I have two servers: Ubuntu (ip=192.168.100.75) and Windows Server (ip=192.168.100.76).
I'm going to limit port 3389 on 192.168.100.76 to one IP only, 192.168.100.75. I mean only connections from 192.168.100.75 should be able to reach 192.168.100.76:3389.
How can I do that? Or what did I do wrong?
This is my output:
[admin@MikroTik] > /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
 0    chain=forward action=accept connection-state=new
      connection-nat-state=dstnat in-interface=ether1 log=no log-prefix=""
[admin@MikroTik] > /ip/firewall/nat/print
Flags: X - disabled, I - invalid; D - dynamic
 0    chain=dstnat action=dst-nat to-addresses=192.168.100.76 to-ports=3389
      protocol=tcp src-address=192.168.100.75 dst-port=3389 log=no log-prefix=""
You cannot use firewall rules in this case because you are talking about users in the same subnet.
If you want to exercise firewall rules simply move either all users or servers to a different subnet.
This can be done by putting the server on a port with its own IP address, or you can use VLANs etc.
They may be in the same subnet IF you can connect each of the devices/servers to a different physical port of your MikroTik (and these interfaces are members of the same bridge).
That depends on the model you have, then.
Then simply adjust your (forward chain) firewall rule to include the "in-interface" reference.
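What the separate-subnet approach looks like in RouterOS, as an added example that is not part of the thread and not anav's own config. It assumes option (a): the LAN (including Ubuntu 192.168.100.75) stays on ether2 as 192.168.100.0/24, the Windows server is moved alone onto ether3 and re-addressed to 192.168.101.76/24 with the router (192.168.101.1) as its default gateway. The interface names and the 192.168.101.0/24 subnet are assumptions; only the two host addresses and port 3389 come from the original post.

```routeros
# Added example, not from the thread. Assumes ether2 = LAN (Ubuntu 192.168.100.75),
# ether3 = server port (Windows re-addressed to 192.168.101.76, gateway 192.168.101.1).
# ether3 must NOT be a member of the LAN bridge, otherwise the traffic is switched on L2
# and never reaches these rules. Removing it from the bridge is a no-op if it was never a port.
/interface bridge port remove [find interface=ether3]

/ip address
add address=192.168.100.1/24 interface=ether2 comment="LAN subnet, Ubuntu lives here"
add address=192.168.101.1/24 interface=ether3 comment="server subnet, Windows lives here"

# Ubuntu -> Windows is now routed, so every packet passes the forward chain. Order matters:
# rules are evaluated top to bottom and the first match wins.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="return traffic of allowed sessions"
add chain=forward connection-state=new protocol=tcp src-address=192.168.100.75 dst-address=192.168.101.76 dst-port=3389 action=accept comment="RDP to Windows only from Ubuntu"
add chain=forward connection-state=new protocol=tcp dst-address=192.168.101.76 dst-port=3389 action=drop log=yes log-prefix="rdp-blocked" comment="drop and log RDP from anyone else"
```

No NAT rule is involved at all. After applying it, try RDP from a third LAN host and from 192.168.100.75, then look at `/ip firewall filter print stats` and `/log print where topics~"firewall"`: the accept rule's counters should move for the Ubuntu box and the drop rule's counters (plus an `rdp-blocked` log line) for everyone else. Keep the drop rule above any broad "accept forward" rule you may already have, or it will never be reached.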
Remove the DNAT rule, it makes no sense. FORWARD-chain filters are what you need for this.
I've never seen (so far) IP addressing where 192.168.100.75 and 192.168.100.76 belong to different IP subnets (these two addresses are in @OP's opening post and I have no reason to believe they are entirely made up). Apart from the case when /32 addressing is used, which again doesn't seem to be OP's case.
And as long as that's it and the connecting ports are made members of the same bridge, then traffic will never hit firewall rules.
Unless one starts to complicate things, e.g. by setting the bridge property use-ip-firewall to yes and disabling (L2) HW offload on at least one of the involved ports. And there are other tricks which help to complicate things (in the right direction).
But to keep things simple, the suggestion by @anav is the one to follow. Or, alternatively, configure the firewall on the "server" to block connections to some particular service (this may be easier than the centralized solution; the drawback is that access rules are spread over many servers instead of one central device).
Interesting, I always assumed that if you physically had 2 different ports/interfaces (even under the same bridge) you could at least filter traffic between them by referring to the appropriate "ethernetX" port in your rule.
But, now that I'm thinking about it, these ports are wired to an actual switch chip, so with hw-offload it would for sure be processed "on chip" and you would never hit a rule.
So I agree, iptables on the server would be 100x more predictable and simpler to implement.
I stand corrected.
As I indicated: either you have both interfaces bridged, and without setting use-ip-firewall=yes in the bridge settings, traffic passing between different bridge ports won't be subject to the IP firewall. BTW, if you want to filter according to input and output port, you can't use "in-interface" (because that's an IP entity); you have to use in-bridge-port or out-bridge-port (or the -list variant).
With CHR at least you don't have to disable HW offload as there is none.
If you don't have the interfaces bridged, then it won't really work because both hosts would be in different L2 networks, but according to their IP settings they (most probably) believe they can talk directly without using a gateway. In that case both hosts would have to be explicitly configured as members of different IP subnets and CHR configured as gateway for both subnets. If that were so, firewall rules would be involved without any further ado; /ip/firewall is used for whatever IP packet passes the router's IP layer.
And, BTW, using NAT for controlling this kind of connection is pretty wrong.
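The bridged variant described above (both hosts stay in 192.168.100.0/24 on one bridge, bridged traffic is forced through /ip firewall, and the rules match on bridge ports instead of in-interface), as an added example that is not from the thread and not mkx's own config. It assumes the bridge is named bridge1, that Ubuntu hangs off bridge port ether2 and the Windows server off bridge port ether3; those names are assumptions, the host addresses and port come from the original post.

```routeros
# Added example, not from the thread. Assumes bridge1 with ether2 (Ubuntu 192.168.100.75)
# and ether3 (Windows 192.168.100.76) as bridge ports, both hosts still in 192.168.100.0/24.

# use-ip-firewall is a global bridge setting: bridged IP packets now also traverse the
# prerouting/forward/postrouting chains. Fast path is switched off so it cannot bypass them.
/interface bridge settings
set use-ip-firewall=yes allow-fast-path=no

# Hardware offload keeps ether2<->ether3 frames on the switch chip, so the CPU (and the
# firewall) never sees them. Turn it off on the server-facing port. Not needed on CHR.
/interface bridge port
set [find interface=ether3] hw=no

# in-interface would be "bridge1" for both hosts, so match on the physical bridge ports.
# Tying the accept rule to in-bridge-port=ether2 also means a host on some other port
# that spoofs 192.168.100.75 as its source does not get through.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="return traffic of allowed sessions"
add chain=forward connection-state=new protocol=tcp in-bridge-port=ether2 out-bridge-port=ether3 src-address=192.168.100.75 dst-address=192.168.100.76 dst-port=3389 action=accept comment="RDP to Windows only from Ubuntu on ether2"
add chain=forward connection-state=new protocol=tcp out-bridge-port=ether3 dst-address=192.168.100.76 dst-port=3389 action=drop log=yes log-prefix="rdp-blocked" comment="drop and log RDP to Windows from anyone else"
```

The price of this variant is that every bridged frame between those ports is now handled in software by the CPU, which is exactly why the thread recommends the separate-subnet approach instead. To confirm the rules are actually being hit, watch `/ip firewall filter print stats` while opening RDP from the Ubuntu box and from another LAN host; if both counters stay at zero, the traffic is still being switched on L2 (bridge settings or hw-offload not applied).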
JV, what did you put in your waffles, Belgian beer???
To the OP, I explained how to solve your issues already. Simply create an additional subnet (they cost nothing) on the router.
a. either put the server on its own port with a different subnet
b. create vlans for both subnets.
After your attempt to do so, post here for assistance.
/export file=anynameyouwish (minus router serial number, any public WANIP information etc.)
Another remark, linked to your other post (about CHR running in ESX): I suspect that you have one port intended for WAN (connected to whatever gadget your ISP provided) and another port intended for LAN … and that port is likely to be connected to some kind of a switch (can even be virtual switch of ESX platform to connect other VMs). In that case, LAN-to-LAN traffic likely won’t get to your router because those switches (including ESX virtual switch) will do their job on L2.
If you decide to split your LAN into different subnets (as per the suggestion by @anav), you can even do it over a single L2 network (skipping VLANs): just configure multiple IP addresses on the same router interface (one per IP subnet). In this case you might see some weird traffic (e.g. ICMP redirects), but other than that things should work just fine. You won't have subnet separation on L2, which is a security feature (so you can deal with it after you cover the basics).