Hi,
We bought this unit because we upgraded our internet connection from 100/100 to 512/512. So now I have already installed the WAN on ether1 and 3 LAN subnets on eth4, 5 and 6.
How can I separate the traffic between the subnets? The idea is to have access into eth5 from eth4 & eth6 but not backwards from eth5 to eth4 & eth6. Also from eth4 to eth6 and not backwards from eth6 to eth4.
ether1 = WAN
ether4 = LAN4 (our office network; access to the internet already done and to eth5 & 6 too; access from LAN6 to this one not allowed)
ether5 = LAN5 (customer network; access to the internet for working already done; access to this LAN for customer maintenance needed; no access to both of our other LANs allowed)
ether6 = LAN6 (maintenance network; access to the internet already done; access to LAN5 for support already done; no access to LAN4 allowed)
How do I need to set the rules correctly? Whenever I play with the firewall I always end up dropping in both directions…
I know on Lancom routers it is possible to set a routing mark from 0 to 1 on a configured LAN subnet. So if 1 is set I can still access this subnet for maintenance issues, but all clients there cannot discover anything outside this LAN. They only have internet access… How can I implement this with MikroTik?
The key part is the first rule, which allows reply packets for connections. If you connect from e.g. ether4 to ether5, it will be allowed, because there's a rule for it. But reply packets would not be; that's what the first rule takes care of.
Hi,
After I set up these rules and test with ping I get "From x.x.x.x Packet filtered" on all sides… My ether5 should work like a guest LAN with internet only, but my other LANs should have full access to this one if customer support (e.g. remote access) is needed.
I’m not a fan of interface-based rules in this application.
I’d strongly suggest to segment your network into multiple independent networks.
If you have all ports bridged into one big network, it will be quite some work. If you already have different networks on your ports, just use the address ranges in your firewall to allow or deny traffic. You get much more granularity.
For the record, I assumed there's no bridge and each etherX has its own IP subnet. Using interfaces in rules is just one way of doing it; addresses (subnets) can be used too. Or even both at the same time, to make sure no one is trying anything funny with spoofed addresses (but that can also be done by RP filter).
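As an added example (not the rule set posted in this thread), here is one way to put the policy from the first post into the RouterOS forward chain, using both in-interface and src-address in each rule as suggested above so that a host on one LAN cannot gain access by spoofing another LAN's address, with strict RP filtering as the second line of defence. The subnets 192.168.4.0/24, 192.168.5.0/24 and 192.168.6.0/24 for LAN4, LAN5 and LAN6 are assumptions; substitute your own.

```routeros
# Added example, not from the thread.
# Assumed subnets: LAN4 = 192.168.4.0/24, LAN5 = 192.168.5.0/24, LAN6 = 192.168.6.0/24

# Reject packets whose source address does not belong to the interface they arrive on
/ip settings set rp-filter=strict

/ip firewall filter
# 1. Replies to connections that were already accepted, in either direction.
#    Must be first: without it the reply half of an allowed connection is dropped.
add chain=forward action=accept connection-state=established,related comment="accept replies"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# 2. The allowed directions. A new connection must match both the ingress port and its subnet.
add chain=forward action=accept in-interface=ether4 src-address=192.168.4.0/24 out-interface=ether5 comment="office -> customer"
add chain=forward action=accept in-interface=ether4 src-address=192.168.4.0/24 out-interface=ether6 comment="office -> maintenance"
add chain=forward action=accept in-interface=ether6 src-address=192.168.6.0/24 out-interface=ether5 comment="maintenance -> customer"

# 3. Every LAN may reach the internet.
add chain=forward action=accept in-interface=ether4 src-address=192.168.4.0/24 out-interface=ether1 comment="office -> WAN"
add chain=forward action=accept in-interface=ether5 src-address=192.168.5.0/24 out-interface=ether1 comment="customer -> WAN"
add chain=forward action=accept in-interface=ether6 src-address=192.168.6.0/24 out-interface=ether1 comment="maintenance -> WAN"

# 4. Everything else is dropped: customer -> office, customer -> maintenance,
#    maintenance -> office, and anything new coming in from the WAN.
add chain=forward action=drop comment="default deny for forward"
```

Order matters: RouterOS evaluates a chain top to bottom and stops at the first match, so the established,related rule has to sit above the per-direction rules and the unconditional drop has to be last. `/ip firewall filter print stats` shows the packet counters per rule, which is the quickest way to see which rule a test ping is actually hitting. `rp-filter=strict` assumes symmetric routing with a single WAN; with multiple uplinks use `loose` instead.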
All subnets are on different ports. How do I set up the rules? All I get is still blocking in both directions…
I must correct myself. Sob's rules in the correct order in my firewall do the trick. Now my customer subnet says "Packet filtered" and my office subnet says ping is still available… Yay, next step taken.
^^ The same for IPv6? As I see, this one is not possible in IPv6.
This rule is optional for IPv4; you only need it when you forward ports, i.e. do dstnat from a public address to some internal server. It's a shortcut to allow them all through the firewall at once.
There's no NAT for IPv6 (in RouterOS so far, and generally it's not needed), so you don't need this rule. If you have some internal server, it has a public IPv6 address and you can directly allow the required port(s). Or just allow all incoming traffic to it and use the server's firewall. It depends on your needs.
@Sob, OK, I hope I understood…
So how do I set up an IPv6 rule to make my FTP server available through IPv6 from outside…? E.g. I'm outside (my test server is outside) and type ftp "my ipv6" and enter on the console.
And is there any "good" setup to make traffic from inside to outside, on MikroTik, that allows anything from the inside subnets to outside (internet) but doesn't allow anything from outside to inside if not needed… Like the known default on Linux:
input default drop
forward default drop
output default accept
In WinBox are there any tools or functions or graphs which show that maybe something weird is running in the config, maybe someone is inside or something?
It depends. If you have a public anonymous-only FTP server without encryption, then you only need to allow the control connection (port 21) and the rule accepting related connections will take care of the rest.
If you have an FTP server with different user accounts, then you want encryption, otherwise passwords are sent in clear text and that's not a good idea. But when you have encryption, the shortcut with related connections no longer works. And since the general idea for default IPv6 setups is to deny incoming connections (and clients are likely to have that), you need passive mode and basically treat the IPv6 FTP server the same way as an FTP server behind IPv4 NAT. So allow the control connection (port 21), set a fixed range for passive ports in the server and allow those through the firewall.
RouterOS does not allow setting a default policy for chains. But it can be easily solved: just add an unconditional drop rule as the very last rule in each chain.
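As an added example (not from the thread), an IPv6 filter that puts the advice from the posts above together: there is no NAT, so the FTP server's global address is allowed directly; port 21 plus a fixed passive range are opened, because with FTPS the related-connection shortcut cannot see the PASV negotiation; and, since RouterOS has no per-chain default policy, the input and forward chains each end with an unconditional drop while output is simply left without rules, which gives the input=drop / forward=drop / output=accept behaviour asked about earlier. The server address 2001:db8:5::21 and the passive range 50000-50100 are assumptions; the range must match what is configured in the FTP server itself.

```routeros
# Added example, not from the thread.
# Assumptions: FTP server at 2001:db8:5::21, passive ports 50000-50100 set in the FTP server config

/ipv6 firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related comment="replies"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmpv6 comment="neighbor discovery, RA, PMTUD: IPv6 does not work without it"
add chain=input action=accept in-interface=ether4 comment="router management only from the office LAN"
add chain=input action=drop comment="default deny for input"

# --- forward chain: traffic passing through the router ---
add chain=forward action=accept connection-state=established,related comment="replies"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept protocol=icmpv6 comment="keep PMTUD working for forwarded traffic"
# FTP server: control connection and the fixed passive data range, nothing else from the WAN
add chain=forward action=accept in-interface=ether1 dst-address=2001:db8:5::21/128 protocol=tcp dst-port=21 comment="FTP control"
add chain=forward action=accept in-interface=ether1 dst-address=2001:db8:5::21/128 protocol=tcp dst-port=50000-50100 comment="FTP passive data"
# Inside -> internet for every LAN. Inter-LAN rules (office -> customer etc.) follow the same
# pattern as the IPv4 rules and belong here, before the final drop.
add chain=forward action=accept in-interface=!ether1 out-interface=ether1 comment="LANs -> WAN"
add chain=forward action=drop comment="default deny for forward"

# --- output chain: intentionally empty, so everything the router itself sends is accepted ---
```

For the unencrypted anonymous case described above only the port 21 rule is needed; the passive-range rule is what replaces the related shortcut once TLS hides the PORT/PASV exchange from connection tracking. Do not drop ICMPv6 wholesale to "harden" the input chain: neighbor discovery and router advertisements arrive over it, and without them the LAN hosts lose their addresses and routes.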