Firewall setup

Dear all,

Can somebody advise me on the firewall setup for my network? At the moment I have none, except the masquerade srcnat on ether1-gateway and one with the VPN as source address (I think added automatically by Quick Setup).

My topology is like this:

My home network is connected to the internet through a ZTE F660 router/modem. Since I also use the home network for cable TV, I cannot put the modem into modem-only mode.
My home network is in the 192.168.1.x subnet.

My MikroTik is connected to port 1 on the modem. I assigned the IP 192.168.1.111 for my modem. My MikroTik is configured only with Quick Setup and is in the 192.168.88.x subnet (MikroTik default).

I set up VPN on my MikroTik and it is already working.

I have a server with IP 192.168.88.211 connected to my MikroTik. With this setup:

  • my server (192.168.88.211) can connect to the internet
  • my server (192.168.88.211) can access another server with IP 192.168.1.90
  • all devices on 192.168.1.x cannot access 192.168.88.x

Now, what I want to do is add firewall rules so that:

  1. my server (192.168.88.211) and all devices on 192.168.88.x cannot access any device on 192.168.1.x, except the modem as the gateway at 192.168.1.1
  2. nobody who connects via VPN is able to reach any device on 192.168.1.x
  3. Any other suggestion?

Thank you in advance.

Kind regards,

Daniel

Winbox > IP > Firewall, add rule.
Chain = forward
out-interface = ether1-gateway
dst-address = 192.168.1.0/24
Action = drop

Move that rule to the top of the rule list. Now 88.0/24 clients can’t connect to 1.0/24 network (including accessing the internet).
So create another rule.
Chain = forward
out-interface = ether1-gateway
dst-address = 192.168.1.1/32
Action = accept

Move that rule above the first rule. Now the 88.0/24 clients can access the modem/router and they should have internet access.

To allow 88.211 to access 1.111:
Create another rule:
Chain = forward
out-interface = ether1-gateway
src-address = 192.168.88.211
dst-address = 192.168.1.111
Action = accept

And again, move that rule above the first rule.

To block 88.0/24 clients from accessing your ISP’s modem/router web admin:
Create another rule:
Chain = forward
out-interface = ether1-gateway
dst-address = 192.168.1.1
protocol = tcp
dst-port = 80
Action = drop

Do the same if your modem listens for HTTPS (443).

These rules will apply to the VPN users as well.
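The same four rules as RouterOS terminal commands, added here as an example and not part of the reply above. It assumes the WAN interface is named ether1-gateway (the Quick Setup default) and that the modem admin drop is placed above the gateway accept, since the forward chain stops at the first matching rule. Each `add` uses `place-before=0`, so the rules are entered bottom-up to end in the order the reply describes.

```routeros
# Added example: the Winbox rules from the reply as RouterOS CLI.
# Assumed: WAN interface is ether1-gateway, LAN is 192.168.88.0/24.
# Every add goes to the top of the chain (place-before=0), so enter them
# in reverse of the final order. Resulting order, first match wins:
#   1. drop   tcp/80,443 to 192.168.1.1   (modem web admin)
#   2. accept 192.168.88.211 -> 192.168.1.111
#   3. accept anything -> 192.168.1.1     (gateway, keeps internet working)
#   4. drop   anything -> 192.168.1.0/24  (rest of the modem side LAN)
/ip firewall filter
add chain=forward out-interface=ether1-gateway dst-address=192.168.1.0/24 action=drop place-before=0 comment="block LAN and VPN -> 192.168.1.0/24"
add chain=forward out-interface=ether1-gateway dst-address=192.168.1.1/32 action=accept place-before=0 comment="allow gateway so internet still works"
add chain=forward out-interface=ether1-gateway src-address=192.168.88.211 dst-address=192.168.1.111 action=accept place-before=0 comment="server -> 192.168.1.111"
add chain=forward out-interface=ether1-gateway dst-address=192.168.1.1 protocol=tcp dst-port=80,443 action=drop place-before=0 comment="no modem web admin from LAN or VPN"
# Check the resulting order; the forward chain is evaluated top to bottom.
print
```

Because the rules match on out-interface in the forward chain, traffic arriving over the VPN and routed towards the modem side is handled the same way as traffic from the 88.0/24 LAN.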