I have an IPv4 network at different locations connected via VPN. The IP addresses use the schema 10.X.Y.Z, where X is the location and Y is the usage type.
So generally I want complete routing for all addresses, but I would like to add firewall filter rules by usage Y. For example 10.X.192.Z to 10.X.255.Z are used for management and I would like to block these. What’s the best way with Mikrotik RouterOS?
I can’t get a routerboard to accept non-contiguous masks (255.100.0.0 or 255.0.255.0). It’s a bad idea anyway; your IP scheme will be crazy, just for ACL convenience.
Non-contiguous netmasks have not been supported in Linux for a long time, and therefore also not in the MikroTik routers.
You will need to specify each subnet separately, either in different firewall rules or in an address list that you use in firewall rules.
An address list can contain multiple subnets of the form 10.1.192.0/22 for example.
So you can have 10.1.192.0/22, 10.2.192.0/22, 10.3.192.0/22, etc., all in a single list and use that list to block/allow things.
This carries over into your IP layout strategy in IPv6 even more, and there’s definitely no such thing as wildcard bits in IPv6.
You just have to figure out which is worse - lots of ACL entries or many blocks of IPs in your routing tables.
I personally prefer your strategy in hierarchy-based addressing: 10.site.use.host → 2001:db8:site:use::
But I have more sites than policy-types and firewalls, so it makes the most sense to repeat the rules in a few places in order to have tight address aggregation.
Otherwise, you’ll need to have 10.use.site.host addressing so that your rules can be simpler, and just accept that you’ll have nSites * nPolicies routes in your tables.
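As an added example (not written by any poster in this thread), the Python below expands the asker's 10.X.192.0-10.X.255.255 management range into the per-site CIDR blocks an address list needs, emits the matching RouterOS `/ip firewall address-list` commands, and checks that the expanded list accepts the same addresses the unsupported non-contiguous mask would have. The list name `mgmt` and the site numbers 1 to 3 are assumptions.

```python
import ipaddress

def mgmt_prefixes(site, usage_lo=192, usage_hi=255):
    """Minimal CIDR blocks covering 10.<site>.<usage_lo>.0 - 10.<site>.<usage_hi>.255.
    An aligned range such as 192-255 collapses to one /18; a non-aligned
    range needs several blocks, which is why the list must be generated."""
    first = ipaddress.IPv4Address(f"10.{site}.{usage_lo}.0")
    last = ipaddress.IPv4Address(f"10.{site}.{usage_hi}.255")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]

def address_list_commands(sites, list_name="mgmt"):
    """RouterOS CLI lines, one address-list entry per block per site.
    The list name is an assumption; a firewall rule would then use
    src-address-list/dst-address-list=<list_name> instead of a mask."""
    return [
        f"/ip firewall address-list add list={list_name} address={prefix}"
        for site in sites
        for prefix in mgmt_prefixes(site)
    ]

def wildcard_match(addr, pattern, mask):
    """What the asker wanted: a non-contiguous mask such as 255.0.192.0 that
    ignores the site octet. Shown only to verify the list; RouterOS and the
    Linux stack do not accept such masks."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (p & m)

def in_address_list(addr, prefixes):
    """Membership test equivalent to a RouterOS address-list lookup."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

if __name__ == "__main__":
    sites = (1, 2, 3)  # constructed sample sites
    for cmd in address_list_commands(sites):
        print(cmd)
    prefixes = [p for s in sites for p in mgmt_prefixes(s)]
    for probe in ("10.1.200.7", "10.2.10.1", "10.3.255.254"):
        assert wildcard_match(probe, "10.0.192.0", "255.0.192.0") == in_address_list(probe, prefixes)
```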