Firewall rules - more elegant solution?

Hi guys. Firstly, thanks to all of you who give back to this forum and make it an awesome resource of knowledge. I’ve spent a great deal of time reading up on how to separate my networks so that my wifi users cannot access my LAN, etc.

After having configured almost everything, I have come to the point where I would like to allow certain users/IPs/MACs through the firewall to the LAN for printing and file-sharing purposes. I’m toying with doing this at a MAC level for added security, but if IP filtering makes more sense (and I’m using static DHCP assignments via MAC), then I’m fine with that. In short, I have the following config:

/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-gateway
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment=WiFi
set [ find default-name=ether4 ] comment="Living Room"
set [ find default-name=ether5 ] comment=Jenn
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local

/ip address
add address=10.x.x.254/24 comment=LAN interface=ether2 network=10.x.x.x
add address=192.168.x.1/24 comment=WiFi interface=ether3 network=192.168.x.0
add address=192.168.xx.1/24 comment=LivingRoom interface=ether4 network=192.168.xx.0
add address=192.168.xxx.1/24 comment=Jenn interface=ether5 network=192.168.xxx.0

I also have DHCP servers on all interfaces and the following NAT rule which captures traffic from all networks and masquerades it.

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0

I then have the following firewall rules enabled for blocking traffic between networks and allowing only specific hosts/MACs:

/ip firewall filter
add chain=forward comment="Macbook Allow to LAN" dst-address=10.x.x.x/24 src-mac-address=3C:xx:C2:E1:xx:B8
add chain=forward comment="LAN allow to other networks (also passes return traffic)" dst-address-list=local-networks src-address=10.x.x.x/24
add action=drop chain=forward comment="block traffic between local networks" dst-address-list=local-networks src-address-list=local-networks

/ip firewall address-list
add address=192.168.x.0/24 list=local-networks
add address=192.168.xx.0/24 list=local-networks
add address=192.168.xxx.0/24 list=local-networks
add address=10.x.x.x/24 list=local-networks

My primary goal for this post is to ask if there is another solution for allowing traffic to and fro between the networks. I’m basically blocking based on source and destination IP, and then I have a blanket allow rule for the 10.x.x.x network allowing it full access to the other networks (which is fine, as that’s my personal zone), and this seems required for return traffic in order for the Macbook Allow to LAN rule to function.

Is there another way to achieve this with a single rule, or are you guys also placing a full allow rule for return traffic after the block rule?
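The reason the blanket LAN allow rule is needed in the ruleset above is that the forward chain is evaluated per packet, and the reply packets from the LAN host carry the LAN host's source MAC and source address, so they never match the Macbook rule. RouterOS connection tracking solves this: accept packets belonging to an already-tracked connection first, then apply the MAC/IP policy only to new connections, and the return traffic is covered without a separate allow rule. The following is an added example written for this thread, not the original poster's configuration; it reuses the interface names, the redacted addresses, the local-networks address list and the redacted MAC from the post, and assumes the same forward-chain layout.

```routeros
# Added example (not the OP's config): a stateful forward chain.
# Rule order matters; RouterOS evaluates top to bottom and stops at the first match.
/ip firewall filter

# 1. Reply and related packets of any connection that was already accepted.
#    This is what carries the LAN -> Macbook return traffic, so no blanket
#    LAN allow rule is needed for that purpose.
add chain=forward comment="allow established/related" connection-state=established,related action=accept

# 2. Packets that belong to no tracked connection (bad TCP state, stray replies).
add chain=forward comment="drop invalid" connection-state=invalid action=drop

# 3. Policy for NEW connections only. The MAC matcher is only meaningful on the
#    interface where the router receives the frame directly, and a MAC is easy to
#    change, so the dst-address restriction is kept alongside it.
add chain=forward comment="Macbook Allow to LAN (new connections)" connection-state=new src-mac-address=3C:xx:C2:E1:xx:B8 dst-address=10.x.x.x/24 action=accept

# 4. Hosts on the personal LAN may open connections to the other networks.
add chain=forward comment="LAN may initiate to other networks" connection-state=new src-address=10.x.x.x/24 dst-address-list=local-networks action=accept

# 5. Everything else between the local networks is dropped. Because of rule 1
#    this no longer catches the replies of connections accepted above.
add chain=forward comment="block traffic between local networks" src-address-list=local-networks dst-address-list=local-networks action=drop
```

With this order, a connection the Macbook opens to a LAN printer is accepted once by rule 3, and every later packet of it in either direction is accepted by rule 1. A LAN host that tries to open a connection to the WiFi segment still falls through to rule 4 (accepted, as the post intends), while WiFi or other guest hosts fall through to rule 5 and are dropped. Checking the counters on rule 1 versus rule 4 after a print job is a quick way to confirm the return traffic is now matched by connection tracking rather than by the broad accept.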

Aside from firewalls, there are a few other things you can use: VLANs, switching and bridging, and also routes. Static routes can be used too. One good thing about bridging is that individual ports can still operate, so you can apply general rules using the bridge and individual rules to each port, but bridging uses the CPU and not the switch chip.