Firewall rules - Isolating two networks

Hello masters of Mikrotik,

Please, I would like to be advised.

Having two networks 192.168.2.0/24 and 192.168.20.0/24.

I would like to have those networks isolated as I run some virtuals on the 20.0/24 network.


BUT in some cases I need to access from 192.168.2.17 to 192.168.20.200:8006.

Here are my rules:

11 chain=forward action=accept protocol=tcp dst-address=192.168.20.200
dst-port=8006 log=yes log-prefix=""

12 chain=forward action=drop src-address=192.168.2.0/24
dst-address=192.168.20.0/24 log=yes log-prefix=""

13 chain=forward action=drop src-address=192.168.20.0/24
dst-address=192.168.2.0/24 log=yes log-prefix=""

But it's not working. I suppose the reason is that when 20.200 is trying to reply to the "initiation" port it's being dropped. What is the best practice to keep this working?

Thanks!

One of the default firewall filter rules is similar to this:

add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked

And it’s placed very high in the forward chain. This rule takes care of all packets which belong to already established connections (including return packets) so subsequent rules only deal with packets which are establishing new connections.

I can see the rule you mentioned, but for the input chain. Shall I create the same for forward?

Connection state: "established", "related"? Anything else? There is also a "new".

Thank you.

You need it for chain=forward … and connection-state at least "established,related" … untracked most often doesn't hurt (but doesn't help in your particular case either). But most definitely not "new"; you're trying to block new connections by using your rules. And push this new rule high on the list of rules for chain=forward, definitely above the rules which will selectively block traffic between both subnets.
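Added example (my own, not code from the thread or from MikroTik) that replays what the two replies above describe. It is a toy model of the forward chain with connection tracking, not RouterOS itself: rules are written in the same "add key=value" style as the thread, matched top to bottom, first match wins, and a packet matching no rule is accepted (RouterOS's default). The host 192.168.20.5 and the source ports are constructed values. The four rule sets show the poster's original rules (reply to the VM host dropped by rule 13), the recommended established/related rule placed first (reply accepted, new connections from the VM subnet still dropped), the same rule placed last (no help, because rule 13 fires first), and the rule with "new" added (isolation gone).

```python
"""Toy model of a RouterOS 'forward' filter chain plus connection tracking.

Hypothetical example: rule syntax mimics RouterOS 'add key=value' lines, but
the evaluator is a simplified stand-in, not RouterOS. First matching rule
decides; a packet matching no rule is accepted, as RouterOS does by default.
"""
import ipaddress
import shlex

# The poster's three rules (log options dropped), as constructed input.
RULES_BROKEN = """
add chain=forward action=accept protocol=tcp dst-address=192.168.20.200 dst-port=8006
add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.20.0/24
add chain=forward action=drop src-address=192.168.20.0/24 dst-address=192.168.2.0/24
"""

# The suggested fix: accept established/related traffic ABOVE the drop rules.
RULE_ESTABLISHED = "add chain=forward action=accept connection-state=established,related,untracked\n"
RULES_FIXED = RULE_ESTABLISHED + RULES_BROKEN

# Two ways to get it wrong: the same rule placed last, and the rule with "new" added.
RULES_MISPLACED = RULES_BROKEN + RULE_ESTABLISHED
RULES_WITH_NEW = RULE_ESTABLISHED.replace("untracked", "untracked,new") + RULES_BROKEN


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; blank lines are ignored."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def in_net(addr, spec):
    """True if addr lies inside spec (a single host address or a CIDR prefix)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def packet(src, sport, dst, dport, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


def matches(rule, pkt, state):
    """Every matcher present in the rule must hold for the rule to fire."""
    checks = {
        "protocol": lambda v: pkt["proto"] == v,
        "src-address": lambda v: in_net(pkt["src"], v),
        "dst-address": lambda v: in_net(pkt["dst"], v),
        "dst-port": lambda v: pkt["dport"] == int(v),
        "connection-state": lambda v: state in v.split(","),
    }
    return all(check(rule[key]) for key, check in checks.items() if key in rule)


class ForwardChain:
    def __init__(self, rules_text):
        self.rules = [r for r in parse_rules(rules_text) if r.get("chain") == "forward"]
        self.conntrack = set()  # 5-tuples of connections that were accepted as "new"

    def state_of(self, pkt):
        """'established' if either direction of this flow was accepted before."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        reply = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        return "established" if key in self.conntrack or reply in self.conntrack else "new"

    def forward(self, pkt):
        state = self.state_of(pkt)
        verdict = "accept"  # no rule matched: accepted by default
        for rule in self.rules:
            if matches(rule, pkt, state):
                verdict = rule["action"]
                break
        if verdict == "accept" and state == "new":
            self.conntrack.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"]))
        return verdict


def run_scenario(rules_text):
    """Replay the thread's exchange: SYN from 2.17 to the VM host on 8006, the
    host's reply, then a fresh connection attempted from the VM subnet.
    Returns the three verdicts in that order."""
    fw = ForwardChain(rules_text)
    syn = packet("192.168.2.17", 51000, "192.168.20.200", 8006)
    syn_ack = packet("192.168.20.200", 8006, "192.168.2.17", 51000)
    from_vm = packet("192.168.20.5", 40000, "192.168.2.17", 22)  # constructed host
    return [fw.forward(syn), fw.forward(syn_ack), fw.forward(from_vm)]


if __name__ == "__main__":
    for name, rules in [("broken", RULES_BROKEN), ("fixed", RULES_FIXED),
                        ("misplaced", RULES_MISPLACED), ("with-new", RULES_WITH_NEW)]:
        print(f"{name:10s} -> {run_scenario(rules)}")
```

Running it prints the verdicts for all four rule sets; only the "fixed" ordering both lets the reply through and keeps the VM subnet from opening connections toward 192.168.2.0/24.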

Thank you friend. It works!