How to isolate the network?

dwz63 · October 11, 2013, 8:51am

Hi,
Previously, I had questions about VLAN and guest network. http://forum.mikrotik.com/t/two-wireless-networks-via-the-bridge/70024/1
I did not understand how to properly isolate/separate/insulated guest network.
I decided to continue in this topic general questions about the routing and firewall ..

How to block access to the network2 (192.168.12.0/24) to other networks. To have access only to the Internet.

            R2---R1---R3
        /                  \
 network1	              network1
network2                   network2

network1 - 192.168.11.0/24
network2 - 192.168.12.0/24

Router 1: RouterBOARD 750UP - R1
port1 - “WAN” 192.168.10.10/24
port2 - “LAN” 192.168.11.1/24
Ports 2-5 are combined bridge1.
vlan12(bridge1) - 192.168.12.1

Router 2: RouterBOARD 951G-2HnD - R2
wlan - “Wi-fi”
port1 - “WAN” 192.168.11.20/24
port2 - “LAN”
wlan2 - VirtualAP
vlan12(bridge1) - 192.168.12.10
Port1, port2 and wlan are combined bridge1.
vlan12, wlan2 are combined bridge2.

Router 3: RouterBOARD 951G-2HnD - R3
wlan - “Wi-fi”
port1 - “WAN” 192.168.11.30/24
port2 - “LAN”
wlan2 - VirtualAP
vlan12(bridge1) - 192.168.12.20
Port1, port2 and wlan are combined bridge1.
vlan12, wlan2 are combined bridge2.

samsung172 · October 11, 2013, 9:06pm

just make a firewall rule. make a address list, lets say called “private” and have your private address in this. Add a drop rule, if dst address is in private list. Also possible to have a. Its also possible to have more complex setup, routing rules etc.

dwz63 · October 14, 2013, 9:54am

Hi,
Thanks for the help.
I configured a firewall and blocked all private network to guest network (inbound and outbound traffic).
Terminal: /ip firewall filter print

 0   chain=forward action=drop src-address-list=net12 dst-address-list=private_IPv4 
 1   chain=forward action=drop src-address-list=private_IPv4 dst-address-list=net12

Terminal: /ip firewall address-list print

 
#   LIST		ADDRESS                        
 0   private_IPv4	10.0.0.0/8                     
 1   private_IPv4	172.16.0.0/12                  
 2   private_IPv4	192.168.0.0/16                 
 3   net12		192.168.12.0/24

All right? Is that enough?

samsung172 · October 14, 2013, 10:27pm

dwz63:

samsung172:

just make a firewall rule.

Hi,
Thanks for the help.
I configured a firewall and blocked all private network to guest network (inbound and outbound traffic).
Terminal: /ip firewall filter print
 0   chain=forward action=drop src-address-list=net12 dst-address-list=private_IPv4 
 1   chain=forward action=drop src-address-list=private_IPv4 dst-address-list=net12
Terminal: /ip firewall address-list print
 
#   LIST		ADDRESS                        
 0   private_IPv4	10.0.0.0/8                     
 1   private_IPv4	172.16.0.0/12                  
 2   private_IPv4	192.168.0.0/16                 
 3   net12		192.168.12.0/24
All right? Is that enough?

Without me reading it all once agane, and doble check, YES, this should be about it.