Routing/Firewall Problem RB750GL

Hello!

I have a Routing/Firewall Problem and I am a beginner with Firewall/Routing.

Situation:

Fritzbox 7390 with DSL connection to ISP. Internal network is standard (192.168.178.0/24). I added 2 RB750GL with 2 different nets (192.168.100.0/24 = RB750GL1, 192.168.200.0/24 = RB750GL2). IP addresses for these 2 RBs are static (192.168.178.201 and 192.168.178.202). Added 2 static routes in the Fritzbox. Everything is working fine so far. Each net can communicate with each other and also has access to the internet. Now I want that the 2 nets of the RB750GL should only communicate internally. Net 192.168.100.0 should be able to communicate with 192.168.200.0 and 192.168.178.0. Net 192.168.200.0 should be able to communicate with 192.168.100.0 and 192.168.178.0. Net 192.168.178.0 should be able to communicate with 192.168.100.0 and 192.168.200.0. That is working, but nets 192.168.100.0 and 192.168.200.0 shouldn't have internet except one single IP address in each of these nets (192.168.100.10 and 192.168.200.10). Net 192.168.178.0 should have internet as usual.

How to configure Firewall or Routing?

Does anyone have ideas?

OK, I will try to help you. I think you're doing it very complicated… I think you don't need two MikroTiks for this… But I will answer your question. If you think you're maybe doing it complicated, write in your next post what you exactly need from your network, such as: I have 2 servers and 10 PCs, they must go to the internet, and also I have a printer, and so on…

RB750GL1
IP address: 192.168.178.201
Network behind RB: 192.168.100.0/24
Network 192.168.100.0/24 can communicate with: 192.168.200.0/24 and 192.168.178.0 except IP 192.168.100.10
IP 192.168.100.10 can communicate with: all

/ip firewall filter
add chain=forward comment="Allow 192.168.100.10 -> everywhere" \
    src-address=192.168.100.10 action=accept
add chain=forward comment="Allow 192.168.100.0/24 -> 192.168.200.0/24" \
    dst-address=192.168.200.0/24 src-address=192.168.100.0/24 action=accept
add chain=forward comment="Allow 192.168.100.0/24 -> 192.168.178.0/24" \
    dst-address=192.168.178.0/24 src-address=192.168.100.0/24 action=accept
add chain=forward comment="Drop 192.168.100.0/24 -> all" \
    src-address=192.168.100.0/24 action=drop

RB750GL2
IP address: 192.168.178.202
Network behind RB: 192.168.200.0/24
Network 192.168.200.0/24 can communicate with: 192.168.100.0/24 and 192.168.178.0 except IP 192.168.200.10
IP 192.168.200.10 can communicate with: all

/ip firewall filter
add chain=forward comment="Allow 192.168.200.10 -> everywhere" \
    src-address=192.168.200.10 action=accept
add chain=forward comment="Allow 192.168.200.0/24 -> 192.168.100.0/24" \
    dst-address=192.168.100.0/24 src-address=192.168.200.0/24 action=accept
add chain=forward comment="Allow 192.168.200.0/24 -> 192.168.178.0/24" \
    dst-address=192.168.178.0/24 src-address=192.168.200.0/24 action=accept
add chain=forward comment="Drop 192.168.200.0/24 -> all" \
    src-address=192.168.200.0/24 action=drop

Better but for you more complicated solution (after some years I prefer this):

  • your networks are defined in a firewall address list
  • if you need to add more IP addresses or nets, you simply add them to the address list
  • you can simply remove and add IP addresses and subnets, and the firewall rules stay the same

RB750GL1
IP address: 192.168.178.201
Network behind RB: 192.168.100.0/24
Network 192.168.100.0/24 can communicate with: 192.168.200.0/24 and 192.168.178.0 except IP 192.168.100.10
IP 192.168.100.10 can communicate with: all

/ip firewall address-list
add address=192.168.100.10 list=INTERNET-ALLOWED comment="Internet allowed"
add address=192.168.100.0/24 list=LOCAL-NET comment="Local network"
add address=192.168.200.0/24 list=INTERNAL-NETS comment="LAN RB750GL2"
add address=192.168.178.0/24 list=INTERNAL-NETS comment="LAN Fritzbox"
/ip firewall filter
add action=accept chain=forward src-address-list=INTERNET-ALLOWED \
    comment="Allow when source address list is INTERNET-ALLOWED"
add action=drop chain=forward dst-address-list=!INTERNAL-NETS src-address-list=LOCAL-NET \
    comment="Drop all from LOCAL-NET list when that is not traffic to INTERNAL-NETS list"

RB750GL2
IP address: 192.168.178.202
Network behind RB: 192.168.200.0/24
Network 192.168.200.0/24 can communicate with: 192.168.100.0/24 and 192.168.178.0 except IP 192.168.200.10
IP 192.168.200.10 can communicate with: all

/ip firewall address-list
add address=192.168.200.10 list=INTERNET-ALLOWED comment="Internet allowed"
add address=192.168.200.0/24 list=LOCAL-NET comment="Local network"
add address=192.168.100.0/24 list=INTERNAL-NETS comment="LAN RB750GL1"
add address=192.168.178.0/24 list=INTERNAL-NETS comment="LAN Fritzbox"
/ip firewall filter
add action=accept chain=forward src-address-list=INTERNET-ALLOWED \
    comment="Allow when source address list is INTERNET-ALLOWED"
add action=drop chain=forward dst-address-list=!INTERNAL-NETS src-address-list=LOCAL-NET \
    comment="Drop all from LOCAL-NET list when that is not traffic to INTERNAL-NETS list"
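Both rule sets in the answer above rely on two RouterOS behaviours that are easy to get wrong when editing them later: rules in a chain are evaluated top to bottom and the first match decides, and a forward packet that matches no rule at all is accepted. The following script is an added example, not code from the thread or from MikroTik; it models only the src-address, dst-address and address-list matchers (no connection tracking, no interface matchers) and replays the RB750GL1 rules of both variants over a handful of constructed flows so the intended policy can be checked before anything is pasted into a live router.

```python
"""Offline model of the RouterOS forward-chain rules posted for RB750GL1.

Constructed example: re-implements first-match evaluation for the
src-address / dst-address / *-address-list matchers used in the thread,
then checks the explicit-rule variant and the address-list variant
against the same sample flows.
"""
from ipaddress import ip_address, ip_network

# Address lists of the address-list variant for RB750GL1 (values from the post).
ADDRESS_LISTS = {
    "INTERNET-ALLOWED": [ip_network("192.168.100.10/32")],
    "LOCAL-NET": [ip_network("192.168.100.0/24")],
    "INTERNAL-NETS": [ip_network("192.168.200.0/24"), ip_network("192.168.178.0/24")],
}

# Variant 1: explicit src/dst rules for RB750GL1, in the order posted.
RULES_EXPLICIT = [
    {"src": "192.168.100.10/32", "action": "accept"},
    {"src": "192.168.100.0/24", "dst": "192.168.200.0/24", "action": "accept"},
    {"src": "192.168.100.0/24", "dst": "192.168.178.0/24", "action": "accept"},
    {"src": "192.168.100.0/24", "action": "drop"},
]

# Variant 2: address-list rules. A leading "!" inverts the list match,
# as dst-address-list=!INTERNAL-NETS does in RouterOS.
RULES_LISTS = [
    {"src_list": "INTERNET-ALLOWED", "action": "accept"},
    {"src_list": "LOCAL-NET", "dst_list": "!INTERNAL-NETS", "action": "drop"},
]


def _in_list(addr, list_name):
    """Address-list matcher with optional '!' negation."""
    negate = list_name.startswith("!")
    hit = any(addr in net for net in ADDRESS_LISTS[list_name.lstrip("!")])
    return hit != negate


def _matches(rule, src, dst):
    """True when every matcher present in the rule matches the flow."""
    if "src" in rule and src not in ip_network(rule["src"]):
        return False
    if "dst" in rule and dst not in ip_network(rule["dst"]):
        return False
    if "src_list" in rule and not _in_list(src, rule["src_list"]):
        return False
    if "dst_list" in rule and not _in_list(dst, rule["dst_list"]):
        return False
    return True


def verdict(rules, src, dst):
    """First matching rule wins; a forward packet matching no rule is accepted."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if _matches(rule, src, dst):
            return rule["action"]
    return "accept"  # implicit default of the RouterOS filter chain


# Constructed sample flows: (source, destination, verdict the thread wants).
SAMPLE_FLOWS = [
    ("192.168.100.10", "8.8.8.8", "accept"),        # the one host allowed to the internet
    ("192.168.100.20", "8.8.8.8", "drop"),          # any other LAN host -> internet
    ("192.168.100.20", "192.168.200.5", "accept"),  # LAN -> other RB's LAN
    ("192.168.100.20", "192.168.178.1", "accept"),  # LAN -> Fritzbox net
    ("192.168.178.5", "192.168.100.20", "accept"),  # no rule matches: default accept
    ("192.168.100.20", "10.0.0.1", "drop"),         # private but not in INTERNAL-NETS: dropped
]


def check_variants(flows=SAMPLE_FLOWS):
    """Map each flow to (explicit verdict, address-list verdict, expected verdict)."""
    return {
        (src, dst): (verdict(RULES_EXPLICIT, src, dst), verdict(RULES_LISTS, src, dst), want)
        for src, dst, want in flows
    }


def variants_agree(flows=SAMPLE_FLOWS):
    """True when both variants return the expected verdict for every flow."""
    return all(a == b == want for a, b, want in check_variants(flows).values())


if __name__ == "__main__":
    for (src, dst), (explicit, lists, want) in check_variants().items():
        print(f"{src:>15} -> {dst:<15} explicit={explicit:6} lists={lists:6} expected={want}")
    print("both variants match the intended policy:", variants_agree())
```

The fifth flow is the one to keep in mind when the rule set grows: traffic from the Fritzbox net into 192.168.100.0/24, and the reply packets of the allowed flows, pass only because nothing matches them. If a catch-all `action=drop` is ever appended to the forward chain, an `action=accept connection-state=established,related` rule has to sit above it, or the replies to 192.168.100.10's internet sessions are dropped as well.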

Hello tpansky!

First of all, thank you for your help. Maybe my environment is a bit complicated, but I got these 2 RBs for nearly nothing and I thought it would be good for a lab environment. These 2 IPs are servers which must have internet access. All other servers are usual clients or servers where I want to test software.

Anyway, my head was "empty" yesterday and so I didn't find the correct idea. So I say thank you again for your help, and I will try it and tell you about the results later.