Firewall rules between two LAN help

patrickmkt · August 17, 2012, 5:13am

Hi, I have the following setup:

ether1-gateway : WAN 192.168.1.1/24
ether2-LANA: LAN A 192.168.20.1/24
ether3-LANB: LAN B 192.168.30.1/24

With the default setup, there is no access from the WAN to any LAN, but each LAN can connect to the other LAN or WAN.

Now I want to isolate both LAN:
chain=forward action=drop in-interface=ether2-LANA out-interface=ether3-LANB
chain=forward action=drop in-interface=ether3-LANB out-interface=ether2-LANA

so far, so good.

Now I want to add two servers on LAN A and two servers on LAN B that should be accessible from both LAN

I created the following rules before the previous drop

Address list: listA: server A1, A2; listB: server B1, B2.
chain=forward action=accept dst-address-list=listA in-interface=ether3-LANB out-interface=ether2-LANA
chain=forward action=accept dst-address-list=listB in-interface=ether2-LANA out-interface=ether3-LANB

It doesn’t work unless I’m disabling the drop rule.
I thought that maybe I had to add a return path rule for established & related connections, I then added:

chain=forward action=accept connection-state=established src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
chain=forward action=accept connection-state=related src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
chain=forward action=accept connection-state=established src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA
chain=forward action=accept connection-state=related src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA

but still no joy, the returning packets are still hitting the drop rule.

What am I doing wrong here?

CelticComms · August 17, 2012, 1:57pm

It would be helpful to see the rules in context and in the order in which they are installed - order matters.

I would encourage you to rethink the logic on the forwarding rules. Your last forwarding rule should be a drop all rule. Anything you want to forward should be covered by an accept rule above the “drop all”. In other words forwarding should be the exception and dropping should be the default.

patrickmkt · August 17, 2012, 2:27pm

Ok I was maybe not clear enough in my prose, here’s the order of my rules:

;;; from A to B
     chain=forward action=accept dst-address-list=listB in-interface=ether2-LANA out-interface=ether3-LANB
     chain=forward action=accept connection-state=established src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
     chain=forward action=accept connection-state=related src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
     chain=forward action=drop in-interface=ether2-LANA out-interface=ether3-LANB

;;; from B to A
     chain=forward action=accept dst-address-list=listA in-interface=ether3-LANB out-interface=ether2-LANA
     chain=forward action=accept connection-state=established src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA
     chain=forward action=accept connection-state=related src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA
     chain=forward action=drop in-interface=ether3-LANB out-interface=ether2-LANA

;;; default configuration
     chain=input action=accept protocol=icmp
     chain=input action=accept connection-state=established
     chain=input action=accept connection-state=related
     chain=input action=drop in-interface=ether1-gateway

but when I’m trying to connect to the server from the other LAN, my drop rule block all returning traffic from the server.

patrickmkt · August 26, 2012, 1:00pm

nobody?

Zavi · August 26, 2012, 8:01pm

Is conntrack enabled? It’s required by “established” and “related” rules.

patrickmkt · August 26, 2012, 8:43pm

Yes I just checked.
I’m probably doing something blatantly stupid here but I can’t point my finger on it. Could it be on the established rule? Should the dest and source address been from the inbound point of view or the return path? Maybe I’ve put it the wrong way?
I haven’t found in the wiki any sample examples for this simple configuration: Block all traffic between two LAN except for a server with multiple services.

Zavi · August 26, 2012, 9:18pm

I think i figured it out: you allow established connections, but to establish TCP connection you already need link in both directions.

So i think you should allow all traffic from server to second network, so he can respond and establish the connection, then the established rule isn’t needed.

sirEgghead · August 28, 2012, 4:26pm

/ip firewall address-list add list="servers" address=192.168.20.100
/ip firewall address-list add list="servers" address=192.168.20.101
/ip firewall address-list add list="servers" address=192.168.30.100
/ip firewall address-list add list="servers" address=192.168.30.101


/ip firewall filter add comment="allow servers" disabled=no chain=forward src-address-list="servers" action=allow
/ip firewall filter add disabled=no chain=forward dst-address-list="servers" action=allow

/ip firewall filter add comment="dropLANa-LANb" disabled=no chain=forward in-interface=ether2-LANA out-interface=ether3-LANB action=drop
/ip firewall filter add comment="dropLANb-LANa" disabled=no chain=forward in-interface=ether3-LANB out-interface=ether2-LANA action=drop

Since the “allow servers” rules come first, connections to and from the servers are allowed before the drop rules are even checked. The “established” and “related” are not needed in this case. Simplifies things. You can narrow the server access rules if you like. For instance adding another address list and changing the 2 “allow server” rules would look something like:

/ip firewall address-list add list="LANs" address=192.168.20.0/24
/ip firewall address-list add list="LANs" address=192.168.30.0/24

/ip firewall filter add comment="allow servers" disabled=no chain=forward src-address-list="LANs" dst-address-list="servers" action=allow
/ip firewall filter add chain=forward src-address-list="servers" dst-address-list="LANs" action=allow

Let’s say you want to allow access to your servers to everyone on both LANs except for a computer that is used exclusively for guests. Let’s call this guest computer’s address 192.168.30.200. You can add these 2 drop rules above your existing allow filter rules:

/ip firewall filter add comment="no guest access to server" disabled=no chain=forward src-address=192.168.30.200 dst-address-list="servers" action=drop
/ip firewall filter add disabled=no chain=forward dst-address=192.168.30.200 src-address-list="servers" action=drop

Or you could combine it with your existing filter rules:

/ip firewall filter add comment="allow servers" disabled=no chain=forward src-address-list="LANs" dst-address-list="servers" src-address=!192.168.30.200 action=allow
/ip firewall filter add disabled=no chain=forward src-address-list="servers" dst-address-list="LANs" dst-address=!192.168.30.200 action=allow

I hope this helps!

Thomas

patrickmkt · August 29, 2012, 11:16am

Thanks. makes things a little bit more clear in my head

sirEgghead · August 29, 2012, 1:41pm

Get everything sorted out?

rixon · November 9, 2012, 12:39pm

Hi everyone,

I have three separated LANs, witch are blocked by firewall rules to drop packages between them.
I want to add exception for two servers from two separated LANs, so they can communicate between each other.

Any suggestions?

y0d4 · November 3, 2013, 12:04am

same question here
any help?

CTrain · November 10, 2013, 1:52am

As what has been stated above you will need a rule that allows the servers to communicate with all lans, a rule that allows all lans to communicate with the servers and finally a rule that drops all packets not meeting these rules. the drop rule needs to be last.

y0d4 · November 10, 2013, 3:14pm

i resolve this by:
http://forum.mikrotik.com/t/port-forwarding-by-ip/71189/1