Firewall on same subnet

Hi,

I have a server on the 192.168.1.0/24 subnet with IP 192.168.1.2, and I want only my PC 192.168.1.10 to be allowed to access the server, but not the other hosts on the same network.

server + my PC + other host → switch → RB1000U → internet

The firewall on the RB1000U will not work if the hosts are on the same subnet, with the rules as below:

ip firewall filter add chain=forward src-address=192.168.1.10 dst-address=192.168.1.2 action=accept
ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.1.2 action=drop

Just wondering, is there any way that I can get this to work?

Thanks.

Put the firewall rule in the server firewall, not the router.

Hi SurferTim,

thanks for your post.

The server is just an example, but what I really want is to limit which particular users can use/access the printer.

The printer doesn't have a firewall.

Is this doable on the router?

Thanks.

You should show your network layout, but the most likely reason that your rules had no effect is that the traffic between the clients and the server is not going through the router. If, for instance, you have a switch on that subnet, the router probably never sees intra-subnet traffic.

Figure a way to get your server/printer on its own routerboard interface or VLAN or subnet or similar so that you can isolate it physically and/or logically and thus control the traffic to/from the device.

The server, your PC and the other host are connected to the switch, so if you use a static IP then the RB can't do anything to you in your local network…
To solve the problem you must use a DHCP server in your RB to control the traffic between the IPs.

If you haven't figured it out on your own by now, put the common devices that you want to restrict (server, printer, etc.) on their own Ethernet interface. Then you can block them with a chain=forward rule.
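The approach described in the two replies above (a separate interface or VLAN for the restricted device, then chain=forward rules), written out as an added RouterOS example that is not from any of the posters. The interface names, the 192.168.2.0/24 printer segment and the 192.168.2.2 printer address are assumptions; the PC address 192.168.1.10 is the one from the original question.

```routeros
# Added example, not from the thread. Assumed layout:
#   ether2 = client LAN, 192.168.1.0/24, admin PC at 192.168.1.10
#   ether3 = printer segment, 192.168.2.0/24, printer at 192.168.2.2
# Because the printer now sits on a different interface and subnet, every
# packet between a client and the printer must cross the router, so the
# forward chain actually sees it (which it never did on the flat switch).

/ip address
add address=192.168.1.1/24 interface=ether2 comment="client LAN"
add address=192.168.2.1/24 interface=ether3 comment="printer segment (assumed)"

/ip firewall filter
# Replies from the printer back to an allowed client ride on the
# connection-tracking state, so the rule set stays one-directional.
add chain=forward connection-state=established,related action=accept \
    comment="return traffic for already-allowed connections"
# Only the admin PC may open connections to the printer.
add chain=forward in-interface=ether2 out-interface=ether3 \
    src-address=192.168.1.10 dst-address=192.168.2.2 action=accept \
    comment="admin PC -> printer"
# Everyone else on the client LAN is dropped, and logged so blocked
# attempts show up in /log print.
add chain=forward in-interface=ether2 out-interface=ether3 \
    dst-address=192.168.2.2 action=drop log=yes log-prefix="printer-deny" \
    comment="all other clients -> printer"

# Verification: the packet/byte counters on the drop rule should climb when a
# non-admin host tries to reach 192.168.2.2, and the log shows the attempts.
/ip firewall filter print stats
/log print where message~"printer-deny"
```

If the printer is instead put on a VLAN (for example a `/interface vlan` on ether2 with the switch port tagged accordingly), the same address and filter rules apply with that VLAN interface in place of ether3.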

DHCP would not help force the traffic to go via the router, in your example.

:unamused: :unamused:

OK, what about the PPPoE server…
The pool will be controlled by the router.

In this respect it would be no different to DHCP. The OP's problem is not to do with IP allocations; it is to do with trying to force the traffic between two devices to go through the router (where it can be firewalled) rather than directly between the two devices (because they are on the same subnet and the traffic can/will flow via the switch).

The best option is a vlan access map on the switch.

I guess if you must use a router then you could bridge ports on the router and connect the printer via that bridged port, you could then control traffic via the bridge…


I agree with you on DHCP but not on PPPoE…

I think it will be controlled by the router only, because the IP is in a PPPoE tunnel.
The switch can't connect them directly without the router, and you can test it by dropping the traffic between the clients in the firewall: you will not even be able to ping them.

Yes, you are right, but I suspect PPPoE is a bit overkill for the OP's situation. :slight_smile: