Isolating networks

Hi Guys

I’m new to Mikrotik routers and was wondering if someone can help me properly configure my router.
All I need to do is to isolate 3 different networks so they cannot communicate with each other.
I also want only some Wifi clients to access all networks, routing into the proper interface.
I also attached a picture.

Thanks for help

Raf

You can use firewall filters to drop traffic from one subnet to another:

/ip firewall filter add action=drop chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.0/24

Create this rule for each subnet.

To allow traffic from some wifi users you should bind the users’ MAC to an IP address and then create an address list with these IPs. Then you can use this address list in firewall filters.

Hi steinbergs

Thanks for the reply and advice.
I have done this and traffic is blocked except for users that are on the allowed list.
What I also need to do is make sure that traffic is going through a specific interface, and I’m not sure how to route that.
Also, should I use a bridge in that scenario?

Thanks
Raf

If I understand your question, you don’t have to do anything. The router will automatically set up routing tables based on the interfaces that it has. If you look at IP Routes, you will see that they are already there.
And no, a bridge is not what you want in this situation.

Assuming you have a single WAN interface, this simple filter forward chain can isolate all LANs from each other, while allowing outbound connections to the Internet:

/ip firewall filter
add chain=forward connection-state=established,related action=fasttrack-connection
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=!wan out-interface=wan action=accept
add chain=forward action=drop

These 4 rules make a multi-lan with inter-lan isolation quite easy to do. In fact, you can add as many LANs as you like and none of them will be allowed to communicate with any other network except the WAN.

Don’t forget that the INPUT chain is still needed to protect the router itself from access from the Internet. In fact, if you want to allow management only from the LAN on ether2…

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmp action=accept
add chain=input in-interface=ether2 action=accept
add chain=input in-interface=wan action=drop
add chain=input protocol=udp dst-port=53,67-68 action=accept
add chain=input action=reject reject-with=icmp-admin-prohibited

Your NAT table only needs 1 rule in the srcnat chain:

/ip firewall nat add chain=srcnat action=masquerade out-interface=wan

or, if the wan IP is static:
/ip firewall nat add chain=srcnat action=src-nat to-address=x.x.x.x out-interface=wan
(where x.x.x.x is your router's WAN IP address)
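To check that a rule set like the 4-rule forward chain above (plus the address-list exception from the earlier reply) really does what is intended, here is a small model of that chain evaluated against sample flows. This is an added example, not code from the thread or from MikroTik; the interface names, subnets and the allowed wifi address are assumptions chosen for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumptions, not from the thread): three LANs plus one WAN port.
LANS = {"ether2": "192.168.10.0/24", "ether3": "192.168.20.0/24", "ether4": "192.168.30.0/24"}
WAN = "ether1"
# Hypothetical address list of wifi clients allowed to reach every LAN
# (the list the earlier reply suggests building from static MAC->IP bindings).
ALLOWED_WIFI = {"192.168.10.50"}


def iface_for(ip: str) -> str:
    """Map an IP to the interface its route would use; anything non-LAN goes out the WAN."""
    for name, net in LANS.items():
        if ip_address(ip) in ip_network(net):
            return name
    return WAN


def forward_chain(src: str, dst: str, state: str = "new") -> str:
    """Walk the modelled forward chain top to bottom, first match wins.

    Rule order mirrors the thread: established/related accept, LAN->WAN accept,
    address-list accept (which must sit before the final drop), then drop.
    """
    in_if, out_if = iface_for(src), iface_for(dst)
    rules = [
        ("established,related", lambda: state in ("established", "related")),
        ("lan->wan", lambda: in_if != WAN and out_if == WAN),
        ("allowed wifi", lambda: src in ALLOWED_WIFI and in_if != WAN),
    ]
    for name, matches in rules:
        if matches():
            return "accept"
    return "drop"


def audit(flows):
    """Return {(src, dst, state): verdict} for a batch of flows, handy for eyeballing isolation."""
    return {f: forward_chain(*f) for f in flows}


if __name__ == "__main__":
    for flow, verdict in audit([
        ("192.168.10.5", "192.168.20.5", "new"),      # LAN-to-LAN: must be dropped
        ("192.168.10.5", "203.0.113.9", "new"),       # LAN-to-Internet: allowed
        ("203.0.113.9", "192.168.10.5", "new"),       # unsolicited from WAN: dropped
        ("203.0.113.9", "192.168.10.5", "established"),  # return traffic: allowed
        ("192.168.10.50", "192.168.30.7", "new"),     # allowed wifi client: may cross LANs
    ]).items():
        print(flow, "->", verdict)
```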