I have 2 unmanaged switches between which I would like to limit traffic, but I’m completely new to RouterOS and am a bit overwhelmed by the options. I can get into the nitty gritty specifics of my site, but I believe my question can be answered if we approach it more generally and it may be applicable to others if we don’t focus on the specifics.
So there are devices connected to both switches that need to talk to each other, and there are devices that shouldn’t talk to each other, all on the same LAN. So I’m not sure what is better: setting up a whitelist or a blacklist, and then having a blanket deny or blanket accept rule, respectively. And next, I’m not sure if I should be blocking based on MAC or IP addressing. It would be easier to blacklist the 3 interfaces that I don’t want to cross the bridge, since there are only 3 (1 on one side, 2 on the other). But I assume it would be more secure to just deny all traffic and specify what I want to cross. But this is more complex because there are anywhere from 37-73 devices on one side, and 3 or so on the other (coming from multiple subnets). It seems like more work and more complex to set up the whitelist, but may be easier if I could specify ranges (like .52-.89). And is there anything else I need to know about this sort of configuration? Like default settings I need to override, or do I need to set 2 ports to ‘bridge’ mode or anything like that?
Normally in a situation like this you should always consider splitting the network, i.e. use routing instead of bridging.
But it can be done using bridging: in the bridging setup you can enable the IP firewalling on bridging and then you can create rules that reference the bridge input port and that apply filtering on all levels that you want (MAC, IP, and up).
Side note, I was using webfig, and did something to freeze the box. I was trying to add a new firewall filter and maybe hit OK too many times. Things froze, and I had to download Winbox, which found it but saw IP was set at 0.0.0.0. I rebooted the device a number of times, and reset it, and was able to get back in. But any time I’d change the IP address in Winbox, it’d crash again. So I started using Webfig again and not changing the IP address, and now it seems to be working again for now.
I’m writing because I added a basic rule /IP Firewall drop input src 192.168.1.107 using webfig. However, I have a laptop with that static IP hooked up to the switch with a constant ping to google, and I have not dropped that connection. I do have bridge set up with IP firewall checked.
Also, what does the box [!] do next to the src. address?
And could someone explain the address lists to me? Add new seems to only add a single address, not a ‘list’. It just gives me the additional parameters for naming and commenting on an address. And when I select the src. address list in the firewall, it doesn’t give me a “select all” sort of option. So maybe I don’t understand what is being ‘listed’.
The Firewall Chains:
Input = anything destined to the router itself. i.e. Webfig,WinBox,FTP,etc…
Output = anything coming from the router itself.
Forward = anything forwarded by the router. i.e. Computer to computer, LAN to Internet, Internet to LAN
Your drop rule for the laptop only dropped access to the router; change the chain to Forward to drop access to the Internet.
As for the Address List, the Name is used in a Firewall rule under src-address-list and/or dst-address-list to match the IPs or URLs you added with the same name. You would use src-address-list to replace src-address.
So what you are trying to accomplish would translate to VLAN filters in Cisco land. Like others have said, enable IP firewall on the bridge and add ACLs to deny certain traffic. I generally steer folks towards segmenting the network if they have hosts that shouldn’t talk to one another by adding a VLAN or attaching those devices to a different router or routed interface. That said, there is a time and a place where you may desire this behavior. By default MikroTik ACLs will permit any traffic not dropped by a rule. With this knowledge in hand be as specific as possible when matching traffic to drop and the rest will flow unhindered.
An example rule would be to leverage the in-bridge and out-bridge targets along with in-interface and out-interface rules to ensure you have the traffic you want to be dropped.
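Putting the two replies above together (forward chain instead of input, an address list instead of a single src-address, and the bridge port matchers), here is an added RouterOS CLI example of what the corrected rule set could look like. It is not from the original posts or from MikroTik; the bridge name `bridge1`, the port names `ether2`/`ether3`, and the 192.168.1.0/24 subnet for the .52-.89 range are assumptions, and the list name is made up.

```routeros
# Assumed layout: switch A on ether2, switch B on ether3, both ports in bridge1.
# Without this setting, /ip firewall rules never see bridged (switched) traffic.
/interface bridge settings set use-ip-firewall=yes

# The address list is just a named set of entries; every entry with the same
# list= name belongs to the same list. Ranges are allowed, so the .52-.89 block
# from the question is one entry rather than 38 of them.
/ip firewall address-list add list=isolated-hosts address=192.168.1.107 comment="laptop from the question"
/ip firewall address-list add list=isolated-hosts address=192.168.1.52-192.168.1.89 comment="assumed range on switch A"

# The original rule used chain=input, which only covers traffic to the router itself.
# Host-to-host traffic crossing the bridge is chain=forward. in-bridge-port and
# out-bridge-port pin the rule to traffic moving from switch A to switch B.
/ip firewall filter add chain=forward in-bridge-port=ether2 out-bridge-port=ether3 \
    src-address-list=isolated-hosts action=drop log=yes log-prefix="bridge-drop"

# Same rule in the opposite direction, so the isolated hosts cannot be reached
# from switch B either. Everything not matched is still accepted by default,
# which is why drop rules alone are enough here.
/ip firewall filter add chain=forward in-bridge-port=ether3 out-bridge-port=ether2 \
    dst-address-list=isolated-hosts action=drop log=yes log-prefix="bridge-drop"

# Check that the rule is actually matching: the packet/byte counters and the
# log entries (log-prefix "bridge-drop") should grow while the laptop's ping runs.
/ip firewall filter print stats where chain=forward
/log print where message~"bridge-drop"
```

Verify with the laptop's constant ping after adding the forward rules; if the counters stay at zero, confirm the ports are really members of bridge1 and that use-ip-firewall shows yes in /interface bridge settings print.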