Cannot block traffic Across subnets

I’m new to MikroTik. I have two MikroTik cAP WAPs in my network and one hEX as my router.
I have my WAN on port 2 of the hEX and my LAN connected on port 1.
I have a PoE+ switch in my network into which everything on the network is plugged.
I have CAPsMAN running and working; I will fix this as needed after I get my main issue resolved.
I want to separate my network a bit: I want my tenants on a separate SSID and network address range with no access to my network. I also want another network to handle my IoT devices.
I have this in a test Phase and will change all the names later.

My main network is 192.168.1.0/24 and my router is .1. I have a network called Segment3 whose address range is 192.168.10.0/24 with the gateway at .1.
I have been trying to figure out how to filter the two networks using the firewall, and no matter what rule I set between the networks I can still ping between the two networks. I just want the two networks not to see each other but still reach the internet. I cannot figure out whether I am doing something wrong or whether there is something wrong in my configuration. All help with my configuration is much appreciated.

Here is my configuration. All recommendations on anything are much appreciated; if a network diagram is needed I will create one.

[admin@MainRtr] > export

feb/28/2021 16:06:38 by RouterOS 6.48.1

software id = D2TW-9CRM

model = RB760iGS

serial number = AE370BD7B714

# Export of the original (pre-cleanup) hEX configuration, RouterOS 6.48.1.
# NOTE(review): this paste went through a forum: the straight quotes around
# values became curly quotes and several long commands are wrapped onto two
# lines. Restore straight quotes and rejoin wrapped commands before
# re-importing any of it.
/caps-man channel
add band=2ghz-b/g/n name=Default24
add band=5ghz-a/n/ac name=Default5g
# One bridge per wireless segment plus Main_Network for the wired LAN.
# bridge1 has no ports, addresses or DHCP server anywhere in this export.
/interface bridge
add name=Bridge_Wireless1 protocol-mode=none
add name=Bridge_Wireless2
add arp=local-proxy-arp fast-forward=no name=Bridge_Wireless3 protocol-mode=none
add name=Main_Network
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Lan
set [ find default-name=ether2 ] name=ether2-Wan
# Datapaths decide which bridge CAPsMAN clients land on: "Default" is
# Bridge_Wireless1, "datapath1" is the wired Main_Network bridge.
/caps-man datapath
add bridge=Bridge_Wireless1 name=Default
add bridge=Main_Network name=datapath1
# Passphrases are redacted in the paste. security1 is wpa2-psk only;
# security2 additionally accepts wpa-psk.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1 passphrase=xxxxxxx
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security2 passphrase=xxxxxx
# cfg2 carries datapath1 (Main_Network), i.e. its clients join the wired LAN
# bridge unless the interface entry below overrides the datapath.
/caps-man configuration
add channel=Default24 country=“united states3” mode=ap name=cfg1 security=security1 ssid=capstest24
add channel=Default5g country=“united states3” datapath=datapath1 mode=ap name=cfg2 security=security2 ssid=segment25g
# Segment2 and segment3 override their configuration's datapath with
# "Default" (Bridge_Wireless1), while the bridge-port section further down
# makes them ports of Bridge_Wireless2/Bridge_Wireless3. Which of the two
# wins is a CAPsMAN precedence question -- confirm on the live device.
# Both slave entries carry radio-mac=00:00:00:00:00:00 and an empty
# radio-name.
/caps-man interface
add channel=Default24 configuration=cfg1 configuration.ssid=Segment1_24 disabled=no l2mtu=1600 mac-address=08:55:31:63:AC:4E master-interface=none name=Segment1 radio-mac=08:55:31:63:AC:4E
