RB2011 different subnets are pingable

jprasad · August 7, 2014, 7:58pm

Hi,
Hope someone can help me with what is probably a very simple problem

I have a few subnet on my router - it is operating as follows
192.168.0.x - Life school - network of about 40 students - can connect to WAN (restricted)
192.168.1.x - tamil uplink - can connect to WAN
192.168.88.x - office network can connect to WAN
wan is a ppoe client on ether 10

I dont want the segments to talk with each other, i have tried fewi’s suggestion to add in:

/ip firewall filter 
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward out-interface=!WAN action=drop

but it doesn’t work at all.
can someone please point out where i have gone wrong?
thank you so much

Jonni

# aug/08/2014 03:57:24 by RouterOS 6.6
# software id = 7H93-B129
#
/interface bridge
add l2mtu=1598 name=bridge-life
add l2mtu=1598 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-server_life
set [ find default-name=ether2 ] name=ether2-up_life
set [ find default-name=ether3 ] bandwidth=1M/2M name=ether3-up_tamil
set [ find default-name=ether4 ] name=ether4-nas1
set [ find default-name=ether5 ] master-port=ether4-nas1 name=ether5-nas2
set [ find default-name=ether6 ] name=ether6-master-up_switch
set [ find default-name=ether7 ] master-port=ether6-master-up_switch name=\
    ether7-slave
set [ find default-name=ether8 ] master-port=ether6-master-up_switch name=\
    ether8-slave-printer
set [ find default-name=ether9 ] master-port=ether6-master-up_switch name=\
    ether9-slave
set [ find default-name=ether10 ] name=ether10-gateway
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no l2mtu=2290 mode=\
    ap-bridge ssid="Grace Shah Alam" wireless-protocol=802.11
/interface vlan
add interface=ether10-gateway l2mtu=1594 name="vlan 500" vlan-id=500
/interface pppoe-client
add add-default-route=yes disabled=no interface="vlan 500" max-mru=1492 \
    max-mtu=1492 name=unifi_internet password=************ use-peer-dns=yes \
    user=whetc@unifibiz
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys wpa-pre-shared-key=44938222 wpa2-pre-shared-key=\
    44938222
/ip dhcp-server
add disabled=no interface=ether3-up_tamil name=dhcp-tamil
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=pool-gcsa ranges=192.168.88.50-192.168.88.200
add name=pool-life ranges=192.168.0.118-192.168.0.250
/ip dhcp-server
add address-pool=pool-gcsa disabled=no interface=bridge-local name=dhcp-gcsa
add address-pool=pool-life disabled=no interface=bridge-life name=dhcp-life
/port
set 0 name=serial0
/queue type
add kind=pcq name=upload pcq-classifier=dst-address pcq-dst-address6-mask=64 \
    pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name=download pcq-classifier=dst-address pcq-dst-address6-mask=\
    64 pcq-rate=1M pcq-src-address6-mask=64
/queue simple
add comment="Restricts Life Students laptop to 1M each to WAN" dst=\
    unifi_internet name=queue-life queue=download/download target=\
    192.168.0.0/24
/interface bridge port
add bridge=bridge-local interface=ether4-nas1
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether6-master-up_switch
add bridge=bridge-life interface=ether1-server_life
add bridge=bridge-life interface=ether2-up_life
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=192.168.0.1/24 interface=bridge-life network=192.168.0.0
add address=192.168.88.1/24 interface=ether4-nas1 network=192.168.88.0
add address=192.168.1.1/24 interface=ether3-up_tamil network=192.168.1.0
/ip dhcp-server lease
add address=192.168.88.11 client-id=1:0:11:32:31:a4:b6 mac-address=\
    00:11:32:31:A4:B6 server=dhcp-gcsa
add address=192.168.88.10 client-id=1:0:11:32:31:a4:b5 mac-address=\
    00:11:32:31:A4:B5 server=dhcp-gcsa
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.88.0/24 dns-server=\
    8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220
/ip dns static
add address=127.0.0.1 name=www.facebook.com ttl=5m
add address=127.0.0.1 name=glib1.facebook.com ttl=5m
add address=127.0.0.1 name=glib2facebook.com ttl=5m
add address=127.0.0.1 name=mail.facebook.com ttl=5m
add address=127.0.0.1 name=dns.facebook.com ttl=5m
add address=127.0.0.1 name=ns0.facebook.com ttl=5m
add address=127.0.0.1 name=ns1.facebook.com ttl=5m
add address=127.0.0.1 name=ns2.facebook.com ttl=5m
add address=127.0.0.1 name=ns3.facebook.com ttl=5m
add address=127.0.0.1 name=ns4.facebook.com ttl=5m
add address=127.0.0.1 name=www.youtube.com ttl=5m
add address=127.0.0.1 name=www.twitter.com ttl=5m
add address=127.0.0.1 name=mobile.twitter.com ttl=5m
add address=127.0.0.1 name=www.google.com.my ttl=5m
add address=127.0.0.1 name=www.google.com ttl=5m
add address=127.0.0.1 name=www.wikipedia.com ttl=5m
/ip firewall address-list
add address=192.168.88.0/24 list=PrivateSubnets
add address=192.168.0.0/24 list=PrivateSubnets
add address=192.168.1.0/24 list=PrivateSubnets
add address=192.168.88.0/24 list=PrivateSubnets
add address=192.168.0.0/24 list=PrivateSubnets
add address=192.168.1.0/24 list=PrivateSubnets
/ip firewall filter
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward src-address=192.168.0.117
add chain=forward dst-port=443 protocol=tcp src-address=192.168.0.0/24
add chain=forward dst-port=1935 protocol=tcp src-address=192.168.0.0/24
add chain=forward dst-port=5938 protocol=tcp src-address=192.168.0.0/24
add chain=forward dst-port=5938 protocol=udp src-address=192.168.0.0/24
add action=drop chain=forward disabled=yes out-interface=!ether10-gateway
add action=drop chain=forward src-address=192.168.0.0/24
add action=drop chain=forward src-address=192.168.1.0/24
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward src-address=192.168.0.117
add chain=forward dst-port=443 protocol=tcp src-address=192.168.0.0/24
add chain=forward dst-port=1935 protocol=tcp src-address=192.168.0.0/24
add chain=forward dst-port=5938 protocol=tcp src-address=192.168.0.0/24
add chain=forward dst-port=5938 protocol=udp src-address=192.168.0.0/24
add action=drop chain=forward disabled=yes out-interface=!ether10-gateway
add action=drop chain=forward src-address=192.168.0.0/24
add action=drop chain=forward src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=unifi_internet
add chain=srcnat src-address=192.168.0.117
add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address=\
    192.168.0.0/24 to-ports=8080
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address=\
    192.168.0.0/24 to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp src-address=\
    192.168.0.0/24 to-ports=53
add action=dst-nat chain=dstnat dst-port=5001 in-interface=unifi_internet \
    protocol=tcp to-addresses=192.168.88.10 to-ports=5001
add action=dst-nat chain=dstnat dst-port=5000 in-interface=unifi_internet \
    protocol=tcp to-addresses=192.168.88.10 to-ports=5000
add action=dst-nat chain=dstnat dst-port=21 in-interface=unifi_internet \
    protocol=tcp to-addresses=192.168.88.10 to-ports=21
add action=masquerade chain=srcnat out-interface=unifi_internet
add chain=srcnat src-address=192.168.0.117
add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address=\
    192.168.0.0/24 to-ports=8080
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address=\
    192.168.0.0/24 to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp src-address=\
    192.168.0.0/24 to-ports=53
add action=dst-nat chain=dstnat dst-port=5001 in-interface=unifi_internet \
    protocol=tcp to-addresses=192.168.88.10 to-ports=5001
add action=dst-nat chain=dstnat dst-port=5000 in-interface=unifi_internet \
    protocol=tcp to-addresses=192.168.88.10 to-ports=5000
add action=dst-nat chain=dstnat dst-port=21 in-interface=unifi_internet \
    protocol=tcp to-addresses=192.168.88.10 to-ports=21
/ip proxy
set enabled=yes max-cache-size=none
/ip proxy access
add dst-host=learning.eduseeds.com
add dst-host=live.wiziq.com
add dst-host=www.viddler.com
add action=deny
add dst-host=learning.eduseeds.com
add dst-host=live.wiziq.com
add dst-host=www.viddler.com
add action=deny
/ip route
add distance=1 gateway=192.168.88.1
add distance=1 gateway=192.168.88.1
/lcd interface
set sfp1 interface=sfp1
set ether1-server_life interface=ether1-server_life
set ether2-up_life interface=ether2-up_life
set ether3-up_tamil interface=ether3-up_tamil
set ether4-nas1 interface=ether4-nas1
set ether5-nas2 interface=ether5-nas2
set ether6-master-up_switch interface=ether6-master-up_switch
set ether7-slave interface=ether7-slave
set ether8-slave-printer interface=ether8-slave-printer
set ether9-slave interface=ether9-slave
set ether10-gateway interface=ether10-gateway
set wlan1 interface=wlan1
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system ntp client
set enabled=yes mode=unicast primary-ntp=202.71.100.89 secondary-ntp=\
    202.190.183.189
[admin@MikroTik] >

