ddzyfaa
just joined
Topic Author
Posts: 4
Joined: Wed May 08, 2019 1:07 am

Stop forwarding from default Bridge to Interface "etherX"

Fri May 17, 2019 8:47 pm

Hello, as you can read in an older post, I set up an interface with a VLAN, looking for some kind of interface isolation for administering the ROS.

viewtopic.php?f=13&t=148307

This is what I reached:
1) Put interface "ether10" outside the default bridge.
2) Assign VLAN "100" to interface ether10.
3) Assign an IP network to ether10.
4) Properly set up the services to listen on ether10.

And now I'm stuck on the firewall part.
I want to stop traffic from being forwarded from the ether1-8 network (10.0.1.0/24) to ether9 (10.0.100.0/24), so I wrote a rule to drop it and placed it in first place in the default rule set, but packets can still flow from one network to the other:
ping -t -S 10.0.1.50  10.0.100.1

Haciendo ping a 10.0.100.1 desde 10.0.1.50 con 32 bytes de datos:
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
The rules are:
[admin@MikroTik] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    chain=forward action=drop src-address=10.0.1.0/24 dst-address=10.0.100.0/24 log=no log-prefix=""

 2    chain=forward action=drop src-address=10.0.100.0/24 dst-address=10.0.1.0/24 log=no log-prefix=""

 3    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 4    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 5    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

 9    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related

10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked

11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

12    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
Thanks in advance
 
mkx
Forum Guru
Posts: 2955
Joined: Thu Mar 03, 2016 10:23 pm

Re: Stop forwarding from default Bridge to Interface "etherX"  [SOLVED]

Fri May 17, 2019 10:19 pm

If 10.0.100.1 is the router's IP address on that VLAN interface ... then firewall rules 1 and 2 won't block pings, because those pings go to chain=input (it doesn't matter if they originate from another subnet) as their destination is the router.
BR,
Metod
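The chain distinction mkx describes, as an added RouterOS example that is not part of this thread: the ping is answered by the router's own address 10.0.100.1, so the matching drop has to live in chain=input, placed above the default "accept ICMP" rule. The addresses and the defconf comments used with place-before are taken from the question's filter print; everything else (comments, log prefix) is assumed.

```routeros
# Added example, not from the thread. Addresses come from the question:
# bridge-side LAN is 10.0.1.0/24, the router's own address on the
# management VLAN is 10.0.100.1. Comment texts and log prefix are assumed.
/ip firewall filter

# Packets addressed to the router itself never enter chain=forward, so a
# forward drop cannot stop LAN hosts from reaching 10.0.100.1. The drop
# belongs in chain=input, and it must sit above the default "accept ICMP"
# rule (which would otherwise accept the echo request first). Sessions that
# are already established still match the earlier accept rule until they
# time out or are reconnected.
add chain=input action=drop src-address=10.0.1.0/24 dst-address=10.0.100.1 \
    comment="mgmt: no access to VLAN address from LAN" \
    log=yes log-prefix="mgmt-drop" \
    place-before=[find comment="defconf: accept ICMP"]

# Host-to-host traffic that is actually routed between the two subnets is
# what chain=forward handles; these keep that path closed in both
# directions and sit above fasttrack so the first packet is seen.
add chain=forward action=drop src-address=10.0.1.0/24 dst-address=10.0.100.0/24 \
    comment="no routing LAN -> mgmt VLAN" \
    place-before=[find comment="defconf: fasttrack"]
add chain=forward action=drop src-address=10.0.100.0/24 dst-address=10.0.1.0/24 \
    comment="no routing mgmt VLAN -> LAN" \
    place-before=[find comment="defconf: fasttrack"]

# Verify: repeat the ping from 10.0.1.50, then confirm the input rule's
# packet counter increments and the log carries the "mgmt-drop" prefix.
print stats where chain=input
/log print where message~"mgmt-drop"
```

If the counters on the input rule stay at zero while the ping still succeeds, the packets are taking a different path (for example a different router address or an interface not covered by the match), and `/tool sniffer` or `/ip firewall connection print` will show which.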
 
anav
Forum Guru
Posts: 2969
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Stop forwarding from default Bridge to Interface "etherX"

Fri May 17, 2019 10:27 pm

Simple, draw a diagram and post your config, then we will be able to give credible responses instead of guessing.

/export hide-sensitive file=yourconfigmay17

No need to confine your port for admin control.
Simply use firewall rules and winbox rules and you can limit it by IP without contorting your network.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