radio-name=08553163AC4E security=security1
add channel=Default5g configuration=cfg2 datapath=Default disabled=no l2mtu=1600 mac-address=0A:55:31:63:AC:4E master-interface=Segment1 name=Segment2 radio-mac=00:00:00:00:00:00 radio-name=“”
security=security1
add channel=Default24 configuration=cfg1 configuration.mode=ap configuration.ssid=segment3_24 datapath=Default disabled=no l2mtu=1600 mac-address=0A:55:31:63:AC:4F master-interface=Segment1 name=
segment3 radio-mac=00:00:00:00:00:00 radio-name=“” security=security1
# Interface lists: WAN is used by the srcnat rule; no filter or NAT rule in
# this export references LAN.
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP pools. "wireless" (192.168.3.20-254) lies inside Segment2_Pool
# (192.168.3.2-254): two pools hand out the same addresses.
/ip pool
add name=Main_Pool ranges=192.168.1.30-192.168.1.254
add name=Segment1_Pool ranges=192.168.5.2-192.168.5.254
add name=wireless ranges=192.168.3.20-192.168.3.254
add name=Segment3_Pool ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254
add name=Segment2_Pool ranges=192.168.3.2-192.168.3.254
# DHCP servers are bound to the bridges. Bridge_Wireless1 gets two servers
# (Wireless_Segment1 and wirelesstest); RouterOS accepts one server per
# interface, so expect one of them to be flagged invalid. dhcp20 points at
# "VLAN20", which is not defined anywhere in this export.
/ip dhcp-server
add address-pool=Main_Pool disabled=no interface=Main_Network lease-time=10h name=dhcp1
add address-pool=Segment1_Pool disabled=no interface=Bridge_Wireless1 lease-time=1h name=Wireless_Segment1
add address-pool=wireless interface=Bridge_Wireless1 name=wirelesstest
add address-pool=Segment3_Pool disabled=no interface=Bridge_Wireless3 name=Wireless_Segment3
add address-pool=dhcp_pool20 disabled=no interface=VLAN20 name=dhcp20
add address-pool=Segment2_Pool disabled=no interface=Bridge_Wireless2 name=Wireless_Segment2
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=require-same-version
# "*5" is an internal object id of the exporting device; it will not resolve
# to the same configuration on another router.
/caps-man provisioning
add action=create-dynamic-enabled slave-configurations=*5
# Each CAPsMAN interface is a port (slave) of its own bridge; see the
# /ip address section for why that matters.
/interface bridge port
add bridge=Main_Network interface=ether1-Lan
add bridge=Bridge_Wireless1 interface=Segment1
add bridge=Bridge_Wireless2 interface=Segment2
add bridge=Bridge_Wireless3 interface=segment3
# Traffic switched within a bridge is also passed through /ip firewall.
/interface bridge settings
set use-ip-firewall=yes
# Only Segment1 is in LAN; Main_Network and the other bridges are in no list.
# Harmless here because nothing matches on LAN, but easy to trip over later.
/interface list member
add interface=ether2-Wan list=WAN
add interface=Segment1 list=LAN
# Only the first address sits on a bridge. 192.168.3.1, 192.168.5.1 and
# 192.168.10.1 are assigned to Segment2/Segment1/segment3, which are bridge
# slave ports (the DHCP-client error just below confirms Segment1 is a
# slave), while the DHCP servers for those subnets sit on the bridges. The
# router addresses should live on Bridge_Wireless2/1/3 instead -- confirm
# whether RouterOS shows these addresses as invalid.
/ip address
add address=192.168.1.1/24 interface=Main_Network network=192.168.1.0
add address=192.168.3.1/24 interface=Segment2 network=192.168.3.0
add address=192.168.5.1/24 comment=“hotspot network” interface=Segment1 network=192.168.5.0
add address=192.168.10.1/24 interface=segment3 network=192.168.10.0
# The "defconf" DHCP client on Segment1 is a leftover from the default
# configuration; the error line below was printed by the export for it.
/ip dhcp-client

DHCP client can not run on slave interface!

