Make 3 subnets accessible to each other, but block one of them from internet access

Hi, this is my first post. I'm quite new to advanced networking; I did configure some Linux firewalls on virtual hosts before, but never did a router firewall setup. So newbie alert here.

So first, this is my setup:


Internet with static ip ----> Mikrotik router (ether1) ----> ether2: one machine directly hooked up
                                                       ----> ether3: subnet 1 with internet access (tp-link hub)
                                                       ----> ether5: subnet 2 without internet access (tp-link router)
                                                       ----> wlan


So basically what I want to do is to make subnet 2 machines, hard drives and databases accessible to everyone, but keep subnet 2 isolated from internet.

My first attempt was to connect subnet 2 to the Mikrotik router directly, as if the router were a client (to a LAN port instead of WAN on the tp-link). Afterwards I tried internet on subnet 2. It wasn't working, as expected. But I switched the DNS on my wifi dongle to Google's DNS and, to my surprise, internet was working.

Afterwards I tried to disable internet access with firewall rules, following a guide that proposed the opposite of what I was trying to achieve. I added a masquerade to subnet 2. After this I was getting an IP generated directly from the Mikrotik router instead of from subnet 2, and internet was available without the need to specify a working DNS.

I also tried disabling the master-port in the interface configuration, but it didn't work for what I was trying to do.

I’m kind of lost in which would be the simplest and best approach for this.

These are my firewall rules right now:

/ip firewall filter
add chain=input comment="default configuration" connection-state=related
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment=UDP protocol=udp
add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add chain=input comment="SSH for secure shell" dst-port=22 protocol=tcp
add chain=input comment=winbox dst-port=8291 protocol=tcp
add chain=input comment="From Mikrotikls network" src-address=192.168.88.0/28
add chain=input comment="From our private LAN" src-address=192.168.88.0/24
add action=drop chain=input comment="Drop everything else" disabled=yes
add chain=input comment="Private LAN" in-interface=ether5-slave-local src-address=192.168.0.0/24
add action=log chain=input comment="Log everything else" log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat src-address=192.168.0.0/24

I mainly placed the basic firewall configuration and, on top of that, tried to block internet access for ether5, whose addresses are 192.168.0.0/24.

The setup is in my office and I won't be able to test much until Monday, but I'm hoping I can study how to solve this over the weekend so I can set it up correctly afterwards. I can connect to the router from home, but I can't check whether subnet 2 has internet access or not.

Subnet 2 handles sensitive information on outdated OSes with exploitable databases and software, which is why I want to keep it isolated from the internet. I don't want to try to fix this issue without being certain that the network is completely isolated, so that is why I would like to wait until Monday, when I can physically corroborate that it is indeed working. I could leave everything prepared, though, with ether5 disabled, to test it when I get back here.

Also, if you think I should add more rules to the firewall, they will be welcome.

I will appreciate any guidelines or help on this matter.

Thanks!
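As an added example (not the poster's configuration and not a reply from the thread), here is one RouterOS configuration for what the post asks: inter-subnet traffic stays open, while 192.168.0.0/24 on ether5 is dropped before it can reach the WAN. The interface and network names (ether1-gateway, ether5-slave-local, 192.168.0.0/24, 192.168.88.0/24) come from the rules quoted above; the router holding 192.168.0.1 on ether5, and ether5 being its own L3 port rather than a switch slave, are assumptions. The master-port syntax matches the "ether5-slave-local" naming in the post, which is the pre-6.41 RouterOS 6 switch model.

```routeros
# Added example, not from the original post. Names taken from the posted rules:
# WAN port ether1-gateway, subnet 2 port ether5-slave-local, subnet 2 = 192.168.0.0/24,
# main LAN = 192.168.88.0/24. Assumed (not in the post): the router's address on ether5
# is 192.168.0.1 and ether5 is a separate L3 port, not a switch slave of ether2.

# 1. Make ether5 a separate port so subnet 2 is not bridged into 192.168.88.0/24.
/interface ethernet set ether5-slave-local master-port=none
/ip address add address=192.168.0.1/24 interface=ether5-slave-local comment="subnet 2 gateway (assumed address)"

# 2. Remove the extra masquerade for subnet 2. The default masquerade
#    (out-interface=ether1-gateway) would still NAT it, so NAT is not the control
#    here; the filter rules below are.
/ip firewall nat remove [find chain=srcnat src-address=192.168.0.0/24]

# 3. Define "local" as an address list, so the drop rule is not tied to the name
#    of one WAN interface (a second uplink or a VPN would otherwise slip past it).
/ip firewall address-list
add list=local-nets address=192.168.88.0/24 comment="main LAN"
add list=local-nets address=192.168.0.0/24 comment="subnet 2"

# 4. Forward chain: log, then drop, anything from subnet 2 whose destination is not a
#    local net. place-before puts both rules ahead of the existing accepts. Connections
#    opened from the other subnets into subnet 2 are unaffected: their replies carry a
#    local destination and still match the established/related accepts.
/ip firewall filter
add action=log chain=forward src-address=192.168.0.0/24 dst-address-list=!local-nets \
    log-prefix="SUBNET2 WAN" comment="subnet 2: log internet attempts" place-before=0
add action=drop chain=forward src-address=192.168.0.0/24 dst-address-list=!local-nets \
    comment="subnet 2: no internet" place-before=1

# 5. Input chain: the posted rules accept any UDP and everything from 192.168.0.0/24 on
#    ether5, so subnet 2 hosts could still resolve names through the router's own DNS
#    forwarder. Block DNS to the router from that port, ahead of the broad accepts.
add action=drop chain=input in-interface=ether5-slave-local protocol=udp dst-port=53 \
    comment="subnet 2: no DNS via router (udp)" place-before=0
add action=drop chain=input in-interface=ether5-slave-local protocol=tcp dst-port=53 \
    comment="subnet 2: no DNS via router (tcp)" place-before=0

# 6. Verification, to run on site: from a subnet 2 host, "ping 8.8.8.8" and a lookup
#    against 192.168.0.1 must fail, while pinging a 192.168.88.x machine must work.
#    On the router the counters of the "subnet 2" rules should increase during the test.
/ip firewall filter print stats where comment~"subnet 2"
```

The forward chain keeps RouterOS's default accept for everything not matched, so subnet 1, ether2 and wlan can reach subnet 2 and subnet 2 can reach them, exactly as the post wants; only subnet 2 to non-local destinations is dropped. If the other subnets should also be denied everything except what is explicitly listed, a final `action=drop chain=forward` rule can be added, but that changes behaviour for subnet 1 as well and is better tested on site.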