So lets say I have 3 networks
172.16.1.0/24
172.16.2.0/24
172.16.3.0/24
I want to block any subnet from reaching another
Is there a way to define
/ip firewall address-list
add name=locals value=172.16.0.0/22
/ip firewall filter
add chain=forwarding dst-address!=172.16.x.x/24 src-address-list=locals dst-address-list=locals action=drop
So a device may reach any other device in its own subnet but any other of the included subnets would be dropped.
Or do i need to write 3 rules?
My understanding is that FW rules ( a layer 3 function) do not apply to/within the same LAN subnet ( a layer two entity). In other words, within a LAN, you cannot block IPs from each other using FW rules. Taking it a step further if you have two or more LANS on the same bridge (layer2) you will not be able to separate them. Separation has to occur at both layer2 and layer3. Hence the popularity of VLANs. But you can have one LAN on a bridge and the other two NOT, or none on a bridge.
You pose a good question because you would need 6 rules that I can see for both directions between the 3 LANS
assume ether1 = LAN1 ether2 = LAN2 ether3 = LAN3 and ether 5 is your WAN.
My first attempt at being more efficient would be the use of address list.
Address List
name=Group1 consists of - LAN1, LAN2
name=Group2 consists of - LAN2, LAN3
name=Group3 consists of - LAN3, LAN1
/ip firewall filter
add chain=forward, action=drop in-interface=ether1(LAN1) dest-address-list=Group2
add chain=forward, action=drop in-interface=ether2(LAN2) dest-address-list=Group3
add chain=forward, action=drop in-interface=ether3(LAN3) dest-address-list=Group1
HOwever, you may not need to create any block rules…
On my router I have {forward chain}
-accept established connected untracked
-drop invalid
-allow LAN to WAN
-allow dstnated connections
-drop all else
In my setup I dont think I need to make drop rules because my default is drop everything!!
I only have to make allow rules if necessary. For example If I wanted to be able to route between subnets I would have to make an allow rule.
Or put them on the same bridge…
???
gotsprings; I block my vlan subnets the long way, i’d be curious of something shorter, i’ve seen a couple shortened suggestions around that appear to inadvertently block within
I have a situation like you. Even, if they are in the same bridge and same “physical” networks, they have separated subnet, then for reaching each other the need to pass trough the “router”.
Simple add 2 rules for each network blocking the nat
add action=drop chain=forward dst-address=172.16.2.0/24 src-address=172.16.1.0/24
I think something like that will work…
But, is you want all networks to have internet but not connecting between them, the best is making the NAT only available when “going out”
If you do that, the condition must be exactly…
look the difference
add action=masquerade chain=srcnat
This is a FULL NAT between ALL interface, bridge and everything
but if you say:
add action=masquerade chain=srcnat out-interface=ether1-gateway
You are allowing only NAT with OUT in eth1… not between subnet in eth2 master or something like that.
Try and comment
What I am saying eXS is that one cannot use FW rules fiter rules to block traffic between any two devices that are connected via layer2. It could two pcs within the same subnet or PC on two different subnets but that are on the same bridge. To effectively block devices from different subnets one should ensure they are on different interfaces (eth1 and eth2 for example) and ensure they are not on the same bridge. Then, they are not associated at layer2 and FW rules can be applied to ensure the router doesnt find a route between them.
Your use of VLANs ensures the devices on different VLANS dont see each other at layer 2 but unless your FW rules prevent it, the router will route between the devices at layer 3.
In any case, without explicitly allowing LAN to LAN traffic for separate interfaces(networks), and having a forward drop rule at the end of the forward chain, should prevent any connection between separate network devices. Hopefully the OP remembers this thread and can respond…
No need to play with NAT or anything else to screw up the configuration.
Next time I get bored… I am thinking maybe a jump chain that ends in drop. Will have to give that a try.