add comment=defconf disabled=no interface=Segment1
add disabled=no interface=ether2-Wan
# dns-server=192.68.1.1 on the main subnet is not an address in any subnet
# here -- presumably a typo for the router's own 192.168.1.1. The
# 192.168.5.0/24 network hands out no DNS server at all.
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.68.1.1,1.1.1.1 gateway=192.168.1.1
add address=192.168.3.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.3.1
add address=192.168.5.0/24 comment=“hotspot network” gateway=192.168.5.1
add address=192.168.10.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.20.1
# The router answers DNS for anyone who can reach it; which sides can reach
# it is decided by the input chain below.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
# "support" is the whole main subnet (it gets full input access below).
# "not_in_internet" is populated but no filter rule references it; the
# forward rule below drops dst-address-list=bogons, a list that is never
# defined, so that rule can never match.
/ip firewall address-list
add address=192.168.1.0/24 list=support
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment=“6to4 relay Anycast [RFC 3068]” list=not_in_internet
add address=192.168.1.0/24 list=Main_network
add address=192.168.10.0/24 list=Segment_3_Network
# Filter rules. What matters, in rule order:
#  * input: the final "Drop anything else" rule is disabled, so anything not
#    explicitly dropped is accepted. Router services are then protected only
#    by the /ip service address= limits below, and the two port=53 accepts
#    (no in-interface restriction) plus allow-remote-requests=yes mean the
#    router answers DNS from the WAN side as well.
#  * forward: the very first forward rule jumps ICMP into the ICMP chain,
#    which accepts echo request and echo reply -- so pings between subnets
#    are accepted before the Segment3 -> Main drop at the bottom ever sees
#    them (this is the ordering problem the thread later resolves). Nothing
#    else is dropped in forward, there is no established/related accept, and
#    the one drop rule covers a single direction for 192.168.10.0/24 only;
#    192.168.3/5/20 are unrestricted.
#  * "Segment 3 Block Firewall Access" matches src-port, i.e. the client's
#    ephemeral port, so it does not block access to those services; dst-port
#    was presumably intended, and 9291 looks like a typo for the winbox port
#    8291 used by the (disabled) winbox rule above it.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=“place hotspot rules here” disabled=yes
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment=“Add Syn Flood IP to the list” connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment=“Drop to syn flood list” src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment=“Port Scanner Detect” protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=“Drop to port scan list” src-address-list=Port_Scanner
add action=jump chain=input comment=“Jump for icmp input flow” jump-target=ICMP protocol=icmp
add action=drop chain=input comment=“Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST” disabled=yes dst-port=8291
protocol=tcp src-address-list=!support
add action=jump chain=forward comment=“Jump for icmp forward flow” jump-target=ICMP protocol=icmp
add action=drop chain=forward comment=“Drop to bogon list” dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment=“Add Spammers to the list for 3 hours” connection-limit=30,32 dst-port=25,587 limit=30/1m,0
protocol=tcp
add action=drop chain=forward comment=“Avoid spammers action” dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment=“Accept DNS - UDP” port=53 protocol=udp
add action=accept chain=input comment=“Accept DNS - TCP” port=53 protocol=tcp
add action=accept chain=input comment=“Accept to established connections” connection-state=established
add action=accept chain=input comment=“Accept to related connections” connection-state=related
add action=accept chain=input comment=“Full access to SUPPORT address list” src-address-list=support
add action=drop chain=input comment=“Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED” disabled=yes
add action=accept chain=ICMP comment=“Echo request - Avoiding Ping Flood, adjust the limit as needed” icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment=“Echo reply” icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment=“Time Exceeded” icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment=“Destination unreachable” icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment=“Drop to the other ICMPs” protocol=icmp
add action=jump chain=output comment=“Jump for icmp output” jump-target=ICMP protocol=icmp
add action=drop chain=input src-address=157.100.174.188
add action=drop chain=input src-address=187.235.40.8
add action=drop chain=input src-address=77.0.213.160
add action=drop chain=input src-address=101.255.149.166
add action=drop chain=input src-address=190.237.16.76
add action=drop chain=input src-address=173.249.19.24
add action=drop chain=input src-address=177.13.253.238
add action=drop chain=input src-address=103.238.228.117
add action=drop chain=input comment=“Segment 3 Block Firewall Access” dst-address=192.168.10.1 protocol=tcp src-address-list=Segment_3_Network src-port=80,21,22,23,9291
add action=drop chain=forward dst-address=192.168.1.0/24 in-interface=Bridge_Wireless3 out-interface=Main_Network src-address=192.168.10.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=“place hotspot rules here” disabled=yes
add action=masquerade chain=srcnat out-interface-list=WAN
# Management services are reachable only from the main subnet; telnet and
# ftp are disabled. www and api (both plaintext) stay enabled on their
# default ports.
/ip service
set telnet address=192.168.1.0/24 disabled=yes
set ftp address=192.168.1.0/24 disabled=yes
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24
set www-ssl address=192.168.1.0/24
set api address=192.168.1.0/24
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24
# UPnP lets any host on the participating interfaces request inbound port
# mappings. No "/ip upnp interfaces" entries appear in this export, so its
# effect here is unclear; if it is kept, it should not cover the tenant or
# IoT segments.
/ip upnp
set enabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=MainRtr

