I need help understanding a firewall filter / NAT problem. I have a MikroTik CCR1016-12G router, which, by the way, is the best I have found. I am running 5 separate networks and 5 separate external IP addresses. My ISP is cable and I have 5 IPs, with the network being xxx.xxx.xxx.16/29. So my addresses are 17 – 21 and the gateway is xxx.xxx.xxx.22. I have one connection to the cable modem, connected to port 12 of the router. My 5 separate networks are on ports 1 – 5 of the router, using the following subnets respectively:
1 = 10.26.5.0/24
2 = 10.26.6.0/24
3 = 10.26.7.0/24
4 = 10.26.8.0/24
5 = 10.26.3.0/24
Just for reference, I use the #5 network as my private or house network, whereas all the others are for specialized uses; for example, network #1 is my host network for my web site, where I have several servers on this network. Network #3 is our guest network, which we allow visitors to use for internet access when on site, but it should be isolated from all our other networks, especially network #5.
I have everything NATted correctly and the system is running fine, with the exception that the networks can currently talk to each other. There is no cross broadcast, but if you are on the guest network and you know an address on our private network (#5), you can access it. Yes, I know there is a firewall rule to basically isolate the networks.
I am using the following:
/ip address
add address=10.26.5.1/24 comment="Web-1" interface="1 Web-1" network=10.26.5.0
add address=10.26.6.1/24 comment="Web-2" interface="2 Web-2" network=10.26.6.0
add address=10.26.7.1/24 comment="Web-3" interface="3 Web-3" network=10.26.7.0
add address=10.26.8.1/24 comment="Web-4" interface="4 Web-4" network=10.26.8.0
add address=10.26.3.1/24 comment="Private" interface="5 Private" network=10.26.3.0
add address=xxx.xxx.xxx.17/29 comment="Web-1" interface="12 Gateway" network=xxx.xxx.xxx.16
add address=xxx.xxx.xxx.18/29 comment="Web-2" interface="12 Gateway" network=xxx.xxx.xxx.16
add address=xxx.xxx.xxx.19/29 comment="Web-3" interface="12 Gateway" network=xxx.xxx.xxx.16
add address=xxx.xxx.xxx.20/29 comment="Web-4" interface="12 Gateway" network=xxx.xxx.xxx.16
add address=xxx.xxx.xxx.21/29 comment="Hallstead" interface="12 Gateway" network=xxx.xxx.xxx.16
/ip firewall nat
add action=src-nat chain=srcnat comment="Web-1 nat to Wan17" src-address=10.26.5.0/24 to-addresses=xxx.xxx.xxx.17
add action=src-nat chain=srcnat comment="Web-2 nat to Wan18" src-address=10.26.6.0/24 to-addresses=xxx.xxx.xxx.18
add action=src-nat chain=srcnat comment="Web-3 nat to Wan19" src-address=10.26.7.0/24 to-addresses=xxx.xxx.xxx.19
add action=src-nat chain=srcnat comment="Web-4 nat to Wan20" src-address=10.26.8.0/24 to-addresses=xxx.xxx.xxx.20
add action=src-nat chain=srcnat comment="Private nat to Wan21" src-address=10.26.3.0/24 to-addresses=xxx.xxx.xxx.21
I am leaving out all of the port forwarding and other rules and NATs, but I use the following to isolate the separate LANs:
/ip firewall address-list
add address=10.26.3.0/24 list=Subnets
add address=10.26.5.0/24 list=Subnets
add address=10.26.6.0/24 list=Subnets
add address=10.26.7.0/24 list=Subnets
add address=10.26.8.0/24 list=Subnets
/ip firewall filter
add chain=forward action=drop src-address-list=Subnets dst-address-list=Subnets
OK, now this all works fine and there is no more crossover traffic between ports 1 – 5 or the 5 different subnets (LANs). But now something else happens. I cannot reach my web site from any of my computers connected to any of my LANs. The web site still works from outside my network; in fact, all of my services are accessible from outside my network, but if I am on any of my LANs inside my network, I cannot see my web site. I have tried using my direct outside IP address and also the domain name. I can ping my external IP addresses, such as ping xxx.xxx.xxx.17 from, say, my .21 network (pinging the web site address from the private network), but I cannot see the web site. Also, any of my other services running on my other networks cannot be accessed from inside my network either. And I should clarify this: if I am on LAN 1 with a computer, which is my web site LAN, yes, I can access my web site, but it is not accessible from any of the other 4 LANs. The same goes for the other services running on the other LANs: I can access those services using the external IP address if I am on that LAN, but not from any of the other 4 LANs.
I am confused here; shouldn't I be able to go out to the internet and then back into my network on the IP address of my web site, using its domain name, and still access it even with the above firewall rule in place?
I take it I need to add some firewall rule exceptions, but I am lost at this point. Any help, please?
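Editor's note with an added example (this is not part of the original post and not the poster's configuration). The symptom described is the usual interaction between port forwarding and a LAN-isolation rule. A ping to xxx.xxx.xxx.17 succeeds because that address is held by the router itself, so the echo is answered in the input chain and never enters forward. An HTTP request to xxx.xxx.xxx.17, however, is rewritten by the dst-nat (port-forward) rule to the internal server address before the forward chain runs, so the filter sees a packet from 10.26.3.0/24 to 10.26.5.0/24, both members of the Subnets list, and drops it. The fix is to accept already-dst-natted traffic (and replies to established connections) above the isolation drop. The server address 10.26.5.10 and the TCP ports 80 and 443 below are assumptions for illustration; the dst-nat rule stands in for whichever port-forwarding rules the post leaves out.

```routeros
# Added example, not from the original post.
# Assumed: web server at 10.26.5.10 behind public address xxx.xxx.xxx.17,
# published on TCP 80 and 443.

/ip firewall nat
# Stand-in for the port-forward rules the post omits.
add chain=dstnat action=dst-nat dst-address=xxx.xxx.xxx.17 protocol=tcp \
    dst-port=80,443 to-addresses=10.26.5.10 comment="Web-1 port forward"
# Hairpin src-nat: needed only when client and server sit on the same LAN,
# otherwise the server would answer the client directly and bypass the
# router's connection tracking. Clients on the other four LANs do not need it,
# because their traffic already passes through the router in both directions.
add chain=srcnat action=masquerade src-address=10.26.5.0/24 \
    dst-address=10.26.5.10 protocol=tcp dst-port=80,443 \
    comment="Web-1 hairpin for clients on the same LAN"

/ip firewall filter
# Order matters: both accepts must sit above the isolation drop.
add chain=forward action=accept connection-state=established,related \
    comment="replies to connections already accepted"
add chain=forward action=accept connection-nat-state=dstnat \
    comment="traffic a dst-nat rule already redirected to a published service"
add chain=forward action=drop src-address-list=Subnets dst-address-list=Subnets \
    comment="isolate the LANs from each other"
```

The connection-nat-state=dstnat accept only admits traffic that a port-forward rule has already rewritten, so the guest LAN gains access to exactly the services that are already reachable from the internet and nothing else; the isolation drop still blocks direct 10.26.3.0/24 and 10.26.7.0/24 addressing. One further caveat visible in the posted config: the five src-nat rules match on src-address alone, with no out-interface or dst-address, so they also rewrite the source of LAN-to-LAN and hairpinned traffic to a public address. Adding out-interface="12 Gateway" to each of them confines the source NAT to traffic that actually leaves towards the cable modem.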