Why can my /30 subnet talk to other subnets?

Hi there,

I have set up a few /30 subnets in my CCR1036: 192.168.1.5/30 and 192.168.1.9/30 on a local bridge.

When I set my laptop to 192.168.1.6/30 and use 192.168.1.5 as the gateway I have internet and everything works BUT it can ping 192.168.1.9 and in fact all other IPs on different interfaces and subnets of the CCR1036.

Does anyone know why this is happening? I want them to be completely separated and unreachable to each other.

Config is below:

/ip address
add address=192.168.0.2/24 comment=defconf interface=ether1 network=192.168.0.0
add address=10.0.0.1 interface=LB1 network=10.0.0.1
add address=192.168.1.5/30 interface=Local_Trunk network=192.168.1.4
add address=192.168.1.9/30 interface=Local_Trunk network=192.168.1.8

/interface bridge port 
add bridge=Local_Trunk interface=sfp4
add bridge=Local_Trunk interface=ether12
add bridge=Local_Trunk interface=ether11

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

/ip route
add distance=1 gateway=192.168.0.1

Thanks in advance

You have to set up /ip firewall filter rules which will block unwanted connections. By default your router is happily routing packets according to its configuration.

Other than that, your setup is flawed on the L2 (ethernet) level. Right now your subnets are not physically separated. If you really want separation between subnets which can’t be bypassed by client configurations, you’ll have to use different ports for different subnets … then either set the router’s LAN IP addresses on the appropriate ports … or you can use VLANs with those ports being access ports for the appropriate VLANs … and use /interface vlan to set the router’s LAN IP addresses.
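As an added example, not taken from any post in this thread, here is one way to do the VLAN variant described above on the Local_Trunk bridge from the original config. It assumes RouterOS 6.41 or later (bridge VLAN filtering); the VLAN IDs 10 and 20, the port-to-VLAN assignment and the interface names vlan10/vlan20 are assumptions. sfp4 is left on the bridge with its default PVID and should be assigned to a VLAN the same way before filtering is switched on.

```routeros
# Added example (not the thread's own config): one VLAN per /30 on Local_Trunk.
# Assumes RouterOS 6.41+; VLAN IDs and port assignments are illustrative.

# Keep VLAN filtering off while the tables are built
/interface bridge
set Local_Trunk vlan-filtering=no

# Each access port gets the PVID of its VLAN: untagged frames from ether11
# land in VLAN 10, from ether12 in VLAN 20
/interface bridge port
set [find interface=ether11] pvid=10
set [find interface=ether12] pvid=20

# Bridge VLAN table: the bridge interface itself is a tagged member so the
# router CPU can own an IP address in each VLAN
/interface bridge vlan
add bridge=Local_Trunk tagged=Local_Trunk untagged=ether11 vlan-ids=10
add bridge=Local_Trunk tagged=Local_Trunk untagged=ether12 vlan-ids=20

# Layer-3 interfaces for the router, one per VLAN
/interface vlan
add name=vlan10 interface=Local_Trunk vlan-id=10
add name=vlan20 interface=Local_Trunk vlan-id=20

# Move the /30 addresses from the bridge onto the VLAN interfaces
/ip address
remove [find interface=Local_Trunk]
add address=192.168.1.5/30 interface=vlan10 network=192.168.1.4
add address=192.168.1.9/30 interface=vlan20 network=192.168.1.8

# Only now enforce the VLAN table on the bridge
/interface bridge
set Local_Trunk vlan-filtering=yes
```

After this, a host on ether11 that changes its own address to something in 192.168.1.8/30 still sits in VLAN 10 and never shares a broadcast domain with ether12, so the separation no longer depends on the client honouring its subnet mask. Apply it from a session that does not go through the bridge (ether1 at 192.168.0.2 in the original config) or inside Safe Mode, because the last command changes how the bridge forwards frames and a wrong VLAN table can cut off the management session.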

It is because your clients and your router know where to look for each other. In a /24, they would talk directly as they are in the same broadcast domain, but in your example they are sending traffic to the router, and the router knows ‘hey, I know how to get to IP x’ so routes it, no issue.

Best thing to do would be set up firewall rules. If you want a blanket rule to stop all clients talking to each other maybe something like

/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.1.0/24 action=drop

What this does is allow communication direct with the router, but does not allow any 192.168.1.x address to talk to any other 192.168.1.x address.

The rule specifies /24, but it will catch all /30’s within that /24.

I have tried using the filter rule you suggested but it doesn’t seem to make a difference? 192.168.1.6/30 can still ping 192.168.1.9/30

EDIT: I have changed it from

chain=forward

to

chain=input

and that seems to be working :slight_smile:

Thanks for your input, can you give an example of a /firewall filter rule that would work?

Thanks,

It’s gateway stuff, baby :smiley:

Try to use the exact /30 subnets in source and destination with the forward chain. That should make sense :slight_smile:
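As an added example (not a rule set posted in this thread), here is a filter set using the exact /30s from the original config. It accounts for one detail the thread runs into: 192.168.1.9 is the router’s own address on Local_Trunk, so a ping from 192.168.1.6 to 192.168.1.9 is handled by the input chain, not forward, which is why a forward-only rule did not stop that ping while chain=input did. Traffic to a host behind the other /30 does cross the forward chain, so both chains are needed for full isolation. The rule comments and ordering are assumptions.

```routeros
# Added example (not the thread's own rules): isolate 192.168.1.4/30 and
# 192.168.1.8/30 from each other on both the forward and input chains.
/ip firewall filter

# Transit traffic: hosts in one /30 must not reach hosts in the other /30.
# Return packets of already-accepted flows are let through first.
add chain=forward connection-state=established,related action=accept \
    comment="allow return traffic"
add chain=forward src-address=192.168.1.4/30 dst-address=192.168.1.8/30 \
    action=drop comment="isolate /30 A -> /30 B"
add chain=forward src-address=192.168.1.8/30 dst-address=192.168.1.4/30 \
    action=drop comment="isolate /30 B -> /30 A"

# Traffic to the router itself: each /30 may talk only to its own gateway
# address (.5 or .9); every other router address in 192.168.1.0/24 is dropped.
# This is the rule that stops 192.168.1.6 pinging 192.168.1.9.
add chain=input src-address=192.168.1.4/30 dst-address=192.168.1.5 \
    action=accept comment="/30 A to its own gateway"
add chain=input src-address=192.168.1.8/30 dst-address=192.168.1.9 \
    action=accept comment="/30 B to its own gateway"
add chain=input src-address=192.168.1.0/24 dst-address=192.168.1.0/24 \
    action=drop comment="no other router LAN addresses from the /30s"
```

Check the result with the rule counters (/ip firewall filter print stats) while pinging from the laptop: the ping to 192.168.1.9 should increment the input drop rule, a ping to a host behind the other /30 should increment a forward drop rule. Extend the input drop to the router’s other addresses (10.0.0.1 and 192.168.0.2 in the original config) if those should also be unreachable from the LAN. As noted earlier in the thread, while both /30s share one bridge these are layer-3 rules only: a client that reconfigures its own address can still reach the other subnet at layer 2, so VLANs or separate ports are what make the separation hold.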