Routing Assistance requested, please help

Hi,

I would like to ask for some assistance in a fairly complex (IMO :smiley:) network setup I have with my MikroTik RB433UAH.
I have attached a pdf drawing of what the network looks like.

Right now, most of this already works, but I am not sure how to do access control to the internet or route depending on source.

I would like to find out how to set up routing rules so that the following prerequisites are met:

  • Anyone on Michael’s Home network should be able to access the WUG, the Internet and Johnny’s RB (I can do the NAT Translations)
  • Anyone on Johnny’s Home Network should be able to access the WUG, the Internet and Michael’s RB (I can do the NAT Translations)
  • Anyone on the WUG network should be able to access Michael’s RB and Johnny’s RB (I can do the NAT Translations)
  • No one on the WUG network should be allowed to use Michael’s Internet unless manually specified by source IP.
  • I need a method to allow individual source IPs on the WUG to access Michael’s internet.
  • Anyone on the internet should be able to reach or ping Michael’s RB (I can do the NAT Translations)

Can anyone help me on how to properly configure these routing rules on Mikrotik Winbox and do routing based on the source address?

What I have now is more or less the following:

add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out1  
add disabled=no dst-address=172.16.0.0/12 gateway=172.24.12.65 
add disabled=no dst-address=172.24.46.7/28 gateway=JohnnyGrid

...but that allows everyone on the WUG to connect to my internet.


Any help would be greatly appreciated
Thanks!
Visio-Drawing1.pdf (94.5 KB)

That PDF opens empty for me.

That said, don’t solve that with routes, solve it with firewall filter rules. Any network attached to the router can by default route to any other network attached to the router. Make firewall filter rules that drop traffic between networks based on source and destination IP addresses. Only NAT when you absolutely have to (when you’re going out to the Internet, usually).

Hi,

I would start by making Michael's and Johnny's networks different, e.g.:

Michael = 192.168.1.0/24
Johnny = 192.168.0.0/24

Then I would only NAT on the RB433UAH.

With your PPPoE you should be able to select "add default route" so it does that for you.

Doing that, you then have routable addresses which you can firewall properly. Also, I can't see Chris's network on your diagram.

You can then use firewall rules to drop all traffic heading for the PPPoE interface from the WUG.

Does that get you started/make sense?

Thank you!
I'm currently mobile, hence the short reply, but could you give me some examples of what the firewall rules would look like while still allowing traffic to masquerade through the RB433?

I will post a proper reply once I am at a computer again.
Thanks for the prompt responses.

Any network attached to the router can by default route to any other network attached to the router.

That explains a lot to me, I will follow your advice and use firewall rules instead.


I would start by making Michael's and Johnny's networks different, e.g.:
Michael = 192.168.1.0/24
Johnny = 192.168.0.0/24
Then I would only NAT on the RB433UAH.

I really don't want to do that for various reasons. The NAT setup as it is works quite well, and we would like both of them to be exactly the same when viewed from the WUG.
The WUG and the internet are untrusted networks, so I want to NAT with both of them.

Also, I can't see Chris's network on your diagram.

Sorry my mistake, original post edited. Should be Johnny.


These are the ip firewall rules Michael has at the moment:

add action=accept chain=forward comment="Allow All" disabled=no
add action=accept chain=forward comment="Allow established connections" connection-state=established disabled=no
add action=accept chain=forward comment="Allow related connections" connection-state=related disabled=no
add action=accept chain=forward comment="Allow new connections" connection-state=new disabled=no
add action=accept chain=input comment="Allow established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow related connections" connection-state=related disabled=no
add action=accept chain=input comment="Allow new connections" connection-state=new disabled=no
add action=log chain=input comment="Log everything else" disabled=no log-prefix=""

and then of course I have numerous NAT rules to pinhole traffic into my network.

Could you give me some examples on how to effectively do the firewall rules please?
Should I use packet marks or anything like that?

Thank you!
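One way to express the thread's requirements as forward-chain filter rules, with the per-source-IP exception kept in an address list. This is an added example in RouterOS v6 syntax, not config from any poster; it assumes the interface names "wug" (facing the WUG) and "lan" (Michael's home network), and reuses "pppoe-out1" and "JohnnyGrid" from the routes posted above.

```routeros
# Added example (RouterOS v6 syntax), not the thread's own config. Assumed names:
# "wug" faces the WUG, "lan" faces Michael's home network; "pppoe-out1" and
# "JohnnyGrid" are the interfaces named in the thread's routes.

# 1. Per-source-IP allow list: adding a WUG host here is the only step needed to
#    grant it Michael's Internet. The address below is a constructed placeholder.
/ip firewall address-list
add list=wug-internet-allowed address=172.24.50.10 comment="example WUG host"

# 2. Forward chain, evaluated top to bottom, first match wins. A blanket
#    "Allow All" rule at the top would make every drop below it unreachable.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="Keep existing sessions flowing"
add chain=forward connection-state=invalid action=drop \
    comment="Drop packets that belong to no known connection"

# WUG -> Internet: listed hosts only; everyone else on the WUG is dropped here.
add chain=forward in-interface=wug out-interface=pppoe-out1 \
    src-address-list=wug-internet-allowed action=accept \
    comment="WUG hosts explicitly allowed to use Michael's Internet"
add chain=forward in-interface=wug out-interface=pppoe-out1 action=drop \
    comment="Everyone else on WUG: no Internet via Michael"

# WUG -> Michael's services: only connections that hit a dst-nat pinhole.
add chain=forward in-interface=wug connection-nat-state=dstnat action=accept \
    comment="WUG to Michael's published services"
# WUG -> Johnny's RB over the JohnnyGrid link.
add chain=forward in-interface=wug out-interface=JohnnyGrid action=accept \
    comment="WUG to Johnny's RB"

# Michael's and Johnny's networks may reach the Internet, the WUG and each other
# (assumes Johnny's network uplinks through this router).
add chain=forward in-interface=lan action=accept \
    comment="Michael's network out to Internet, WUG and Johnny"
add chain=forward in-interface=JohnnyGrid action=accept \
    comment="Johnny's network out to Internet, WUG and Michael"

# Internet -> Michael's RB: dst-nat pinholes only. Ping to the router itself is
# input-chain traffic, which the thread's existing input rules already accept.
add chain=forward in-interface=pppoe-out1 connection-nat-state=dstnat action=accept \
    comment="Internet to published services only"
add chain=forward action=drop comment="Default deny for anything not matched above"
```

Before removing the existing "Allow All" rule, watch the per-rule counters with `/ip firewall filter print stats` to confirm each flow hits the rule you expect; no packet marks are needed for this, since source interface and address list already identify the traffic.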