Our company has one RB1000 with two networks Sales and Tech. Each network has an individual server Server1(Sales) Server2(Tech). We are unable to login to Server1 from the Tech network and vis versa. We are however able to ping completely across both networks and to both servers from the Sales and Tech network. I was unable to find any type of firewall rule that blocks access from the opposite network within the company. Any Ideas?
Thank you,
Gary
0 ;;; Rules that allow Tech PC’s into the Sales side of the network Rules 1>
chain=forward action=accept src-address=192.168.0.0/16
dst-address=172.16.1.50
1 chain=forward action=accept src-address=192.168.0.0/16
dst-address=172.16.1.4
2 chain=forward action=accept src-address=192.168.0.0/16
dst-address=172.16.1.5
3 chain=forward action=accept src-address=192.168.0.0/16
dst-address=172.16.1.6
4 chain=forward action=accept src-address=172.16.1.4
5 chain=forward action=accept src-address=172.16.1.5
6 chain=forward action=accept src-address=172.16.1.6
7 chain=forward action=accept src-address=172.16.1.50
8 X ;;; blocks Sales from getting into Techs Network
chain=forward action=drop src-address=172.16.0.0/16 out-interface=ether3
9 X ;;; Block Techs from getting into Sales
chain=forward action=drop src-address=192.168.0.0/16
out-interface=ether4
10 ;;; Allow ICMP from INSIDE the network - ether1 is the outside interface
chain=RouterServices action=accept protocol=icmp
11 ;;; Allow DHCP
chain=RouterServices action=accept protocol=udp dst-port=67-68
12 ;;; Allow DNS
chain=RouterServices action=accept protocol=udp dst-port=53
13 ;;; Allow MAC-Winbox
chain=RouterServices action=accept protocol=udp dst-port=20561
14 ;;; If we are running NTP server
chain=RouterServices action=accept protocol=udp dst-port=123
15 ;;; If we are running web-proxy - DEFAULT PORT
chain=RouterServices action=accept protocol=tcp dst-port=3128
16 ;;; Allow localhost comms to work
chain=RouterServices action=accept src-address=127.0.0.1
dst-address=127.0.0.1
17 ;;; Allow TCP bandwidth test
chain=RouterServices action=accept protocol=tcp dst-port=2000
18 ;;; Allow UDP bandwidth test
chain=RouterServices action=accept protocol=udp dst-port=2000
19 ;;; Allow Mikrotik router discovery
chain=RouterServices action=accept protocol=udp dst-port=5678
20 ;;; Allow L2TP
chain=RouterServices action=accept protocol=udp dst-port=1701
21 ;;; Allow L2TP
chain=RouterServices action=accept protocol=tcp dst-port=1701
22 ;;; Allow PPTP
chain=RouterServices action=accept protocol=tcp dst-port=1723
23 ;;; Allow GRE - for PPtP and EoIP
chain=RouterServices action=accept protocol=gre
24 ;;; Add SSH attempts to hacker list
chain=hackertraps action=add-src-to-address-list protocol=tcp
address-list=hacker address-list-timeout=1h1m10s dst-port=22
25 ;;; Add FTP attempts to hacker list
chain=hackertraps action=add-src-to-address-list protocol=tcp
address-list=hacker address-list-timeout=1h1m10s dst-port=21
26 ;;; Add telnet attempts to hacker list
chain=hackertraps action=add-src-to-address-list protocol=tcp
address-list=hacker address-list-timeout=1h1m10s dst-port=23
27 ;;; Add port scanners to hacker list
chain=hackertraps action=add-src-to-address-list protocol=tcp
psd=21,3s,3,1 address-list=portscanner address-list-timeout=1w1d8h
28 ;;; Accept Established
chain=input action=accept connection-state=established
29 ;;; Accept Related
chain=input action=accept connection-state=related
30 ;;; Drop invalid
chain=input action=drop connection-state=invalid
31 ;;; drop ftp brute forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist
dst-port=21
32 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22
33 ;;; Router Services
chain=input action=jump jump-target=RouterServices
34 ;;; Attempt to Detect Hackers
chain=input action=jump jump-target=hackertraps
35 ;;; Protect customers from known hackers
chain=traphackers action=drop src-address-list=hacker
36 chain=forward action=add-src-to-address-list p2p=all-p2p
src-address-list=Inside-IPs address-list=Using P2P
address-list-timeout=4h
37 ;;; Check to see if we have detected a hacker
chain=forward action=jump jump-target=traphackers
38 chain=RouterServices action=return
39 ;;; NMAP FIN Stealth scan
chain=hackertraps action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
src-address-list=portscanner address-list=hacker
address-list-timeout=2w4h
40 ;;; SYN/FIN scan
chain=hackertraps action=add-src-to-address-list tcp-flags=fin,syn
protocol=tcp src-address-list=portscanner address-list=hacker
address-list-timeout=2w3d8h
41 ;;; FIN/PSH/URG scan
chain=hackertraps action=add-src-to-address-list tcp-flags=syn,rst
