You only need to set that address 192.168.2.253/24 on one of the ports of the MikroTik and take that port out of the switch or bridge used for the LAN. Then connect it to the other network.

Thank you for the response!
So cable from SRX to Mikrotik port (say) 5.
Then configure (in the Mikrotik) port 5 with a fixed IP of 192.168.2.253/24, which would allow the devices on 192.168.2.x to reach the devices on the other LAN 192.168.3.x?

Of course! With a cable, of course, running from the port on the MikroTik where that address is configured to any port on the switch.

If you wish to only allow communication between 192.168.3.0/24 and 192.168.2.250 (printer IP) then you will want to configure a firewall rule which only permits said communication between the networks and will deny all other traffic between them.

Hi, thank you. I can see this is an important point as both LANs have different routers etc. This will prevent a lot of cross-talk.
What would this rule look like?
Thanks!

Something like this:

chain=forward action=accept src-address=192.168.3.0/24 dst-address=192.168.2.250/32 log=no log-prefix=""
chain=forward action=accept src-address=192.168.2.250/32 dst-address=192.168.3.0/24 log=no log-prefix=""
chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.3.0/24 log=no log-prefix=""
# Mikrotik has internet via PPPoE tagged on VLAN10
# LAN A 192.168.3.0/24 is primary LAN
# LAN B 192.168.2.0/24 is another LAN with a printer at IP 192.168.2.152
# LAN B's switch is connected with a patch cable to ethernet port 3 on Mikrotik
# The goal is to allow workstations on LAN A to use the printer on LAN B
#
/interface ethernet
set [ find default-name=ether2 ] comment="ether2 LAN" name=LAN
set [ find default-name=ether1 ] comment="ether1 WAN port" name=WAN
set [ find default-name=ether3 ] comment="printer on LAN B"
set [ find default-name=ether4 ] arp=disabled comment=spare master-port=LAN
set [ find default-name=ether5 ] arp=disabled comment=spare master-port=LAN
/ip neighbor discovery
set LAN comment="ether2 LAN A"
set WAN comment="ether1 WAN port internet"
set ether3 comment="printer LAN B"
set ether4 comment=spare
set ether5 comment=spare
/interface vlan
add interface=WAN name=VLAN10 vlan-id=10
/interface pppoe-client
add add-default-route=yes comment="ISP PPPoE client WAN" disabled=no \
interface=VLAN10 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out1 \
password=xxxxxxxxxx use-peer-dns=yes user=yyy@zzz
/ip neighbor discovery
set pppoe-out1 comment="ISP PPPoE client WAN"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.3.50-192.168.3.150 comment="DHCP pool for LAN A"
/ip dhcp-server
add address-pool=dhcp disabled=no interface=LAN lease-time=1d name=dhcp1
/ip neighbor discovery settings
set default=no
/ip address
add address=192.168.3.254/24 comment="LAN A" interface=LAN network=\
192.168.3.0
add address=192.168.2.250/24 comment=\
"Mikrotik's ethernet#3 port has 192.168.2.250 IP on LAN B" interface=ether3 \
network=192.168.2.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-server network
add address=192.168.3.0/24 comment="DHCP to LAN" gateway=192.168.3.254
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=xx.xx.xx.xx comment="management IP" list="Allowed IPs"
add address=192.168.3.0/24 comment="allow management from LAN A" list="Allowed IPs"
add address=xx.xx.xx.xx comment="management IP" list="Allowed IPs"
/ip firewall filter
add action=accept chain=input comment="allow ping from LAN B" disabled=\
yes dst-address=192.168.2.250 protocol=icmp src-address=192.168.2.0/24
add action=accept chain=forward comment=\
"allow traffic from LAN A 192.168.3.0 to printer IP 192.168.2.152 on LAN B" dst-address=\
192.168.2.152 src-address=192.168.3.0/24
add action=accept chain=forward comment=\
"allow traffic from LAN B printer IP 192.168.2.152 to LAN A" dst-address=\
192.168.3.0/24 src-address=192.168.2.152
add action=drop chain=forward comment=\
"drop all other traffic from LAN B 192.168.2.0/24" dst-address=\
192.168.3.0/24 src-address=192.168.2.0/24
add action=accept chain=input comment="winbox admin from WAN" dst-port=8291 \
protocol=tcp
add action=accept chain=input comment=\
"Accept connections TO router from allowed IPs" src-address-list=\
"Allowed IPs"
add action=drop chain=forward comment="Drop invalid packets THROUGH router" \
connection-state=invalid
add action=accept chain=forward comment="Accept new connections from LAN" \
connection-state=new in-interface=pppoe-out1
add action=accept chain=forward comment="Allow related connections" \
connection-state=related
add action=accept chain=forward comment="Allow established connections" \
connection-state=established
add action=drop chain=forward comment=\
"Drop all other traffic THROUGH the router" disabled=yes
add action=accept chain=input comment=\
"Allow established connections to the router" connection-state=established
add action=accept chain=input comment=\
"Allow related connections to the router" connection-state=related
add action=drop chain=input comment="Drop all other traffic TO the router"
add action=drop chain=forward comment="Drop invalid packets TO router" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="Allow outgoing traffic" \
dst-address=0.0.0.0/0 out-interface=pppoe-out1
/ip service
set telnet disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name="MikroTik"
/system note
set note=\
"Authorised administrators only. Access to this device is monitored."
/system ntp client
set enabled=yes server-dns-names=us.pool.ntp.org,pool.ntp.org
Alright, there are some issues... You can't just rely on a /24 network between the routers to route your traffic effectively. I created a rudimentary diagram to show how you can set this up and have it work. You can adjust the IPs as needed.
Now the ip route commands are probably not the correct syntax for Mikrotik, but it should get you close. You have to inform the routers where to send packets. Instead of using IPs from your /24 LAN, we'll use a different address space to keep things simple. This can be done with addresses from your LAN, but just for now change it up. The ".1" and ".2" represent the last octet of that network address space going between the routers. When it comes to the routes, you have to point the traffic you are trying to reach to the remote or distant interface. Your firewall rules will still come into play, if you want to limit traffic into and out of the network.
Hopefully this makes more sense for you and you can quickly get things set up the way you want.

pohutukawa.png

Hi and thanks for your helpful reply, complete with diagram!

Hey pe1chl, are you around? Tried to contact you via forum but maybe we need to be "friends" first?

Once you have the /30 configured between them, go ahead and ping the remote IP from each box. Before we get into configuring routes and FW rules, let's make sure the basics are working.
If both ping successfully, move on to creating the static routes. You then want to test that by pinging the printer's IP address from the remote LAN. Now you want to add FW rules to limit traffic and test again to ensure you maintain the desired level of connectivity.

Hi and thanks again for your help.
I think I've got my head around this, but I have a problem: the administrators of the Juniper box have given me a fixed IP and basically said that I need to sort it out from there. Additionally, the Juniper side is a busy network for most hours so it's difficult to get in and experiment for fear of crashing their network routing or something.
Is there any other way of achieving this just from the Mikrotik side?
I do appreciate you taking the time to contribute. I have done quite a bit of research and haven't come up with anything particularly useful!
Regards
Robin
Since we only discussed static routes you can't "crash their network routing."
On the Juniper side, what is the IP of the interface that connects to the Mikrotik, or is it set up as a switchport? Unless they intend for you to set up a NAT with their IP they will have to have some routing changes to point back to your network for relevant data flows.
Redo the diagram with the correct IPs and connection information so we can make sure we are talking "on the same page."

Hi Revelation, thanks for the additional info.
I have made a diagram (see below). Please let me know if something isn't clear and I will update!
Your comment regarding NAT with their IP is particularly interesting. I think that this is their preferred configuration.
Regards
Robin

I don't see a diagram, could also be my work computer - they provide a POS.
Hi Again!
Just a quick reply with some links for the image...
https://s22.postimg.io/4r6uq2kz5/network.png
or shortened with Goo.gl:
goo.gl/hrXkyX
Can you see those?
Could always email…
Regards
Robin

I'm at work, so I cannot verify syntax. Basically the IP they provided will be assigned to your interface. You will then set up an ip route, if it is not added automatically, to reach all of the /24 address space using that IP / interface.
You will set up NAT with masquerade using that IP. This will be in addition to your NAT for traffic leaving through your WAN. When I have a chance, after I am off work, I will lab it up and see if there is any need for additional configs.
**EDIT**
You will probably want or need a firewall rule allowing your subnet to reach the printer IP via that NAT. That way only that specific traffic uses that NAT and for everything else the default route out through your WAN.

Hi, did the links work for you?
Thanks!
Robin
Hey Robin,
Got it sorted and what I was thinking was correct. So I am going to assume that you have a masquerade for your LAN traffic to go out your WAN interface already based on the diagram.
Next we want to configure another NAT:

chain=srcnat action=masquerade src-address=192.168.3.0/24 dst-address=192.168.2.152 out-interface=ether3 log=no log-prefix=""

We now want to configure firewall rules to permit traffic to reach the printer and to deny any traffic coming into your network that isn't supposed to:

chain=forward action=accept src-address=192.168.3.0/24 dst-address=192.168.2.152 out-interface=ether3 log=no log-prefix=""
chain=forward action=accept src-address=192.168.2.152 dst-address=192.168.3.0/24 in-interface=ether3 log=no log-prefix=""
chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.3.0/24 log=no log-prefix=""

With this config it also limits your LAN hosts from reaching any other IP in the 192.168.2.0/24 network. Obviously you can change that should your needs change down the road.
This should get you where you need to be.
The reason I like using interface on the NAT option is in case the Juniper admin ever forces you to change the IP address assigned, or switches it to DHCP. For the firewall rules, you really don't need the interface option on those; I add them out of habit.

Hey Revelation
Thanks! I will try this configuration and see how I get on.
With my earlier configuration, I was firstly missing the NAT masquerade and additionally did not have ether3 as out/in interfaces on the first two firewall rules.
On the drop firewall rule (your #3 above) do I need to specify any in/out interface(s)?
Cheerio
Robin
Hi Revelation
Well that worked fantastically and exactly as expected.
Thank you so much for your help with this. I've learned a lot, which will also apply to other situations I'm sure to face, so thank you for your help on the education front also!
Best wishes
Robin

Glad everything is working as expected.
Hi Revelation
One minor issue has arisen whereby Macs on both networks can see one another via Bonjour, which as far as I can ascertain uses UDP 5353 multicast.
Do I need to define a specific firewall rule dropping all UDP packets between the two LANs and if so what would that look like?

> Multicast DNS operates over UDP (IP protocol 17) with a destination port 5353 and a source port above 1024. The destination address is, of course, a multicast address (in the 224.0.0.0 range). Responses to mDNS multicasts originate from UDP port 5353, but are bound for a random high port above 1024. Simply defining a rule that allows traffic to and from UDP port 5353 won't work, because while outbound traffic will be correctly matched, the responses to those outbound requests won't be matched and will be dropped (assuming the default action is to deny traffic). So, a sample rule to be added to ipfw might look something like this:
>
> add 2008 allow udp from 10.1.1.0/24 5353 to any 1024-65535 in via en0

Although this is for another (opposite) situation it seems that I might need to deny UDP traffic from 192.168.2.0/24 from port 5353 to any port 1024-65535 in 192.168.3.0/24 somehow?

If you set up your firewall rules to only allow traffic to and from the printer IP, this should not be a problem at all. If you wish to have more access between your networks then you can look at blocking the ports used by Bonjour. You should only need ports 5353, 5297, 5298 blocked.
Hi Revelation

/ip firewall filter
add action=accept chain=forward comment=\
"Allow traffic from .3.0/24 to printer .2.152" dst-address=192.168.2.152 \
out-interface=ether3 src-address=192.168.3.0/24
add action=accept chain=forward comment=\
"Allow traffic from printer .2.152 to .3.x/24" dst-address=192.168.3.0/24 \
in-interface=ether3 src-address=192.168.2.152
add action=drop chain=forward comment="Drop all other traffic from .2.0/24" \
dst-address=192.168.3.0/24 src-address=192.168.2.0/24
add action=accept chain=input comment="winbox admin from WAN" dst-port=8291 \
protocol=tcp
add action=accept chain=input comment=\
"Accept connections TO router from allowed IPs" src-address-list=\
"Allowed IPs"
add action=drop chain=forward comment="Drop invalid packets THROUGH router" \
connection-state=invalid
add action=accept chain=forward comment="Accept new connections from LAN" \
connection-state=new in-interface=pppoe-out1
add action=accept chain=forward comment="Allow related connections" \
connection-state=related
add action=accept chain=forward comment="Allow established connections" \
connection-state=established
add action=accept chain=input comment=\
"Allow established connections to the router" connection-state=established
add action=accept chain=input comment=\
"Allow related connections to the router" connection-state=related
add action=drop chain=input comment="Drop all other traffic TO the router"
add action=drop chain=forward comment="Drop invalid packets TO router" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="Allow outgoing traffic" \
dst-address=0.0.0.0/0 out-interface=pppoe-out1
add action=masquerade chain=srcnat comment=\
"Masquerade/NAT ether3 to the .2.0/24 LAN with printer IP as destination" \
dst-address=192.168.2.152 out-interface=ether3 src-address=192.168.3.0/24

I have attempted to do this with rules #0 and #1, and drop all other traffic with rule #3 (see screenshot linked below).
What have I missed?
Maybe it is something to do with the order of rules?
Regards
Robin

Add in a drop rule for your traffic going to any other IP in the 192.168.2.0/24 network space.
Once you have that in place you should not have any other issues with Bonjour.

Great, OK can I assume that I need to drop this traffic both directions?
Like this?:

add chain=forward protocol=tcp in-interface=ether3 src-address=!192.168.2.152 action=drop
add chain=forward protocol=tcp out-interface=ether3 dst-address=!192.168.2.152 action=drop

Thanks!
Robin

No, just add another rule dropping your traffic from reaching any IP in the 192.168.2.0/24 address space. You place that right after your permit to 192.168.2.152 for the printer.
Hi Revelation
Yep I understand. Isn't that what the second of the two rules above does? (using the ! = not)
Could you give me an example rule?
This is where I'm at currently:

/ip firewall filter
add action=accept chain=forward comment=\
"Allow traffic from .3.0/24 to printer .2.152" dst-address=192.168.2.152 \
out-interface=ether3 src-address=192.168.3.0/24
add action=accept chain=forward comment=\
"Allow traffic from printer .2.152 to .3.x/24" dst-address=192.168.3.0/24 \
in-interface=ether3 src-address=192.168.2.152

With this rule dropping the other traffic, but it doesn't seem to work:

add action=drop chain=forward comment="Drop all other traffic from .2.0/24" \
dst-address=192.168.3.0/24 src-address=192.168.2.0/24

Should I maybe be looking to drop traffic in the other direction? I'm just unclear on how to drop it all in a bidirectional way!
Cheerio
Robin

I have never used a "not" rule with mikrotik or any other FW so I cannot comment on the expected behavior.
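Added example, not code from the thread or from MikroTik: a small Python first-match simulator for the forward-chain rule sets posted above. It models only the matchers those rules use (src/dst address with RouterOS-style "!" negation, in/out interface, protocol) under RouterOS semantics, where rules are evaluated top-down, the first match decides, and a packet matching no rule is accepted. It takes the three rules from the "Got it sorted" post, the same set with the extra drop rule suggested later ("another rule dropping your traffic from reaching any IP in the 192.168.2.0/24 address space ... right after your permit to 192.168.2.152"), and the two negated protocol=tcp rules. Hosts 192.168.3.10 and 192.168.2.20 are constructed for the example; interface names LAN and ether3 follow the posted config.

```python
"""First-match simulator for the MikroTik forward-chain rules in the thread (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: str
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    src: Optional[str] = None        # prefix, or "!prefix" to negate as RouterOS does
    dst: Optional[str] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    protocol: Optional[str] = None   # None = any protocol
    comment: str = ""


def _addr_match(spec: Optional[str], addr: str) -> bool:
    """An unset matcher matches everything; a leading '!' inverts the prefix test."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    inside = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return inside != negate


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and rule.in_iface in (None, pkt.in_iface)
            and rule.out_iface in (None, pkt.out_iface)
            and rule.protocol in (None, pkt.protocol))


def verdict(rules, pkt: Packet) -> str:
    """First matching rule wins; with no match the chain's default action is accept."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "accept"


LAN, ETHER3 = "LAN", "ether3"
PRINTER = "192.168.2.152"

# The three forward rules from the "Got it sorted" post, in the order given.
POSTED = [
    Rule("accept", src="192.168.3.0/24", dst=PRINTER, out_iface=ETHER3, comment="LAN A -> printer"),
    Rule("accept", src=PRINTER, dst="192.168.3.0/24", in_iface=ETHER3, comment="printer -> LAN A"),
    Rule("drop", src="192.168.2.0/24", dst="192.168.3.0/24", comment="rest of LAN B -> LAN A"),
]

# Same set plus the drop rule suggested later, placed right after the printer permit.
FIXED = [
    POSTED[0],
    Rule("drop", src="192.168.3.0/24", dst="192.168.2.0/24", comment="LAN A -> rest of LAN B"),
    POSTED[1],
    POSTED[2],
]

# The two negated rules exactly as posted: note they are restricted to protocol=tcp.
NEGATED = [
    Rule("drop", protocol="tcp", in_iface=ETHER3, src="!" + PRINTER),
    Rule("drop", protocol="tcp", out_iface=ETHER3, dst="!" + PRINTER),
]

# Constructed packets, named by direction. The mDNS unicast reply is the case quoted in
# the thread (UDP from a LAN B host to a LAN A host); the multicast query has a destination
# in 224.0.0.0/24, which a dst-address=192.168.3.0/24 matcher can never hit (link-local
# multicast is not forwarded by routers in any case).
SCENARIOS = {
    "lanA_to_printer": Packet("192.168.3.10", PRINTER, LAN, ETHER3),
    "printer_to_lanA": Packet(PRINTER, "192.168.3.10", ETHER3, LAN),
    "lanA_to_other_lanB": Packet("192.168.3.10", "192.168.2.20", LAN, ETHER3),
    "other_lanB_to_lanA": Packet("192.168.2.20", "192.168.3.10", ETHER3, LAN),
    "lanB_mdns_unicast_reply": Packet("192.168.2.20", "192.168.3.10", ETHER3, LAN, protocol="udp"),
    "lanB_mdns_multicast_query": Packet("192.168.2.20", "224.0.0.251", ETHER3, LAN, protocol="udp"),
}


def evaluate(rules) -> dict:
    """Verdict for every scenario under one rule set."""
    return {name: verdict(rules, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("fixed", FIXED), ("negated", NEGATED)):
        print(label)
        for name, result in evaluate(rules).items():
            print(f"  {name:28s} {result}")
```

Running it shows why the single drop rule is not enough: under POSTED, lanA_to_other_lanB falls through every rule and is accepted, because the only drop matches src-address=192.168.2.0/24 and that packet travels the other way. Under FIXED the extra drop catches it while both printer directions stay accepted. Under NEGATED the two "!192.168.2.152" rules do block TCP in both directions, but the UDP unicast reply passes untouched because both rules carry protocol=tcp, which is the gap the Bonjour question is about.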