So I have several different LANs set up on my Tik. If I do not want any of the LANs to see each other, what is the quickest Firewall rule to make this happen?
Bump?
As you do not give any hints how your lans are configured then the quickest way is
add action=drop chain=forward comment="BLOCK: ANY INTERFACE "
but you must manually allow traffic to WAN etc.
If they aren’t on a bridge, you should use firewall filter rules as BartosZ pointed out. If they are on a bridge, you should set the same horizon value on the ports of the bridge you don’t want to communicate with each other.
This way you are totally isolating interfaces and there will be no way to enable particular traffic, but I admit that it is a quick and easy solution.
Here are some ideas:
- This is my recommended one - if you have only 1 wan interface, your forward chain in the filter table should be like this:
  - allow established,related (no interfaces specified, no addresses - just allow anything that’s already been permitted)
  - allow out-interface=wan1
  - deny all
This is a simple set of 3 rules which will allow any arbitrary number of LANs to access the Internet, but block all from each other. You can add more LANs later and you won’t need to touch these rules - they’ll automatically work for new lans too. If you add a second WAN for backup, load sharing, policy routing, whatever, then just insert another rule before deny all, which allows out-interface=wan2
If you want to allow inbound connections for internal addresses (NAT pinholes) then you allow these before the deny-all, but after the established,related rule…
e.g. allow protocol=tcp, dst-port=80 in-interface=wan1
- If you use 192.168.x.0/24 as your LAN addresses, then you can match on that:
  - allow established,related
  - deny src-address=192.168.0.0/16 dst-address=192.168.0.0/16
I prefer to use interface names and not addresses. The LAN is plugged into this interface - anything “this way” is LAN, and should be subject to LAN rules… so why compare addresses? This allows you to change IP addressing, or even add routes via some gateway in the LAN direction - and it will all have the policy. Even spoofed IP addresses will be subjected to the same rule, because the IP doesn’t matter.
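To show why the 3-rule forward chain above works for any number of LANs, and why a NAT pinhole must sit after the established,related rule but before deny-all, here is an added example (not from this thread or from RouterOS itself): a small first-match model of the forward chain. Interface names (wan1, lan1..lan3) and the test packets are constructed for illustration.

```python
# Added example: minimal first-match model of a RouterOS-style "forward" chain,
# used to check the interface-based 3-rule policy from the post above.
# Interface names and packets are constructed; this is not RouterOS code.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    in_iface: str
    out_iface: str
    state: str = "new"            # conntrack state: new / established / related
    proto: str = "tcp"
    dst_port: Optional[int] = None

@dataclass
class Rule:
    action: str                   # "accept" or "drop"
    states: Optional[Tuple[str, ...]] = None   # connection-state matcher
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # An unset matcher behaves like an omitted RouterOS parameter: matches anything.
        if self.states is not None and p.state not in self.states:
            return False
        pairs = [(self.in_iface, p.in_iface), (self.out_iface, p.out_iface),
                 (self.proto, p.proto), (self.dst_port, p.dst_port)]
        return all(want is None or want == have for want, have in pairs)

def evaluate(chain: List[Rule], p: Packet) -> str:
    """First matching rule decides; a chain with no match accepts, as RouterOS filter chains do."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return "accept"

# The recommended forward chain: established/related, allow to WAN, deny all.
FORWARD = [
    Rule("accept", states=("established", "related")),
    Rule("accept", out_iface="wan1"),
    Rule("drop"),
]

def with_pinhole(chain: List[Rule], port: int) -> List[Rule]:
    """Insert a WAN->LAN pinhole after the established,related rule and before deny-all."""
    pinhole = Rule("accept", in_iface="wan1", proto="tcp", dst_port=port)
    return chain[:1] + [pinhole] + chain[1:]
```

Adding a fourth LAN needs no rule change: any new inter-LAN connection still falls through to deny-all, while a pinhole appended after deny-all would never match.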