Routing between internal interfaces?

Good day

First, sorry for my English, but I will try to be as simple as possible.

I have an RB750G with two internal LAN interfaces:
network 10.x
network 20.x

And each internal network has its own DHCP server, DNS and QoS.

I created two internal interfaces just to split the traffic between the two networks. Each MikroTik interface is attached to its respective VLAN (layer 2) on my HP switch.

The problem I am facing is that, being on the 10.x network, I can communicate with computers on the 20.x network. With the use of VLANs this should not be happening.

It seems that the MikroTik's internal interfaces are allowing routing between themselves. Does anyone know how to resolve this?

I thank you for this space and excuse the spelling errors.

Of course. It’s a router; that’s what routers do.

No, it would only not happen if you had the VLANs configured on a switch with no router in the picture. The 750G is a router, it knows about both networks and is probably even set up to act as the default gateway for machines on both networks, so it will happily route traffic between the two networks, just as it is designed to do.

If you don’t want the two networks to be able to have traffic routed between each other, you need to create firewall rules in the router to prevent it.

– Nathan

Thanks for the reply, friend :slight_smile:
And how can I create a firewall rule for this scenario? Sorry, but I am a beginner.

I created this rule between the MikroTik (LAN) interfaces. The communication between the computers of the two networks was rejected, and it is very good that this happened. But now I have another problem. Why can a computer on the 20.x network perform a successful ping to the gateway of the 10.x network?

One comment - when you want to completely stop LAN1 from talking to LAN2, I would not put IP addresses in the rules - the interfaces are enough to block the traffic. The IP addresses “open a hole” in your security - suppose a host on LAN1 sends a spoofed-source packet to LAN2. Spoofed replies would forward as well.

Besides, the router can process the rule faster with fewer fields to compare.

As for "no pings to 192.168.10.1 from 192.168.20.x" - those blocks go in the INPUT chain because such packets are talking to the Mikrotik itself. (INPUT = to the mikrotik regardless of interface, FORWARD means through the Mikrotik like a router)

Add these two rules to the input chain:
drop dst-address = 192.168.10.1 in-interface ! ether1-LAN (the ! means ‘not’ and is a checkbox next to the interface name field in winbox)
drop dst-address = 192.168.20.1 in-interface ! ether2-LAN
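The two layers of isolation described in the replies above (interface-only drops in the forward chain, and input-chain drops so each gateway address is reachable only from its own VLAN), written out as a complete RouterOS filter fragment. This is an added example, not ZeroByte's or the original poster's configuration. It assumes the interface names ADM (VLAN 10, 192.168.10.0/24, router address 192.168.10.1) and HSPOT-1 (VLAN 20, 192.168.20.0/24, router address 192.168.20.1); the names follow the export posted later in the thread, the mapping of names to subnets is an assumption.

```routeros
# Added example (not from the thread). Assumes:
#   ADM     = VLAN 10 interface, 192.168.10.0/24, router address 192.168.10.1
#   HSPOT-1 = VLAN 20 interface, 192.168.20.0/24, router address 192.168.20.1
/ip firewall filter
# Replies to connections that were already allowed pass first; this keeps the
# rules below cheap and lets any explicit exception (e.g. a dst-nat'd service
# with its own accept rule placed above the drops) work in both directions.
add chain=forward connection-state=established,related action=accept \
    comment="allow replies of permitted connections"
add chain=forward connection-state=invalid action=drop

# Block new inter-VLAN traffic by interface only. No IP addresses here: a
# spoofed source address on either VLAN cannot open a hole in these rules.
add chain=forward in-interface=ADM out-interface=HSPOT-1 action=drop \
    comment="no routing VLAN 10 -> VLAN 20"
add chain=forward in-interface=HSPOT-1 out-interface=ADM action=drop \
    comment="no routing VLAN 20 -> VLAN 10"

# Traffic addressed to the router itself is INPUT, not FORWARD. Each gateway
# address may only be reached from the VLAN it serves.
add chain=input dst-address=192.168.10.1 in-interface=!ADM action=drop \
    comment="10.x gateway reachable only from VLAN 10"
add chain=input dst-address=192.168.20.1 in-interface=!HSPOT-1 action=drop \
    comment="20.x gateway reachable only from VLAN 20"

# Check: the packet/byte counters show whether the drops actually match when
# a host on one VLAN tries to reach the other.
/ip firewall filter print stats where chain=forward action=drop
/ip firewall filter print stats where chain=input action=drop
```

Order matters: the two forward drops must sit above any broad accept rule (the export later in the thread has a fasttrack/established accept, which is fine below them but would let traffic through if placed first with an accept for new connections). The `!` on `in-interface` is the same "not" checkbox ZeroByte refers to in Winbox.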

Now I've got it.
Thank you, my friend. That's what I needed :slight_smile:

Good night,
I think I'm in trouble again with routing between subnets.

I did it the way shown below; I do not know if it's right.
Lately I've noticed that I can access my services on network 10 even when connected to network 20. I find it strange that an IP scan on network 20 finds no network 10 addresses, and also that pings between the two networks (10 and 20) do not get through. So how can I access a web server that is on network 10? This should not happen. Does anyone have any tips?

Best,

I would suggest that you remove the src/dst IP addresses from your rules - just use the interface names.

Probably what’s happening to you is that you have some other rule earlier in the filter chain which allows forwarding traffic between these two networks.

I did what you told me, removed the network addresses from the rules, and yet I still have access to network 10.x.

What I find strange is that I can access my server on network 10, but the ICMP protocol does not work. I do not understand; I should not be able to access this server (192.168.10.250). I do not have any other rule that allows routing between the networks.

Any tips to resolve this?

192.168.10.250 is probably blocking pings. You probably can’t ping it from other 10.x hosts either.
(there are other possibilities)

Open a terminal and issue this command:
/ip firewall export compact

Post the results here.
(feel free to hide public IPs by changing them to x.x.x.101 - and if you have multiple public IPs from different providers, be sure it’s still obvious which is which, so make the second y.y.y.94, etc…)

No problem, dude!
Below is the output of the export command. Unfortunately, the comments of the rules are in Portuguese, but I think you can understand the logic of the rules.

/ip firewall export compact
# feb/18/2016 14:40:07 by RouterOS 6.34.1
# software id = HV9H-JURH
#
/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook.com).$"
add name=youtube regexp="^.+(facebook.com).$"
/ip firewall address-list
add address=65.49.0.0/17 list=UltraSurfServers
add address=204.107.140.0/24 list=UltraSurfServers
add address=192.168.20.0/24 list="bloqueia Ips"
/ip firewall connection tracking
set enabled=yes tcp-established-timeout=10m
/ip firewall filter
add chain=forward comment="Porta de controle Autenticacao" dst-port=1561 in-interface=HSPOT-1 out-interface=ADM protocol=tcp
add chain=forward comment="Porta de controle Business" dst-port=3050 in-interface=HSPOT-1 out-interface=ADM protocol=tcp
add action=log chain=forward log-prefix=log_hspot out-interface=HSPOT-1
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=forward comment="Regra valida para Block sites por palavras dentro do menu Layer 7 Protocols" disabled=yes layer7-protocol=facebook src-address=192.168.20.7
add action=drop chain=forward comment="Regra para bloquear o site por horario baseado no layer7" disabled=yes layer7-protocol=facebook src-address=192.168.10.3 time=11h-12h,sun,mon,tue,wed,thu,fri,sat
add chain=forward comment="Permite que Hosts de dentro da rede local 20.x acessem via domain externo, servicos como DVR, FTP e outros." connection-nat-state=dstnat dst-address=192.168.10.0/24 in-interface=HSPOT-1 out-interface=ADM protocol=tcp src-address=192.168.20.0/24
add action=drop chain=forward comment="Bloqueia o roteamento entre Gateways (Vlan 10 e Vlan 20)" in-interface=ADM out-interface=HSPOT-1
add action=drop chain=forward in-interface=HSPOT-1 out-interface=ADM
add action=fasttrack-connection chain=forward comment="Optimize CPU Mk" connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="Smurf Attack block o broadcast dos pack ICMP Echo Request com DoS" in-interface="ETH1-Wan Virtua" src-address=
add action=drop chain=input comment="Flood Attack ICMP Ping - Block Ping e Flood do mundo pra dentro" protocol=icmp
add action=drop chain=input protocol=icmp src-address-list="bloqueia Ips"
add action=drop chain=input comment="Regra bloqueio do WEB PROXY para o mundo" dst-port=8080 in-interface="ETH1-Wan Virtua" protocol=tcp
add chain=input comment="Regra pra bloquear Web Sites dos clientes via definidos em Access dentro de Web Proxy " dst-port=8080 protocol=tcp
add action=drop chain=forward comment="Prevent Rogue DHCP Server TEST" dst-port=68 protocol=udp src-address=!192.168.20.1 src-port=67
add action=add-src-to-address-list address-list=Block-DoS address-list-timeout=1d chain=input comment="Ataque DoS" connection-limit=10,32 protocol=tcp
add action=tarpit chain=input connection-limit=10,32 protocol=tcp src-address-list=Block-DoS
add action=jump chain=forward comment="Ataque DDoS" connection-state=new jump-target=block-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=block-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=block-ddos
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add chain=SYN-Protect connection-state=new limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1 src-address=!192.168.20.8
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Block Spammers and User Infectados" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=drop chain=input comment="Dropping port scanners" src-address-list="port scanners"
add action=drop chain=forward comment="Dropar Conexoes invalidas" protocol=tcp src-port=0
add action=drop chain=forward dst-port=0 protocol=tcp
add action=drop chain=forward protocol=udp src-port=0
add action=drop chain=forward dst-port=0 protocol=udp
add action=drop chain=forward connection-state=invalid disabled=yes
add chain=forward connection-state=established disabled=yes
add chain=output connection-state=established disabled=yes
add chain=output connection-state=related disabled=yes
add action=drop chain=output connection-state=invalid disabled=yes
add action=drop chain=input comment="Bloqueio Wimbox Discovery" dst-port=5678 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST By MAC Address" dst-port=20561 protocol=udp
add action=drop chain=input comment="Regra bloqueio de ataque de DNS Reverso" dst-port=53 in-interface="ETH1-Wan Virtua" protocol=udp
add action=drop chain=input dst-port=53 in-interface="ETH1-Wan Virtua" protocol=tcp
add action=drop chain=forward comment="Regra de Bloqueio - Telnet e FTP" connection-state=invalid
add action=drop chain=input dst-port=23 in-interface="ETH1-Wan Virtua" protocol=tcp
add action=drop chain=input dst-port=21 in-interface="ETH1-Wan Virtua" protocol=tcp
add action=drop chain=input comment="Drop ftp brute forcers logins dentro de 10 minutos" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="Regra de bloqueio - SSH" dst-port=22 in-interface="ETH1-Wan Virtua" protocol=tcp
add action=drop chain=input comment="Block DHCP External do mundo pra para dentro" dst-port=67,68 in-interface="ETH1-Wan Virtua" protocol=udp
add action=drop chain=input comment="Drop ssh brute force 10 dias banido" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=forward comment="Block UltraSurf" dst-port=443 protocol=tcp src-address-list=UltraSurfUsers
add action=drop chain=forward comment="Block um Mac-Address na rede inteira ou indo em IP / DHCP SRV setando Block Access no end ou em Hotspot / Host / Make Binding / Type Blocked" src-mac-address=B0:35:8D:FA:E6:D5
add action=drop chain=forward comment="Bloqueia qualquer acesso a rede administrativa." in-interface=HSPOT-1 out-interface=ADM
/ip firewall mangle
add action=add-src-to-address-list address-list=UltraSurfUsers address-list-timeout=5m chain=prerouting comment=UltraSurfUsers dst-address-list=UltraSurfServers dst-port=443 protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="Direciona Porta Autenticao" dst-port=1561 in-interface=HSPOT-1 protocol=tcp to-addresses=192.168.10.150 to-ports=1561
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.20.0/24
add action=redirect chain=dstnat comment="logs MK Web Proxy" dst-port=80 protocol=tcp to-ports=8080
add action=dst-nat chain=dstnat comment="Acesso Servidor Camera DVR via APP e via Browser- DNAT" dst-port=2000 protocol=tcp to-addresses=192.168.10.20 to-ports=2000
add action=dst-nat chain=dstnat dst-port=8070 protocol=tcp to-addresses=192.168.10.20 to-ports=8070
add action=dst-nat chain=dstnat comment="Acesso Servidor DC2 AD Audit" dst-port=8085 protocol=tcp to-addresses=192.168.10.15 to-ports=8085
add action=masquerade chain=srcnat comment="REDE 10.0 LAN VLAN 1" src-address=192.168.10.2
add action=masquerade chain=srcnat src-address=192.168.10.3
add action=masquerade chain=srcnat src-address=192.168.10.4
add action=masquerade chain=srcnat src-address=192.168.10.4
add action=masquerade chain=srcnat src-address=192.168.10.5
add action=masquerade chain=srcnat src-address=192.168.10.19
add action=masquerade chain=srcnat src-address=192.168.10.6
add action=masquerade chain=srcnat src-address=192.168.10.7
add action=masquerade chain=srcnat src-address=192.168.10.8
add action=masquerade chain=srcnat src-address=192.168.10.9
add action=masquerade chain=srcnat src-address=192.168.10.10
add action=masquerade chain=srcnat src-address=192.168.10.11
add action=masquerade chain=srcnat src-address=192.168.10.12
add action=masquerade chain=srcnat src-address=192.168.10.13
add action=masquerade chain=srcnat src-address=192.168.10.14
add action=masquerade chain=srcnat src-address=192.168.10.15
add action=masquerade chain=srcnat src-address=192.168.10.16
add action=masquerade chain=srcnat src-address=192.168.10.17
add action=masquerade chain=srcnat src-address=192.168.10.18
add action=masquerade chain=srcnat src-address=192.168.10.20
add action=masquerade chain=srcnat src-address=192.168.10.21
add action=masquerade chain=srcnat src-address=192.168.10.22
add action=masquerade chain=srcnat src-address=192.168.10.23
add action=masquerade chain=srcnat src-address=192.168.10.24
add action=masquerade chain=srcnat src-address=192.168.10.25
add action=masquerade chain=srcnat src-address=192.168.10.26
add action=masquerade chain=srcnat src-address=192.168.10.220
add action=masquerade chain=srcnat src-address=192.168.10.150
add action=masquerade chain=srcnat src-address=192.168.10.250
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="Nat VPN L2TP" src-address=10.2.2.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="NETWORK VPN" src-address=10.2.2.2
add action=masquerade chain=srcnat src-address=10.2.2.3
add action=masquerade chain=srcnat src-address=10.2.2.4
add action=masquerade chain=srcnat src-address=10.2.2.5
add action=masquerade chain=srcnat src-address=10.2.2.6
add action=masquerade chain=srcnat src-address=10.2.2.7
add action=masquerade chain=srcnat src-address=10.2.2.8
add action=masquerade chain=srcnat src-address=10.2.2.9
add action=masquerade chain=srcnat src-address=10.2.2.10

add action=redirect chain=dstnat comment="logs MK Web Proxy" dst-port=80 protocol=tcp to-ports=8080

This rule means that web traffic is going to be redirected to the local proxy.
This is why your forward rule isn’t blocking web traffic, because technically, the traffic isn’t forwarding through the router.
The router is intercepting www traffic, and then generating a new request to the .20 network using its own IP address.
You would need to block such requests in the proxy configuration.

You're right, my friend. I disabled this rule and communication between the subnets does not happen, but I need this rule active because it is used to generate the access logs of my web proxy. I use this application to export the websites accessed to other management software. See the tutorial below:

https://www.youtube.com/watch?v=84keY6KOw2I

This is actually a time where you DO want to use the dst-address in your rule.


Change the rule to look like this:

add action=redirect chain=dstnat comment="logs MK Web Proxy" dst-port=80 protocol=tcp to-ports=8080 dst-address=!192.168.20.0/24

The ! means NOT, so the proxy will be avoided for anything whose IP address is in the 20 network, and then it will just get blocked by the filter table.
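The point made in the last two replies is that a dstnat redirect to the local proxy takes port-80 traffic out of the forward chain entirely: the redirected packet is delivered to the router's own proxy, which then opens a new outbound connection, so an interface-based forward drop never sees the request. One way to keep the proxy for internet browsing while leaving inter-VLAN traffic in the forward chain (where the drops apply) is to exempt both internal subnets from the redirect, and to deny the same destinations inside the proxy's own access list as a second layer. This is an added example, not ZeroByte's rule or the poster's configuration; it generalizes the single-subnet `dst-address=!...` exception above to both subnets and both LAN interfaces. Interface names ADM (VLAN 10) and HSPOT-1 (VLAN 20), the two /24s, and the address-list name `internal-lans` are assumptions (the list name is invented here).

```routeros
# Added example (not from the thread). Assumes ADM = VLAN 10 interface,
# HSPOT-1 = VLAN 20 interface, and the address-list name "internal-lans"
# (chosen here; any name works).
/ip firewall address-list
add list=internal-lans address=192.168.10.0/24 comment="VLAN 10"
add list=internal-lans address=192.168.20.0/24 comment="VLAN 20"

/ip firewall nat
# Transparent proxy only for web requests that leave the LANs. A request
# whose destination is another internal subnet is not redirected, so it
# stays in the forward chain and is stopped by the interface-based drops.
# Matching on in-interface also keeps port-80 traffic arriving from the WAN
# out of the proxy.
add chain=dstnat in-interface=ADM protocol=tcp dst-port=80 \
    dst-address-list=!internal-lans action=redirect to-ports=8080 \
    comment="logs MK Web Proxy (VLAN 10, internet only)"
add chain=dstnat in-interface=HSPOT-1 protocol=tcp dst-port=80 \
    dst-address-list=!internal-lans action=redirect to-ports=8080 \
    comment="logs MK Web Proxy (VLAN 20, internet only)"

# Second layer, inside the proxy itself: even if a request does reach the
# proxy, refuse to fetch from the other VLAN on the client's behalf.
/ip proxy access
add src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=deny \
    comment="proxy must not bridge VLAN 20 -> VLAN 10"
add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=deny \
    comment="proxy must not bridge VLAN 10 -> VLAN 20"

# Check: the redirect counters rise when clients browse the internet and stay
# flat when a 20.x client tries a 10.x web server; that attempt should count
# against the forward drop rule instead.
/ip firewall nat print stats where chain=dstnat action=redirect
/ip firewall filter print stats where chain=forward action=drop
```

The original redirect rule in the export has no `in-interface`, so port-80 traffic from the WAN addressed to the router also matches it; the export relies on a separate input drop for port 8080 from the WAN interface to cover that case, whereas restricting the redirect to the LAN interfaces avoids depending on it.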

Unfortunately the exception you gave me does not work. With the rule above, connectivity between the two networks comes back. Connectivity between the two networks does not work if I disable this rule, which is very good; it was what I really wanted, thank you :slight_smile:, but the problem is that if I disable the rule below, my web proxy filter no longer captures the pages browsed.

add action=redirect chain=dstnat comment="logs MK Web Proxy" dst-port=80 protocol=tcp to-ports=8080

Can anyone shed some light on the problem above? I have the rule below disabled, thanks to the help of my friend ZeroByte :slight_smile:

add action=redirect chain=dstnat comment="logs MK Web Proxy" dst-port=80 protocol=tcp to-ports=8080
Traffic between the two subnets is not getting through, which is great, but I'm not capturing the browsed pages on my web proxy, because with this rule disabled I cannot check the pages accessed by my customers.

This rule below will not work.

I think I'll have to change the port of my Apache server to something other than 80.
Maybe this way I will no longer be able to access my servers on network 10 while on network 20.

Sorted out!!

I just changed the default ports of my Apache servers to 8012 and 8013. Before, the default port was 80, and I believe that was conflicting with the web proxy. Now I can use the transparent web proxy, filtering all traffic entering the two subnetworks (10.x and 20.x), without the risk of talking to the servers on network 10.x.