Hello!
Suggest a tactic to block traffic between subnets!
I have 12 different subnets and without any rules they can communicate with each other! I need no communication between subnets!
Thanks!
This is the idea of how to stop communication, i.e.:
This will stop the 192.168.0.x net from communicating with the 10.0.0.x net:
/ip firewall filter add chain=forward action=drop src-address=192.168.0.0/24 dst-address=10.0.0.0/24
Change the src-address and dst-address around to block the other way if required.
Is it the right move? I would need to write many rules! I have it this way, but I am looking for a shorter (easiest for the hardware) way! I am thinking about creating lists?
Make one list of all subnets (ALL_subnets) and make a rule:
/ip firewall filter add chain=forward action=drop src-address-list=ALL_subnets dst-address-list=ALL_subnets
What about the idea? Does it seem right?
Yeah, try it
and let me know
All works, but I need to test all angles!! Maybe it just seems that it works!
But the primary job is done - subnets can't communicate! Internet works!
best of luck
buddy
Hi Onix,
Blocking by address list is an efficient solution. However, depending on the complexity of your existing network and firewall rules, and how security-minded you are, you may be better off writing rules to:
drop ALL input traffic
drop ALL output traffic
drop ALL forward traffic
I know it seems harsh, but such rules will do the job that you want to get done. Then all you need to do is write allow rules for the good traffic. This will give you a much better grip on what’s coming in and out of your network - because you’ll have to specifically allow it. Again, depending on what you already have in place, this might not be an easy change.
Just thought I would throw the idea out there!
Good luck!
z3r0day
If they are on different physical ports, which is generally a good idea for separate nets or subnets, you can drop traffic between any two interfaces that you want to isolate from each other. This may be more compact than using address lists. For example:
add action=drop chain=forward in-interface=ether2 out-interface=ether3 comment="Isolate port 2 from port 3"
add action=drop chain=forward in-interface=ether3 out-interface=ether2 comment="and port 3 from port 2"
You will need to replace ether2 and ether3 from the example with the appropriate interface names for your router configuration.
Alternately you can allow traffic from each client interface to the uplink interface(s) and drop anything else from that client interface, which may be even more compact.
Hello, could somebody tell me if it is possible to block subnets in only one direction? I mean, if I have subnets “office” and “guest” (two bridges), how can I block traffic from guest to office, but allow traffic if I want to ping some device in the guest subnet from the office subnet?
Hi, the way I do it, I create a rule to allow traffic from guest to office, but check connection state established and related. However, I do not know if there are any caveats with these settings, since I do not care that much in my home setup…
Hello.
I implemented this solution to block traffic between my subnets (I have 6 of them) using address lists, and it works. However, when I try to make an exception rule to allow traffic between a subnet and a specific IP on another subnet, and I put this rule higher in the firewall filter list, it does not work. Thoughts?
/ip firewall filter
add action=accept chain=forward comment="allow serverx from subnet3" dst-address=10.6.0.151 src-address=10.8.0.0/23
add action=drop chain=forward comment="subnets insulation" dst-address-list=Subnets src-address-list=Subnets
/ip firewall address-list
add address=10.5.0.0/24 list=Subnets
add address=10.6.0.0/24 list=Subnets
add address=10.8.0.0/23 list=Subnets
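As an added example (not posted by anyone in this thread), here is the one-way pattern from the "established,related" reply above combined with the address-list drop used in the last post, with the specific exception placed above the drop. The subnet addresses, the list name LAN_subnets and the printer host 10.10.0.50 are constructed for illustration:

```routeros
# Added example, not from any poster in this thread.
# Constructed assumptions: office = 10.10.0.0/24, guest = 10.20.0.0/24,
# lab = 10.30.0.0/24, and one office printer 10.10.0.50 that guests may reach.

/ip firewall address-list
add list=LAN_subnets address=10.10.0.0/24 comment="office (constructed)"
add list=LAN_subnets address=10.20.0.0/24 comment="guest (constructed)"
add list=LAN_subnets address=10.30.0.0/24 comment="lab (constructed)"

/ip firewall filter
# The forward chain is evaluated top-down and the first match wins, so the
# accept rules below only work if they sit above the final drop rule.

# 1) Replies to connections that were already permitted pass in either
#    direction. This is what lets an office ping of a guest host get its echo
#    reply back even though guest->office new connections are blocked below.
add chain=forward action=accept connection-state=established,related \
    comment="replies of permitted connections"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# 2) Targeted exception: guest may open TCP/9100 to one office printer only.
add chain=forward action=accept connection-state=new protocol=tcp \
    src-address=10.20.0.0/24 dst-address=10.10.0.50 dst-port=9100 \
    comment="guest -> office printer (exception, keep above the drop)"

# 3) One-way allowance: office may initiate to guest. No rule lets guest
#    initiate to office, so that direction falls through to the drop.
add chain=forward action=accept connection-state=new \
    src-address=10.10.0.0/24 dst-address=10.20.0.0/24 \
    comment="office may initiate to guest"

# 4) Everything else between LAN subnets is dropped and logged. Traffic to the
#    Internet has a destination outside the list, so it never matches here.
add chain=forward action=drop \
    src-address-list=LAN_subnets dst-address-list=LAN_subnets \
    log=yes log-prefix="subnet-drop" \
    comment="isolate all other inter-subnet traffic"

# Check: packet counters show which rule each test flow actually hit.
/ip firewall filter print stats
```

Test from a guest host that a ping to an office host fails while the printer port is reachable, then from an office host that a ping to a guest host succeeds; the `subnet-drop` entries in the log show what was blocked.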