Hello, I am quite new to routerOS in the scheme of things and I have become very interested in being more advanced at using it.
Currently I have two Mikrotik Devices - my main unit with most of the configuration on it is an RB750GL, and my home router behind that is an RB951G-2HnD.
Currently the RB750GL has two interfaces that I have assigned separate networks for work (Worknet and Worknet2). It also has one interface assigned to the router that my home network is on (the RB951G-2HnD) and the last interface is used to handle my PPPoE connection with my ISP.
Right now Both Work interfaces and my home interface can connect to the internet and appear to be passing through the NAT that I am using to try and make them use the specified DNS server in my firewall.
I think I have my firewall the way I want it for now but the problem I am running into is that I would like to make Worknet and Worknet 2 be able to communicate with each other but unable to communicate Homenet. I also do not want Homenet to be able to communicate with either of the Worknet addresses.
I will post my config below to see if anyone can help me figure out what I need to do. I am not sure if I need to just add some more firewall rules or if this is a route problem or something else.
/interface ethernet
set [ find default-name=ether3 ] name=HomeNet
set [ find default-name=ether1 ] name=Public
set [ find default-name=ether2 ] name=WorkNet
set [ find default-name=ether4 ] name=WorkNet2
set [ find default-name=ether5 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=Public name=pppoe-out2 password=**** user=****
/ppp profile
set [ find name=default ] name=default
set [ find name=default-encryption ] name=default-encryption
/ip address
add address=10.7.7.1/30 interface=WorkNet network=10.7.7.0
add address=10.6.6.1/30 interface=HomeNet network=10.6.6.0
add address=10.8.8.1/30 interface=WorkNet2 network=10.8.8.0
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall address-list
add address=0.0.0.0/8 comment=“illegal addresses(Bogons)” list=illegal-addr
add address=127.0.0.0/8 list=illegal-addr
add address=224.0.0.0/3 list=illegal-addr
add address=10.0.0.0/8 list=illegal-addr
add address=172.16.0.0/12 list=illegal-addr
add address=192.168.0.0/16 list=illegal-addr
add address=10.7.7.0/30 comment=WorkNet list=local-addr
add address=10.6.6.0/30 comment=HomeNet list=local-addr
add address=10.8.8.0/30 comment=HomeNet2 list=local-addr
/ip firewall filter
add action=jump chain=forward comment=“Sanity Check Forward” jump-target=sanity-check
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment=“Block port scans” protocol=tcp psd=20,3s,3,1
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment=“Block TCP Null scan” protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment=“Block TCP Xmas scan” protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=jump chain=sanity-check jump-target=drop protocol=tcp src-address-list=blocked-addr
add action=jump chain=sanity-check comment=“Drop TCP RST” jump-target=drop protocol=tcp tcp-flags=rst
add action=jump chain=sanity-check comment=“Drop TCP SYN+FIN” jump-target=drop protocol=tcp tcp-flags=fin,syn
add action=jump chain=sanity-check comment=“Dropping invalid connections at once” connection-state=invalid jump-target=drop
add chain=sanity-check comment=“Accepting already established connections” connection-state=established
add chain=sanity-check comment=“Also accepting related connections” connection-state=related
add action=jump chain=sanity-check comment=“Drop all traffic that goes to multicast or broadcast addresses” dst-address-type=broadcast,multicast jump-target=drop
add action=jump chain=sanity-check comment=“WorkNet - Drop illegal destination addresses” dst-address-list=illegal-addr dst-address-type=!local in-interface=WorkNet jump-target=drop
add action=jump chain=sanity-check comment=“HomeNet - Drop Illegal Dest Addr” dst-address-list=illegal-addr dst-address-type=!local in-interface=HomeNet jump-target=drop
add action=jump chain=sanity-check comment=“WorkNet - Drop everything that goes from local interface but not from local address” in-interface=WorkNet jump-target=drop src-address-list=!local-addr
add action=jump chain=sanity-check comment=“HomeNet - Drop everything that goes from local interface but not from local address” in-interface=HomeNet jump-target=drop src-address-list=!local-addr
add action=jump chain=sanity-check comment=“Drop illegal source addresses” in-interface=Public jump-target=drop src-address-list=illegal-addr
add action=jump chain=sanity-check comment=“Drop everything that goes from public interface but not to local address” dst-address-list=!local-addr in-interface=Public jump-target=drop
add action=jump chain=sanity-check comment=“Drop all traffic that comes from multicast or broadcast addresses” jump-target=drop src-address-type=broadcast,multicast
add action=jump chain=forward jump-target=restrict-tcp protocol=tcp
add action=jump chain=forward jump-target=restrict-udp protocol=udp
add action=jump chain=forward jump-target=restrict-ip
add action=reject chain=restrict-tcp connection-mark=auth
add action=jump chain=restrict-tcp comment=“anti-spam policy” connection-mark=smtp jump-target=smtp-first-drop
add action=add-src-to-address-list address-list=approved-smtp chain=\smtp-first-drop src-address-list=first-smtp
add action=return chain=smtp-first-drop src-address-list=approved-smtp
add action=add-src-to-address-list address-list=first-smtp chain=smtp-first-drop
add action=reject chain=smtp-first-drop
add chain=input comment=“Allow local traffic (between router applications)” dst-address-type=local src-address-type=local
add action=jump chain=input comment=“Sanity Check” jump-target=sanity-check
add action=jump chain=input comment=“Dropping packets not destined to the router itself, including all broadcast traffic” dst-address-type=!local jump-target=drop
add chain=input comment=“Allow pings, but at a very limited rate (5 packets per sec)” connection-mark=ping limit=5,5
add action=jump chain=input comment=“WorkNet - Allowing some services to be accessible from the local network” in-interface=WorkNet jump-target=local-services
add action=jump chain=input comment=“HomeNet - Allowing some services to be accessible from the local network” in-interface=HomeNet jump-target=local-services
