Tunnel - block subnet access from one side

(I’m not even sure this can be done)
I have a GRE tunnel between two MikroTiks. Everything is configured and running stable; I can access both subnets.

Point A subnet - 192.168.1.0/24
Point B subnet - 192.168.2.0/24

Now, what I’m trying to do is prevent Point B from accessing Point A network devices, so for example 192.168.1.4 should have access to 192.168.2.5, but not vice versa, even if someone adds a route at Point B pointing to the Point A subnet (which is really unlikely, but I still want to know if this can be done using the firewall only at Point A).

Sure you can. Basic idea:

#1 accept established and related connections
#2 accept connections originating from A to B
#3 block the rest

Rule #1 will allow reply packets for #2 connections that would be otherwise blocked by #3. And of course you must make it work with current setup, so unless you’d want these rules tied only to tunnel traffic, you’d need to add at least one other rule to allow traffic from LAN to internet.

Thanks! I need to read about connection states…
Ended up configuring it like this:
Allow forward established + related with in-interface=gre-tunnel
Allow forward with src 192.168.1.0/24 and out-interface=gre-tunnel
Drop everything else forward with in-interface=gre-tunnel

No “drop everything for all networks” rule in that case

Working great so far.

UPD: actually, why not in one rule?
/ip firewall filter
add action=drop chain=forward comment="OFFICE: block access to internal network" connection-state=!established,related in-interface=gre-tunnel src-address-list=!internal-users
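The whitelist version of the three rules described in the reply above, written out as RouterOS CLI commands for the Point A router (added example, not taken from the posts; the interface name gre-tunnel and the subnets are the ones used in the thread, the comments and the stats check are my additions):

```routeros
# Point A router (192.168.1.0/24), RouterOS CLI. "gre-tunnel" is the interface
# name used in the thread; replace it with the actual GRE interface name.
/ip firewall filter

# 1. Replies to connections that were opened from the A side are allowed back
#    in. Without this rule, rule 3 would drop every returning packet.
add chain=forward action=accept connection-state=established,related \
    in-interface=gre-tunnel comment="GRE: allow replies to A->B sessions"

# 2. New connections may only be opened from the A subnet toward the tunnel.
add chain=forward action=accept connection-state=new \
    src-address=192.168.1.0/24 out-interface=gre-tunnel \
    comment="GRE: allow A -> B"

# 3. Everything else arriving from the tunnel is dropped. Because the rule is
#    tied to in-interface=gre-tunnel, LAN-to-internet traffic is untouched and
#    no separate "allow LAN to internet" rule is needed for it.
add chain=forward action=drop in-interface=gre-tunnel \
    comment="GRE: drop B -> A and anything else from the tunnel"

# Rules are evaluated top to bottom. If the forward chain already holds a
# broad accept rule, these three must sit above it (add place-before=0 to
# each "add", or move them in /ip firewall filter).

# Verification: packet counters per rule. A session from 192.168.1.4 to
# 192.168.2.5 should raise the counters on rules 1 and 2; a connection
# attempt from 192.168.2.5 toward 192.168.1.4 should only raise rule 3.
/ip firewall filter print stats where comment~"GRE"
```

Rule 2 adds connection-state=new on top of the thread's version, so packets that are neither part of a known connection nor a valid new one fall through to the drop rule instead of being accepted.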

Your one-rule solution is ok too. It’s just that I’m used to whitelist approach, block everything by default and only add allowed exceptions. It’s a little safer, because when there’s a mistake, things don’t work and it gets noticed immediately. With blacklist approach (allow everything by default and block what you don’t want) mistakes can go unnoticed for a long time.

A proper firewall is on my roadmap; this is still mostly an experimental homelab network.