Rudios · August 8, 2014, 7:30am

First of all you said you are using pppoe connection from ether10
If that is the case, the pppoe-client interface should be used on your firewall drop rule
I also see that all your rules are shown twice, just delete the duplicates.

PS. also remove your username/password from the config you supplied

jprasad · August 8, 2014, 1:58pm

Hi there

I changed:

add action=drop chain=forward disabled=yes out-interface=!ether10-gateway

To

add action=drop chain=forward disabled=yes out-interface=!unifi_internet

But all that happen is no internet access and I can still talk across subnets.

Rudios · August 9, 2014, 4:38am

At least the rule must be enabled.
And I think you have to be more specific and make a role per subnet. Specify the src-address parameter and in-interface.

Kickoleg · August 9, 2014, 6:10am

ip route rule add src-address=192.168.0.x/xx dst-address=192.168.1.x/xx action=unreachebale (if want can use “drop”)
and for other subnet same rule add …

CelticComms · August 9, 2014, 10:19pm

In this instance it seems that the router’s primary role is that of a firewall. In such cases:

A) Place a deny (drop) rule in the forward chain - no qualifications - it is intended to drop all forwarded traffic.
B) Above the rule created in A) place a permit (accept) ruled for each forwarded path that you want to permit.

If the primary role is that of a firewall it is not a good idea to add lots of specific deny/drop rules - save that for when the primary role is that of a router and you just want to block a few paths.

jprasad · August 15, 2014, 9:04am

Hi

Thank you for all the advice. I actually just started again with rudios advice and everything works now.
Thanks again