Hello
I have a router rb4011igs+rm which does not support a VLAN table, so I cannot create normal VLANs.
I want to divide my home network into two segments: LAN1: 192.168.1.10/24 and LAN2: 192.168.1.20/24. These two networks must be separated, but I want to use the same Internet connection for both networks with NAT (Internet connected to port ETHER1 on this rb4011igs+rm router).
Thank you for your help. I used your reference and I succeeded in doing what I wanted. Can you please take a look at my config, and comment if something needs to be done differently.
Yes, opinions are free LOL.
I don't like your firewall rules!!
INPUT CHAIN
I like your management rule, that's good!
However, how do your users get DNS? Normally I put in a rule to allow the LAN interface to access DNS, as most use the router as a conduit for DNS.
By the way, I also really like the last rule in the input chain, which is DROP everything else!! But why oh why didn't you apply that to the forward chain LOL
The problems are in the Forward Chain… too many don’t rules.
Just make the rules you wish to allow and drop all else at the end as well.
I have only included the rules I would have a closer look at; the rest you have there are default and super!
/ip firewall filter
add action=drop chain=forward comment="Drop tries to reach not public addresses from VLAN10" dst-address-list=not_in_internet in-interface=vlan10 log=yes log-prefix=!public_from_LAN out-interface=!vlan10
add action=drop chain=forward comment="Drop tries to reach not public addresses from VLAN20" dst-address-list=not_in_internet in-interface=vlan20 log=yes log-prefix=!public_from_LAN out-interface=!vlan20
add action=drop chain=forward comment="VLAN Internet Access only" connection-state="" in-interface=vlan10 out-interface=vlan20
add action=drop chain=forward in-interface=vlan20 out-interface=vlan10
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have VLAN10 IP" in-interface=vlan10 log=yes log-prefix=VLAN10_!VLAN10 src-address=!192.168.10.0/24
add action=drop chain=forward comment="Drop packets from LAN that do not have VLAN20 IP" in-interface=vlan20 log=yes log-prefix=VLAN20_!VLAN20 src-address=!192.168.20.0/24
They can all be replaced with ONE rule at the end of the forward chain:
add action=drop chain=forward comment="defconf: drop ALL"
So you have the default rules... blah blah blah
+++++
And last rule (drop all)
In the sandwich ++++ you put all the rules you wish to add (what traffic is permitted).
Here I would put which VLAN traffic is allowed to access the Internet.
Here I would put, for example, if there was a shared printer on VLAN B, that all users on VLAN A have access to a single IP (the printer) on VLAN B, etc.
I think you see intuitively how much easier that is to read in terms of a configuration!!!
12 ;;; VLAN10 to WAN
chain=forward action=accept in-interface-list=VLAN10 out-interface-list=WAN log=no log-prefix=""
13 ;;; VLAN20 to WAN
chain=forward action=accept in-interface-list=VLAN20 out-interface-list=WAN log=no log-prefix=""
14 ;;; drop ALL
chain=forward action=drop log=yes log-prefix="drop_all"
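The "sandwich" the reply describes (default rules, then only the permitted traffic, then drop everything else), written out as an importable RouterOS script. This is an added example, not config from the thread or from MikroTik; it assumes interface lists named VLAN10, VLAN20, WAN and LAN already exist, and uses 192.168.20.5 as an assumed address for the shared printer on VLAN20.

```routeros
/ip firewall filter
# --- input chain: the LAN-to-DNS rule the reply asks about ---
# Must sit ABOVE the input chain's final "drop everything else" rule,
# otherwise clients that use the router as their resolver lose DNS.
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="LAN clients may query the router for DNS (UDP)"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 \
    comment="LAN clients may query the router for DNS (TCP)"

# --- forward chain, top slice: keep the defconf rules first ---
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid \
    comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN log=yes log-prefix=!NAT \
    comment="defconf: drop all from WAN not DSTNATed"

# --- filling: only what is explicitly permitted ---
add chain=forward action=accept in-interface-list=VLAN10 out-interface-list=WAN \
    comment="VLAN10 to WAN"
add chain=forward action=accept in-interface-list=VLAN20 out-interface-list=WAN \
    comment="VLAN20 to WAN"
# Printer exception: VLAN10 may reach one host on VLAN20 on the printing
# ports only (9100 raw, 631 IPP). 192.168.20.5 is an assumed address.
add chain=forward action=accept in-interface-list=VLAN10 out-interface-list=VLAN20 \
    dst-address=192.168.20.5 protocol=tcp dst-port=9100,631 \
    comment="VLAN10 to shared printer on VLAN20"

# --- bottom slice: drop everything not matched above ---
# No separate "VLAN10 -> VLAN20" or "not_in_internet" drop rules are needed;
# anything without an accept rule lands here and is logged.
add chain=forward action=drop log=yes log-prefix=drop_all \
    comment="drop ALL"
```

Return traffic for the allowed flows is handled by the established,related rule at the top, so only the new-connection direction needs an accept rule.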