Network Segregation

I have three physical networks on my MikroTik (10.2.0.x, 192.168.1.x and 172.16.0.x), all going out to the internet through a masquerade rule in the NAT portion of the firewall. Until recently I thought they were segregated and could not communicate with each other; now, however, a client of mine has put a Windows domain controller on our 10.2.0.x network and we are able to reach it from the 192.168.1.x network. What would be the easiest way to completely segregate the three networks from each other so there would be no crosstalk?

Put some firewall rules in disallowing traffic. Are these all on the same physical interface, or each on its own interface?

Each is on its own physical interface. What kind of rules would I need to put in to disallow traffic? If you could point me to a wiki or a tutorial, or help me out in any other way, that would be great too.

Set a rule to drop every packet that is not coming from the internet interface AND not going to the internet interface.

If your internet interface is named wan then set in-interface= !wan and out-interface=!wan in the same rule.

I tried

add chain=forward in-interface=!zone1 out-interface=!zone1 src-address-list=zone2 action=drop

I thought that would drop everything coming from zone2 to zone1, but all it did was drop everything from zone2, including internet. Could someone point out what I'm doing wrong here, please?

I found my answer. If you put in a rule that goes like so

/ip firewall filter add chain=forward action=drop src-address=192.168.1.0/24 dst-address=10.2.0.0/24

and another that is the opposite, it blocks the traffic between them without blocking them from the main broadband connection.
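The two approaches in this thread (the "not from WAN and not to WAN" rule suggested earlier, and the pairwise src/dst-address drop rules in the last post) can be combined into one small configuration. The following is an added example, not something posted in the thread; it assumes the uplink is ether1 and the three LANs sit on ether2, ether3 and ether4 with the subnets named in the question. It uses RouterOS interface lists so that a single forward rule covers all three segments in every direction, instead of six pairwise address rules that have to be extended every time a network is added.

```routeros
# Added example, not from the original thread. Assumed layout:
#   ether1 = internet uplink (WAN)
#   ether2 = 10.2.0.0/24, ether3 = 192.168.1.0/24, ether4 = 172.16.0.0/24
# Adjust interface names and subnets to match the router.

/interface list
add name=WAN comment="uplink to the internet"
add name=LAN comment="internal segments that must not reach each other"

/interface list member
add list=WAN interface=ether1
add list=LAN interface=ether2
add list=LAN interface=ether3
add list=LAN interface=ether4

/ip firewall filter
# Return traffic for connections that were already allowed (LAN -> internet)
# is accepted first, so the drop rule below only ever sees new transit traffic.
add chain=forward connection-state=established,related action=accept \
    comment="allow replies to permitted connections"

# Matches only when a packet enters on one LAN port and would leave on another
# LAN port. LAN -> internet enters on LAN but leaves on WAN, so it is untouched.
# This is the interface-based form of "not from WAN and not to WAN".
add chain=forward in-interface-list=LAN out-interface-list=LAN action=drop \
    comment="no forwarding between internal segments"

# Equivalent pairwise form from the last post, written out for the first pair.
# With three subnets you need six of these (A->B, B->A, A->C, C->A, B->C, C->B);
# keep either these or the single list rule above, not both.
# add chain=forward src-address=192.168.1.0/24 dst-address=10.2.0.0/24 action=drop
# add chain=forward src-address=10.2.0.0/24 dst-address=192.168.1.0/24 action=drop

# The existing masquerade rule should only match the uplink, so nothing is
# NATed between internal segments even if a rule above is mis-ordered:
# /ip firewall nat set [find action=masquerade] out-interface-list=WAN
```

A few things worth checking after applying this. The drop rule must come before any broad `chain=forward action=accept` rule that may already exist; use `place-before=` when adding it, or reorder with `/ip firewall filter move`. Connections that were open before the rule was added keep flowing until their tracking entries expire, because the established/related accept comes first; `/ip firewall connection print` shows them and `/ip firewall connection remove` clears them. `/ip firewall filter print stats` shows the packet counters, so a ping from a 192.168.1.x host to the domain controller on 10.2.0.x should increment the drop rule while a ping to an internet address increments only the NAT rule. Matching on interfaces rather than source addresses also means a host that configures itself with an address from another segment still cannot cross over, which the pairwise src-address/dst-address rules alone would not prevent. This only controls traffic forwarded between segments; access to the router itself is governed by the input chain and is unchanged here.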