Subnet Isolation Problem

Hi guys,

Newbie alert: I have set up different subnets on interfaces 2-5 and have separate DHCP servers working fine on all. Internet feed is on port 1 and all interfaces can get internet, cool, all working. What I now need to achieve is stopping the different subnets communicating with each other except to access internet. I have been back and forth following many of the posts' instructions here on the forum creating firewall rules but cannot for the life of me figure out why I can’t stop these different subnets communicating with each other.

Can someone please help a fulla out and give me a bit of advice on where I might be going wrong.

It’s my first foray into RouterOS as part of a project I’m working on and I am increasingly seeing Mikrotik gear around NZ.

Cheers

It is normal that subnets on the same router communicate with each other, as you have discovered. As soon as you add an IP on one interface, its subnet is part of the connected routes. To stop them from communicating with each other, you need firewall filter routes.
For example, let’s suppose that you have 1.1.1.0/24 on ether2 and 2.2.2.0/24 on ether3. The firewall filter rules should be:

/ip firewall filter
add chain=forward src-address=1.1.1.0/24 dst-address=2.2.2.0/24 action=drop
add chain=forward src-address=2.2.2.0/24 dst-address=1.1.1.0/24 action=drop

Hi Caci99,

Thanks for the reply. Yeah, I tried that and still no luck: used the command line and then the GUI in Winbox, and still the connection continues to ping away happily between subnets.

Below is my complete config. Baffled still.

############
[admin@MikroTik] > export

jan/02/1970 00:26:57 by RouterOS 6.15

software id = ICMS-0ZFN

/interface bridge
add admin-mac=4C:5E:0C:78:A9:23 auto-mac=no l2mtu=1598 name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors l2mtu=2290 mode=ap-bridge ssid=MikroTik-78A927
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool1Port3 ranges=10.0.0.50-10.0.0.254
add name=pool2port4 ranges=192.168.2.50-192.168.2.254
add name=pool3port5 ranges=192.168.3.50-192.168.3.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local lease-time=10m name=default
add address-pool=pool1Port3 disabled=no interface=ether3-slave-local lease-time=1h name="Port3 DHCP"
add address-pool=pool2port4 disabled=no interface=ether4-slave-local name="Port4 DHCP"
add address-pool=pool3port5 disabled=no interface=ether5-slave-local name="Port5 DHCP"
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=bridge-local network=192.168.88.0
add address=10.0.0.1/24 interface=ether3-slave-local network=10.0.0.0
add address=192.168.2.1/24 interface=ether4-slave-local network=192.168.2.0
add address=192.168.3.1/24 interface=ether5-slave-local network=192.168.3.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward dst-address=192.168.2.0/24 src-address=10.0.0.0/24 src-address-list=""
add action=drop chain=forward dst-address=10.0.0.0/24 src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
/ip upnp
set allow-disable-external-interface=no
/system leds
set 0 interface=wlan1
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
[admin@MikroTik] >

You should not try it from the router itself, which obviously can reach those subnets; otherwise it wouldn’t be able to route them. Try it from one device to another on different subnets.

Sorry, I meant I used the GUI and command line to create the firewall rules.

I’m pinging the other subnet’s gateway address on ether4 from a laptop plugged into ether3.

I shouldn’t be able to do that right?

If you’re pinging the gateway addresses, you should get a ping response, yes. The router will always be able to talk to all devices.

To test your setup, you need IP devices on each port, i.e. a PC on port 2 and a PC on port 4. If you can’t ping the other PC, it’s working as expected.

As @rmmccann says, you should try it from one device of subnet A to another device on subnet B. For example, you have:

/ip address
add address=1.1.1.1/24 interface=ether3
add address=2.2.2.1/24 interface=ether4

With the above configuration and filter rules, you should not be able to ping 2.2.2.10 from 1.1.1.10.
Address 2.2.2.1, which is the gateway for subnet 2.2.2.0/24, is on a router interface, so it is normal that it will respond to your ping request. If you really want subnet 1.1.1.0/24 to not be able to ping the gateway of the other subnet (2.2.2.1) as well, then you need another filter rule on the input chain. Be careful though, as you might leave yourself out of the router if you do it wrong:

/ip firewall filter
add chain=input src-address=1.1.1.0/24 dst-address=2.2.2.0/24 action=drop

Input and output chains are for traffic to the router itself; the forward chain is for traffic through the router, i.e. the connected subnets.

Ok, some success. I didn’t bother trying to ping a device on the other subnet earlier, so cool, yes, it’s blocking comms between addresses on the different subnets. I tried that input filter rule but I can still ping the gateway?

The rule in input chain works. In your case it is not working because you have a default configuration rule which accepts icmp protocol, which is ping. The rule I am talking about is:

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp

You should place the rule which drops the connection above/before this one.
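A complete isolation config for the four subnets in the export above, as an added example that is not part of the thread or of anyone's reply: it replaces the per-pair forward drops with one address-list rule and uses place-before to put the input-chain drops ahead of the default ICMP accept, which is the ordering point made above. The list name lan-subnets and the rule comments are assumptions; the interface names and addresses come from the posted export.

```routeros
# Added example, not the thread's own config: isolate the four LAN subnets from
# the export above (192.168.88.0/24 on bridge-local, 10.0.0.0/24 on ether3,
# 192.168.2.0/24 on ether4, 192.168.3.0/24 on ether5). The list name
# "lan-subnets" and the rule comments are assumptions, not from the thread.

/ip firewall address-list
add list=lan-subnets address=192.168.88.0/24 comment=bridge-local
add list=lan-subnets address=10.0.0.0/24 comment=ether3-slave-local
add list=lan-subnets address=192.168.2.0/24 comment=ether4-slave-local
add list=lan-subnets address=192.168.3.0/24 comment=ether5-slave-local

/ip firewall filter
# Forward chain = traffic THROUGH the router. One list-based rule replaces a
# drop pair per subnet combination. Appending it after the default
# established/related accepts and invalid drop is fine: the forward chain has
# no earlier accept that a new LAN-to-LAN connection would match. Internet-bound
# packets have a destination outside the list, so they are not touched.
add chain=forward action=drop src-address-list=lan-subnets \
    dst-address-list=lan-subnets comment="drop LAN-to-LAN"

# Input chain = traffic TO the router itself (the gateway addresses). The
# default "accept icmp" rule comes first, so a drop appended at the end never
# sees a ping; place-before inserts each drop ahead of that accept. A host may
# still reach the gateway on its own interface, so DNS, DHCP and Winbox on
# 192.168.88.1 keep working for bridge-local clients (no lock-out).
add chain=input action=drop in-interface=ether3-slave-local \
    dst-address-list=lan-subnets dst-address=!10.0.0.1 \
    comment="ether3: only own gateway" \
    place-before=[find chain=input protocol=icmp comment="default configuration"]
add chain=input action=drop in-interface=ether4-slave-local \
    dst-address-list=lan-subnets dst-address=!192.168.2.1 \
    comment="ether4: only own gateway" \
    place-before=[find chain=input protocol=icmp comment="default configuration"]
add chain=input action=drop in-interface=ether5-slave-local \
    dst-address-list=lan-subnets dst-address=!192.168.3.1 \
    comment="ether5: only own gateway" \
    place-before=[find chain=input protocol=icmp comment="default configuration"]
add chain=input action=drop in-interface=bridge-local \
    dst-address-list=lan-subnets dst-address=!192.168.88.1 \
    comment="bridge-local: only own gateway" \
    place-before=[find chain=input protocol=icmp comment="default configuration"]

# Check the order (the drops must be listed above the icmp accept) and watch
# the counters while pinging across subnets from a client, not from the router.
/ip firewall filter print stats where chain=input
```

After applying it, a laptop on ether3 should still reach 10.0.0.1 and the internet, but pings to 192.168.2.1 and to any host in 192.168.2.0/24 should time out, with the counters on the new rules increasing.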

Great, it all works. Thanks for your help guys, much appreciated.