Is there an easy way to stop the routing of private subnets?

I am starting to host virtual servers for customers and would like to prevent them from using private subnets on my network that are not assigned to them. I’ve configured VLANs that isolate each customer’s traffic on the switches so they can’t get to anything else on the network without going through the router; if they change an IP to something outside what I’ve assigned, they won’t be affecting anything other than their own system.

The problem I’m encountering is that RouterOS is performing exactly how I expect a router to function, i.e. the individual private subnets that I assign to VLANs can all see each other because they’re all part of the same routing table. The firewall rules on each subnet appear to be working correctly, but I’d really like to prevent one private subnet from seeing the private IPs of a different subnet.

Example: VLAN10 has a subnet of 192.168.20.0/24 with a netmap to 66.254.9.0/24, VLAN20 has a subnet of 192.168.30.0/24 and simply uses masquerade to get out to the internet through the router’s IP. The firewall rules allow pinging to all hosts on VLAN10. The computers on VLAN20 can ping those on VLAN10 using public IPs but they cannot telnet into them (there is no rule allowing it). The trouble is that the computers on VLAN20 can also ping the private IPs on VLAN10.

I realize that this is normal behavior, but I would really like to put a stop to it. Customers will be connecting to their virtual servers through a VPN and they will have admin access to their own machines (obviously) and to their virtual server (if they want it). To head off any potential problems, even if it is just the customer’s perception of privacy, I want to completely isolate each private subnet from those on different VLANs/interfaces without preventing access to public addresses that may be assigned on other interfaces.

I know that I could probably solve this problem with RouterOS Beta 4, but I’m not very comfortable with the idea of putting customers on an unproven beta product. Is there a way to accomplish my goal on v3.17 without having to use separate physical routers for each customer who wants us to host a virtual server?

Use firewall rules in the forwarding chain to prevent that. Maybe add the RFC-1918 privates to an address list:

/ip firewall address-list
add address=172.16.0.0/12 comment="" disabled=no list=RFC1918
add address=192.168.0.0/16 comment="" disabled=no list=RFC1918
add address=10.0.0.0/8 comment="" disabled=no list=RFC1918

Then you can prevent forwarding of anything to a private with a forwarding rule.
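One detail worth checking before relying on such a rule, given the netmap in the question: the router applies dst-nat in prerouting before the packet reaches the filter forward chain, so a forward rule that drops RFC1918-to-RFC1918 traffic sees the already-translated private destination and would also drop VLAN20 traffic that was addressed to the netmapped public 66.254.9.x range. The following is an added model of that evaluation order, written here in Python to make the behaviour testable; it is not code from the forum thread or from RouterOS. The topology (a netmapped /24 and a masqueraded /24) is taken from the question, the 203.0.113.x destination is a constructed public address, and the `dstnat` flag on the packet is an assumption standing in for whatever the real firewall uses to recognise a dst-natted connection; whether v3.17 exposes such a matcher is not something this thread confirms.

```python
import ipaddress
from dataclasses import dataclass

# The RFC 1918 address list from the answer above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Topology from the question: VLAN10's private /24 is netmapped 1:1 to a public /24.
NETMAP_PUBLIC = ipaddress.ip_network("66.254.9.0/24")
NETMAP_PRIVATE = ipaddress.ip_network("192.168.20.0/24")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dstnat: bool = False  # assumption: records that prerouting dst-nat rewrote dst


def in_list(addr, nets):
    """Address-list match: true when addr falls in any listed network."""
    return any(addr in n for n in nets)


def prerouting_dstnat(pkt):
    """Model of the netmap rule: public host N becomes private host N, before forward runs."""
    if pkt.dst in NETMAP_PUBLIC:
        host_offset = int(pkt.dst) - int(NETMAP_PUBLIC.network_address)
        return Packet(pkt.src, NETMAP_PRIVATE.network_address + host_offset, dstnat=True)
    return pkt


def forward_naive(pkt):
    """chain=forward action=drop src-address-list=RFC1918 dst-address-list=RFC1918"""
    if in_list(pkt.src, RFC1918) and in_list(pkt.dst, RFC1918):
        return "drop"
    return "accept"


def forward_refined(pkt):
    """Same drop rule, but exempting connections that arrived for a netmapped public address."""
    if in_list(pkt.src, RFC1918) and in_list(pkt.dst, RFC1918) and not pkt.dstnat:
        return "drop"
    return "accept"


def verdict(rule, src, dst):
    """Run one packet through prerouting dst-nat and then the given forward rule."""
    pkt = prerouting_dstnat(Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst)))
    return rule(pkt)


def compare_rules(src="192.168.30.10"):
    """Verdict matrix for a VLAN20 host talking to VLAN10 (private and public) and the internet."""
    destinations = {
        "vlan10_private": "192.168.20.5",
        "vlan10_public": "66.254.9.5",
        "internet": "203.0.113.7",  # constructed public address (TEST-NET-3)
    }
    return {
        name: (verdict(forward_naive, src, dst), verdict(forward_refined, src, dst))
        for name, dst in destinations.items()
    }


if __name__ == "__main__":
    for name, (naive, refined) in compare_rules().items():
        print(f"{name:15s} naive={naive:6s} refined={refined}")
```

Traffic between two hosts in the same VLAN never crosses the router, so a blanket RFC1918-to-RFC1918 drop in the forward chain does not affect a customer's own subnet; the only traffic it touches is inter-VLAN, which is exactly what the question wants stopped. The model shows the one exception to watch for: the netmapped public path is private-to-private by the time forward runs, so the rule needs some way to exempt dst-natted connections or the public access the question relies on breaks along with the private one.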