Guest AP - firewall config to separate networks

Hi,

I am trying to create a guest wireless network (192.168.2.0/24) such that it shouldn’t be able to access the home network (192.168.1.0/24).

I followed the steps at http://www.wirelessinfo.be/index.php/mikrotik/pages/vap1 including creating the firewall. I am using RB951G-2HnD. I have pasted my export config at http://pastebin.com/raw.php?i=K80Em8p4

When I get on the guest network (ssid mehmaan), I am able to reach both wireless and wired hosts on the 192.168.1.0/24 network, which is not expected. The counters of the firewall rules that drop traffic are not going up, which makes me think that something is wrong in the configuration.

Please help me by looking at the config and guiding me on what I am doing wrong.

I’ll look when I get to my laptop.

Sent from my SCH-I545 using Tapatalk

Post /export compact

Hi,

What exactly do you mean by “reach both wireless and wired hosts”?

In case you talk about reaching the devices via ping, this rule

add chain=input comment="default configuration" protocol=icmp

grants all ICMP traffic, even across your two networks, since it is the very first rule.

Zap.

Actually that’s wrong. The input rule will only reach the router. If it were in the forward chain you would be correct.

I mean that a computer on the 192.168.2.0/24 network is able to reach (via http/tcp port 80) a host at 192.168.1.17 (which is connected to the ether2 port of the router/switch). The computer on the guest network is also able to reach an SMB share on a host at 192.168.1.12 (which is connected via wireless on the 192.168.1.0/24 ssid).

The current config has rules (full config at http://pastebin.com/raw.php?i=K80Em8p4)

add action=drop chain=input comment="guest wlan" dst-address=192.168.2.0/24 \
    src-address=192.168.1.0/24
add action=drop chain=input comment="guest wlan" dst-address=192.168.1.0/24 \
    src-address=192.168.2.0/24

Should I change the chain to forward (from input) to ensure that 192.168.2.0/24 and 192.168.1.0/24 can’t talk to each other?

Yep, that should work. You could also do it based off in and out interfaces. But that will work fine.

Should be forward and not input. Input is to the mikrotik… forward is through it.

Thanks for the help. I was able to fix the situation by making 2 changes:

  • Changing the chain to forward instead of input.
  • Moving the rules up in priority so that they are run before default configuration rules.

Here is the output of the firewall config which is working for me:

/ip firewall filter
add action=drop chain=forward comment="guest wireless" dst-address=\
    192.168.2.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="guest wireless" dst-address=\
    192.168.1.0/24 src-address=192.168.2.0/24
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway

Thanks for all the help

NP. Also FYI I generally actually invert the rules. My last rule on input and forward is just to drop everything. Then I allow only the stuff I actually want. You are much more likely to notice when something doesn’t work and fix it than to notice a gaping security hole.
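As an added example (not from anyone in this thread), here is what the inverted, default-deny layout described in the last reply looks like for the guest/home split from this thread, using in/out interfaces as suggested earlier instead of address pairs. Interface names bridge-local (home LAN + WLAN, 192.168.1.0/24) and wlan-guest (the guest virtual AP, 192.168.2.0/24) are assumptions; only ether1-gateway and the two subnets come from the thread.

```routeros
# Added example, not the thread author's config. Assumed interface names:
#   bridge-local  = home wired + wireless (192.168.1.0/24)
#   wlan-guest    = guest virtual AP (192.168.2.0/24)
#   ether1-gateway = WAN (the one interface name taken from the thread)
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input connection-state=established,related comment="allow replies"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input in-interface=bridge-local comment="home LAN may manage the router"
# Guest clients still need DHCP and DNS from the router; without these
# rules a default-deny input chain leaves guests without an address.
add chain=input in-interface=wlan-guest protocol=udp dst-port=67 comment="guest DHCP"
add chain=input in-interface=wlan-guest protocol=udp dst-port=53 comment="guest DNS"
add chain=input in-interface=wlan-guest protocol=tcp dst-port=53 comment="guest DNS"
add chain=input in-interface=wlan-guest protocol=icmp comment="guest ping to router"
add chain=input action=drop comment="default deny: everything else to the router"
# --- forward chain: traffic passing through the router ---
add chain=forward connection-state=established,related comment="allow replies"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# Guest may only go out to the Internet; guest->home is never accepted,
# so it falls through to the final drop.
add chain=forward in-interface=wlan-guest out-interface=ether1-gateway comment="guest -> WAN"
add chain=forward in-interface=bridge-local out-interface=ether1-gateway comment="home -> WAN"
add chain=forward action=drop log=yes log-prefix="fw-drop" comment="default deny: guest<->home and all else"

/ip firewall nat
add chain=srcnat out-interface=ether1-gateway action=masquerade comment="default configuration"
```

Because the final drop rules are logged, a guest host trying to reach 192.168.1.17 shows up in /log with the fw-drop prefix, and /ip firewall filter print stats shows the drop counters moving, which is the check the original poster used to notice the input/forward mistake.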