it is now working! Traffic is blocked as desired, and the router is showing so, as well.

Thank you again!
-M