I suggest you upgrade RouterOS to 6.11 and the BIOS [firmware] to 3.1x
- It can already do that: if 172.21.16.1 is the right gateway and has internet access, just set DNS. Paste this in the Terminal:
/ip dns
set allow-remote-requests=yes max-udp-packet-size=4096 servers=8.8.8.8,8.8.4.4
- You mean “all the devices on ether3”? Paste this in the Terminal:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=172.18.1.0/27
The devices connected to ether3 must have an IP in the range 172.18.1.2-172.18.1.29, subnet 255.255.255.224 (/27), gateway and DNS 172.18.1.1.
3 and 4) With this configuration, it works this way:
ether3 to internet OK
ether3 to local pc on ether1 OK
ether3 to ether2 OK
ether2 to internet KO
ether2 to one local pc on ether1 OK
ether2 to ether3 OK
ether1 to internet OK
communications started from a local PC on ether1 to ether2 KO (depends on the configuration of 172.21.16.1*)
communications started from a local PC on ether1 to ether3 KO (depends on the configuration of 172.21.16.1*)
- For this to work you must set two routes on the 172.21.16.1 gateway:
destination address 10.0.0.0/24 gateway 172.21.16.72
destination address 172.18.1.0/27 gateway 172.21.16.72
and on the previous NAT rule add dst-address=!172.21.16.0/24
If I have helped you, remember to add Karma!
To control traffic between the subnets/interfaces use filters in the forward chain of IP Firewall.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
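A forward-chain rule set of the kind referred to above, as an added example that is not part of the original thread. The policy is an assumption, as is the mapping of 10.0.0.0/24 to ether2; 172.18.1.0/27 on ether3 and ether1 as the upstream interface come from the thread. The connection-state rules are written one state per rule.

```routeros
/ip firewall filter
# Let reply traffic through for connections an earlier rule already allowed
add chain=forward connection-state=established action=accept comment="allow established"
add chain=forward connection-state=related action=accept comment="allow related"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# ether3 devices (172.18.1.0/27) may open connections towards ether1 / internet
add chain=forward in-interface=ether3 out-interface=ether1 src-address=172.18.1.0/27 action=accept comment="ether3 to upstream"
# Assumed policy: ether2 (assumed 10.0.0.0/24) may open connections to ether3
add chain=forward in-interface=ether2 out-interface=ether3 src-address=10.0.0.0/24 action=accept comment="ether2 to ether3"
# Everything else routed between interfaces is dropped, including new
# connections from ether3 to ether2 and from ether1 into either subnet
add chain=forward action=drop comment="default drop forward"
```

Rules are evaluated top to bottom, so the accept rules must stay above the final drop; the forward chain only covers traffic routed through the router, not access to the router itself.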
rextended,
are you sure about out-interface=ether3? I am thinking about out-interface=ether1
Yes, ether1 is the right ethernet. I have fixed the post, sorry.