Normally when I do a port forward on a simple single network setup I don’t need to add anything else to make it work, but recently I’ve had to set up a solution for a multi-tenanted building using a CCR with each tenant in their own VLAN, and each VLAN is isolated from one another with the exception of a management VLAN that has full access. I went down the approach of (other rules have been missed out):-
/ip firewall filter
add action=accept chain=forward comment="Allow Management to any Subnet" \
src-address=192.168.88.0/24
add action=drop chain=forward comment="Drop VLAN to VLAN"
This is fine and all works the way I want. But when I then want to port forward to one of the VLANs which are NAT’d, I have to add the NAT rule and a firewall rule for it to work.
/ip firewall filter
add action=accept chain=forward comment="Phone System tcp/8081" dst-address=\
192.168.200.2 dst-port=8081 in-interface-list=WANs protocol=tcp
/ip firewall nat
add action=netmap chain=dstnat comment="Phone System tcp/8081" dst-port=8081 \
in-interface-list=WANs log=yes log-prefix=Voice protocol=tcp to-addresses=\
192.168.200.2 to-ports=8081
Now I understand why I need the filter rule due to my ‘Drop VLAN to VLAN’ rule above, but is there a more efficient yet still equally secure way so that port forwards are allowed without having to add a separate filter rule for each port forward?
Would the following be safe:-
/ip firewall filter
add action=accept chain=forward comment="Allow Port forwards to VLAN 200" dst-address=\
192.168.200.0/24 in-interface-list=WANs
and repeat this for each VLAN that needs port forwards, or will this add a gaping security hole? If it wasn’t NAT’d I would never do this, but does the NAT add the protection to only allow the specified ports to the specified IPs?
If this is not right, how best can I set this up so all I have to do is just add the NAT rule or do I just have to put up with the way it is now?
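As an added example, not part of the original post: a small Python model of the two forward-chain rule sets in the question, plus a third variant that accepts only connections the dstnat rule actually translated (the behaviour of the RouterOS `connection-nat-state=dstnat` matcher). All addresses and packets are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for this illustration (documentation-range public address).
MGMT = ip_network("192.168.88.0/24")
VLAN200 = ip_network("192.168.200.0/24")
PHONE = "192.168.200.2"


def dstnat(pkt):
    """Model of the post's netmap rule: tcp/8081 arriving on a WAN interface is
    rewritten to the phone system. Nothing else is touched, so NAT by itself
    restricts nothing; it only changes the destination of matching packets."""
    p = dict(pkt, nat_state=None)
    if p["in"] == "WAN" and p["proto"] == "tcp" and p["dport"] == 8081:
        p["dst"], p["nat_state"] = PHONE, "dstnat"
    return p


def forward(pkt, variant):
    """Forward chain, evaluated after dstnat, in the order the post lists rules:
    management accept, the port-forward accept under test, then drop VLAN to VLAN."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    from_wan = pkt["in"] == "WAN"
    if src in MGMT:
        return "accept"
    if variant == "per_port" and from_wan and dst == ip_address(PHONE) \
            and pkt["proto"] == "tcp" and pkt["dport"] == 8081:
        return "accept"                      # one filter rule per forward
    if variant == "subnet" and from_wan and dst in VLAN200:
        return "accept"                      # the proposed blanket rule
    if variant == "nat_state" and from_wan and pkt["nat_state"] == "dstnat":
        return "accept"                      # only what dstnat translated
    return "drop"                            # "Drop VLAN to VLAN"


def verdict(pkt, variant):
    return forward(dstnat(pkt), variant)


# Constructed packets: (1) normal forward via the WAN IP, (2) a WAN packet that
# already carries a tenant address on a port with no NAT rule, (3) tenant to tenant.
FORWARDED = {"in": "WAN", "src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 8081}
DIRECT_22 = {"in": "WAN", "src": "198.51.100.7", "dst": PHONE, "proto": "tcp", "dport": 22}
TENANT = {"in": "VLAN10", "src": "192.168.10.5", "dst": PHONE, "proto": "tcp", "dport": 8081}

if __name__ == "__main__":
    for name, pkt in [("forwarded", FORWARDED), ("direct_22", DIRECT_22), ("tenant", TENANT)]:
        print(name, {v: verdict(pkt, v) for v in ("per_port", "subnet", "nat_state")})
```

The model shows that netmap only rewrites the packets it matches; whether anything else can reach the tenant subnet is decided entirely by the forward chain, so the blanket subnet rule admits a WAN packet already addressed to 192.168.200.2 on any port, while the per-port and nat-state variants do not.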