Hello,
We have several PPPoE servers. Each user has a static private IP address. Each 2 specific users are allowed to only connect to each other.
192.168.0.0/30 is for user1 and user2
user1 → 192.168.0.1
user2 → 192.168.0.2
/ip firewall filter
add action=drop chain=forward dst-address=!192.168.0.0/30 src-address=192.168.0.0/30
192.168.0.4/30 is for user3 and user4
user3 → 192.168.0.5
user4 → 192.168.0.6
/ip firewall filter
add action=drop chain=forward dst-address=!192.168.0.4/30 src-address=192.168.0.4/30
And such config will be created for more than 1000 pairs of users. These firewall rules should be created on each PPPoE server because each user may connect to them randomly.
This is very resource intensive.
I have no idea how to simplify this, but if we could create a firewall rule with this logic it would be fine:
/ip firewall filter
add action=drop chain=forward dst-address=![MY OWN /30]
if the firewall could dynamically find the src IP address, calculate its /30 netmask and put it there.
Also I am ready to implement any way other than firewall to achieve the goal. And the goal is: each PPPoE user may only connect to one specific other PPPoE user (in large scale, more than 1000 users).
This is going to be my new nightmare
Thanks for ideas
Scripting could do it. At least generate the rules and maintain them by comments and a feed file; that would be easier to edit and maintain. May I ask the question why? oh WHY? Is this a requirement, and at the scale of 1000 users? What's the overall architecture that demands this?
I ask because there may be better ways to do what you want to do … cough private VLANs … / insert tech here.
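As an added example (not code from the thread or from anyone posting in it), the following Python generator illustrates the approach suggested in the reply above and the /30-per-pair rules from the original post: a feed file lists each pair of users, the script derives the /30 that contains both addresses, refuses pairs that do not share one, emits RouterOS rules in the same form as the thread (tagged with a comment per pair so a later run can find and replace them), and simulates the resulting filter so the policy can be checked before it is pushed to every server. The feed-file format, user names and the `pair:` comment convention are constructed assumptions, not anything from the thread.

```python
import ipaddress

# Constructed feed file (assumption): one pair per line, "name1 ip1 name2 ip2".
# Blank lines and lines starting with "#" are ignored.
FEED = """\
# name1   ip1          name2   ip2
user1 192.168.0.1 user2 192.168.0.2
user3 192.168.0.5 user4 192.168.0.6
"""


def pair_block(ip1, ip2):
    """Return the /30 containing both users; reject pairs that do not share one,
    because the drop rule would otherwise isolate them from each other too."""
    net = ipaddress.ip_network(f"{ip1}/30", strict=False)
    if ipaddress.ip_address(ip2) not in net:
        raise ValueError(f"{ip1} and {ip2} are not in the same /30")
    return net


def parse_feed(text):
    """Parse the feed into (name1, ip1, name2, ip2, /30) tuples, failing loudly on bad lines."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"feed line {lineno}: expected 4 fields, got {len(parts)}")
        n1, a1, n2, a2 = parts
        pairs.append((n1, a1, n2, a2, pair_block(a1, a2)))
    return pairs


def render_rules(pairs):
    """Emit RouterOS filter rules in the thread's form, one drop rule per pair.
    The comment is a constructed convention so a later run can locate its own rules."""
    lines = ["/ip firewall filter"]
    for n1, _a1, n2, _a2, net in pairs:
        lines.append(
            f"add action=drop chain=forward src-address={net} "
            f'dst-address=!{net} comment="pair:{n1}-{n2}"'
        )
    return lines


def is_allowed(pairs, src, dst):
    """Simulate the generated rule set for one forwarded packet.
    Only drop rules are generated, so a source in no pair block matches nothing
    and falls through to the chain's default (accept): users missing from the
    feed are unrestricted, which is worth checking for before deployment."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for *_, net in pairs:
        if s in net:
            return d in net
    return True


if __name__ == "__main__":
    pairs = parse_feed(FEED)
    print("\n".join(render_rules(pairs)))
    print("user1 -> user2 allowed:", is_allowed(pairs, "192.168.0.1", "192.168.0.2"))
    print("user1 -> user3 allowed:", is_allowed(pairs, "192.168.0.1", "192.168.0.5"))
```

Run it with the feed in place of `FEED` (or read the file in the `__main__` block) and paste the printed rules into the terminal of each PPPoE server; the `is_allowed` check is the part worth running first, since it shows that an address absent from the feed is not isolated at all.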
Thanks for reply.
The main problem is not generating the rules. But thousands of rules on each router make load on the router. I am trying to create a few lines of rules to achieve the same result.
About VLANs, the problem is some topology limitations which make VLANs hard to implement.
We want to create some kind of private network between each 2 users with GRE or EOIP tunnels.
Have you looked at the arp=local-proxy-arp feature at all in EoIP? You may find solace in that.
That makes sense after connecting the tunnels between each 2 users. Currently the problem is each 2 users are allowed, and only allowed, to see each other and no one else.
Now that I think about it. Wouldn't an EoIP without any IP addresses assigned to the EoIP or bridge interfaces do what you want? Do they need to see only each other, or only each other and the upstream Internet?
Can you tell us more details? The why can often help us give you an answer you may not have thought of at all. Are you trying to provide WAN circuits to a business that doesn't have Internet but connects various offices together?
Yes.
We have a wide PPPoE network infrastructure. That network may be used for intrAnet based on user-assigned IP addresses, firewall rules, etc. This special service is a point-to-point-only service without Internet. For example, userA connects via PPPoE in cityX and userB connects via PPPoE in cityY. userA may only see userB and nothing else.
Some link: https://wiki.mikrotik.com/wiki/PPPOE_Server . Check the proxy-arp. It's highlighted in the tutorial page.
So other than having an existing architecture, have you thought about adding an overlay technology like EoIP or VPLS to service this customer need? It seems like maintaining a large amount of ACLs would be far worse and more error-prone than either poor man's VPLS (EoIP) or VPLS itself.
Thoughts?