hi @all.
Again, a network isolation problem. I have some networks in my organisation, and some of them need to be isolated from all other networks. Now on some routers I have a bunch of similar rules, such as:
ip firewall filter add chain=forward src-address=10.0.0.0/24 dst-address=192.168.1.0/24 action=drop
ip firewall filter add chain=forward src-address=10.1.1.0/24 dst-address=192.168.1.0/24 action=drop
ip firewall filter add chain=forward src-address=10.15.12.0/24 dst-address=192.168.1.0/24 action=drop
ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=10.0.0.0/24 action=drop
ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=10.1.1.0/24 action=drop
ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=10.15.20.0/24 action=drop
...
#all combinations of paired networks
Because of the variety of networks it is hard enough to make /8 or /16 rules. But is it OK to use /0 rules to isolate a network from all others, or will I also block forward traffic inside the network?
I mean:
ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=0.0.0.0/0 action=drop
ip firewall filter add chain=forward src-address=0.0.0.0/0 dst-address=192.168.1.0/24 action=drop
Okay then. More advanced situation. If I have more networks to be isolated, I should use Address Lists, so my complex rules should be:
ip firewall filter add chain=forward src-address-list="isolated" dst-address=0.0.0.0/0 action=drop
ip firewall filter add chain=forward src-address=0.0.0.0/0 dst-address-list="isolated" action=drop
So if I will need a hole to an address in the isolated network, I should use:
ip firewall filter add chain=forward src-address=10.0.0.54 dst-address=192.168.1.54 action=accept comment="1-way hole to isolated"
Should I put this rule before or after? Is it enough to use only one rule, or do I need more of them or change the existing ones somehow?
Or is this solution completely wrong?
I’ll challenge you with another approach.
If the networks that you are trying to isolate are more than the networks that you want to allow, you might want to use an ACL to whitelist the networks you want to allow forwarding for, and drop everything else.
I would build a firewall like this (in the forward chain):
1 Allow established, related
2 Allow forward traffic from WAN interface
3 Allow forward traffic to WAN interface
4 Allow forward traffic from “AllowedNetworks”
5 Allow forward traffic to “AllowedNetworks”
6 Block all forward traffic
In the address list AllowedNetworks put any network or single IP address you want to whitelist.
Of course if you want to make it more granular, such as certain networks whitelisted to certain others but not all of them, the rules will be a little bit more complex, but I would follow the same principle.
A quick solution is to use VRF.
/ip route vrf
Add every interface to a new VRF (routing mark) and they will have a separate routing table and will be isolated from other networks.
Clean solution without firewall.
Assume you have plenty of firewall filters for combinations of public host, internal address and protocol (e.g. chain=forward action=allow proto=tcp ports=80 src-address=1.2.3.4 dst-address=192.168.42.42) and the last rule drops everything. These allow connections from the WAN host to the LAN server but block replies, so there should be another filter rule allowing connections in the other direction. If (one of the first) rules allows related, then replies from the LAN server to the WAN host also get allowed (but not new connections).
The established state is (if I understand correctly) more a shortcut so that packets of already established connections don't have to pass the whole filter list but get allowed as soon as possible.
If there was a filter accepting new connections without other filter peculiarities (such as src address, dst address, proto and port), that rule would allow all new connection initializations (that is, TCP SYN packets), and if there was the usual established,related rule enabled, the firewall would not block any connection whatsoever. There's rarely a reason to allow new connection packets and not the rest, so state=new is used almost never.
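To make the two ordering questions in this thread concrete (the poster's one-way hole placed before or after the /0 drop rules, and the last reply's point that replies need an established/related rule), here is an added Python model of first-match evaluation over RouterOS-style forward rules; it is not code from the thread, and the "isolated" list members and the sample packets are constructed for the example.

```python
import ipaddress

# Constructed address list for this example (assumption: these networks form the "isolated" list).
ADDRESS_LISTS = {"isolated": ["192.168.1.0/24", "10.15.20.0/24"]}

def parse_rule(line):
    """Turn 'add chain=forward key=value ...' (RouterOS-style tokens) into a dict."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])
def in_net(addr, spec):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
def in_list(addr, name):
    return any(in_net(addr, net) for net in ADDRESS_LISTS[name])

def matches(rule, pkt):
    """Every matcher present on the rule must hold; absent matchers match anything."""
    checks = {
        "src-address": lambda v: in_net(pkt["src"], v),
        "dst-address": lambda v: in_net(pkt["dst"], v),
        "src-address-list": lambda v: in_list(pkt["src"], v),
        "dst-address-list": lambda v: in_list(pkt["dst"], v),
        "connection-state": lambda v: pkt.get("state", "new") in v.split(","),
    }
    return all(fn(rule[key]) for key, fn in checks.items() if key in rule)

def verdict(rule_lines, pkt):
    """Rules are evaluated top-down; the first match decides. No match: the chain default, accept."""
    for rule in map(parse_rule, rule_lines):
        if rule.get("chain") == "forward" and matches(rule, pkt):
            return rule["action"]
    return "accept"

ESTABLISHED = "add chain=forward connection-state=established,related action=accept"
DROPS = ["add chain=forward src-address-list=isolated dst-address=0.0.0.0/0 action=drop",
         "add chain=forward src-address=0.0.0.0/0 dst-address-list=isolated action=drop"]
HOLE = "add chain=forward src-address=10.0.0.54 dst-address=192.168.1.54 action=accept"

# Constructed sample packets: first packet of the allowed flow, its reply, and an unrelated host.
NEW_TO_HOST = {"src": "10.0.0.54", "dst": "192.168.1.54"}
REPLY = {"src": "192.168.1.54", "dst": "10.0.0.54", "state": "established"}
OTHER_HOST = {"src": "10.0.0.55", "dst": "192.168.1.54"}

def hole_after_drops(pkt):   # the /0 drops match first, so the hole is never reached
    return verdict(DROPS + [HOLE], pkt)
def hole_before_drops(pkt):  # the hole works one way, but the reply still hits the first drop
    return verdict([HOLE] + DROPS, pkt)
def established_first(pkt):  # established/related at the top, as the whitelist answer suggests
    return verdict([ESTABLISHED, HOLE] + DROPS, pkt)
```

Run each function on the three packets to see which rule wins in each ordering.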