Revision: Network Diagram added

Revision: I resolved my issue; the rule in my filter was too low in the rule order. I moved it up and now it works properly: I cannot pass traffic between the subnets.

What I would call a freakin mess.
I also abhor CAPsMAN, and there is no need for it with only two cAP acs, so I wouldn’t touch that part of the config.
If you’re willing to change the rest of the config, I am willing to have a look.
If not, someone else may chime in.

I am most willing to change the config. I fussed around with this thing so much I am not sure what I can remove or keep. I just want it to work perfectly and leave it alone!!! If you have the time to look it over and tell me what I need to change, I will change and test it.

I am most willing to change the config. I fussed around with this thing so much I am not sure what I can remove or keep. I just want it to work perfectly and leave it alone!!! If you have the time to look it over and tell me what I need to change, I will change and test it.

Usually, when I’ve made a whole bunch of changes to a thing to try to make it work, I just start from scratch and make the simplest changes I can, rethinking my basic assumptions. Is that possible for you to do in this situation?

I cannot always start from scratch and fiddle with my network. I have my kids and my tenant kids remote schooling from 8am until 3pm Eastern. My fiancé works from home at nights so I can’t touch it at all at night unless my changes won’t affect them. My window for messing with my network is early Mornings or if I let everyone know in the afternoon that I am making changes. If I can get a Clean Config I will take a Saturday Morning wipe it and put it up. I am willing to take all suggestions. I am new to Mikrotik but not networking.

Hey nsmamuel, I feel your pain brother, I am in the same boat.
I have day users, and when others get home they need it; even worse, up to a little while ago I had two poker players going at all hours. It was a nightmare to make a change, and even worse during a power outage or other issues.

I will take a look today to see if I can clean it up for you as I am a sucker when it comes to making sure the kids have their internet for school.
One thing I will recommend off the bat is not to use the stable version but instead the long-term version of the firmware; it typically has fewer issues than the stable version.
Another thing I do is load the new firmware, reboot, then go to System > RouterBOARD, upgrade that to the same version, and reboot.

QUESTIONS. I need to know your physical network layout. (aka a diagram would be helpful)
It’s too difficult to know how many ports you are using on the RB4011.
It looks like just ether1 thus far? Does it go to a managed switch, aka is there any wired distribution in the house,
how do you get to the other access points? (Is this the wired-only version of the RB4011?)

This may be the biggest source of the trouble, as the firewall philosophy on Mikrotik is the Linux iptables’ one, which is quite different from the philosophy of Cisco ip access list matching.

First, in IOS, the access list rules are typically bound to an interface and don’t distinguish between packets sent/received by the router itself and the forwarded ones (you have to set the rules to match on router’s own IP addresses if you want to distinguish between these cases); in RouterOS, the firewall rules are applied on all traffic regardless the in-interface or out-interface (unless the particular rule itself matches to in-interface[-list] and/or out-interface[-list]), and the relationship of the packet to the router itself determines which rule chain the packet will traverse: packets generated by the router itself are handled in output, packets received by the router itself in input, and packets routed from one interface to another in forward.

Second, the default handling of packets not matching any rule is drop in Cisco but accept in RouterOS. So in RouterOS, you have to use a “drop the rest” rule at the end of each chain if you prefer the “drop everything but a few exceptions” approach to building the firewall (like I do).

If the above theoretical analysis doesn’t help you find the trouble on your own, let me know, I’ll look through your complicated firewall structure in detail.

