Hello everybody,
After sob and yogender helped me to isolate the VLANs from one another THANKS !!! I would now like to prevent access to the MikroTik from within the same LAN.
The admin client is in VLAN5 (= 172.16.5.0/24). The MikroTik router has the IP 172.16.5.254 in the admin VLAN5. The admin should of course be able to access the MikroTik, but all other VLANs should not!
VLAN5 client to 172.16.5.254 → accept
VLAN10 clients to 172.16.10.254 → drop
VLAN20 clients to 172.16.20.254 → drop
...
VLAN200 clients to 172.16.200.254 → drop
What do you think of these rules, in this order:
/ip firewall filter add chain=input in-interface=adminVLAN5 action=accept
/ip firewall filter add chain=input in-interface=all-vlan action=drop
Yes, if you want to block access (e.g. WinBox), you can do it in /ip firewall filter.
Assuming that your router (the one you want to prevent access to) is the gateway, you need to create input rules to accept from those you want to grant access.
And after that, you deny (action=drop) everyone else.
Thank you all! @sob - I am doing a lot of my testing remotely via OpenVPN, therefore I am very careful. I am so glad that I am beginning to understand firewall rules.
@ploquets
XXX.XXX.XXX.XXX/XX is not a single IP but an expression for a subnet incl. subnet mask? e.g. 192.168.10.0/24
Do I need 172.16.5.254/24 or just the IP 172.16.5.254?
Should I insert your rules before or after the rules mentioned above, or is it unimportant?
The XXX.XXX.XXX.XXX/XX is the source IP that is allowed to log in. If you have a whole subnet that you want to allow, then use /24 or the respective mask of your subnet.
If only your computer is allowed to admin the RB, then you should only use your PC's IP (with a /32 mask or with no mask at all).
The rules I've mentioned above are there to achieve the allowing (exceptions) and the blocking of everyone else (except the exceptions in the first rule).
If you use your rules and they work as you need, then you probably won't need more rules to do the same thing again.
Order of rules is very important. Once a rule matches a packet, further rules are not processed. The exception is "/ip firewall mangle" and rules with passthrough=yes. So if you want to play it safe, add an accept rule to the input chain with your remote address, and put it before all others. Then even if you mess up something down the chain, you'll still be able to connect.
Hello everybody,
Finally, I would ask you to check my firewall rules. They are there to give the admin access to all VLANs and the MikroTik. The client VLANs must not have contact with one another and must not reach the MikroTik router.
For information:
The actual firewall (pfSense) is behind the modem and in front of the MikroTik.
Modem → pfSense (firewall, DNS resolver, Squid with SquidGuard, NAT) → MikroTik (no NAT, router + DHCP server) → VLANs → clients
It's better to post a text export (created by "/export" in the terminal), because WinBox does not necessarily show all fields. But based on what you asked about, I assume you don't have any hidden extras and it looks ok. It will do:
Forwarding: Block between VLANs, except when source is VLAN5. Allow everything else.
Input: Block from VLANs, except when source is VLAN5 (any traffic) or 172.16.5.0/24 (just tcp/8291). Block tcp/8291 from ether1. Allow everything else.
When you look at it, it’s really simple, the rules are self-explanatory.
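The policy sob summarises above, plus his earlier advice to put an accept for your own remote address first, written out as a RouterOS rule set. This is an added example, not the OP's actual configuration or anything posted in the thread; it assumes RouterOS v6 syntax (the all-vlan keyword; v7 would need an interface list instead), the interface name adminVLAN5 from the OP's post, ether1 as the uplink towards pfSense as in sob's summary, and 203.0.113.10 as a constructed placeholder for the admin's remote OpenVPN address.

```routeros
# Added example: input and forward rules for the described policy.
# adminVLAN5 = admin VLAN (from the OP), ether1 = uplink to pfSense (from sob),
# all-vlan = every VLAN interface, 203.0.113.10 = placeholder remote admin address.
/ip firewall filter
# sob's safety net: accept your own remote address before anything else,
# so a mistake further down the chain cannot lock you out
add chain=input action=accept src-address=203.0.113.10 comment="remote admin (placeholder address)"
# replies to connections the router itself opened; my assumption, added so the
# all-vlan drop below does not break them
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=adminVLAN5 comment="admin VLAN: any traffic to the router"
add chain=input action=accept src-address=172.16.5.0/24 protocol=tcp dst-port=8291 comment="WinBox from admin subnet"
add chain=input action=drop in-interface=ether1 protocol=tcp dst-port=8291 comment="no WinBox from the pfSense side"
add chain=input action=drop in-interface=all-vlan comment="other VLANs: no access to the router"
# anything else reaching input falls through and is accepted (default policy)

# forward: admin VLAN may reach every VLAN, client VLANs may not reach each other
add chain=forward action=accept connection-state=established,related comment="replies to allowed connections"
add chain=forward action=accept in-interface=adminVLAN5 comment="admin VLAN to any VLAN"
add chain=forward action=drop in-interface=all-vlan out-interface=all-vlan comment="no client VLAN to client VLAN"
# VLAN traffic towards pfSense (ether1) does not match the drop and is accepted
```

Because rules are matched first-hit, a packet from VLAN10 to 172.16.10.254 reaches the input chain, skips the three accepts, and hits the all-vlan drop; the same packet from VLAN5 is accepted by the adminVLAN5 rule before the drop is ever consulted.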