Hello ,
I have two subnets in my mikrotik router: Network 1 : 192.168.1.0/24 and Network 2:192.168.5.0/24
I want to allow Network1 to access Network2 , but to deny Network2 access Network1 !!!
By using the rule : /ip firewall filter chain=prerouting src-address=192.168.5.0/24 dst-address=192.168.1.0/24 action=drop
It blocks two networks accessing each-other.
Is there any solution that allows one network to access another one but denies the second one to access the first network ???
Thank you!
There’s an elegant solution: default firewall filter rules contain (among other rules) this one:
add action=accept chain=forward comment="defconf: accept established,related, untracked"\
connection-state=established,related,untracked
If you add another rule below the above quoted one:
add action=accept chain=forward src-address=192.168.1.0/24 dst-address=192.168.5.0/24 [connection-state=new]
then it should work as you wanted. The part inside square brackets is optional if you maintain rule order as I indicated. You can, however, use that part as well (just omit the square brackets, the opening and closing one).
Explanation:
the quoted default rule passes all packets that belong to already allowed connections. And that’s true for both directions because RB features state-full firewall that actually knows which packets belong to which connection. Then the rest of rules (placed below this rule) deal only with new connections. This is where the additional rule comes into play: it allows packets originating from Network1 targeting Network2 (but not the other direction). When initial packet passes firewall, the rest of packets will be considered as part of “established” connection (and direction doesn’t matter any more).