Theory or not, there are no forward chain rules of any significance at all.
Lets just start from scratch LOL.
I have configured a new start, but it is not complete due to many unanswered questions.
Best to contact me via my signature, and perhaps we can chat over Skype/WhatsApp or whatever medium, as typing takes too long LOL.
Question marks, need discussion for sure.

Fresh start…

# model = RB760iGS
# Draft "fresh start" configuration: single bridge with one VLAN per segment,
# default-deny input and forward chains. The "????" markers, "x/y/z" hosts and
# "{non-standard port#}" are placeholders the author left for discussion;
# the draft will not import as-is (see the notes on names and quoting below).
# NOTE(review): RouterOS object names are case-sensitive. The bridge is
# created as "bridge_single" but the VLAN interfaces below reference
# "Bridge_Single"; likewise /ip address uses "segmentthree" while the VLAN is
# named "Segmentthree". Unify these before importing. For the bridge VLAN
# table further down to take effect the bridge also needs
# vlan-filtering=yes, which is not set here -- enable it only after the
# VLAN table and a tagged management path are in place, or management
# access is lost.
/interface bridge
add name=bridge_single
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Lan
set [ find default-name=ether2 ] name=ether2-Wan
# "allowedsubnets" is the set of interfaces from which router management
# is accepted (used by the admin input rule below).
/interface list
add name=WAN
add name=LAN
add name=allowedsubnets
# One routed VLAN interface per segment; the router's addresses and DHCP
# servers attach to these, not to the bridge itself.
/interface vlan
add interface=Bridge_Single name=Main_Network vlan-id=99
add interface=Bridge_Single name=Segmentone vlan-id=11
add interface=Bridge_Single name=Segmenttwo vlan-id=12
add interface=Bridge_Single name=Segmentthree vlan-id=13
add interface=Bridge_Single name=Grouptwenty vlan-id=20
add interface=Bridge_Single name=WirelessTest vlan-id=3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Subnets are renumbered to match the VLAN ids (192.168.11/12/13 instead of
# the original 192.168.5/3/10); the main and .20 ranges are unchanged.
/ip pool
add name=Main_pool ranges=192.168.1.30-192.168.1.254
add name=Segment1_pool ranges=192.168.11.2-192.168.11.254
add name=Segment2_pool ranges=192.168.12.2-192.168.12.254
add name=Segment3_pool ranges=192.168.13.2-192.168.13.254
add name=Group20_pool ranges=192.168.20.2-192.168.20.254
add name=Wifitest_pool ranges=192.168.3.20-192.168.3.254
/ip dhcp-server
add address-pool=Main_pool disabled=no interface=Main_Network name=dhcp_main
add address-pool=Segment1_pool disabled=no interface=Segmentone name=dhcp_s1
add address-pool=Segment2_pool disabled=no interface=Segmenttwo name=dhcp_s2
add address-pool=Segment3_pool disabled=no interface=Segmentthree name=dhcp_s3
add address-pool=Group20_pool disabled=no interface=Grouptwenty name=dhcp20
add address-pool=Wifitest_pool interface=WirelessTest name=dhcp_wifitest
# Which physical ports / APs join the bridge is still undecided (needs the
# physical layout the author asked for).
/interface bridge port ?????
add bridge=bridge_single interface=ether1-Lan
add bridge=bridge_single interface= ??????
add bridge=bridge_single interface= ??????
add bridge=bridge_single interface= ??????
add bridge=bridge_single interface= ??????
# Bridge VLAN table. "taggged" is a typo for "tagged". The bridge itself
# must be tagged on every VLAN so the router's VLAN interfaces above see
# the traffic; ether1-Lan is tagged as the trunk towards the switch.
/interface bridge vlan ????????
add bridge=bridge_single taggged=bridge_single,ether1-Lan untagged=?? vlan-id=??
add bridge=bridge_single taggged=bridge_single,ether1-Lan untagged=?? vlan-id=??
add bridge=bridge_single taggged=bridge_single,?? untagged=?? vlan-id=??
add bridge=bridge_single taggged=bridge_single,?? untagged=?? vlan-id=??
# LAN holds only bridge_single. Routed traffic from VLAN hosts arrives on
# the VLAN interfaces (Main_Network, Segmentone, ...), which are not members
# of LAN, so the in-interface-list=LAN rules below (DNS, Internet access)
# will likely not match it -- add the VLAN interfaces to LAN; confirm.
/interface list member  ?????????
