DHCP Server Routing

Hello everybody,

I’m new here and need a little help with my Mikrotik RB750Gr2.

For the construction,

I have one DHCP server per Ethernet port.

Lan 2: 10.20.1/24
Lan 3: 10.30.1/24
Lan 4: 10.40.1/24
Lan 5: 10.50.1/24

My problem is: when I am in LAN 4 with the IP 10.0.40.20/24 and ping 10.0.20.1, it arrives. It should not.

Every DHCP server has to run for itself.

There is no routing. Ports 3-5 are not included in the master port.

Can someone help me? I hope it is understandable.

Greetings,
fuddy

It’s a router - it will happily route between the LANs unless you put in firewall rules to prevent it.


Sent from my Droid Turbo via Tapatalk, so blame any typos or spelling errors on Android

Many thanks for your response.

I’ve already tried that, unfortunately without success.

I proceeded as follows:

  1. Select IP → Firewall
  2. New firewall rule created
  3. Selected for Chain forward
  4. For Src. Address, entered the source IP address (10.0.20.0/24)
  5. For Dst. Address, entered the destination IP address (10.0.30.0/24)
  6. Action drop selected
  7. Save, OK

What did I do wrong?

The forward chain blocks traffic that goes THROUGH the router - not traffic TO the router.
Even though 10.0.40.x is not in the same network as 10.0.20.1, this is still a packet TO the router.
You block such packets using the input chain.

However, I wouldn’t worry about it too much because if you were to put another device on 10.0.20.X network, they cannot ping each other with the firewall rule you created.

If you want all LANs to be isolated, then you can do this easily with just a few rules in the forward chain:

  1. allow connection-state=established,related
  2. allow out-interface=ether1 (I assume that’s your WAN interface)
  3. drop

These 3 simple rules allow any interface to be forwarded if it’s going out towards the Internet, and allow any packet that is a reply to something that has been previously allowed, but drop everything else. So what if customer on ether4 can ping the router’s IP of ether2? That doesn’t break security, really. It will take many rules to block all of those cases as well, and it’s not worth having these rules for something that really doesn’t enhance the security of the router.

Thank you very much. Can you please give me a screenshot of how it looks in the firewall? Then it is easier for me to understand.

:smiley:

Screenshots don’t show everything on one screen, which is why we tend to use the command-line syntax here on the forums - but my examples weren’t exact commands either.

Basically, go into IP firewall and select the filters tab. Then filter your view to show only the forward chain (this is a little drop-down selection at the top-right corner of the firewall tabs).

On all three rules, the chain should remain set to “forward”.
Make sure the first rule has none of the matching criteria active except for “connection state”, where you have activated the checkboxes for established and for related.
The action on this rule should be accept.

The second rule should have only the out-interface=ether1 active, and the action should be accept.

The third rule has nothing active at all anywhere except the chain, and the action. The action should be drop.

Hi ZeroByte,

So it’s not possible to isolate an IP pool from connecting to another IP pool?
For example, I have a range of IPs for my guests, let’s say 192.168.100-192.168.254, and a TV connected to the same router gets the IP 192.168.1.20.
I want to isolate the guest IP pool so they don’t have access to the TV. Is it possible?

What ZeroByte is trying to say is that those forward drop rules will prevent the subnets from talking to one another.
They just will NOT prevent the router from being accessed using the other subnet’s IP.
This should not bother you, since it is actually the same thing as accessing it using the proper subnet’s IP.

So yes, you can isolate your TV using the presented methods.

Thanks ZeroByte for the instructions and support :slight_smile:
Sorry, it does not work. It somehow just won’t.
Would it be possible for someone to connect via remote desktop (TeamViewer) and show me?

That would be helpful.

Thank you very much.

Post your current firewall filters here again:
/ip firewall filter export

And I would like to re-iterate that you WILL be able to ping 10.0.40.1 from 10.0.20.x even with the filter rule. You will NOT be able to ping 10.0.40.2-255 from 10.0.20.x though, so make sure that your testing is not trying to ping 10.0.40.1 but some other device in that subnet.

Hello ZeroByte,
Thank you for your patience. Yes, with the ping I can.

Here are the firewall rules:

add action=accept chain=forward connection-state=established,related
add action=accept chain=forward out-interface=ether1
add action=drop chain=forward

So those are the only 3 rules in your entire firewall filter now? Or just the forward chain?

Anyway:

If you can ping 10.0.20.1 from 10.0.40.20 - don’t worry about this. It’s not a problem.
If you can ping 10.0.20.2-254 from 10.0.40.20 - then you have not posted your entire firewall rules because the connections are blocked by those rules you posted.
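The distinction ZeroByte draws between the input and forward chains, and the three forward rules from earlier in the thread, can be checked offline with a small model of the router’s first-match rule evaluation. This is an added example, not code from the thread or from MikroTik: it assumes the layout the posts describe (ether1 as WAN, ether2 to ether5 carrying 10.0.20.0/24 to 10.0.50.0/24 with .1 on the router), constructs a few sample packets, and also includes one hypothetical input-chain rule to show what blocking the gateway pings would look like in the input chain.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the router in the thread (an assumption, not the poster's
# actual config): ether1 is WAN; ether2..ether5 carry 10.0.20.0/24 .. 10.0.50.0/24
# with the .1 address configured on the router itself.
INTERFACES = {
    "ether1": None,
    "ether2": ipaddress.ip_interface("10.0.20.1/24"),
    "ether3": ipaddress.ip_interface("10.0.30.1/24"),
    "ether4": ipaddress.ip_interface("10.0.40.1/24"),
    "ether5": ipaddress.ip_interface("10.0.50.1/24"),
}
ROUTER_ADDRESSES = {str(i.ip) for i in INTERFACES.values() if i is not None}


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: str
    connection_state: str = "new"   # "new", "established" or "related"


@dataclass
class Rule:
    """One /ip firewall filter rule; a None matcher means 'not active' (greyed out in WinBox)."""
    chain: str
    action: str
    connection_state: Optional[frozenset] = None
    out_interface: Optional[str] = None
    in_interface: Optional[str] = None
    dst_address: Optional[str] = None

    def matches(self, pkt: Packet, out_interface: Optional[str]) -> bool:
        if self.connection_state is not None and pkt.connection_state not in self.connection_state:
            return False
        if self.out_interface is not None and out_interface != self.out_interface:
            return False
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        if self.dst_address is not None and pkt.dst != self.dst_address:
            return False
        return True


# The three forward-chain rules from the thread, in the order they were posted.
FORWARD_RULES = [
    Rule("forward", "accept", connection_state=frozenset({"established", "related"})),
    Rule("forward", "accept", out_interface="ether1"),
    Rule("forward", "drop"),
]


def route(dst: str) -> str:
    """Egress interface: a directly connected subnet wins, otherwise the default route via ether1."""
    addr = ipaddress.ip_address(dst)
    for name, iface in INTERFACES.items():
        if iface is not None and addr in iface.network:
            return name
    return "ether1"


def classify_chain(pkt: Packet) -> str:
    """A packet addressed to any of the router's own IPs hits input; everything else is forward."""
    return "input" if pkt.dst in ROUTER_ADDRESSES else "forward"


def evaluate(pkt: Packet, rules) -> tuple:
    """First matching rule decides; with no matching rule RouterOS accepts the packet."""
    chain = classify_chain(pkt)
    out_interface = None if chain == "input" else route(pkt.dst)
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt, out_interface):
            return chain, rule.action
    return chain, "accept"


# Hypothetical input-chain rule (not from the thread) illustrating that pings to another
# subnet's gateway address are only stoppable in the input chain, one such rule per case.
INPUT_ISOLATION_RULES = [
    Rule("input", "drop", in_interface="ether4", dst_address="10.0.20.1"),
]

if __name__ == "__main__":
    cases = [
        Packet("10.0.40.20", "10.0.20.1", "ether4"),                  # ping to the other LAN's gateway
        Packet("10.0.40.20", "10.0.20.50", "ether4"),                 # ping to a host in the other LAN
        Packet("10.0.40.20", "203.0.113.10", "ether4"),               # outbound to the Internet
        Packet("203.0.113.10", "10.0.40.20", "ether1", "established"), # reply from the Internet
    ]
    for p in cases:
        print(f"{p.src} -> {p.dst}: {evaluate(p, FORWARD_RULES)}")
    print("gateway ping with input rule:", evaluate(cases[0], FORWARD_RULES + INPUT_ISOLATION_RULES))
```

The first case lands in the input chain, where the posted rules do not apply, which is why the gateway stays pingable; the second is forwarded towards ether2, matches neither accept rule and falls through to the drop, which is the behaviour ZeroByte describes for 10.0.20.2-254.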

Yes, these are the only three rules in the firewall.

Yes, I can from the IP 10.0.20.20 to the 10.0.40.2-254.

Unfortunately, I cannot find the error. Could you write me the three rules so I can insert them? Then I could definitely find my mistake.

The rules you posted should be fine. One thing: is ether1 the WAN interface?
The WAN interface is the one which has the public IP address. If you’re using pppoe, then the pppoe1-out interface is the WAN interface, NOT the physical port it lives on.

So rule 2 should say out-interface={your wan interface}.
Rule 3 should have everything greyed out except for chain (forward) and action (drop).

If you can still get from LAN 20 to LAN 40, etc., then execute the commands:
/ip firewall filter export
/ip firewall raw export

and post the results in their entirety.

Yes, the ether1 is the WAN interface. The Internet also works.
All three rules are active in the firewall. Here are the three rules.

/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward out-interface=ether1
add action=drop chain=forward

There is nothing in /ip firewall raw export.

And yes, finally it works. It is wonderful.
Thank you for your patience with me.
I have only one question now. I can ping the gateway 10.0.40.1 from network 20, but no client (10.0.40.125) in this 40 network.
Can one still create a rule?