drop forward between 5 subnets

sarenos · October 30, 2017, 7:37pm

HI, I have 5 subnets in the same interface, and I need to drop traffic between them. I have the option of doing drop forward between one another subnet for example
0 chain=forward action=drop src-address=192.168.1.0/24
dst-address=192.168.2.0/24 log=no log-prefix=“”

1 chain=forward action=drop src-address=192.168.2.0/24
dst-address=192.168.1.0/24 log=no log-prefix=“”
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24
192.168.5.0/24

Is there any simple configuration, for dropping all subnets between them, but not doing all the combinations manually, by address list or something like that?

Anumrak · October 31, 2017, 6:28pm

Maybe like this:
ip fire fil
add action=drop chain=forward dst-address=192.168.0.0/21 src-address=
192.168.0.0/21
This will block the batch from 192.168.0.0 to 192.168.7.254 in both directions, because whoever request a connection, other host have to reply.

eXS · October 31, 2017, 8:00pm

Does this not also block traffic between their own subnets? such as 192.168.1.0/24 communicating with 192.168.1.1 ?

Anumrak · November 1, 2017, 11:24am

If 192.168.1.1 is router itself, then not, because it should be input chain.