Hello, as you can read in an older post I set up an interface with a VLAN, looking for some kind of interface isolation for administering the ROS.
http://forum.mikrotik.com/t/winbox-and-vlan/130016/1
This is what I reached:
- Put interface "ether10" outside the default bridge.
- Assign VLAN "100" to interface ether10.
- Assign an IP network to ether10 and properly set up services to listen on ether10.
And now I'm stuck on the firewall part.
I want to stop traffic being forwarded from the ether1-8 network (10.0.1.0/24) to ether9 (10.0.100.0/24), so I wrote rules to drop it and placed them first in the default rule set, but packets can flow from one network to the other:
ping -t -S 10.0.1.50 10.0.100.1
Haciendo ping a 10.0.100.1 desde 10.0.1.50 con 32 bytes de datos:
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
The rules are:
[admin@MikroTik] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=forward action=drop src-address=10.0.1.0/24 dst-address=10.0.100.0/24 log=no log-prefix=""
2 chain=forward action=drop src-address=10.0.100.0/24 dst-address=10.0.1.0/24 log=no log-prefix=""
3 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
6 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
7 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
8 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
9 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
11 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
12 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
Thanks in advance
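Added example, not part of the original post: a small Python model of how RouterOS hands a packet to the input or forward chain and then walks the rule list above. A packet addressed to one of the router's own IP addresses is processed by the input chain; only traffic the router routes between interfaces reaches the forward chain, which is where the two drop rules sit. The model assumes (the post does not state it) that 10.0.1.1 and 10.0.100.1 are the router's own addresses on the bridge and on ether10, and it uses a constructed host 10.0.100.20 behind ether10 as a second target. Rules 7, 8, 9 and 12 match only IPsec or WAN traffic and are left out of the model.

```python
"""Toy model of RouterOS /ip firewall filter chain dispatch.

Added example, not from the original post. Assumption (not stated in the
post): 10.0.1.1 and 10.0.100.1 are the router's own addresses.
"""
import ipaddress

# Constructed: the router's own addresses (assumption, see module docstring).
ROUTER_ADDRESSES = {
    ipaddress.ip_address("10.0.1.1"),
    ipaddress.ip_address("10.0.100.1"),
}

# The filter rules from the post, in order, reduced to the matchers that matter
# here. Rule 0 is a passthrough counter dummy; rules 7-9 and 12 only match
# IPsec or WAN traffic, so neither can change the outcome for LAN pings.
RULES = [
    {"id": 1, "chain": "forward", "action": "drop",
     "src": "10.0.1.0/24", "dst": "10.0.100.0/24"},
    {"id": 2, "chain": "forward", "action": "drop",
     "src": "10.0.100.0/24", "dst": "10.0.1.0/24"},
    {"id": 3, "chain": "input", "action": "accept",
     "connection_state": {"established", "related", "untracked"}},
    {"id": 4, "chain": "input", "action": "drop",
     "connection_state": {"invalid"}},
    {"id": 5, "chain": "input", "action": "accept", "protocol": "icmp"},
    {"id": 6, "chain": "input", "action": "drop",
     "in_interface_list_not": "LAN"},
    {"id": 10, "chain": "forward", "action": "accept",
     "connection_state": {"established", "related", "untracked"}},
    {"id": 11, "chain": "forward", "action": "drop",
     "connection_state": {"invalid"}},
]


def select_chain(dst):
    """Packets addressed to the router itself go to input; routed ones to forward."""
    return "input" if ipaddress.ip_address(dst) in ROUTER_ADDRESSES else "forward"


def rule_matches(rule, pkt):
    """Return True when every matcher present on the rule fits the packet."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    if "protocol" in rule and pkt["protocol"] != rule["protocol"]:
        return False
    if "connection_state" in rule and pkt["connection_state"] not in rule["connection_state"]:
        return False
    # in-interface-list=!LAN: the rule matches only when the packet is NOT from LAN
    if "in_interface_list_not" in rule and pkt["in_interface_list"] == rule["in_interface_list_not"]:
        return False
    return True


def evaluate(pkt):
    """Return (chain, matching rule id or None, action) for one packet."""
    chain = select_chain(pkt["dst"])
    for rule in RULES:
        if rule["chain"] == chain and rule_matches(rule, pkt):
            return chain, rule["id"], rule["action"]
    return chain, None, "accept"  # RouterOS accepts when no rule matches


# Constructed packets: the ping from the post, and a ping to a host behind ether10.
PING_TO_ROUTER = {"src": "10.0.1.50", "dst": "10.0.100.1", "protocol": "icmp",
                  "connection_state": "new", "in_interface_list": "LAN"}
PING_TO_HOST = {"src": "10.0.1.50", "dst": "10.0.100.20", "protocol": "icmp",
                "connection_state": "new", "in_interface_list": "LAN"}

if __name__ == "__main__":
    for name, pkt in (("ping to router", PING_TO_ROUTER), ("ping to host", PING_TO_HOST)):
        chain, rule_id, action = evaluate(pkt)
        print(f"{name}: chain={chain} rule={rule_id} action={action}")
```

Under these assumptions the ping to 10.0.100.1 is accepted by input rule 5 ("accept ICMP") and never consults forward rules 1 and 2, while a ping to a host behind ether10 hits forward rule 1 and is dropped. Testing inter-network isolation against a host on the other side, rather than against the router's own address, tells the two cases apart.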