(solved) block traffic between subnets

Hello,

Is there a better way to block traffic between 20 subnets on a CCR other than creating (20+19+18+...+1) firewall filter rules like this one:
add action=drop chain=forward dst-address=192.168.21.0/24 src-address=192.168.22.0/24

(the subnets are not in sequence, but all are listed in IP/Addresses)

Yes, use the src and dst address lists

Thank you. That was easy…

No problem, glad I could help :slight_smile:

You could also use the ‘not’ parameter.

Not sure I understand. I know what “not” or “!” is, but where and how I can use it?

Create a rule where you block traffic if dst-address is not src-address. Then you only need 20 rules.
But I do not know your full config, so maybe I’m missing something.

Here is the answer from here:
http://forum.mikrotik.com/t/new-firewall-matcher-connection-rate/31487/1

First, make accept rules for each subnet (src to dst) like:
/ip firewall filter add chain=forward action=accept src-address=192.168.0.0/24 dst-address=192.168.0.0/24

Then, make one list of all subnets (ALL_subnets) and make rule:
/ip firewall filter add chain=forward action=drop src-address-list=ALL_subnets dst-address-list=ALL_subnets
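As an added example (not from the thread), here is a small Python generator for the address-list rule set above, together with an evaluator that mirrors RouterOS rule order and confirms it gives the same verdicts as one drop rule per subnet pair. The four subnets, the list name ALL_subnets and the sample addresses are constructed values.

```python
import ipaddress

# Constructed sample: four non-contiguous /24s standing in for the 20 subnets on the CCR.
SUBNETS = ["192.168.21.0/24", "192.168.22.0/24", "10.50.0.0/24", "172.16.8.0/24"]


def pairwise_drop_rules(subnets):
    """Naive approach from the question: one drop rule per ordered (src, dst) pair."""
    return [f"/ip firewall filter add chain=forward action=drop src-address={a} dst-address={b}"
            for a in subnets for b in subnets if a != b]


def address_list_rules(subnets, list_name="ALL_subnets"):
    """Approach from the answer: per-subnet accept rules, one address list, one drop rule."""
    cmds = [f"/ip firewall filter add chain=forward action=accept src-address={s} dst-address={s}"
            for s in subnets]
    cmds += [f"/ip firewall address-list add list={list_name} address={s}" for s in subnets]
    cmds.append(f"/ip firewall filter add chain=forward action=drop "
                f"src-address-list={list_name} dst-address-list={list_name}")
    return cmds


def _nets(subnets):
    return [ipaddress.ip_network(s) for s in subnets]


def verdict_pairwise(src, dst, subnets):
    """Evaluate the pairwise rule set: drop only if src and dst sit in two different listed subnets."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nets = _nets(subnets)
    return "drop" if any(s in a and d in b for a in nets for b in nets if a != b) else "accept"


def verdict_address_list(src, dst, subnets):
    """Evaluate the address-list rule set in RouterOS order: accept rules first, then the list drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nets = _nets(subnets)
    if any(s in n and d in n for n in nets):                      # same-subnet accept rule matched
        return "accept"
    if any(s in n for n in nets) and any(d in n for n in nets):   # both ends are in ALL_subnets
        return "drop"
    return "accept"                                               # e.g. towards the internet


def rule_sets_agree(subnets, samples):
    """True if both rule sets give the same verdict for every (src, dst) sample."""
    return all(verdict_pairwise(s, d, subnets) == verdict_address_list(s, d, subnets)
               for s, d in samples)


if __name__ == "__main__":
    print(f"pairwise: {len(pairwise_drop_rules(SUBNETS))} rules, "
          f"address list: {len(address_list_rules(SUBNETS))} commands")
    for cmd in address_list_rules(SUBNETS):
        print(cmd)
```

For 20 subnets the pairwise approach needs 380 directional drop rules, while the address-list approach needs 41 commands, of which only 21 are filter rules.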