Input filter allow only same subnet? (without specifying)

Hi,

Is there any smart firewall (or otherwise?) filter I can make to select traffic within the same subnet, without explicitly specifying the exact subnet? For example, I have a number of local networks, and I would like to allow ICMP input, but clients should only be allowed to ping their own gateway address, not that of other networks.

Typically there is absolutely no harm in anybody pinging router addresses; these could be the gateway of the subnet they are in, or the gateway of another subnet.
Firewall rules in the forward chain are used to stop users from accessing users, and, correct, one would have to use the input chain to stop pinging other gateways.
```
/ip firewall filter
add chain=input action=drop in-interface=vlan10 \
    dst-address-type=local
```

Now this would cut off access for that subnet from pinging other subnet gateways. If you needed to add more subnets to this rule, make it an address list.
There might be a safer or more elegant way to do it. Keep in mind this also cuts off access to the router for configuration purposes from that subnet.

Thanks, but I’m not seeing that dst-address-type=local distinguishes between same and different source subnets. The documentation describes the option as matching if the destination address exists on any router interface, so that seems expected.

The better you explain the exact requirements the better the answers. If you use the rule provided as applied to a specific interface, or group of interfaces, in-interface-list=NoPing, the goal of not being able to ping other subnets is achieved.

If you are talking about within the same subnet, then no, you cannot control traffic between users within the same subnet as that is layer two traffic and firewall rules deal with layer 3 traffic.

It seems like VRRP addresses are not considered belonging to the same subnet, which I suppose is true, in a way, but means this solution won’t work for me. If I use the physical address, it seems to do what I want.

The documentation on the option does not seem correct then.

local - if dst-address is assigned to one of the router's interfaces

It does not say anything about subnets.

Post an example of the filter rules that you are using with "physical address" and that work.

When I ping the physical address rather than the virtual one, is what I meant.

```
/ip firewall filter
add action=drop chain=input dst-address-type=local in-interface-list=LAN protocol=icmp
```

I like the fact that you narrowed the rule down to ping, the other rule would have prevented access to the router itself, but I figured it was not a trusted subnet we were talking about!

This is a twist in the story. Some background on the problem might help. But if we're spitballing here... perhaps adding the VRRP to the LAN interface list would solve the underlying issue.

I am not yet sure to have understood fully the question, but if you have a rule that works with a single, physical dst-address, cannot you use a dst-address-list with all your "no-ping" addresses?

No, the physical address is irrelevant. It is not the gateway address. All I’m saying is that pinging the physical address demonstrates that the filter initially proposed by anav works, and does exactly what I asked for. The problem is that I did not consider the fact that using VRRP would thwart my plans.

As far as I now understand, dst-address-type=local means something like matching if the source address is in the same subnet as the destination address (which also happens to exist on any router interface). Since VRRP addresses are /32, that’s of course never going to be the case.

Nope, your interpretation is not correct:

So setting dst-address-type=local means "dst-address is one of router's own addresses" ... but that doesn't try to relate ingress interface with dst-address.


We have previously established that the documentation is not correct.

I don't see a post in this thread which would show that documentation is not correct. There were other forum threads which did touch the same function and I don't remember seeing proof about documentation being wrong in those threads either.

No, it matches all IP addresses listed under /ip address (and /ipv6 address for the IPv6 firewall).

Ok, my bad. I’ve made a mistake in my most recent test. So that option does work like I originally thought, which is what the documentation describes. In other words, I’m back to square one, but the VRRP thing is still probably going to be an issue, as its network won’t encompass the source addresses.

Well, as you realized, the dst-address-type filter works as described in the manual.

What you want is kind of straightforward with one rule per interface (or some variation.) I don't think there is a simple version with only one (or a few) general rules.

I would take a closer look at what you want to accomplish. Usually gateways (routers) are ping-reachable and participate in traceroute, send ttl exceeded, redirect, fragmentation required, adm unreachable, no route etc. messages. Most of these they send even when the packet is ultimately not forwarded. Some, I would say less than smart, admins disable these functions altogether.

I really can't imagine where this would be useful.

But I still don't understand the need for preventing the other gateway addresses from being pingable. Do you allow the clients to ping google.com or 1.1.1.1? If yes, then who cares if clients in 192.168.10.0/24 can also ping 10.20.30.1?

Although it's possible to have the isolation you want without firewall rules, by placing the subnets in different VRF:

But using VRF just for the sake of disallowing ping to local addresses is very wrong!

This boils down to requirements that make sense.
Requirements are about needed traffic flow for users or devices.
Perhaps you are making up a requirement that has no basis in real usage???
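As an added example of the "one rule per interface" approach mentioned earlier in the thread (this is not code from the thread or from MikroTik), the following RouterOS script generates one ICMP accept rule per LAN address from /ip address and then appends the thread's dst-address-type=local drop. It assumes the interface list name LAN from the thread; the comment tag "noping-example" is a constructed marker used only to find and remove the generated rules on re-run.

```routeros
# Added example (not from this thread): the "one rule per interface" approach,
# generated from /ip address. Assumes the interface list "LAN" from the thread;
# the comment prefix "noping-example" is a constructed tag used only to find
# and remove the generated rules on re-run.
/ip firewall filter remove [find comment~"^noping-example"]
:foreach id in=[/ip address find where !disabled] do={
    :local addr [/ip address get $id address]
    :local iface [/ip address get $id interface]
    :local net [/ip address get $id network]
    :local slash [:find $addr "/"]
    :local ip [:pick $addr 0 $slash]
    :local plen [:pick $addr ($slash + 1) [:len $addr]]
    # Only interfaces in the LAN list get a rule; WAN policy stays untouched.
    :if ([:len [/interface list member find where list=LAN interface=$iface]] > 0) do={
        # A /32 (for example a VRRP address) has no subnet that could contain a
        # client's source address, so it needs a hand-written rule; skip it here.
        :if ($plen = "32") do={
            :log warning "noping-example: skipping /32 address $addr on $iface"
        } else={
            # Clients on this interface may ping this interface's own address...
            /ip firewall filter add chain=input protocol=icmp in-interface=$iface \
                src-address=($net . "/" . $plen) dst-address=$ip action=accept \
                comment=("noping-example: " . $iface . " may ping its own gateway")
        }
    }
}
# ...and every other ICMP packet aimed at a router-owned address (dst-address-type=local
# matches any address under /ip address) is dropped. This is the thread's drop rule,
# placed after the per-interface accepts so it only catches pings to other gateways.
/ip firewall filter add chain=input protocol=icmp dst-address-type=local \
    in-interface-list=LAN action=drop comment="noping-example: drop other gateways"
```

The generated rules are appended to the end of the filter list, so move them above any broader accept or drop already in the input chain, and re-run the script whenever an address is added.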