add interface=ether2-Wan list=WAN
add interface=bridge_single list=LAN
add interface=Main_Network list=allowedsubnets
add interface=WirelessTest list=allowedsubnets
/ip address
add address=192.168.1.1/24 interface=Main_Network network=192.168.1.0
add address=192.168.11.1/24 interface=Segmentone network=192.168.11.0
add address=192.168.12.1/24 interface=Segmenttwo network=192.168.12.0
add address=192.168.13.1/24 interface=segmentthree network=192.168.13.0
add address=192.168.20.1/24 interface=Grouptwenty network=192.168.20.0
add address=192.168.3.1/24 interface=WirelessTest network=192.168.3.0
/ip dhcp-client
add disabled=no interface=ether2-Wan
# dns-server=192.68.1.1 was carried over from the original export and is
# not an address in any subnet here; presumably 192.168.1.1 (the router)
# was meant. The hotspot network's DNS server is still undecided.
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.68.1.1,1.1.1.1 gateway=192.168.1.1
add address=192.168.11.0/24 comment="hotspot network" gateway=192.168.11.1  (dns server ????)
add address=192.168.12.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.12.1
add address=192.168.13.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.13.1
add address=192.168.20.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.20.1
add address=192.168.3.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
# "adminaccess" must contain real host addresses (x/y/z are placeholders)
# before the input drop rule below is active, or management is cut off.
# "external_users" is carried over from the original export but no rule in
# this draft references it; with default-deny input and forward chains
# those addresses are dropped anyway unless an explicit accept lets them in.
/ip firewall address-list ???????
add address=192.168.1.x list=adminaccess comment=admindesktop
add address=192.168.1.y list=adminaccess comment=adminipad
add address=192.168.3.z list=adminaccess comment=adminlaptop_wifitesting
add address=157.100.174.188 list=external_users  ?????
add address=187.235.40.8 list=external_users
add address=77.0.213.160 list=external_users
add address=101.255.149.166 list=external_users
add address=190.237.16.76 list=external_users
add address=173.249.19.24 list=external_users
add address=177.13.253.238 list=external_users
add address=103.238.228.117 list=external_users
# Input chain: established/related first, drop invalid, loopback (CAPsMAN),
# ICMP, admin hosts from allowedsubnets, LAN DNS, then drop everything else.
# The "Drop anything else" rule is missing its closing quote (import will
# fail on it) and carries no disabled=yes, so once the quote is fixed it is
# live immediately -- the adminaccess entries above must be real by then.
# Forward chain: ipsec bypass, fasttrack + accept for established/related,
# drop invalid, accept LAN -> WAN and dstnat'ed inbound, then drop the rest.
# The trailing drop is what blocks traffic between the VLANs by default;
# any permitted cross-segment flow needs an explicit accept placed above it.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=allowedsubnets\
    src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop anything else! # ONLY ENABLE WHEN ADMIN RULE ABOVE IN PLACE
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="ENABLE Internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL other  FORWARD traffic"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Only ssh and winbox are touched here; the other services keep whatever
# they currently have. The address= value is a comma-separated list without
# spaces (the first line has a space after the comma, the second no comma).
# The port placeholders still have to be chosen.
/ip service ????
set ssh address=192.168.1.0/24, 192.168.3.0/24  port={non-standard port#}
set winbox address=192.168.1.0/24  192.168.3.0/24  port={non-standard port#}
# Whether UPnP is wanted at all is still open; if enabled, it lets hosts on
# the participating interfaces request inbound port mappings on their own.
/ip upnp
set enabled=yes  ?????????

Anav - I attached a picture of my network to my original post; I hope you can see it. I used my Google Drive. I have been out of the forum posting game for a long while!! I sent you an email regardless; I hope you received it.