
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Fri Jul 19, 2019 12:25 am

This worked to stop the AP pinging the router:
add action=drop chain=input dst-address=192.168.1.1 protocol=icmp src-address=172.16.24.0/24
I suggest you start over from the default firewall filter rules and adapt them according to your needs
Since I did not start from the basic firewall (the first time I imported a script, with the current FW), where can I get it? I am reading here.
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Fri Jul 19, 2019 1:07 am

I have implemented the previous steps.

Should I implement these too?:

-Make jumps to new chains
-Create tcp chain and deny some tcp ports in it
-Deny udp ports in udp chain
-Allow only needed icmp codes in icmp chain
-Bruteforce_login_prevention_(FTP_&_SSH)

Any other?
 
mkx
Forum Guru
Posts: 2573
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1wan + 2 lan isolated from each other

Fri Jul 19, 2019 8:38 am

Using custom chains certainly has some good effects:
  • you can reuse the same filters for multiple original chains (e.g. if you want to limit ICMP traffic to certain types and you want to do it for both chain=input and chain=forward) and you jump to the generic chain (filter rule execution returns to the original chain if none of the special-chain rules apply)
  • you can optimize filter execution ... if you have a few filter rules which apply to same class of packets, then you can jump to special chain only for packets matching selection criteria ... the rest of packets won't get compared to filter criteria and thus will be processed faster
  • ...

The main reason against using custom chains is that they somewhat reduce the readability of the filter list. In short: first make your filter list flat and linear. When everything works as desired, it's time to optimize for execution speed (which includes fast-tracking the bulk of packets and using custom chains).

The wiki you linked is only an example and the firewall rules stated there are not optimal. Quite a bit better are the rules from the default setup. You can always get the default setup using the command /system default-configuration print and on my SOHO-class devices the current (ROS 6.45.1) default firewall filter rules are

/ip firewall
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

... and for completeness' sake ...
/ipv6 firewall
address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"

The above listed default filter rules are a good starting point. Some would argue that the principle they follow is flawed ... keep in mind that there's a final implicit rule in each chain which accepts everything. When building a firewall it's better to explicitly deny all connections as the ultimate filter rule and explicitly allow what's needed (this way you don't forget to deny something). And following this principle you don't need most of the filter rules denying this and that, you only need filter rules for exceptions. Your additional filter rules would then go to the end of the list of default rules (and above the ultimate drop rule if you add it).
BR,
Metod
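An added example, not from mkx's post and not the thread's own configuration, that applies the two points above to this thread's topology: one custom chain holding the ICMP policy, jumped to from both input and forward, and an explicit final drop in each chain in place of the implicit accept. The interface names (bridge1-ISP, bridge2, ether1-gateway, pppoe-out1) and the two subnets are the ones luka3 posts later in the thread; the interface-list names, the ICMP rate limit, the service ports (WinBox 8291, SSH 221 as in luka3's /ip service) and the log prefixes are assumptions for illustration.

```routeros
# Added example, not the thread's configuration.
# Assumed topology (names taken from the thread): LAN1 = bridge1-ISP 192.168.1.0/24,
# LAN2 = bridge2 172.16.24.0/24, upstream = ether1-gateway and pppoe-out1.
/interface list
add name=WAN comment="upstream interfaces"
add name=LAN comment="all local bridges (the L3 interfaces, not the bridge ports)"
/interface list member
add list=WAN interface=ether1-gateway
add list=WAN interface=pppoe-out1
add list=LAN interface=bridge1-ISP
add list=LAN interface=bridge2

/ip firewall filter
# Custom chain: the ICMP policy is written once and reused from input and forward.
# Every ICMP packet that enters it is accepted or dropped here, so nothing returns
# to the calling chain and the calling chains need no further ICMP rules.
add chain=icmp-ok protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp-ok protocol=icmp icmp-options=3:0-15 action=accept comment="destination unreachable (incl. fragmentation needed)"
add chain=icmp-ok protocol=icmp icmp-options=11:0-1 action=accept comment="time exceeded (traceroute)"
add chain=icmp-ok protocol=icmp icmp-options=8:0 limit=10,5:packet action=accept comment="echo request, rate limited (assumed value)"
add chain=icmp-ok protocol=icmp action=drop comment="every other ICMP type"

# input: what may talk to the router itself
add chain=input connection-state=established,related,untracked action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=jump jump-target=icmp-ok
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept comment="DNS from both LANs"
add chain=input in-interface-list=LAN protocol=udp dst-port=67 action=accept comment="DHCP from both LANs"
add chain=input in-interface=bridge1-ISP src-address=192.168.1.0/24 protocol=tcp dst-port=8291,221 action=accept comment="WinBox/SSH from LAN1 only"
add chain=input action=log log-prefix="input-drop " comment="temporary: shows what the final drop catches"
add chain=input action=drop comment="explicit final drop, replaces the implicit accept"

# forward: what may pass through the router
add chain=forward ipsec-policy=in,ipsec action=accept
add chain=forward ipsec-policy=out,ipsec action=accept
add chain=forward connection-state=established,related action=fasttrack-connection
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=LAN out-interface-list=WAN protocol=icmp action=jump jump-target=icmp-ok
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept comment="LAN1 and LAN2 to the internet"
add chain=forward in-interface-list=WAN connection-nat-state=dstnat action=accept comment="only port-forwarded traffic from WAN"
add chain=forward action=log log-prefix="forward-drop " comment="temporary: LAN1<->LAN2 attempts land here"
add chain=forward action=drop comment="explicit final drop, replaces the implicit accept"
```

Rules are evaluated top to bottom within a chain and the first match wins, so the established/related accept has to stay above everything else and the two drops last. Nothing allows new connections between bridge1-ISP and bridge2, so the two LANs are isolated without a single "drop LAN1 to LAN2" rule; anything you later find in the "forward-drop" log is an exception to add above the final drop, and the two log rules are removed once tuning is done. Two practitioner caveats: the `limit` counter in the shared chain is shared by every packet that reaches it from either chain, and the `in-interface-list` matchers work because the lists hold the L3 interfaces (the bridges and the uplinks), which is what the IP firewall sees for routed traffic, not the individual bridge ports.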
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Fri Jul 19, 2019 3:40 pm

Hi, thx for support.
One doubt I have is where to apply the initial drop everything except LAN: should I do that on ether1 or on bridge1-ISP?
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Fri Jul 19, 2019 5:26 pm

Here is the current state of the FW (without IPv6). It is a bit different from the default one, but follows the one in the wiki, compared line by line with the default one:
/ip firewall filter
add action=drop chain=input comment="ROUTER PROTECTION.Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow connections to router itself only from our local network" dst-port=46767 in-interface=\
    !ether1-gateway protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="CUSTOMER PROTECTION. Drop invalid connections" connection-state=invalid protocol=tcp
add action=accept chain=forward comment="Allow already established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="Block \"bogon\" IP addresses" src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
Let me know what you think.
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 1:46 pm

Hi, after I tried to set up the new firewall I must have stopped the IPTV service. I have tried to find the problem but I cannot.

Maybe you can have a look and point me in the right direction...

old FW:

/ip dhcp-server option
add code=240 name=option_para_deco value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
/ip pool
add name=dhcp_pool1 ranges=192.168.1.210-192.168.1.230
add name=dhcp_pool2 ranges=172.16.24.100-192.16.24.120
/ip dhcp-server
add address-pool=dhcp_pool1 bootp-support=dynamic disabled=no interface=bridge1-ISP name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=bridge2 name=dhcp2
/ip address
add address=192.168.1.1/24 comment=LAN1 interface=bridge1-ISP network=192.168.1.0
add address=192.168.100.10/24 comment=WAN interface=ether1-gateway network=192.168.100.0
add address=10.133.225.20/9 interface=vlan2 network=10.128.0.0
add address=172.16.24.1/24 comment=LAN2 interface=bridge2 network=172.16.24.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.200 client-id=7a:79:78:65:6c:5f:44:54:54:37:31:30:35:2d:30:2e:32:5f:53:31:34:30:59:34:38:39:32:35:32:31:35 \
    dhcp-option=option_para_deco mac-address=xxx server=dhcp1
add address=192.168.1.40 client-id=xxx mac-address=xxx server=dhcp1
add address=192.168.1.50 client-id=xxx mac-address=xxx server=dhcp1
add address=172.16.24.2 client-id=xxx mac-address=xxx server=dhcp2
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=80.58.61.254,80.58.61.250 gateway=192.168.1.1 netmask=24
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=80.58.61.250,80.58.61.254
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/ip firewall filter
add action=fasttrack-connection chain=forward
add action=accept chain=input comment="deny ICMP" log=yes protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=accept chain=input dst-port=8291 protocol=tcp src-address=192.168.1.50
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=vlan2 protocol=udp to-addresses=\
    192.168.1.200
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=221
set api disabled=yes
set winbox address=192.168.1.50/32 port=8291
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
add interface=bridge1-ISP type=internal
add interface=pppoe-out1 type=external


new FW:

/ip dhcp-server option
add code=240 name=option_para_deco value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
/ip pool
add name=pool1 ranges=192.168.1.210-192.168.1.230
add name=pool2 ranges=172.16.33.10-172.16.33.20
/ip dhcp-server
add address-pool=pool1 bootp-support=dynamic disabled=no interface=bridge1-ISP name=dhcp1
/ip address
add address=192.168.1.1/24 comment=LAN1 interface=bridge1-ISP network=192.168.1.0
add address=192.168.100.10/24 comment=WAN interface=ether1-gateway network=192.168.100.0
add address=10.133.225.20/9 interface=vlan2 network=10.128.0.0
add address=172.16.33.1/24 comment=LAN2 interface=bridge2 network=172.16.33.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.200 client-id=\
    7a:79:78:65:6c:5f:44:54:54:37:31:30:35:2d:30:2e:32:5f:53:31:34:30:59:34:38:39:32:35:32:31:35 \
    dhcp-option=option_para_deco mac-address=x server=dhcp1
add address=192.168.1.40  mac-address=x server=dhcp1
add address=192.168.1.50  mac-address=x server=dhcp1
add address=192.168.1.11  mac-address=x server=dhcp1
add address=192.168.1.47  mac-address=x server=dhcp1
add address=192.168.1.49  mac-address=x server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=80.58.61.254,80.58.61.250 gateway=192.168.1.1 netmask=24
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=80.58.61.250,80.58.61.254
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/ip firewall filter
add action=drop chain=input comment="ROUTER PROTECTION.Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow connections to router itself only from our local network" \
    dst-port="" in-interface=!ether1-gateway protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="CUSTOMER PROTECTION. Drop invalid connections" connection-state=\
    invalid protocol=tcp
add action=accept chain=forward comment="Allow already established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="Block \"bogon\" IP addresses" src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=\
    vlan2 protocol=udp to-addresses=192.168.1.200
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=221
set api disabled=yes
set winbox address=192.168.1.50/32 port=8291
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
add interface=bridge1-ISP type=internal
add interface=pppoe-out1 type=external
Rgds
 
mkx
Forum Guru
Forum Guru
Posts: 2573
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 4:03 pm

I don't know what exactly you mean by "I must have stopped the IPTV service" ... but you don't have a DHCP server running on LAN2 - you don't have a corresponding /ip dhcp-server network nor /ip dhcp-server ...
BR,
Metod
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 9:17 pm

Hi, I reverted to the previous firewall I had and it works.
After changing the firewall something has an effect on vlan2 and 192.168.1.200 (the deco, the set-top box, has this static IP).
You mentioned:
you don't have a corresponding /ip dhcp-server network nor /ip dhcp-server ...

Maybe I don't understand you but I think I do have the network:
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 \
    netmask=24
and no need for a dhcp-server since it is a static IP (192.168.1.200).

I can ping 192.168.1.200 from the router.

I have masquerade and dst-nat on vlan2:
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=dst-nat chain=dstnat comment=VOD dst-address-type=local in-interface=vlan2 protocol=udp to-addresses=192.168.1.200

Maybe this is blocking it?
add action=accept chain=input comment="Allow connections to router itself only from our local network" in-interface=!ether1-gateway \
    protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment="Drop everything else"
This is the one I had before and tried this afternoon, and worked:
/ip firewall filter
add action=fasttrack-connection chain=forward
add action=accept chain=input log=yes protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
add action=drop chain=forward dst-address=192.168.1.0/24 in-interface=bridge1-ISP out-interface=bridge2 src-address=172.16.24.0/24
add action=drop chain=forward dst-address=172.16.24.0/24 in-interface=bridge2 out-interface=bridge1-ISP src-address=192.168.1.0/24
add action=drop chain=forward disabled=yes in-interface=bridge2 out-interface=bridge1-ISP
add action=drop chain=forward disabled=yes in-interface=bridge1-ISP out-interface=bridge2
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=vlan2 protocol=udp to-addresses=192.168.1.200
I wish you could see something here. I am lost. I don't really want to go back to the original FW.
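An added diagnostic, not from the thread and not a diagnosis of the IPTV problem: before giving up on the new rule set, make it tell you which rule discards the flow. Addresses and interface names are the thread's (set-top box at 192.168.1.200, IPTV uplink vlan2, multicast groups 239.0.2.x from DHCP option 240, the "Drop everything else" comment from the posted input chain); the counter comments and log prefix are assumptions. Reading the new input chain as posted, its only accept rule for LAN hosts matches protocol=tcp, so UDP (DHCP to port 67, DNS to port 53) and IGMP from LAN hosts to the router fall through to that final drop; the counting rules below show whether that is happening instead of guessing.

```routeros
# Added diagnostic, not the thread's configuration. Names and addresses from the thread.
/ip firewall filter
# 1. Counting rules: action=passthrough neither accepts nor drops, it only increments
#    the rule's counters. place-before=0 puts each at the top so no earlier rule hides the flow.
add chain=input in-interface=bridge1-ISP protocol=udp dst-port=67,53 action=passthrough comment="count: DHCP/DNS from LAN1 to router" place-before=0
add chain=input in-interface=bridge1-ISP protocol=igmp action=passthrough comment="count: IGMP from LAN1 to router" place-before=0
add chain=input in-interface=vlan2 action=passthrough comment="count: anything from IPTV vlan to router" place-before=0
add chain=forward in-interface=vlan2 dst-address=192.168.1.200 action=passthrough comment="count: VOD unicast to STB" place-before=0
add chain=forward dst-address=239.0.2.0/24 action=passthrough comment="count: multicast to STB group (assumed /24)" place-before=0

# 2. Log rule directly above the catch-all input drop, located by its posted comment.
add chain=input action=log log-prefix="input-drop " place-before=[find chain=input comment="Drop everything else"]

# 3. Zero the counters, reproduce the failure (power-cycle the STB, start a channel), then read.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where comment~"^count:"
/log print where message~"input-drop"

# 4. Caveat: packets matched by action=fasttrack-connection skip the rest of the filter,
#    so under the old rule set (fasttrack first) these counters undercount. To see IGMP
#    on the wire regardless of filtering, capture on the uplink directly:
/tool sniffer quick interface=vlan2 ip-protocol=igmp
```

A counter that stays at zero while the STB is starting a channel means the packets never reach the router on that interface; a counter that increments while the "input-drop" log shows the same source and port means the new input chain is the culprit and needs an accept rule for that protocol above the final drop. Remove the passthrough and log rules once the answer is known.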
 
anav
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 9:46 pm

Ahhh, Luka, you have discovered what I like to call the mkx infinite loop. It's a phenomenon that often occurs. The OP slowly goes mad and ends up throwing his device against the wall at high velocity. It doesn't fix the configuration at all but it feels really really good at the time.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 9:51 pm

Ahhh, Luka you have discovered what I like to call the mkx infinite loop. Its a phenomena that often occurs. The Op slowly goes mad and ends up throwing his device against the wall at high velocity. It doesn't fix the configuration at all but it feels really really good at the time.
That's a perfect definition :lol:
Thank God I can still revert to the original FW.

Anyway, I am sure it must be a little thing that I just can't discover ... maybe if I add the log someone gets inspiration...
Last edited by luka3 on Thu Aug 01, 2019 12:45 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 2573
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 10:18 pm

Sigh ...
You mentioned:
you don't have a corresponding /ip dhcp-server network nor /ip dhcp-server ...

Maybe I don't understand you but I think I do have the network:
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 \
    netmask=24
and no need for a dhcp-server since it is a static IP (192.168.1.200).

I was talking about LAN2 ... where the router's got address 172.16.24.1/24

Anyway, sometimes I do notice that my well-meant advice and comments are not welcome.

Have fun with @anav.
BR,
Metod
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 10:59 pm

Mkx, don't let anav disturb you.

I am the one who is stuck and due to my limited knowledge even more.

Everything is there:

/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge2 name=dhcp2

/ip pool
add name=dhcp_pool2 ranges=172.16.24.100-172.16.24.119

/ip dhcp-server network
add address=172.16.24.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.24.1 netmask=24
 
anav
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1wan + 2 lan isolated from each other

Tue Jul 23, 2019 12:07 am

I stepped back a long time ago on this thread, MKX, because you are more patient and more thorough and there was no point in confusing the OP with my fixation on VLANs...
Don't let humour get in the way of a solution LoL.
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other[Solved]

Thu Aug 01, 2019 1:03 pm

After some testing I successfully isolated:

>the AP and its clients, by using the proprietary function included in UniFi ("guest isolation"). I tried what mkx proposed in POST#7 but isolation still did not work.

>a second subnet: following mkx's and stoser's advice in POST#7 and POST#23, assigning a second subnet to specific clients and then adding this simple rule did the trick:
/ip firewall filter
add action=drop chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0/24
None of these clients can ping each other, nor the other subnet.

Thx for support guys!
