hopefully someone can gude me how to archive the following result:
At the moment I have a default configuration with a subnet 10.0.0.0/24 and a wireguard Interface 10.0.99.0/24.
I want to setup a new “semi-isolated” subnet (10.11.1.0/24) on port 5 with internet access.
The Clients of the subnet 10.11.1.0/24 should have internet access but they MUST NOT have access to all other subnets.
The Clients of the subnet 10.0.0.0/24 and 10.0.99.0/24 should have access to the clients of the subnet 10.11.1.0/24
As I understood, the following tasks must be performed:
Remove Port 5 from default bridge
Setup subnet on Port 5
2a. Create new bridge oder VLAN on for port 5?
Setup Adresspool dhcp_tigo (10.11.1.50-10.11.1.100) for Subnet on Prot 5
Setup DHCP Server for Subnet on Port 5 with adresspool dhcp_tigo
Firewall config
Maybe I´m something missing.
It would be great if someone can guide me step-by-step how to archive this scenario via command-line.
(1) This is not correct for wireguard. Not required. WG only gets an IP address not any other noise… /ip dhcp-server network
…
add address=10.0.99.0/24 comment=defconf dhcp-option=domain-search-list
dns-server=10.0.0.254 domain=intra.xxxxxxxxxxxx.de gateway=10.0.0.254
netmask=24
(2) Assuming you have this rule so that the admin can come over WG to config the router… add action=accept chain=input comment=“allow WireGuard traffic” src-address=
10.0.99.0/24
(3) Curious as to where is located 192.168.50 its not a subnet identified on the router? ( probably another ipsec?) add action=accept chain=input comment=“allow WireGuard traffic” src-address=
192.168.50.0/24
Note: In general access to config the router should be specific IPs, not entire subnets but thats an ADMIN choice.
(4) Missing Wireguard peer settings ??? Maybe I am blind…
Add ether5 to the LAN interface list… /interface list member
add interface=ether5 list=LAN
add comment=defconf interface=bridge list=LAN
…
+++++++++++++++++++++++++++++++++++++++++++
Then the firewall rules…
REMOVE THIS AND REPLACE add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN log-prefix="44444: "
WITH
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward src-address-list=LAN dst-address=10.1.11.0/24
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=accept Drop chain=forward comment=“drop all else” edit action should be drop!!!
you get lan to wan access for all LAN interface list members
both vpn and LAN subnet get access to new subnet.
port forwarding is allowed.
all other traffic is dropped.
after setting up and changing the IP adresses in your post to the correct one (10.1.11.x → 10.11.1.x) the DHCP server runs properly on ether5.
I also changed the DNS Server and Gateway IP from 10.0.0.254 to 10.11.1.1 as defined in the Adress List because 10.0.0.254 was not reachable.
Issues I´m facing now:
No internet access from the subnet on ether5
cannot ping a client from the subnet 10.0.0.0/24 in the subnet 10.11.1.0/24
ping is possible from subnet 10.11.1.0/24 to 10.0.0.0/14. for example 10.0.0.150
Do you have any ideas?
Should the command
add action=accept chain=forward comment=“drop all else”
not be changed to ‘drop’ instead of ‘accept’?
Please be advised, that any interface on the MT can ping any other interface, just the way MT works even with layer 3 blocking rules in the forward chain.
It does NOT mean however that anyone can access any devices behind that interface. It is safe.
Try it to prove it to your self!!
If you want to block pinging of interfaces to happen there is a way to do this on the input chain rule set I believe…
Here is how to do it…
In the default rules one has a general allow ping rule so that the admin can easily troubleshoot and ping interfaces on the LAN and from the external when testing VPN or connectivity etc…
Therefore what needs to be done is to stop the pinging of users to a particular subnet interface address… Remember as stated just because you can ping a subnet interface address doesnt mean you can reach the users/devices on that subnet.
So the key here is before the allow all ICMP rule we block what you desire…
yes only the interface addresses should be pingable, as they are considered part of the router ( Router=input chain).
Thus the rules I provided will block anyone on the “BAD” subnet from pinging any other interfaces. This is separate from access to users and devices which we blocked in the forward chain.
Note its not a usual request or additional rule needed but sometimes admins need it due to company policies or expectations…
Now, I have a last challenge. Hopefully you can also help me here.
In the Subnet 10.11.1.0/24 i have a webserver running wich only accepts access from clients located in his subnet.
I have clients on subnet 10.0.0.0/24 that has to get access to the webserver.
So I need a solution, where the webserver “thinks” that the client with the IP 10.0.0.1 (Subnet 10.0.0.0/24) has an IP of the Subnet 10.11.1.0/24 for example 10.11.1.1
Now the question: Is It possible to configure a rule (maybe src-nat) to archive that goal?
a. firewall rules that essentially block 10.0 to 10.1 traffic.
b. you have a server on 10.1 that will only accept 10.0 IP address as source addresses.
Can you not change the server why so inflexible? One can punch holes through the firewall easily for specific IP, or groups of IPs and thus the firewall rules are not a show stopper.
In other words, you should do this work on the server…
I am not savvy enough to set this one up, perhaps someone else knows a way???
a. 10.0.0.0/24 has access to 10.11.1.0/24
b server on 10.11.1.0/24 accepts only from IP 10.11.1.x
c. client on 10.0.0.0/24 with IP 10.0.0.1 must be able to connect the server in the subnet 10.11.1.0/24 and the server should think that the client is located in 10.11.1.0/24
Imho for example I have to nat the 10.0.0.1 IP to an 10.11.1.1 IP Adress
yeah. Its n ugly server form a monitoring device. Access is additionally limited to specific IP ranges. But i have to access from 10.0.0.0/24 with iobroker to get necessary realtime data.
