Simple router question

Hi all,
I am new to Mikrotik and have a fairly simple question.
I have 2 networks that I want to connect to the Mikrotik so that they can both access the internet.
One network would be 192.168.1.x and the 2nd would be 192.168.15.x.
So I want to connect the internet to port one,
the 192.168.1.x network to port 2, and
the 192.168.15.x network to port 3.

Now my question is how to make sure that the 2 networks can both access the internet but cannot access each other.
i.e. the 192.168.1.x network should not be allowed to access anything on the 192.168.15.x network,
and the 192.168.15.x network should not be allowed to access anything on the 192.168.1.x network.

Sorry for the basic question, but to a newbie it is not so easy.
Any help would be appreciated.

/ip firewall filter
add chain=forward in-interface=ether2 out-interface=ether3 action=reject
add chain=forward in-interface=ether3 out-interface=ether2 action=reject

or, in general,

/ip firewall filter
add chain=forward in-interface=!ether1 out-interface=!ether1 action=reject
  • it will block any communication not via port 1

Excellent, thanks for the help

PLZPLZ :smiley:

That does still leave you open for traffic from the Internet to either LAN. I prefer the below as it blocks that, too, except for return packets belonging to connections that have already been established from the LAN to the Internet:

/ip firewall filter
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept out-interface=ether1
add chain=forward action=drop

If you use NAT, it’s useless. If you have public IPs, you probably want the ability to accept incoming connections =)

Relying on NAT to drop unknown connections on the WAN interface works (or it should), but I prefer explicitly saying “don’t allow that” without relying on an assumption that something else takes care of it. Logically just by rule interpretation your rules still permit traffic from WAN to LAN. I don’t ‘like’ that.
It is personal preference, though.
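To make the disagreement in the last few replies concrete, here is an added example (not code from the thread and not MikroTik software) that models how RouterOS walks the forward chain: rules are tried in order, the first match decides, and a packet that matches no rule is accepted. It parses the three rulesets exactly as they were pasted above and evaluates constructed packets against them, so you can see that the two reject-only rulesets leave an unsolicited Internet-to-LAN packet on ether1 accepted, while the stateful ruleset drops it and only lets return traffic of established connections back in. The interface names and the `Packet`/`Rule`/`verdicts` helpers are assumptions of this example; the model ignores every matcher other than chain, in/out interface, connection-state and action.

```python
"""Model of RouterOS forward-chain evaluation (added example, not RouterOS code).
First matching rule wins; a packet matching no rule is accepted."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    conn_state: str  # "new", "established", "related" or "invalid"


@dataclass
class Rule:
    action: str
    in_iface: Optional[str] = None    # e.g. "ether2", or negated "!ether1"
    out_iface: Optional[str] = None
    conn_state: Optional[str] = None


def parse_filter(text: str) -> List[Rule]:
    """Turn '/ip firewall filter' lines (as pasted in the thread) into Rules.
    Only chain=forward rules are kept; rule order is preserved."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skip the '/ip firewall filter' menu line and blanks
        kv = dict(tok.split("=", 1) for tok in line.split()[1:])
        if kv.get("chain") != "forward":
            continue
        rules.append(Rule(action=kv["action"],
                          in_iface=kv.get("in-interface"),
                          out_iface=kv.get("out-interface"),
                          conn_state=kv.get("connection-state")))
    return rules


def _iface_matches(pattern: Optional[str], value: str) -> bool:
    if pattern is None:
        return True                  # matcher not set: matches any interface
    if pattern.startswith("!"):
        return value != pattern[1:]  # RouterOS '!' negates the matcher
    return value == pattern


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Action of the first rule that matches pkt; 'accept' if none matches."""
    for r in rules:
        if (_iface_matches(r.in_iface, pkt.in_iface)
                and _iface_matches(r.out_iface, pkt.out_iface)
                and (r.conn_state is None or r.conn_state == pkt.conn_state)):
            return r.action
    return "accept"  # RouterOS default: an unmatched packet passes


# The three rulesets posted in the thread, copied verbatim.
PAIRWISE = """
/ip firewall filter
add chain=forward in-interface=ether2 out-interface=ether3 action=reject
add chain=forward in-interface=ether3 out-interface=ether2 action=reject
"""

GENERAL = """
/ip firewall filter
add chain=forward in-interface=!ether1 out-interface=!ether1 action=reject
"""

STATEFUL = """
/ip firewall filter
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept out-interface=ether1
add chain=forward action=drop
"""

# Constructed traffic: ether1 = Internet, ether2 = 192.168.1.x, ether3 = 192.168.15.x
SCENARIOS = {
    "lan1_to_lan2_new": Packet("ether2", "ether3", "new"),
    "lan2_to_lan1_new": Packet("ether3", "ether2", "new"),
    "lan1_to_wan_new": Packet("ether2", "ether1", "new"),
    "wan_to_lan1_new": Packet("ether1", "ether2", "new"),              # unsolicited inbound
    "wan_to_lan1_reply": Packet("ether1", "ether2", "established"),    # return traffic
}


def verdicts(ruleset: str) -> Dict[str, str]:
    """Map each scenario name to the verdict the given ruleset produces."""
    rules = parse_filter(ruleset)
    return {name: evaluate(rules, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, text in (("pairwise", PAIRWISE), ("general", GENERAL), ("stateful", STATEFUL)):
        print(label, verdicts(text))
```

Running it shows `wan_to_lan1_new` accepted by the pairwise and general rulesets and dropped by the stateful one, which is exactly the "traffic from WAN to LAN" gap described above; whether that gap matters on a real router still depends on whether NAT or a separate input/forward policy closes it, which this model deliberately does not assume.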