Communication between two subnets

ytrewq · May 23, 2014, 7:30am

Hi.

I have created two subnets, each on a seperate Interface

LAN1: 10.10.1.0/24
LAN2: 10.10.2.0/24

How do I allow communication from LAN1 → LAN2, but drop from LAN2 → LAN1?
I have created Firewall Rules, but can’t seem to figure out what is wrong.

Here is the config:

1  address=10.10.2.1/24 network=10.10.2.0 interface=LAN_2 
     actual-interface=LAN_2 
2   address=10.10.1.1/24 network=10.10.1.0 interface=LAN_1 
     actual-interface=LAN_1 



/ip firewall filter
add chain=forward in-interface=LAN_2 out-interface=LAN_1
add action=drop chain=forward in-interface=LAN_1 out-interface=LAN_2

The ping drops on either side. Can someone help me figure this out?
Thanks in advance.

noib · May 23, 2014, 10:27am

Routing from LAN1 to LAN2 is automatic, you have nothing to do to allow communication (except adding routes to the clients)

Your blocking firewall rule is nice, but it blocks all.. including the response of the ping, that’s probably why you never receive it.
Try to replace by

/ip firewall filter
add action=drop chain=forward in-interface=LAN_1 out-interface=LAN_2 connection-state=new

in order to block only the new connections from LAN1 to LAN2

Rudios · May 23, 2014, 3:09pm

In proper firewall setup there is a drop rule at the end. So create two rules. One for allowing lan2 to lan1, and create a rile the other way around with connection-state=established for returning traffic.