Port isolation/Network isolation

Hello all,

I’m sure someone has already answered this but here it goes again.

I’ve got a RB951 set up in the following way:

eth1=192.168.1.0/24
eth2=10.10.10.0/24

What I want to do is isolate traffic in one direction. I want to block access from eth1 to eth2. However I still want eth2 to have access to eth1.

Here is what I have tried.

add action=drop chain=forward comment="FW rule to block traffic to LS LAN (Testing 1 to LS)" disabled=no dst-address=10.10.10.0/24 src-address=192.168.1.0/24

This seems to block access both ways.


add action=drop chain=input comment="FW rule to block traffic to LS LAN (Testing 1 to LS)" disabled=no dst-address=10.10.10.0/24 src-address=192.168.1.0/24

This does not block anything at all.



Any help would be greatly appreciated.

You should mark packets that start at eth1 and go to eth2 in a prerouting mangle rule, then make an allow rule in the firewall with these marked packets included, else=drop.

What does "in one direction" mean? Are you sure you do not need the answering packets for communication?

Obviously the second is not blocking at all, because the input chain is traffic towards the router.
The first one looks ok, but I think it is better to create an allow rule (or multiple if you have multiple accepted traffic) and finally create an explicit drop (drop everything).
Therefore you also should allow established traffic. By creating this, the allowed network can set up communication to the other network, and the established rule will allow the returning traffic to be forwarded.

Thanks all for the suggestion.

So here is the current firewall filters.

chain=forward action=accept src-address=10.10.10.0/24 dst-address=192.168.1.0/24

chain=forward action=drop src-address=192.168.1.0/24 dst-address=10.10.10.0/24

Having these two rules stops access from both networks.

Shouldn’t I be able to just simply identify which network to block traffic to/from?
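The two rules above fail for exactly the reason given earlier in the thread: the drop rule also matches the reply packets that 192.168.1.0/24 hosts send back to 10.10.10.0/24, so every connection opened from eth2 is killed on its first response. The following ruleset is an added example written for this thread, not configuration posted by the original poster; it uses the thread's own subnets and assumes connection tracking is enabled on the RB951 (the default). Rule order matters: the established,related accept must sit above the drop.

```routeros
/ip firewall filter
# 1. Accept replies for connections that were already allowed, in either
#    direction. Without this rule the SYN-ACK from 192.168.1.x back to
#    10.10.10.x matches the drop below and the session never completes.
add chain=forward connection-state=established,related action=accept \
    comment="allow replies for existing connections"
# 2. New connections may only be opened from 10.10.10.0/24 (eth2)
#    towards 192.168.1.0/24 (eth1).
add chain=forward connection-state=new src-address=10.10.10.0/24 \
    dst-address=192.168.1.0/24 action=accept \
    comment="eth2 may open connections to eth1"
# 3. Anything else from 192.168.1.0/24 towards 10.10.10.0/24 is dropped,
#    i.e. eth1 hosts cannot initiate connections into eth2.
add chain=forward src-address=192.168.1.0/24 dst-address=10.10.10.0/24 \
    action=drop comment="eth1 may not open connections to eth2"
```

Rule 2 is redundant as long as rule 3 is the only drop, but it documents the intended direction and keeps working if you later add a final drop-everything rule as suggested above. After applying it, open a connection from a 10.10.10.x host to a 192.168.1.x host and check `/ip firewall filter print stats`: the counters on rule 1 should climb with the return traffic while rule 3 only counts attempts made from the 192.168.1.0/24 side.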