Controlling traffic between two connected subnets

I want to separate two subnets on the same router in a way that I can connect from subnet A to subnet B, but not from subnet B to subnet A.

I have blocked traffic A -> B

I have blocked traffic B -> A

I have created a NAT for all traffic that wants to go out through the interface behind which Subnet B is. Of course, this does not work, so I wonder why?



/ip pool
add name=dhcp_pool0 ranges=10.100.100.1-10.100.100.253
add name=dhcp_pool1 ranges=192.168.100.1-192.168.100.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether3 name=dhcp1
add address-pool=dhcp_pool1 interface=ether5 name=dhcp2
/ip address
add address=10.100.100.254/24 interface=ether3 network=10.100.100.0
add address=192.168.100.254/24 interface=ether5 network=192.168.100.0
/ip dhcp-client
add interface=ether1 name=client1
/ip dhcp-server network
add address=10.100.100.0/24 dns-none=yes gateway=10.100.100.254
add address=192.168.100.0/24 dns-none=yes gateway=192.168.100.254

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

//this part is relevant

/ip firewall filter
add action=drop chain=forward dst-address=192.168.100.0/24 src-address=10.100.100.0/24
add action=drop chain=forward disabled=yes dst-address=10.100.100.0/24 src-address=192.168.100.0/24
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 src-address=10.100.100.0/24
or
add action=masquerade chain=srcnat out-interface=ether5


So if either or both forward drop rules are enabled - the traffic between subnets - STOPS

If either of the masquerade rules is enabled, the traffic from 10... to 192... does not start

This makes traffic from 10.100.100.0/24 (i.e. 10.100.100.1) go to 192.168.100.0/24 changing its source address to 192.168.100.254. So the rule …

should be

or put the rule in raw:

Edit: typo on IP address

why did you remove the default firewall rules?

Two things need to be considered:

  1. Generally, even if this isn't entirely the case, only TCP should be used, not the rest, since all non-TCP packets would be blocked regardless, because any non-TCP responses wouldn't be part of an already open connection...
  2. Do you want B to understand which A is contacting it, or do you want to mask the entire As as a router, so that B doesn't understand which A is purposely contacting it?

I don't understand the question....

if I contact a host on network B from network A through NAT, how could the host on network B know who is hiding behind the NAT?

what default firewall rules??

do you think that's why this doesn't work?

Because, there are no other rules and that is highly unusual.

Again, do you think that is the problem and the reason why this does not work?

No… remains the same…

full config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, dhcp lease lists)

And if helpful a network diagram including type of ISP connection (static, dynamic, public or private IP etc.)

You'll need a rule that accepts forwarding for packets with connection state established or related (and also untracked, to follow the defconf firewall) first. This rule should be placed above the other drop rules in the forward chain.

/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked

Communication is two-way. You want A to connect to B, but not B to A, so you instinctively added the forward drop rule from B to A. However, don't forget that when A connects to B, it also wants to receive the answers that B sends back to it. If you immediately block all packets from B to A, then these answers will never arrive.

That's why you need the established,related rule placed in front. Its purpose is to catch those response packets that B sent back to A and allow them before the drop rules below block them.


Here you can find the MikroTik default firewall rules used on their home router, which is a sane and safe configuration:

Implement those rules (don't forget the interface lists, add ether3 and ether5 to LAN and ether1 to WAN), THEN add the

/ip firewall filter
add action=drop chain=forward dst-address=192.168.100.0/24 src-address=10.100.100.0/24

at the bottom to achieve what you need.
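A complete forward chain in the order the replies above describe, written as an added example (it is not config from any poster in this thread); it assumes the interface names, subnets and the WAN/LAN interface-list names from the original post and the defconf-style rules the reply refers to:

```routeros
# Interface lists as used by the default (defconf) firewall.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether3 list=LAN
add interface=ether5 list=LAN

/ip firewall filter
# 1. Packets belonging to already-tracked connections pass first, so the
#    replies 10.100.100.0/24 sends back to 192.168.100.0/24 are accepted
#    before any drop rule below can see them.
add action=accept chain=forward comment="allow established/related/untracked" \
    connection-state=established,related,untracked
# 2. Drop what conntrack cannot associate with a valid connection (defconf).
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# 3. Keep unsolicited WAN traffic out unless a dst-nat rule opened it (defconf).
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# 4. Only NEW connections reach this point. Block those that originate in
#    10.100.100.0/24 (ether3) toward 192.168.100.0/24 (ether5); the reverse
#    direction, and its replies, are still allowed by rules 1 and the default accept.
add action=drop chain=forward comment="no new connections 10.x -> 192.x" \
    connection-state=new dst-address=192.168.100.0/24 src-address=10.100.100.0/24

# Source NAT only toward the Internet; no masquerade between the LANs,
# so filter rules still see the original LAN source addresses.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

# Checks: rule hit counters and the tracked connections between the subnets.
/ip firewall filter print stats
/ip firewall connection print where src-address~"^192.168.100." && dst-address~"^10.100.100."
```

After a host in 192.168.100.0/24 opens a connection to one in 10.100.100.0/24, the counter of rule 1 should increase with every reply packet while rule 4 stays at zero; a connection attempt in the other direction increments rule 4 only.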

I don't think that's the case. The masquerade rule is a SRCNAT rule that happens after filter. See The ultimate Mikrotik iptables flowchart. When you properly apply the accept established,related rule first, then the other filter rules normally only affect packets in connection-state=new, which means before SRCNAT masquerade. Which means the src-address is still the original one.

It's different when the NAT rule is a DSTNAT rule, because DSTNAT is in prerouting and comes before filter.

So, when the filter rules are reached, the destination address already changed.

Correct, my mistake.

I have already posted the full configuration in my original post…

That is exactly what I was afraid of…

..because configuration cannot be simpler and it still does not work..

So it is probably best to solve it by allowing and dropping connections by type (related, established, new…)

Thanks

Thanks!

If you have made any changes to the config since the original post, it is not the same config and thus always ask for the latest rendition. It seems once again people making changes or deviating from the default rules without knowing what they do/how they work, leads to issues.

to my original question you asked 5 new ones!

…none related to the solution, but to spend a little time and not only for yourself…

In the meantime (while you were spamming the forum) we came to a result and a solution, for which I thank people with a constructive approach...

greeting

Glad you learned something and issue is resolved! The fact that it took so many posts was due to the lack of information you provided in the first place besides your ‘special’ changes to default config that cocked things up. It is actually arrogant if you have an issue which you cannot solve, magically then know which parts of the config we need to see.

The fact that it took so long is not a fact at all.

It took a long time and unnecessarily with you who did not contribute in any way to the solution. I will repeat once again, IN THE ORIGINAL POST IS THE WHOLE AND COMPLETE ROUTER CONFIGURATION and there is no arrogance in it, you are just a little curious snoop who I see in the thread of every post but with very little useful contribution.

The people who wanted to help - I thank them once again - immediately understood what it was about without asking questions or setting conditions.

Please get off my case and let us part in peace..

Get a life