Shared Folders

Hi.
I have the RB3011 router; this router has no WiFi. I have added an ASUS RP-AC68U access point that provides WiFi to the network. It is connected to the MikroTik via LAN, with an IP assigned by the MikroTik.

What I want is for the WiFi network not to have access to the other folders on the network that are reached over the LAN.
That is to say, a client that connects over WiFi cannot access the shared folders of the LAN network.

How can I achieve this from the MikroTik?
Thank you.

Hi.

You can add a firewall rule to achieve this target

/ip firewall filter add chain=forward in-interface=wifi out-interface=LAN action=drop

where wifi is the name of your access point interface, and LAN the name of your Ethernet interface.

Regards.

Hi.
I see you are Spanish.
Thanks for replying.
The access point is connected to ether6, and in out-interface I put ether1 gateway.
It gives me this error:
In/out interface matcher no posible when interface 6 is slave use masterd instead br2-lan.
With br-lan it gives that error too.
What is wrong?

If your WiFi is really for guests only, remove it from the bridge and give it its own IP range with a dedicated DHCP server.
Then add firewall drop rules from that range to your LAN range.
You might need to adjust your srcnat/masquerade firewall rule to also catch guest traffic to the internet.
-Chris

Hello, let me tell you how I have it set up. Like you, I have a MikroTik WiFi router connected to a LAN port of the main router (which has no WiFi). The main router assigns an internal IP to the MikroTik WiFi router, and on that one I create a WiFi network and it is broadcast.
Wherever you put the WiFi router, you must give it a route and a GW so that the WiFi router itself can reach the internet first; then create the WiFi and everyone will automatically get out, because they leave through the same GW as the main router.
The error you mention is probably because you need to create a bridge for both.
I would do:

  • In Interfaces, rename the port to a name that is familiar to you so you don't get confused.
  • In Bridge → Port → add the main port and the Ethernet port of your WiFi router to the same bridge.
  • In IP → Address → assign an IP to that bridge and configure DHCP.
  • In DHCP → Network configure the GW and the rest.
    Try it and let us know.

Hi Rey68

As the other forum members have said, there are several ways to do it.

If you want to keep the WiFi users on the same network as the Ethernet ones, you can keep the bridge and create drop rules between groups of users that you define in address-lists; you can create a WIFI group and another called LAN. Example:
/ip firewall filter add chain=forward src-address-list=wifi dst-address-list=LAN action=drop
However, this adds processing load to the router, since it has to open every IP packet to check which list it belongs to.

The other option is:
Create separate networks on each interface (for this you must remove the interfaces from the bridge), create a DHCP server for each interface,
and create the rule I mentioned in the first post:
/ip firewall filter add chain=forward in-interface=ether6-wifi out-interface=etherX-LAN action=drop
This one is more efficient, since it filters in hardware depending on the interface and does not require the IP packet to be inspected.

Regards,
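An added, complete RouterOS configuration for the second option described above (a separate network for the access point, its own DHCP server, an interface-based drop rule, and the NAT adjustment Chris mentioned). This is example configuration written for this thread, not something any poster provided. It assumes the wired LAN lives on a bridge named "bridge" with 192.168.1.0/24, the access point hangs off ether10 with 10.10.10.0/24 (the values reported later in the thread), and ether1 is the internet uplink; the comments and the "wifi2lan" log prefix are my own choices.

```routeros
# Guest WiFi on its own interface and subnet, isolated from the LAN.
# Assumed names: bridge = wired LAN (192.168.1.0/24), ether10 = access point
# (10.10.10.0/24), ether1 = internet uplink. Adjust to your interface list.

# 1. Take the AP port out of the bridge so it becomes a routed interface.
#    While the port is a bridge member the firewall refuses in-interface=ether10
#    with the "interface is slave - use master instead" error.
#    If the remove is refused with "can not remove dynamic port", the port is
#    probably a switch slave of a master port (RouterOS before 6.41); clear that
#    first with:  /interface ethernet set ether10 master-port=none
/interface bridge port remove [find interface=ether10]

# 2. Give the WiFi port its own address, pool and DHCP server.
/ip address add address=10.10.10.1/24 interface=ether10 comment="wifi-guest"
/ip pool add name=pool-wifi ranges=10.10.10.2-10.10.10.254
/ip dhcp-server add name=dhcp-wifi interface=ether10 address-pool=pool-wifi disabled=no
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
/ip dns set allow-remote-requests=yes

# 3. Forward chain: accept replies to existing connections first, then drop
#    anything new from WiFi towards the LAN. WiFi -> internet is untouched.
#    The drop is logged so blocked attempts show up in /log.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="stateful"
add chain=forward in-interface=ether10 out-interface=bridge action=drop \
    log=yes log-prefix="wifi2lan" comment="drop wifi->lan"

# 4. Input chain: WiFi clients get DNS and DHCP from the router and nothing else
#    (no WinBox, SSH or web admin from the guest side).
add chain=input in-interface=ether10 protocol=udp dst-port=53,67 action=accept comment="dns+dhcp for wifi"
add chain=input in-interface=ether10 protocol=tcp dst-port=53 action=accept comment="dns tcp for wifi"
add chain=input in-interface=ether10 action=drop comment="no router admin from wifi"

# 5. NAT: masquerade on the uplink interface covers both internal ranges,
#    so guest traffic to the internet does not need a second srcnat rule.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
```

After applying it, `/ip firewall filter print stats` shows the packet counters per rule, and `/log print where message~"wifi2lan"` lists the dropped WiFi-to-LAN attempts, which is a quick way to confirm the isolation is actually doing work before anyone declares the shares "invisible".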

Hi.
I will look at the alternatives you proposed.
Thank you for your attention.

Hi:
When I remove the interface from the bridge I get the following error.
Couldn’t remove Bridge Port - can not remove dynamic port (6).

I see no way to solve this.

Note that the RB3011 has two switch chips and they are independent, although with the bridge all the interfaces work on the same switch.

Hi:
I now have the WiFi working on eth10.
With IP range from 10.10.10.1 to 10.10.10.254
and the LAN on 192.168.1.1 to 192.168.1.254

Now the WiFi does not see the LAN computers or the shared folders.

How would it be done if a computer on the WiFi network needs to access those shared folders on the LAN?

Hi.

You can add an address-list with the exceptions and put a rule below all the other rules

You can add an address-list with the exceptions and place a rule above all the other rules

The IP of the PC that wants to see the LAN folders is 10.10.1.87.
What would the firewall rule that allows that exception look like?

Hi, you should make a new rule in Firewall → New → Src. Address 10.10.1.87, Dst. Address → wherever the shared folder is, and at the very bottom set Action to “Accept”. That way IP 10.10.1.87 will be able to reach the IP of the shared folders. Then drag that rule (with the mouse) above the one that denies everything, and you can test it.

Should this rule be in Filter Rules, not in NAT?
In Filter Rules, should the chain be forward?

It has to be in Filter Rules and chain forward.
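An added RouterOS example, not posted by anyone in the thread, that ties together the address-list option described earlier and the exception rule discussed here: the drop rule between the wifi and LAN lists, and a single accept placed above it (place-before does in the CLI what dragging the rule does in WinBox) that lets one WiFi host reach one file server on the SMB port only. The addresses are constructed for the example: 10.10.10.0/24 and 192.168.1.0/24 are the ranges quoted in the thread, 192.168.1.10 is a placeholder for the host with the shares, and the PC is written as 10.10.10.87 because the 10.10.1.87 quoted above falls outside the 10.10.10.0/24 WiFi range also quoted above; substitute the real addresses.

```routeros
# Address-list based isolation with one narrow exception, placed above the drop.
# Constructed addresses: wifi 10.10.10.0/24, LAN 192.168.1.0/24,
# file server 192.168.1.10 (placeholder), allowed PC 10.10.10.87 (constructed).

/ip firewall address-list
add list=wifi address=10.10.10.0/24 comment="guest wifi range"
add list=LAN address=192.168.1.0/24 comment="wired lan range"
add list=wifi-share-ok address=10.10.10.87 comment="constructed: the one PC allowed to reach the share"
add list=fileservers address=192.168.1.10 comment="placeholder: host with the shared folders"

/ip firewall filter
# Replies to connections already accepted pass first, so the LAN side can still
# initiate towards WiFi hosts and get its answers back.
add chain=forward connection-state=established,related action=accept comment="stateful"

# The isolation rule: anything new from the wifi list to the LAN list is dropped and logged.
add chain=forward src-address-list=wifi dst-address-list=LAN action=drop \
    log=yes log-prefix="wifi2lan" comment="drop wifi->lan"

# The exception: only that PC, only to the file server, only SMB (TCP/445).
# place-before inserts it above the drop rule; order is what makes it work,
# a matching accept below the drop would never be reached.
add chain=forward src-address-list=wifi-share-ok dst-address-list=fileservers \
    protocol=tcp dst-port=445 action=accept comment="smb exception" \
    place-before=[find comment="drop wifi->lan"]

# Verify ordering and counters: the accept must print before the drop,
# and its packet counter should move when the PC opens \\server\share.
/ip firewall filter print stats
```

Limiting the exception to TCP/445 (add 139 only if a legacy NetBIOS share is involved) keeps the hole the size of the requirement: the PC gets the shares, not RDP, WinRM or anything else on the LAN. If the rule counters move but the share still fails, look at the server rather than the router: Windows' built-in File and Printer Sharing firewall rules are scoped to the local subnet by default, so a client on 10.10.10.0/24 is refused there even with the router rule in place. The fix is to widen that rule's remote-address scope on the server to the one WiFi address, not to switch the host firewall off.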

It doesn't work.
(attachments: Captura2.PNG, Captura1.PNG)

Did you check windows firewall in both sides?

Did you check that the Windows firewall was disabled on both ends?