add action=jump chain=input comment=“Allowing some services to be accessible from the Internet” in-interface=Public jump-target=public-services
add action=jump chain=input jump-target=drop
add chain=local-services comment=“SSH (22/TCP)” connection-mark=ssh
add chain=local-services comment=DNS connection-mark=dns
add chain=local-services comment=“HTTP Proxy (3128/TCP)” connection-mark=proxy
add chain=local-services comment=“Winbox (8291/TCP)” connection-mark=winbox
add action=log chain=local-services comment=“Log & Drop Other Local Services”
add action=drop chain=local-services
add action=log chain=public-services comment=“Log & Drop Other Public Services”
add action=drop chain=public-services
add action=jump chain=restrict-udp connection-mark=other-udp jump-target=drop
add action=jump chain=restrict-tcp connection-mark=other-tcp jump-target=drop
add action=jump chain=restrict-ip connection-mark=other jump-target=drop
add action=drop chain=drop log=yes
/ip firewall mangle
add action=jump chain=prerouting connection-state=new jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new jump-target=udp-services protocol=udp
add action=jump chain=prerouting connection-state=new jump-target=other-services
add action=mark-connection chain=tcp-services comment=“SMTP Request” dst-port=25 new-connection-mark=smtp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“DNS TCP Request” dst-port=53 new-connection-mark=dns passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“HTTP Request” dst-port=80 new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“HTTP Proxy” dst-port=8080 new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“HTTPS Proxy” dst-port=8443 new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“POP3 Request” dst-port=110 new-connection-mark=pop3 passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“Auth TCP 113 (Reject for Formality)” dst-port=113 new-connection-mark=auth passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“IMAP4 Request” dst-port=143 new-connection-mark=imap passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“SNMP Request” disabled=yes dst-port=161-162 new-connection-mark=snmp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“HTTPS Request” dst-port=443 new-connection-mark=https passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“SMTPoverSSL Request” dst-port=465 new-connection-mark=smtps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“IMAP4overSSL Request” dst-port=993 new-connection-mark=imaps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“POP3overSSL Request” dst-port=995 new-connection-mark=pop3s passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“HSHoW TCP 1119” dst-port=1119 new-connection-mark=game passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“MS PPTP Request” dst-port=1723 new-connection-mark=pptp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“HTTP Proxy” dst-port=3128 new-connection-mark=proxy passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“Eve-HSHoW TCP 3724” dst-port=3724 new-connection-mark=game passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=HipChat dst-port=5222 new-connection-mark=chat passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=HipChat dst-port=5223 new-connection-mark=chat passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=GuildWars2 dst-port=6112 new-connection-mark=game passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=GuildWars2 dst-port=6600 new-connection-mark=game passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=Winbox dst-port=8291 new-connection-mark=winbox passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“Clash of Clans” dst-port=9339 new-connection-mark=game passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“Eve-Online 26000” dst-port=26000 new-connection-mark=game passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=Mumble dst-port=51694 new-connection-mark=game passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“Steam Downloads” dst-port=27014-27050 new-connection-mark=game passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment=“Unidentified Port Request (TCP)” new-connection-mark=other-tcp passthrough=no protocol=tcp
add action=mark-connection chain=udp-services comment=“DNS UDP Request” dst-port=53 new-connection-mark=dns passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment=NTP dst-port=123 new-connection-mark=ntp passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment=Steam dst-port=3478 new-connection-mark=game passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment=“HSHoW UDP 3724” dst-port=3724 new-connection-mark=game passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment=Steam dst-port=4379 new-connection-mark=game passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment=Steam dst-port=4380 new-connection-mark=game passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment=TS dst-port=9987 new-connection-mark=TeamSpeak passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment=TS dst-port=3945 new-connection-mark=TeamSpeak passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment=TS dst-port=11317 new-connection-mark=TeamSpeak passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment=“Steam Game Client Traffic” dst-port=27000-27015 new-connection-mark=game passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment=“Steam Matchmaking and HLTV” dst-port=27015-27030 new-connection-mark=game passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment=“Unidentified Port Request (UDP)” connection-state=new new-connection-mark=other-udp passthrough=no protocol=udp
add action=mark-connection chain=other-services comment=ICMP icmp-options=8 new-connection-mark=ping passthrough=no protocol=icmp
add action=mark-connection chain=other-services comment=GRE new-connection-mark=gre passthrough=no protocol=gre
add action=mark-connection chain=other-services comment=“Unidentified Port Request (Other)” new-connection-mark=other passthrough=no
/ip firewall nat
add action=redirect chain=dstnat comment=“Transparent DNS Cache (WorkNet)” connection-mark=dns in-interface=WorkNet
add action=redirect chain=dstnat comment=“Transparent DNS Cache (HomeNet)” connection-mark=dns in-interface=HomeNet
add action=masquerade chain=srcnat comment=“Internet Masquerade” out-interface=pppoe-out2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=gStik
/tool romon port
add disabled=no