Rules to stop subnet to subnet traffic

RB800

I am going to put 130 different subnets on VLANs, then push the subnets and DHCP through switches.
192.168.1.1 - 192.168.131.1

I do not want any of the subnets to talk to each other.

Is there a way to do this without making firewall rules for each subnet? I feel like 300+ firewall rules may bog down the router a little.


Thanks.

You can just add firewall rule that stops all forwarding (/ip firewall filter add chain=forward action=drop) and above it you can add rules that allow forwarding between specific subnets (if needed).

Doing that drops all connections completely. It keeps those subnets from reaching the internet.

Added firewall rule chain=forward Src Address 192.168.1.0/24 Dst Address (everything but checked) 192.168.1.0/24 Action Drop

It drops packets to items on the different subnets but not to the subnet's gateway (router). To drop those I put in the same rule, just with chain=input.

This has limited it to 2 rules per subnet, which is still 260 rules.

Anyone know of a better way?

/ip firewall filter
add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop

try this one

This completely dropped all traffic to the gateway including DNS and DHCP basically making it unusable.

I have also tried disabling ARP on interfaces, but this also stops all pings in and out.

Do you really want users to communicate within their broadcast domain only? Or, perhaps you want your users to go to internet and nowhere else?

Basically I want each subnet to be able to get to the internet and to anything else on their /24 subnet, but not talk to any other /24 subnet.



add action=reject chain=forward comment="Drop traffic between LAN interfaces/subnets" disabled=no \
    dst-address-list=PrivateSubnets in-interface=!WAN reject-with=icmp-admin-prohibited

PrivateSubnets list has all of your LAN subnets.

How would I set up the NAT in order to add that to the destination address list?

Then the simplest would be to permit access to the internet and nothing else:

add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related 
add chain=forward action=accept out-interface=<gateway interface>
add chain=forward action=drop

Anything that is not established or related or going out the gateway interface is dropped.
Then add a src-nat rule to handle masquerade.

Traffic for each vlan will be handled @L2 by the switches, not the router.

Working great! Thank you.

This config restricts connections between IPs on the individual LANs. Is there another rule I can add that would keep one subnet from reaching the other subnets' gateways?


ie. computer 1 = 192.168.1.4 computer 2 = 192.168.2.4

How I have it now, computer 1 cannot talk to computer 2, but it can talk to computer 2's gateway.

It's not critical to have that stopped, but I would prefer it.

Do you have input rules?
Why allow any access to the router from the various lans?
With few exceptions, I would block all but your management subnet or management port access to the router on the lan side.

add chain=input action=accept connection-state=established
add chain=input action=accept connection-state=related 
add chain=input action=accept in-interface=<management interface> src-address=<management subnet>
add chain=input action=drop

Use safe mode when doing this to ensure you don’t lock yourself out.
The third rule will allow MAC Winbox if src-address matches.
If you need remote access add a fourth rule before the drop:

add chain=input action=accept in-interface=<gateway interface> src-address-list=<Public IP List>

Then make an address list with the few publics that need to access the router from the public wan. Use care with this.

I do DNS relay through the router, which those rules seem to stop.

Turning off relay and pushing public DNS through fixes this problem.


Also I would like the individual subnets to be able to ping their individual gateway for troubleshooting purposes.

add chain=input action=accept protocol=udp in-interface=!<gateway> dst-port=53
add chain=input action=accept protocol=tcp in-interface=!<gateway> dst-port=53
add chain=input action=accept protocol=icmp in-interface=!<gateway>
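The following is an added example, not RouterOS code and not written by any poster in this thread: a small first-match model of the forward chain (established/related, out-interface gateway, drop) and the input chain (established/related, management subnet, DNS and ICMP from LAN interfaces, drop) that the thread converges on. It lets you check, packet by packet, what that rule set accepts and drops before committing it to a router. The interface names (ether1 as the gateway, vlanN for each /24) and the management VLAN (vlan100, 192.168.100.0/24) are assumptions for illustration; the 192.168.1.1 to 192.168.131.1 gateway addresses come from the thread.

```python
# Added example: first-match model of the thread's forward and input chains.
# Not RouterOS code; interface names and the management subnet are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GATEWAY_IFACE = "ether1"                               # assumed WAN/gateway interface
MGMT_IFACE, MGMT_NET = "vlan100", "192.168.100.0/24"   # assumed management VLAN
# Router-owned gateway addresses, one per VLAN, as described in the thread.
ROUTER_ADDRS = {f"192.168.{n}.1" for n in range(1, 132)}


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: Optional[str] = None   # None when the router itself is the destination
    proto: str = "tcp"
    dst_port: Optional[int] = None
    conn_state: str = "new"           # "new", "established" or "related"


@dataclass
class Rule:
    action: str
    conn_state: Optional[str] = None
    in_iface: Optional[str] = None    # a leading "!" negates, like in-interface=!WAN
    out_iface: Optional[str] = None
    src_net: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        def iface_ok(want: Optional[str], have: Optional[str]) -> bool:
            if want is None:
                return True
            if want.startswith("!"):
                return have != want[1:]
            return have == want

        return (
            (self.conn_state is None or p.conn_state == self.conn_state)
            and iface_ok(self.in_iface, p.in_iface)
            and iface_ok(self.out_iface, p.out_iface)
            and (self.src_net is None or ip_address(p.src) in ip_network(self.src_net))
            and (self.proto is None or p.proto == self.proto)
            and (self.dst_port is None or p.dst_port == self.dst_port)
        )


# forward chain: internet only, nothing between VLANs
FORWARD = [
    Rule("accept", conn_state="established"),
    Rule("accept", conn_state="related"),
    Rule("accept", out_iface=GATEWAY_IFACE),
    Rule("drop"),
]

# input chain: management VLAN, plus DNS relay and ping from any LAN-side interface
INPUT = [
    Rule("accept", conn_state="established"),
    Rule("accept", conn_state="related"),
    Rule("accept", in_iface=MGMT_IFACE, src_net=MGMT_NET),
    Rule("accept", proto="udp", in_iface="!" + GATEWAY_IFACE, dst_port=53),
    Rule("accept", proto="tcp", in_iface="!" + GATEWAY_IFACE, dst_port=53),
    Rule("accept", proto="icmp", in_iface="!" + GATEWAY_IFACE),
    Rule("drop"),
]


def verdict(p: Packet) -> str:
    """First matching rule wins; with no match the chain's default is accept."""
    chain = INPUT if p.dst in ROUTER_ADDRS else FORWARD
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return "accept"


if __name__ == "__main__":
    # Constructed sample traffic covering the cases discussed in the thread.
    samples = {
        "vlan1 host -> internet": Packet("192.168.1.4", "93.184.216.34", "vlan1", "ether1"),
        "vlan1 host -> vlan2 host": Packet("192.168.1.4", "192.168.2.4", "vlan1", "vlan2"),
        "vlan1 host -> own gateway DNS": Packet("192.168.1.4", "192.168.1.1", "vlan1", proto="udp", dst_port=53),
        "vlan1 host -> own gateway ping": Packet("192.168.1.4", "192.168.1.1", "vlan1", proto="icmp"),
        "vlan1 host -> vlan2 gateway ping": Packet("192.168.1.4", "192.168.2.1", "vlan1", proto="icmp"),
        "vlan1 host -> gateway Winbox": Packet("192.168.1.4", "192.168.1.1", "vlan1", dst_port=8291),
        "mgmt host -> gateway Winbox": Packet("192.168.100.5", "192.168.100.1", "vlan100", dst_port=8291),
        "internet -> gateway Winbox": Packet("203.0.113.9", "192.168.1.1", "ether1", dst_port=8291),
    }
    for name, pkt in samples.items():
        print(f"{name:36s} {verdict(pkt)}")
```

Running it shows the two chains doing what the thread wants (inter-VLAN forwarding and LAN-side Winbox dropped, internet, DNS and ping to the gateway accepted) and also makes the remaining gap visible: ICMP from 192.168.1.4 to 192.168.2.1 is accepted, because the ICMP input rule matches on the incoming interface only, not on which router address is the destination. Closing that would need a destination-address match on those input rules (my observation, not a rule from the thread).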