I have Vlan for clients (192.168.80.0/24) and Management Vlan (192.168.55.0/27) I want to isolate traffic from client to manage vlan but manage vlan client have access to client vlan.
add action=drop chain=input dst-address=192.168.55.0/27 src-address=192.168.80.0/24
add action=accept chain=input dst-address=192.168.80.0/24 src-address=192.168.55.0/27
What am I doing wrong?
“Input” chain is for traffic coming to the router. Change it to “forward” as you want to manage “forwarding” between IP subnets.
Firewall chain input handles traffic to the router itself. To handle transit traffic (from one interface to another), you have to use chain forward.
Also have a look what a stateful firewall means. Your rules, if placed in the correct chain, would drop any packets from the client subnet to the management subnet, including responses to requests sent from the management subnet. What you actually need is to accept or drop the initial packet of each conversation (connection, session); if the initial packet gets dropped, the conversation never starts, if it gets accepted, the responses in that conversation must get accepted as well. This is what a stateful firewall will do for you.
The firewall rules in the default configuration of the SOHO models of Mikrotik are an example of a stateful firewall, all you need is to modify them to support multiple LANs and policy the traffic among them.
If I change to “forward” I lost connection from both site
I think the accept rule is unnecessary as by default all inter VLAN traffic is allowed. But it depends on any other rules you have.
Instead of using IP ranges I prefer to use it like this (check the name of the interfaces you have used):
add action=drop chain=forward in-interface=CLIENT_VLAN out-interface=MGT_VLAN
Haveing access to user subnet UIP=192.168.80.0/24 from MIP=192.168.55.0/27 with IP implies that any traffic originated from MIP to UIP should be allowed no matter what. On the other hand only related or established traffic from OIP should be accepted. Any new, invalid or untracked packets from UIP to MIP should be forbidden as they mean that someone from UIP wants to access devices on MIP.
So … the idea is:
# Managemet -> users allowed - not strictly needed but you can watch counters if any traffic passes that direction
add action=accept chain=forward dst-address-list=UIP src-address-list=MIP
# allow all returning traffic started from MIP to OIP device
add action=accept chain=forward connection-state=established,related dst-address-list=MIP src-address-list=UIP
# any traffic different that returnig one (defined previously) is blocked
add action=drop chain=forward connection-state=!established,related dst-address-list=MIP src-address-list=UIP
The other method could be mangling to set connection mark on any traffic started from MIP and then rules should be based
on that mark to not allow to pass traffic from UIP to MIP without that mark instead of IP lists
Without seeing the full config, not able to provide any useful info.
/export hide-sensitive file=anynameyouwish just ensure you dont use real numbers for WANIP or WANIP IP gateway (public side info).
This config helped to me, and it working correctly! Thank you so much))
I already tried by this way, but in my case, this is not working.
add action=drop chain=forward in-interface=CLIENT_VLAN out-interface=MGT_VLAN