protocol=tcp src-address-list=portscanner address-list=hacker
address-list-timeout=2w3d
42 ;;; ALL/ALL scan
chain=hackertraps action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp
src-address-list=portscanner address-list=hacker
address-list-timeout=2w3d
43 ;;; NMAP NULL scan
chain=hackertraps action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
src-address-list=portscanner address-list=hacker
address-list-timeout=2w3d
44 ;;; Jump to Track Hackers Chain to drop hackers
chain=hackertraps action=jump jump-target=traphackers
45 chain=hackertraps action=return
46 ;;; Prevent SSH Attacks
chain=input action=jump jump-target=SSH Attack Prevention protocol=tcp
src-address-list=!Inside-IPs dst-port=22
47 ;;; Process Viruses
chain=input action=jump jump-target=virus
48 ;;; UDP
chain=input action=accept protocol=udp
49 ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=50/5s,2
50 ;;; Drop Blaster Worm
chain=virus action=drop protocol=tcp dst-port=135-139
51 ;;; Drop Messenger Worm
chain=virus action=drop protocol=udp dst-port=135-139
52 ;;; Drop Blaster Worm
chain=virus action=drop protocol=tcp dst-port=445
53 ;;; Drop Blaster Worm
chain=virus action=drop protocol=udp dst-port=445
54 ;;; ________
chain=virus action=drop protocol=tcp dst-port=593
55 ;;; ________
chain=virus action=drop protocol=tcp dst-port=1024-1030
56 ;;; ________
chain=virus action=drop protocol=tcp dst-port=1214
57 ;;; ndm requester
chain=virus action=drop protocol=tcp dst-port=1363
58 ;;; ndm server
chain=virus action=drop protocol=tcp dst-port=1364
59 ;;; screen cast
chain=virus action=drop protocol=tcp dst-port=1368
60 ;;; hromgrafx
chain=virus action=drop protocol=tcp dst-port=1373
61 ;;; cichlid
chain=virus action=drop protocol=tcp dst-port=1377
62 ;;; Worm
chain=virus action=drop protocol=tcp dst-port=1434
63 ;;; Bagle Virus
chain=virus action=drop protocol=tcp dst-port=2745
64 ;;; Drop Dumaru.Y
chain=virus action=drop protocol=tcp dst-port=2283
65 ;;; Drop Beagle
chain=virus action=drop protocol=tcp dst-port=2535
66 ;;; Drop Beagle.C-K
chain=virus action=drop protocol=tcp dst-port=2745
67 ;;; Drop MyDoom
chain=virus action=drop protocol=tcp dst-port=3127-3128
68 ;;; Drop Backdoor OptixPro
chain=virus action=drop protocol=tcp dst-port=3410
69 ;;; Worm
chain=virus action=drop protocol=tcp dst-port=4444
70 ;;; Worm
chain=virus action=drop protocol=udp dst-port=4444
71 ;;; Drop Sasser
chain=virus action=drop protocol=tcp dst-port=5554
72 ;;; Drop Beagle.B
chain=virus action=drop protocol=tcp dst-port=8866
73 ;;; Drop Dabber.A-B
chain=virus action=drop protocol=tcp dst-port=9898
74 ;;; Drop Dumaru.Y
chain=virus action=drop protocol=tcp dst-port=10000
75 ;;; Drop MyDoom.B
chain=virus action=drop protocol=tcp dst-port=10080
76 ;;; Drop NetBus
chain=virus action=drop protocol=tcp dst-port=12345
77 ;;; Drop Kuang2
chain=virus action=drop protocol=tcp dst-port=17300
78 ;;; Drop SubSeven
chain=virus action=drop protocol=tcp dst-port=27374
79 ;;; Drop PhatBot, Agobot, Gaobot
chain=virus action=drop protocol=tcp dst-port=65506
80 ;;; Virus
chain=forward action=jump jump-target=virus
81 chain=virus action=return
82 ;;; Allow Admin IPS
chain=input action=accept src-address-list=Admin_IPs
83 ;;; Drop ALL
chain=input action=drop
84 ;;; Allow a few FTP attemps
chain=output action=accept protocol=tcp content=530 Login incorrect
dst-limit=1/1m,9,dst-address/1m
85 ;;; Over login Attemps, add to list
chain=output action=add-dst-to-address-list protocol=tcp
address-list=ftp_blacklist address-list-timeout=3h
content=530 Login incorrect
86 chain=SSH Attack Prevention action=add-src-to-address-list
connection-state=new protocol=tcp src-address-list=ssh_stage3
address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22
87 chain=SSH Attack Prevention action=add-src-to-address-list
connection-state=new protocol=tcp src-address-list=ssh_stage2
address-list=ssh_stage3 address-list-timeout=1m dst-port=22
88 chain=SSH Attack Prevention action=add-src-to-address-list
connection-state=new protocol=tcp src-address-list=ssh_stage1
address-list=ssh_stage2 address-list-timeout=1m dst-port=22
89 chain=SSH Attack Prevention action=add-src-to-address-list
connection-state=new protocol=tcp address-list=ssh_stage1
address-list-timeout=1m dst-port=22
90 chain=SSH Attack Prevention action=return
91 ;;; SYN Flood protect
chain=forward action=jump jump-target=SYN-Protect tcp-flags=syn
connection-state=new protocol=tcp
92 chain=SYN-Protect action=accept tcp-flags=syn connection-state=new
protocol=tcp limit=400,5
93 chain=SYN-Protect action=drop tcp-flags=syn connection-state=new
protocol=tcp