How to block except two outgoing interfaces

I have a simple question: how do I drop forwarded traffic from source subnet 192.168.10.0/24 in the firewall, except to two outgoing interfaces, ETH7 & ETH8?
I can configure a rule with the exclamation mark “!” on Out Interface, but I can choose only one interface there, and if I divide this rule into two chains, then one chain will have !ETH7 (so it will allow ETH8) and the second rule will have !ETH8 (so it will allow ETH7).

Please help me with that.

You can either first allow access from 192.168.10.0/24 to eth7-8 and then block the rest, or in newer RouterOS there are also interface lists (Interface->Interface List).

Ohh, “Interface list”, I didn’t see this before; now it’s all clear.
But digging a little more into this, could this be done using the jump feature in a firewall chain, like here?

chain=forward action=jump jump-target=vpn src-address=192.168.10.0/24 log=no log-prefix="" 
chain=vpn action=drop src-address=192.168.10.0/24 out-interface=!ether7 log=no log-prefix="" 
chain=vpn action=drop src-address=192.168.10.0/24 out-interface=!ether8 log=no log-prefix=""

Not exactly like this, because if you have a packet to ether8, your second rule will drop it (as it’s not to ether7). But you can have rules in this order:

  • allow from 192.168.10.0/24 to ether7
  • allow from 192.168.10.0/24 to ether8
  • drop from 192.168.10.0/24

You can also do it with a jump to another chain. And in that case you don’t need to repeat src-address=192.168.10.0/24 in the subchain; it’s extra processing for nothing, because if the jump rule has that condition, no other packets will get there.
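
The two approaches suggested in the replies above, written out as RouterOS configuration. This is an added example, not part of the original posts; the chain name "vpn" is taken from the thread, and the interface list name "lan10-out" is a hypothetical name chosen for illustration.

```routeros
# Added example. Filter rules are evaluated top to bottom and the first
# match decides, so two consecutive "drop unless out-interface=X" rules
# drop traffic to both ports. Accept the allowed ports first, then drop.

# Variant A: jump to a sub-chain, accept the two ports, drop the rest.
# The src-address match lives only on the jump rule; nothing else can
# reach the "vpn" chain, so the sub-chain rules do not repeat it.
/ip firewall filter
add chain=forward src-address=192.168.10.0/24 action=jump jump-target=vpn comment="192.168.10.0/24 egress policy"
add chain=vpn out-interface=ether7 action=accept
add chain=vpn out-interface=ether8 action=accept
add chain=vpn action=drop comment="everything else from 192.168.10.0/24"

# Variant B (use instead of A): a single negated match against an
# interface list that contains both allowed ports.
# "lan10-out" is a hypothetical list name.
/interface list
add name=lan10-out
/interface list member
add list=lan10-out interface=ether7
add list=lan10-out interface=ether8
/ip firewall filter
add chain=forward src-address=192.168.10.0/24 out-interface-list=!lan10-out action=drop
```

The variants differ in one respect: in A the accept rules end filter processing for traffic to ether7 and ether8, while in B that traffic is only spared the drop and continues to the forward rules that follow. Since `add` appends to the end of the rule list, check that no earlier forward rule already accepts this traffic before the new rules are reached.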