Traffic Between Multiple LAN Interfaces

tombutt · June 24, 2010, 7:34pm

Hi all. Been watching the forums for a while now and been able to use prior posts to help my cause, but I’ve come to a dead end on this one

Basically, I have one WAN interface to public IPs. And 3 LAN interfaces that each go to a different subnet network. What I’d like to achieve is complete isolation of each interface. The LAN interfaces cannot talk to each other – only WAN. We’re moving from physical segmented networks with two firewalls to one firewall and would like to keep them separated.

For the time being, I’ve just added a reject forward rule for each interface so they don’t talk. But is there a better way? Is this even possible? Was thinking using VLANs or some routing rules.

Any help would be greatly appreciated Thanks!!

mrz · June 28, 2010, 9:01am

Set up firewall to block communication between lan segments.

bafh · June 28, 2010, 10:28am

Yep. Same here, just added some rules that 192.168.0.0/24 cannot access 192.168.1.0/25 and other way around. Easy.

fewi · June 28, 2010, 1:51pm

Another way to isolate all LAN segments from one another regardless of IP addressing is to keep state for connection and allow established traffic, and then drop everything that is going through the router and isn’t destined to the WAN:

/ip firewall filter 
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward out-interface=!WAN action=drop

bafh · June 28, 2010, 4:29pm

Isn’t that like scratching left leg with right hand?

fewi · June 28, 2010, 4:31pm

What?

bafh · June 28, 2010, 5:01pm

There are at least couple of ways how to filter something, but IMHO the best way is the simplest, that doesn’t use all the CPU and memory. Am I wrong?

fewi · June 28, 2010, 5:10pm

I believe that my way is the fastest and uses the least resources, as long as connection tracking is on (and it is required for NAT, so it’s turned on on the vast majority of routers).

Looking up connection state is a very quick operation and can happen right at the top of the chain, so for the vast majority of packets you’re processing exactly one rule. When you have more than one LAN interface, it’s faster to just look up the out-interface as one property of each packet (each packet that hasn’t been processed by the connection state rules further up, which should be less than 5% of all packets even in horrible circumstances) than to potentially process several rules enlisting all the possible source and destination addresses on the several LAN interfaces.

tombutt · June 28, 2010, 6:07pm

Thanks for the great replies. I’m going to give fewi’s approach a try and will report back Over the weekend I managed to setup routing rules that seemed to segment traffic fine, but would still like to see the outcome of using connection states.

rmichael · June 28, 2010, 8:43pm

fewi:

Another way to isolate all LAN segments from one another regardless of IP addressing is to keep state for connection and allow established traffic, and then drop everything that is going through the router and isn’t destined to the WAN:
/ip firewall filter 
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward out-interface=!WAN action=drop

Quite clever and efficient if I may say so

I think above will also block and port-forwarding from internet to LAN.

fewi · June 28, 2010, 9:04pm

Yes, it does. If you needed services you’d have to insert accepts just above the drop. For example, if you wanted port tcp/5900 open towards 192.168.1.100 after destination NAT this would become:

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward protocol=tcp dst-port=5900 dst-address=192.168.1.100 action=accept
add chain=forward out-interface=!WAN action=drop

I know you know that, but just for other people reading along

rmichael · November 11, 2010, 10:58am

Here’s another way to do it:

add action=reject chain=forward comment="Drop traffic between LAN interfaces" disabled=no \
    dst-address-list=PrivateSubnets in-interface=!ether2-WAN reject-with=icmp-admin-prohibited

PrivateSubnets list comprises of LAN subnets.

chippers · April 2, 2013, 5:00am

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward protocol=tcp dst-port=5900 dst-address=192.168.1.100 action=accept
add chain=forward out-interface=!WAN action=drop

Dragging up an old thread but it’s relevant

I used the above method successfully with a bridged LAN and WLAN device (192.168.0.x) and a virtual WLAN AP (192.168.55.x) on the same device RB751G.

Now I want to allow the 192.168.55.x range access to the printer on 192.168.0.100, nothing i’ve tried so far seems to work.
(accept/allow rules on the input filter for that source range and destination address)

any clues?

thanks in advance