Firewall Assistance

All -

I have a fairly large network consisting of 26 Mikrotik routers, predominantly RB1200s.

Not going to use real IPs below…

Overview

Each router has a 1.1.x.x/22 subnet off it and then we do 2.2.2.x/29 backhaul links off other interfaces and run OSPF. Some sites have redundancy, some do not. I have multiple OSPF areas and run multiple instances.

All the 1.1.x.x/22 subnets consist of customer UBNT devices. Customer routers pull a 1.1.x.x address from the local router at the site they are subscribed from.

The 1.1.x.x/22 traffic works its way back to a core Cloud Core router in our backbone area where it is NAT’d out to the internet.

Question

I’m looking to build firewall rules that allow all our administrative traffic from 3.3.3.x/24 to get to everything. But I want to ensure that each router at each site doesn’t allow 1.1.x.x/22 traffic from other sites.

I’m looking for any ideas or suggestions.

Thanks,
Scott

So, do a simple “dst-address=3.3.3.0/24, action=accept” and put in other rules to accept whatever else you do want to accept, then at the bottom, put a deny all rule.
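As an added worked example, not from either poster, here is one way to express that design in RouterOS firewall syntax for a single site router. It assumes the site's own customer block is 1.1.4.0/22 (a made-up value; each router gets its own /22), that all customer blocks across sites fall inside 1.1.0.0/16, and that administrative traffic originates from 3.3.3.0/24, so the admin match is on source address (the question describes admin traffic coming *from* that range). Address lists carry the site-specific values so the same rule set can be pasted onto every router with only the local list changed.

```routeros
# Site-specific and network-wide address lists.
# Only "customers-local" changes from router to router.
/ip firewall address-list
add list=admin address=3.3.3.0/24 comment="management hosts (assumed range)"
add list=customers-all address=1.1.0.0/16 comment="every site's customer /22 lives inside this"
add list=customers-local address=1.1.4.0/22 comment="THIS site's customer /22 (example value)"

/ip firewall filter
# ---- input: traffic addressed to the router itself ----
add chain=input connection-state=established,related action=accept \
    comment="replies to sessions the router started"
add chain=input connection-state=invalid action=drop
add chain=input src-address-list=admin action=accept \
    comment="admin range reaches every router"
add chain=input protocol=ospf action=accept \
    comment="OSPF from backhaul neighbours (tighten to backhaul interfaces if desired)"
add chain=input src-address-list=customers-all action=drop \
    comment="customers never talk to the router itself"
add chain=input action=log log-prefix="input-drop " comment="see what the default deny catches"
add chain=input action=drop comment="default deny"

# ---- forward: traffic transiting this router ----
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address-list=admin action=accept \
    comment="admin range reaches everything, including customer CPE"
add chain=forward src-address-list=customers-all dst-address-list=customers-all action=drop \
    comment="no customer-to-customer traffic between sites through this router"
add chain=forward src-address-list=customers-all action=accept \
    comment="customers (local or transiting from other sites) out towards the core/NAT"
add chain=forward action=log log-prefix="forward-drop "
add chain=forward action=drop comment="default deny"
```

Rules are evaluated top down, so the admin accept must sit above the customer drop, and the customer-to-customer drop must sit above the generic customer accept; reordering them silently changes the policy. The cross-site drop matches source and destination against the whole 1.1.0.0/16 list rather than just the local /22, so it also blocks site A to site C traffic that merely transits this router on a redundant path. Apply the changes from a host in the admin range with RouterOS safe mode enabled in the terminal, so a mistake in the input chain is rolled back automatically instead of locking you out, and watch the two log rules for a while before trusting the default deny.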