I think my understanding of bridges and networks on Mikrotik is flawed and I hope you can help me out. Here is my current setup:
I have this model: RB2011UiAS-2HnD-IN on software version 6.43.11
In my bridge interface I have all ports and wlan, except for ethernet port 9 and 10.
My wlan has network 192.168.88.0/24 with gateway 192.168.88.1, and port 9 has network 10.0.0.0/26 with gateway 10.0.0.1
(There are other virtual wlans as well, but the below applies to all of them so I will try and keep it simplified)
I don't have any custom routes set up. The only routes I have are the ones Mikrotik added by default when I created the networks.
But my question now is: I can ping devices on my 10.0.0.0/26 range from my 192.168.88.1/24 range (and vice versa). I thought that when you take a port out of the bridge and put it on its own network, one would have to set up custom routing if you wanted these networks to be able to talk to one another? Somewhere I must be missing something... please let me know what configs you would like me to export.
Your help, as always, will be greatly appreciated.
It's a router's basic task to route networks. Since it knows where each network is located, it can route between networks. If you want to limit this, you need to add forward rules with drop action.
Upon further reading I think I now understand more how Mikrotik works.
If I add a forward rule blocking from subnet 10.0.0.0/26 to 192.168.88.0/24, I can still telnet to 192.168.88.100:80 from 10.0.0.2. How can I block all traffic from 10.0.0.0/26 going to 192.168.88.0/24? (When I use the input chain, I cannot connect to that IP on port 80 anymore. Is this correct?)
You have to use chain=forward... chain=input deals with connections targeting the router itself. And you need a pair of drop rules, because the replies are treated by the "related" rule after the connections pass the firewall in the forward direction.
Edit: actually this is dependent on rule order. If the drop rule comes before the default "accept related", then a single drop rule effectively takes care of TCP connections in both directions. It doesn't prevent some DoS attack using UDP packets though.
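As an added example (not from any poster in this thread), here is a RouterOS 6.x filter fragment that isolates the two subnets discussed above. It follows the ordering point made in the reply: the drop rules are inserted ahead of the default "accept established,related" rule, so neither side can open a connection to the other. The rule index used for place-before and the interface name ether9 are assumptions; check your own `print` output first.

```routeros
# Added example: block routed (forwarded) traffic between the port-9 subnet
# 10.0.0.0/26 and the bridge/wlan subnet 192.168.88.0/24.
# Assumes the stock RouterOS 6.x firewall, where the forward chain begins with
# an "accept established,related" rule. Verify its index before using place-before.
/ip firewall filter print where chain=forward

# Both directions are dropped so that neither subnet can initiate toward the other.
# Placing them before the established/related accept (assumed index 0 here) means
# even a single direction's rule would stop TCP replies, as noted in the thread,
# but two explicit rules keep the intent readable and order-independent for new flows.
/ip firewall filter add chain=forward place-before=0 action=drop \
    src-address=10.0.0.0/26 dst-address=192.168.88.0/24 \
    log=yes log-prefix="drop-10to88" \
    comment="isolate ether9 subnet from wlan subnet"
/ip firewall filter add chain=forward place-before=0 action=drop \
    src-address=192.168.88.0/24 dst-address=10.0.0.0/26 \
    log=yes log-prefix="drop-88to10" \
    comment="isolate wlan subnet from ether9 subnet"

# Check: counters on the two new rules should increase when a host on
# 10.0.0.0/26 tries to reach 192.168.88.100:80, and the attempt should time out.
/ip firewall filter print stats where chain=forward action=drop
/log print where message~"drop-10to88"
```

The log=yes setting is optional; it gives you a visible record of blocked attempts so you can confirm the rule is matching rather than the traffic silently taking another path.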