Let’s say I have two networks: Computer LAN, 10.10.1.1/24 on ether1 and Camera LAN, 10.10.2.1/24 on ether2
I want to create a firewall rule that only allows traffic from 10.10.2.0/24 (ether2) to 10.10.1.0/24 (ether1) after a connection from ether1 has been initiated to ether2
Another way to say it is that I only want traffic from a camera on ether2 to be allowed to ether1 after a computer on ether1 initiates a connection.
I believe the firewall automatically does connection tracking for srcnat. How would it be implemented without NAT?
That’s just for the two interfaces you mentioned. If it’s a router connected to the internet, you’d also want to allow at least access from computers to the internet, maybe some limited access from cameras to the internet, or forwarded ports, if you have any.
Thanks for that. I believe it’s the established state that allows this. From the MikroTik wiki:
ESTABLISHED - The ESTABLISHED state has seen traffic in both directions and will then continuously match those packets. ESTABLISHED connections are fairly easy to understand. The only requirement to get into an ESTABLISHED state is that one host sends a packet and that it, later on, gets a reply from the other host. The NEW state will, upon receipt of the reply packet to or through the firewall, change to the ESTABLISHED state.
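A RouterOS filter rule set for the two-LAN layout described in the question, added here as an example (not configuration posted by anyone in the thread). It relies only on connection tracking, which runs independently of NAT, and assumes ether1/ether2 with the addresses given above and no internet uplink.

```routeros
# Added example, not from the thread. ether1 = 10.10.1.0/24 (computers),
# ether2 = 10.10.2.0/24 (cameras). Connection tracking does not depend on
# srcnat, so these rules work with no NAT configured at all.
/ip firewall filter
# Accept packets belonging to a connection conntrack already knows about.
# This is what lets camera replies reach a computer once the computer's
# first packet moved the entry from NEW to ESTABLISHED.
add chain=forward connection-state=established,related action=accept \
    comment="replies for already tracked connections"
# Discard packets conntrack cannot match to any connection.
add chain=forward connection-state=invalid action=drop \
    comment="untracked or malformed"
# Computers may open new connections toward the cameras.
add chain=forward in-interface=ether1 out-interface=ether2 \
    src-address=10.10.1.0/24 dst-address=10.10.2.0/24 \
    connection-state=new action=accept \
    comment="computers may initiate to cameras"
# Everything else from the camera LAN toward the computer LAN is dropped
# and logged, so a camera can never be the side that initiates.
add chain=forward in-interface=ether2 out-interface=ether1 action=drop \
    log=yes log-prefix="cam->pc blocked" \
    comment="cameras may not initiate"
```

To confirm the behaviour, open a session from a computer to a camera and check `/ip firewall connection print` for the tracked entry; a camera trying to reach a computer on its own should instead produce "cam->pc blocked" entries in `/log print`.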