Firewalling between interfaces

I just set up a routerboard where 5 companies are sharing 1 internet connection. I have created each business a VLAN interface with their own network (natted).

What is the best way to create a firewall rule so each network is protected from each other?


Thank you

http://forum.mikrotik.com/t/let-4-ports-share-the-1-internet-port-but-not-see-each-othr/49486/1

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward out-interface=ether1 action=accept
add chain=forward action=drop



That means, in English:

  1. allow all packets in connections that are already established
  2. allow all packets in connections that are related to already established ones (FTP data, etc.)
  3. drop all invalid packets
  4. allow hosts to establish new connections to hosts behind ether1
  5. drop all packets

This will essentially allow hosts behind ether2-5 to establish connections to the Internet behind ether1, but not to each other.

Same applies to VLAN interfaces.
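An added example, not part of the original posts: a small Python model of first-match evaluation over the five forward rules quoted above, used to check that no tenant pair can open a new connection to each other. The interface names vlan10 to vlan50 and the sample packets are constructed assumptions, and the model only understands exact-match fields.

```python
# Added illustration: first-match evaluation of the forward chain from the thread.
# TENANTS and all sample packets are constructed; they are not from the original posts.
RULESET = """\
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward out-interface=ether1 action=accept
add chain=forward action=drop
"""
TENANTS = ["vlan10", "vlan20", "vlan30", "vlan40", "vlan50"]  # hypothetical names

def parse_rules(text):
    """Turn 'add key=value ...' lines into (matchers, action) pairs, in order."""
    rules = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        fields.pop("chain")
        action = fields.pop("action")
        rules.append((fields, action))
    return rules

def verdict(rules, packet):
    """Return (rule number, action) for the first rule whose matchers all fit."""
    for number, (matchers, action) in enumerate(rules, start=1):
        if all(packet.get(key) == value for key, value in matchers.items()):
            return number, action
    return None, "accept"  # a packet that matches no rule is accepted

def leaks(rules, tenants):
    """Tenant pairs (src, dst) between which a NEW connection would be forwarded."""
    found = []
    for src in tenants:
        for dst in tenants:
            pkt = {"in-interface": src, "out-interface": dst,
                   "connection-state": "new"}
            if src != dst and verdict(rules, pkt)[1] == "accept":
                found.append((src, dst))
    return found

if __name__ == "__main__":
    rules = parse_rules(RULESET)
    reply = {"in-interface": "ether1", "out-interface": "vlan10",
             "connection-state": "established"}
    print("Internet reply to vlan10:", verdict(rules, reply))
    print("tenant-to-tenant leaks:", leaks(rules, TENANTS))
    print("leaks without the final drop:", len(leaks(rules[:-1], TENANTS)))
```

Removing the last rule makes every tenant pair reachable, because the isolation comes entirely from the final drop.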