Re: Multiple routers; Do i need firewall on each router?

imaljko4 · January 29, 2017, 3:01am

Hello,
If i have multiple mikrotik routers in my network, do i need to setup the firewall on each router or just on the main router?
All routers are in the same subnet, i have created firewall, dhcp, nat, routing etc… only on the main router.
On each other connected router(acces points) i have just created a bridge interfaces and put the needed ports into this bridge. (Also i have setup the router/user password)
Will the main router still do the firewalling for these other routers(access points)? or do i need to setup firewalls on each router?
Also will the ip 192.168.5.11 be able to comunicate with 192.168.5.12, or will the main routers firewall block this communications (on the main router firewall i have enabled forward only to pppoe, all other forwarding is blocked)?

Below is the drawing of the network, thanks for help:

rextended · January 29, 2017, 3:10am

if the rules do that, the rule in forward section of the first router act also for router 2 and 3.
if the rules are too specific for router 1 (like block form wan any DNS to ip fo router 1) it work only for router 1
if router 2 and 3 are behind NAT, there is no rule required from incoming wan traffic, if the “session” are not initiated from router 2 or 3, nothing happen

if the router 2 and 3 are connected to two switched port without any other particular config, router 2 “see” router 3

if you put the ethernet interface of router 2 and 3 on same bridge (on router 1), router 2 “see” router 3

if you put the ethernet interface of router 2 and 3 on same bridge (on router 1) AND activate “use-ip-firewall” and create adequate rules on forwarding, router 2 CAN NOT “SEE” router 3

imaljko4 · January 29, 2017, 3:28am

ok thanks.
On Router 1 i have enabled forwarding only to pppoe, all other forwarding is blocked, (also on bridge interface “ip firewall” is enabled, and i have created rule for Masquerade-Nat in firewall).
So i guess that is enough.
Or should i still create following rules on router 2 and router 3:

Router 2:
Allow input from 192.168.5.0/24
Block all other input
Allow forward to 192.168.5.1
Block all other forward

Router 3:
Allow input from 192.168.5.0/24
Block all other input
Allow forward to 192.168.5.1
Block all other forward

Or would this rules on router 2 and 3 be useless?

Thanks

rextended · January 29, 2017, 3:32am

Be sure the router 1 still accessible or you lost control…

imaljko4 · January 29, 2017, 3:34am

Ok thank you.
Grazie

rextended · January 29, 2017, 3:35am

Prego.