I have two clients who have internet and want to use my base station to link the two. I don't want to allow them to get access to my settings or my internet, which is on the ether1 of my base station.
It looks like anytime their internet goes down they will use mine but will not pay, so we have to have control over that.
In the below, 1.1.1.0/24 represents customer A and 1.1.2.0/24 represents customer B.
In the forward chain, permit traffic from A to B and from B to A, then drop everything else sourced from either network. In the input chain, drop all traffic from them.
If you’re trying to reach their networks from a third network that is neither 1.1.1.0/24 nor 1.1.2.0/24, then you’ll have to add rules for that, or the return traffic back to you will be dropped due to those rules. The first set permits all traffic from 1.1.1.0/24 to 1.1.2.0/24 and vice versa, and drops all traffic from them to anywhere else.
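The rule set described in the reply above, written out as RouterOS firewall filter rules. This is an added example, not the rules from the original post; the first two rules, which accept established/related replies, are one assumed way to keep return traffic to a third network from being dropped, and rule order matters because the first match wins.

```routeros
/ip firewall filter

# Assumption (not in the original reply): let replies to connections that
# were opened from elsewhere (e.g. your own management network) back out.
# New connections started by A or B never reach "established" unless a
# later accept rule admits them first.
add chain=forward src-address=1.1.1.0/24 connection-state=established,related \
    action=accept comment="A: replies to sessions opened from outside"
add chain=forward src-address=1.1.2.0/24 connection-state=established,related \
    action=accept comment="B: replies to sessions opened from outside"

# Permit customer A <-> customer B through the base station.
add chain=forward src-address=1.1.1.0/24 dst-address=1.1.2.0/24 \
    action=accept comment="A to B"
add chain=forward src-address=1.1.2.0/24 dst-address=1.1.1.0/24 \
    action=accept comment="B to A"

# Drop everything else sourced from either customer, including traffic
# that would leave through the uplink on ether1.
add chain=forward src-address=1.1.1.0/24 action=drop comment="A to anywhere else"
add chain=forward src-address=1.1.2.0/24 action=drop comment="B to anywhere else"

# Input chain: nothing from the customers may reach the router itself
# (WinBox, SSH, WebFig, DNS, and so on).
add chain=input src-address=1.1.1.0/24 action=drop comment="A to router"
add chain=input src-address=1.1.2.0/24 action=drop comment="B to router"
```

After loading, `/ip firewall filter print stats` shows per-rule packet counters, which confirms whether the accept and drop rules are matching the traffic you expect.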
We are all on the same network. The base station is 10.1.95.1/24 and they are using 10.1.95.200/24 and 10.1.95.201/24. So it is rare for me not to reach them after putting the codings even though they appear in the registration table.