Oneway Firewall Rule between VLANs

Hi,
I am a beginner with MikroTik routers. In my lab I have a RouterBOARD 750G r3. I have created 4 VLANs and I want to allow only certain communication among them. At the bottom I have a FW rule which blocks communication among all VLANs:
chain=forward action=drop in-interface=all-vlan out-interface=all-vlan log=no log-prefix=""

Above this rule I have individual rules for allowing specific ports on specific IPs from different VLANs. Example for allowing RDP:
(192.168.10.0/24 is VLAN20)
(192.168.15.0/24 is VLAN30)
FW:
chain=forward action=accept protocol=tcp src-address=192.168.10.100 dst-address=192.168.15.100 port=3389 log=yes log-prefix="rdptest"
chain=forward action=accept protocol=tcp src-address=192.168.15.100 dst-address=192.168.10.100 port=3389 log=yes log-prefix="rdptest"
This works OK, but my question is: how can I set up this rule to work one way? I need to allow RDP just from VLAN20 to VLAN30, and forbid it from VLAN30 to VLAN20.
If I set up a rule like:
chain=forward action=accept protocol=tcp src-address=192.168.10.100 dst-address=192.168.15.100 port=3389 log=yes log-prefix="rdptest" (VLAN20)
the communication to 3389 will come to VLAN30 but no communication is returning. I read something about connection state established, related, but I am a bit lost. Could someone please help me with this?

I use a premise of DROP ALL ELSE at the end of my input and forward chains.
So for the most part, nothing is allowed and I use mostly allow rules for what is permitted (the exception being drop invalid packets).
Conceptually speaking
{forward chain}
allow established, related
drop invalid
allow lan to wan
allow vlan20 to wan
allow vlan30 to wan
allow admin to vlans
allow vlan20 subnet to vlan30 printer (as an example of what is possible)
allow vlan30 IP to vlan20 IP (another example, where one computer on vlan30 needs access to one device in vlan20)
allow dst-nat connections to LAN
Drop ALL ELSE

/ip firewall address-list
add address=192.168.20.0/24 list=myvlans
add address=192.168.30.0/24 list=myvlans

example of allow admin to vlans forward filter rule:
add action=accept chain=forward src-address=adminIP in-interface=bridge dst-address-list=myvlans

Note: Allowing device A on vlan20 to access device B on vlan30 implies one way traffic. In other words requests ORIGINATING on vlan20 pc, will reach vlan30 pc and any return traffic associated will be permitted. Traffic ORIGINATING on VLAN30 pc will not be able to reach VLAN20 pc if that is your concern.

Thank you, I added {forward chain} allow established, related and it's working as required. This was the missing part. I tried it before, but probably with the wrong settings.
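
Added example, not part of the original thread: the one-way RDP rule set discussed above, written out as a complete forward chain with the addresses from the question. It assumes an empty forward chain so the rules are stored in the order shown; the comments and the "vlan-drop" log prefix are made up for illustration, and dst-port replaces port because the RouterOS port matcher matches when either the source or the destination port is 3389.

```routeros
# Added example: forward chain for one-way RDP, VLAN20 -> VLAN30.
# Assumption: the forward chain is empty when these lines are pasted, so the
# rules are evaluated top to bottom in the order shown here.
# Addresses and the all-vlan drop rule are the ones from the question.
/ip firewall filter

# 1. Replies belonging to a connection that a rule below already accepted.
#    This is what lets the RDP server's answers travel back VLAN30 -> VLAN20.
add chain=forward action=accept connection-state=established,related \
    comment="allow established, related"

# 2. Packets that connection tracking cannot attribute to any connection.
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# 3. The only rule that can START an RDP session: new connections from the
#    VLAN20 host to the VLAN30 host. dst-port pins the server side of the
#    session instead of matching 3389 on either end.
add chain=forward action=accept protocol=tcp connection-state=new \
    src-address=192.168.10.100 dst-address=192.168.15.100 dst-port=3389 \
    log=yes log-prefix="rdptest" comment="RDP VLAN20 -> VLAN30 only"

# 4. Everything else between VLANs is dropped. A new connection opened from
#    192.168.15.100 towards 192.168.10.100 ends up here: it is not
#    established, and rule 3 only matches the VLAN20 host as source.
#    Logging (prefix is an assumed name) makes blocked attempts visible.
add chain=forward action=drop in-interface=all-vlan out-interface=all-vlan \
    log=yes log-prefix="vlan-drop" comment="drop inter-VLAN, all else"
```

On a router that already has the drop rule, `add` appends new rules after it, so move them above the drop rule (or add them with `place-before`) until the order matches the listing.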