Firewall rules RB751 v5.23 to separate/isolate 3 subnets

Hello all, really easy for everyone but me, I guess :confused:

How do I have to set the firewall when I have 3 subnets?

192.168.0.0/24 (LAN)
10.0.0.0/24 (vpn)
10.5.50.0/24 (hotspot)

I want the hotspot subnet to not see the other subnets, so hotspot users only get to the internet and don't see or get anything else.
And of course the other 2 subnets also must not see or get anything from the hotspot subnet.

I have given the ether1 interface a 192.168.0.0/24 address.

/ip firewall filter
add action=drop chain=output comment="place hotspot rules here" disabled=yes dst-address=10.0.0.0/24 src-address=10.0.0.0/24
add action=drop chain=output disabled=yes dst-address=192.168.0.0/24 src-address=192.168.0.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=yes dst-address=!192.168.0.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no src-address=10.5.50.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no


ANY help or suggestion or idea is highly welcome!

Use filters (in IP Firewall) in the forwarding chain to determine which paths are permitted and drop the remaining denied paths.

I have done that in

Filter Rules:

add action=drop chain=forward disabled=no src-address=10.0.0.0/24
add action=drop chain=forward disabled=no src-address=192.168.0.0/24

And that in the

NAT:

add action=masquerade chain=srcnat disabled=no src-address=10.5.50.0/24

Works fine now!
Thanks for the hint!

I was confused with all the options I have here; I was used to the simple 'allow'/'deny' options :slight_smile:
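As an added illustration of the forward-chain approach suggested in this thread (this is not anyone's posted config and not MikroTik code), the script below is a simplified, stateless first-match model of a RouterOS forward chain. The rule set it evaluates drops hotspot-to-LAN/VPN and LAN/VPN-to-hotspot traffic and relies on RouterOS accepting whatever no filter rule matched, so every subnet still reaches the internet through the srcnat masquerade. The equivalent `/ip firewall filter` and `/ip firewall address-list` lines are given as comments; the host addresses, the `protected` list name and the TEST-NET-3 internet address are constructed for the example.

```python
"""Stateless first-match model of a RouterOS forward chain (added example)."""
from ipaddress import ip_address, ip_network

# The three subnets from the original post.
LAN = ip_network("192.168.0.0/24")
VPN = ip_network("10.0.0.0/24")
HOTSPOT = ip_network("10.5.50.0/24")

# Equivalent of (list name is an assumption of this example):
#   /ip firewall address-list add list=protected address=192.168.0.0/24
#   /ip firewall address-list add list=protected address=10.0.0.0/24
ADDRESS_LISTS = {"protected": [LAN, VPN]}

# Ordered forward-chain rules. Each entry mirrors one
# "/ip firewall filter add chain=forward ..." line shown in its comment.
# An absent matcher field matches anything, as in RouterOS.
FORWARD_RULES = [
    # add chain=forward action=drop src-address=10.5.50.0/24 dst-address-list=protected
    {"action": "drop", "src_address": HOTSPOT, "dst_address_list": "protected",
     "comment": "hotspot clients cannot reach LAN or VPN"},
    # add chain=forward action=drop src-address-list=protected dst-address=10.5.50.0/24
    {"action": "drop", "src_address_list": "protected", "dst_address": HOTSPOT,
     "comment": "LAN and VPN hosts cannot reach hotspot clients"},
    # Nothing else: traffic that matches no rule is accepted by RouterOS,
    # so each subnet still gets to the internet via the srcnat masquerade.
]


def _in_list(addr, list_name):
    """True if addr falls in any network of the named address list."""
    return any(addr in net for net in ADDRESS_LISTS[list_name])


def _matches(rule, src, dst):
    """Every matcher present in the rule must match; absent matchers match all."""
    if "src_address" in rule and src not in rule["src_address"]:
        return False
    if "dst_address" in rule and dst not in rule["dst_address"]:
        return False
    if "src_address_list" in rule and not _in_list(src, rule["src_address_list"]):
        return False
    if "dst_address_list" in rule and not _in_list(dst, rule["dst_address_list"]):
        return False
    return True


def forward_decision(src_ip, dst_ip, rules=FORWARD_RULES):
    """Return 'drop' or 'accept' for a routed packet; first matching rule wins."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if _matches(rule, src, dst):
            return rule["action"]
    return "accept"  # RouterOS default when no filter rule in the chain matched


def isolation_report(rules=FORWARD_RULES):
    """Decision for one constructed host per subnet toward every other place."""
    sources = {"LAN": "192.168.0.10", "VPN": "10.0.0.10", "hotspot": "10.5.50.10"}
    destinations = dict(sources, internet="203.0.113.5")  # constructed TEST-NET-3 host
    return {f"{a}->{b}": forward_decision(sources[a], destinations[b], rules)
            for a in sources for b in destinations if a != b}


if __name__ == "__main__":
    for path, verdict in isolation_report().items():
        print(f"{path:20} {verdict}")
```

Run it to see each path's verdict; the only drops are the four hotspot-related paths, while LAN->internet, VPN->internet and hotspot->internet remain accepted. Rule order matters in a first-match chain, so any rule that drops by source subnet alone must sit after the rules that accept the traffic you still want forwarded.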