Dropping Packets between subnets with an exception

mmenz · Fri Nov 25, 2016 1:25 am

Hi,

Just got my first Mikrotik Router and wanting to isolate the 2 subnets from each other. However I do wish both subnets to be able to access one Server on a static ip.

This is what I have so far

ip firewall filter add chain=forward src-address=192.168.2.0/24 dst-address=192.168.5.0/24 action=drop
ip firewall filter add chain=forward src-address=192.168.5.0/24 dst-address=192.168.2.0/24 action=drop

How would I allow the 192.168.5.0/24 subnet to access one static IP (eg; 192.168.2.100) on 192.168.2.0/24, but nothing else?

JB172 · Fri Nov 25, 2016 10:44 am

Before your two dropping rules put this:

ip firewall filter add chain=forward src-address=192.168.5.0/24 dst-address=192.168.2.100 action=accept

Rudios · Fri Nov 25, 2016 10:50 am

I would even go for one allow rule, and then a generic drop.

mmenz · Fri Nov 25, 2016 11:18 am

Before your two dropping rules put this:
Code: Select all
ip firewall filter add chain=forward src-address=192.168.5.0/24 dst-address=192.168.2.100 action=accept

Thanks for your help, I added the rule. Moved it above the rest of the rules and tried a ping the server but no joy. If I am on the 192.168.2.0/24 subnet I can ping it.

Could there be another setting that is blocking this rule from taking effect. Not sure if having the different subnets on a different interface would make any difference.

blingblouw · Fri Nov 25, 2016 11:23 am

return path?

ip firewall filter add chain=forward src-address=192.168.2.100 dst-address=192.168.5.0/24 action=accept

mmenz · Fri Nov 25, 2016 11:39 am

return path?

ip firewall filter add chain=forward src-address=192.168.2.100 dst-address=192.168.5.0/24 action=accept

Added, still nothing.

Then I disabled all my firewall rules. Still was not able to ping the server from the second subnet (still working from the first one though). Could it be a routing issue?

Each subnet has its own interface on the router. However the Mikrotik automatically creates a route between the interfaces as far as I understand?

JB172 · Fri Nov 25, 2016 1:24 pm

Make an export of IP->Routes

mmenz · Fri Nov 25, 2016 1:40 pm

Hope this helps, really appreciate your help with this

mikrotik.png

JB172 · Fri Nov 25, 2016 2:02 pm

Which ports you have in Bridge?

mmenz · Fri Nov 25, 2016 2:05 pm

Just our WAN Port on ether1 interface

mikrotik2.PNG

JB172 · Fri Nov 25, 2016 2:09 pm

Why you have a Bridge only with Ether1?
Put the IP Address of the Bridge on Ether1 and remove the Bridge.

mmenz · Tue Nov 29, 2016 2:29 am

Just figured out why the rules were not being followed. It turns out our switch was preventing us from reaching other clients on the network hence the rules had no effect.

Its all working now again. Thank you for your help with this though

Dropping Packets between subnets with an exception

Dropping Packets between subnets with an exception

Re: Dropping Packets between subnets with an exception

Re: Dropping Packets between subnets with an exception

Re: Dropping Packets between subnets with an exception

Re: Dropping Packets between subnets with an exception

Re: Dropping Packets between subnets with an exception

Re: Dropping Packets between subnets with an exception

Re: Dropping Packets between subnets with an exception

Re: Dropping Packets between subnets with an exception

Re: Dropping Packets between subnets with an exception

Re: Dropping Packets between subnets with an exception

Re: Dropping Packets between subnets with an exception

Who is online