Firewall Filter Rule

Hello,

This is my network:

In my adsl modem/router i have put a static route: 10.0.0.0/8, Gateway: 192.168.0.251, LAN.
In Router_A i have put a rule chain=src-nat , src-address=192.168.0.0/24 action=masquarade.

So, i can ping the wlan1 of Router_B from My_PC.

Router_B cannot ping My_PC, but if i put a static route 192.168.0.0/24 Gateway: 10.229.4.253 then it can.

Also, if i give internet to Router_A with static route 0.0.0.0/0 Gateway: 192.168.0.1 and then add a static route in Router_B 0.0.0.0/0 Gateway: 10.229.4.253 the Router_B has internet access from my modem/router.

So, i want to have access in Router_B (and the entire 10.0.0.0/8 network) from my lan 192.168.0.0/24, but i want Router_B (and the entire 10.0.0.0/8 network) not to be able to have access in my private Lan 192.168.0.0/24 and no internet access with static routes.

What should i do for these 2?

I add a new Filter Rule in Router_A chain=forward, Src.Address=10.0.0.0/8, Dst.Address=192.168.0.0/24, action=drop, but then i don’t have access to Router_B neither.

Thank you,
Tasos

So, i want to have access in Router_B (and the entire 10.0.0.0/8 network) from my lan 192.168.0.0/24, but i want Router_B (and the entire 10.0.0.0/8 network) not to be able to have access in my private Lan 192.168.0.0/24 and no internet access with static routes.

That doesn’t make sense as a request. If you want to access to devices within 10/8 they need to be able to send you back reply packets, after all.

Do you want them to just not be able to establish new connections?

Yes probably this is what i want.

I want someone from 10.0.0.0/8 cannot have access (no ping, no http etc.) in my adsl modem/router, my local APs, IP Cameras, cannot see my shared folders and files in local PCs etc.

Thank you for the reply.

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address=192.168.0.0/24 action=accept
add chain=forward action=drop

Of course make sure that this works within your existing firewall rule set if you have one, and make sure all routers involved have routes to all networks - either via static routes, or via a routing protocol.

Thank you fewi, it works!

I can ping Router_B from my PC, but Router_B cannot ping anything in 192.168.0.0/24.

Also with these rules Router_B has no internet access from my adsl modem/router with static routes as i told you before.

PS1. I don’t have any other firewall rules. We are using BGP within the routers.
PS2. Karma added

One more thing.

In ether2 of Router_A i want to connect a device (for example an ftp server) that will have IP 10.229.4.x.

Also in wlan2 i will connect my Router_A with another Router_C and in wlan3 maybe i will have an AP for clients.

In order to make this work, i added on more rule before the last one.

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address=192.168.0.0/24 action=accept
add chain=forward dst-address=10.0.0.0/8 action=accept
add chain=forward action=drop

I connected a laptop in ether2 with IP address 10.229.4.62 for testing and it worked ok.

Edit: I think that in this case i don’t need this rule at all:

/ip firewall filter
add chain=forward src-address=192.168.0.0/24 action=accept

/ip firewall filter
add chain=forward src-address=192.168.0.0/24 action=accept

That lets your local network establish connections to everywhere else. You want that rule to stick around.

Your description of what you’re trying to add to the network is fairly confusing, but just add more firewall filter rules below the connection-state=invalid rule for all networks that are allowed to establish connections to one another, listing either src-address, dst-address, or both.

Ok fewi, now i understand how it works.

Thanks again for your help.

Thanks fewi…