mattltm
February 27, 2013, 12:17pm
Hi all,
I have an RB750 set up with 2 separate LAN segments:
Office lan: 192.168.10.0/24
Guest lan: 192.168.100.0/24
Switch port 1 set as the gateway
Switch ports 2,3 and 4 set on the office lan
Switch port 5 set on the guest lan
I wish to stop the guest lan from being able to access the office lan.
Can someone provide me with an example firewall rule to do this?
Thanks
Do you have any forwarding chain rules at the moment? If you don’t then you should read the following and block the inter-LAN traffic as part of generally securing your forwarding paths.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
The basics are:
Allow NEW connections from each LAN to WAN
Allow ESTABLISHED connections from WAN to each LAN
Allow RELATED connections from each WAN to LAN
Drop everything else
mattltm
February 27, 2013, 2:27pm
This is what I have so far.
I just set up a hotspot on the guest lan and found that I could no longer access it from the office lan. But I could access the office lan from the guest lan, so it’s working the opposite way to how I want it!
I added
add action=drop chain=forward comment="" disabled=no dst-address=\
192.168.10.0/24 in-interface=ether5-guest-master
Which seems to have stopped the guest lan from accessing the office lan now. I would like to be able to access the guest lan from the office lan though if that is possible?
This is the full set as it stands now:
[admin@MikroTik] /ip firewall> export
# feb/27/2013 14:22:08 by RouterOS 4.11
# software id = KZR6-A26I
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=forward comment="" disabled=no dst-address=\
192.168.10.0/24 in-interface=ether5-guest-master
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=BT
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no in-interface=BT
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=BT
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=dst-nat chain=dstnat comment=webcam disabled=no dst-port=8000 \
in-interface=BT protocol=tcp to-addresses=192.168.10.9
add action=dst-nat chain=dstnat comment=xbox disabled=no dst-port=88 \
in-interface=BT protocol=udp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3074 \
in-interface=BT protocol=udp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3074 \
in-interface=BT protocol=tcp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 \
in-interface=BT protocol=tcp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 \
in-interface=BT protocol=udp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 \
in-interface=BT protocol=tcp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=1863 \
in-interface=BT protocol=tcp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=1863 \
in-interface=BT protocol=udp to-addresses=192.168.10.6
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=BT
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no src-address=192.168.100.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@MikroTik] /ip firewall>
All help welcome
It looks as if you had no forward chain filters prior to adding that one - so in effect you have no “firewall” in the generally accepted meaning. Input chain filters only protect the router itself. Have a look at the wiki entry I referenced earlier. The place you want to be is where your last forwarding rule is a “drop any” and you then have several “accept” rules on the forwarding chain above the “drop any” rule in the execution order. That is really the basis of a firewall.
mattltm
February 27, 2013, 4:40pm
Great.
I have a whole heap of rules now.
Still can’t access the guest lan from the office lan though.
Allow NEW connections from office to guest but only allow ESTABLISHED and RELATED in the opposite direction.
mattltm
February 28, 2013, 7:32pm
Thanks.
I have tried but can’t get it to work.
Could you give me an example of the rule I should be adding?
Thanks.
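Editor's note: the following is an added worked example of the forward chain the earlier replies describe (established/related first, one-way NEW between the LANs, LAN to WAN, drop everything else). It is not from the original posters or from MikroTik documentation. It uses only values that appear in the thread: the two subnets, the WAN interface BT, and the two office hosts (192.168.10.9 and 192.168.10.6) that the dst-nat rules forward to. The likely reason the office LAN still cannot reach the guest LAN in the config above is that the existing drop rule (dst-address=192.168.10.0/24 in-interface=ether5-guest-master) has no connection-state match and sits first in the forward chain, so it also drops the reply packets of connections the office LAN opened; remove that rule before adding these, because rule 3 below replaces it. Rules are evaluated top-down and the first match wins, so the order matters. Separate established and related rules are used because the thread's own export (RouterOS 4.11) writes them that way.

```routeros
/ip firewall filter
# 1. Replies for connections already permitted, in either direction.
#    These must come before any drop between the LANs, or office -> guest
#    connections get their return packets dropped.
add chain=forward connection-state=established action=accept \
    comment="allow established"
add chain=forward connection-state=related action=accept \
    comment="allow related"
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid"
# 2. Office LAN may open NEW connections to the guest LAN (the hotspot).
add chain=forward connection-state=new src-address=192.168.10.0/24 \
    dst-address=192.168.100.0/24 action=accept comment="office -> guest"
# 3. Guest LAN may not open anything towards the office LAN.
#    Replies to office-initiated connections were already accepted in step 1.
add chain=forward src-address=192.168.100.0/24 \
    dst-address=192.168.10.0/24 action=drop comment="guest -> office blocked"
# 4. Both LANs may open NEW connections to the Internet via BT.
add chain=forward connection-state=new src-address=192.168.10.0/24 \
    out-interface=BT action=accept comment="office -> WAN"
add chain=forward connection-state=new src-address=192.168.100.0/24 \
    out-interface=BT action=accept comment="guest -> WAN"
# 5. Port forwards (the dstnat rules for the webcam and xbox) arrive on BT
#    as NEW connections to these two hosts; without this rule the final
#    drop would silently break them.
add chain=forward connection-state=new in-interface=BT \
    dst-address=192.168.10.9 action=accept comment="WAN -> webcam (dst-nat)"
add chain=forward connection-state=new in-interface=BT \
    dst-address=192.168.10.6 action=accept comment="WAN -> xbox (dst-nat)"
# 6. Anything not matched above is dropped: this is the "drop any" the
#    earlier reply describes as the basis of a firewall.
add chain=forward action=drop comment="drop all other forward"
```

To check the result, open a connection from an office host to a guest host and from a guest host to an office host, then look at /ip firewall connection: the office-initiated one should appear and work, the guest-initiated one should never get past rule 3. The rule counters in /ip firewall filter print stats show which rule each packet hit, which is the quickest way to see a misordered rule.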