
Dropping traffic from ether3 to ether2

Posted: Thu Jan 05, 2012 6:26 am
by isokyle
I have a kind of elementary question.

I am using a RB433. It is using RouterOS v5.10. I would like to completely separate traffic on ports 2 and 3, and not allow any connection between the two ports.

Port 2 is 10.10.0.1/24 and port 3 is 192.168.1.1/24.

I tried creating a drop rule and also a reject rule on the forward chain with source address 10.10.0.0/24 and destination 192.168.1.0/24 and vice versa. I am still able to ping the 10.10.0.1 from a 192.168.1.x address and see devices behind that port. I also tried dropping and rejecting (tried 2 different rules) from 10.0.0.0/8 to 192.168.1.0/24 and vice versa, to no avail.

Any ideas? What I am trying to do is have my internal office traffic on the 10.10.0.1/24 and "public" traffic on 192.168.1.1/24 and make sure "public" customers cannot see my internal network.

Any help would be greatly appreciated. Thanks.

Re: Dropping traffic from ether3 to ether2

Posted: Fri Jan 06, 2012 4:41 am
by dasiu
/ip firewall filter add chain=forward src-address=10.10.0.0/24 dst-address=192.168.1.0/24 action=drop place-before=0
/ip firewall filter add chain=forward dst-address=10.10.0.0/24 src-address=192.168.1.0/24 action=drop place-before=0
Are you sure that there were no other filter rules before the ones? If not - they MUST work :).

You are "still able to ping the 10.10.0.1 from a 192.168.1.x address", because 10.10.0.1 is the router's address, so the packets don't go through the "forward" chain, but through the "input" :). If you want to separate also this, just add:
/ip firewall filter add chain=input src-address=10.10.0.0/24 dst-address=192.168.1.0/24 action=drop
/ip firewall filter add chain=input dst-address=10.10.0.0/24 src-address=192.168.1.0/24 action=drop

Are you sure that with the first 2 rules you are able to connect from a 192.168.1.* device to a 10.10.0.* device? Or did you just check the ping to the router's address? Are there no "strange" NAT rules?

BTW - are you from Finland? Your nick sounds like that :).

Re: Dropping traffic from ether3 to ether2

Posted: Fri Jan 06, 2012 7:43 am
by isokyle
/ip firewall filter add chain=forward src-address=10.10.0.0/24 dst-address=192.168.1.0/24 action=drop place-before=0
/ip firewall filter add chain=forward dst-address=10.10.0.0/24 src-address=192.168.1.0/24 action=drop place-before=0
Are you sure that there were no other filter rules before the ones? If not - they MUST work :).

You are "still able to ping the 10.10.0.1 from a 192.168.1.x address", because 10.10.0.1 is the router's address, so the packets don't go through the "forward" chain, but through the "input" :). If you want to separate also this, just add:
/ip firewall filter add chain=input src-address=10.10.0.0/24 dst-address=192.168.1.0/24 action=drop
/ip firewall filter add chain=input dst-address=10.10.0.0/24 src-address=192.168.1.0/24 action=drop

Are you sure that with the first 2 rules you are able to connect from a 192.168.1.* device to a 10.10.0.* device? Or did you just check the ping to the router's address? Are there no "strange" NAT rules?

BTW - are you from Finland? Your nick sounds like that :).
It must have been the order. It is working now. I don't understand how the order works. I have rules that drop common virus traffic on the virus chain that I added, rules to drop port scanners and add them to a list, and rules to drop SMTP that looks like spammers and add them to a list.

I was under the impression that you want these rules first: drop invalid traffic, accept established, and accept related, and that after that it didn't matter, as long as the allow rules came before the drop rules if they pertained to each other? Can you clarify this?

I was able to access a wireless AP that was 192.168.1.2, but after changing the order, it is working properly. The input rules also fixed my ability to ping it :).

No I'm not from Finland. I'm from the USA. Isotech is my company and Kyle is my name, so I figured isokyle would fit lol.

Re: Dropping traffic from ether3 to ether2

Posted: Fri Jan 06, 2012 1:21 pm
by dasiu
I was able to access a wireless AP that was 192.168.1.2, but after changing the order, it is working properly.
You can paste your rules here so we can see and think ;). If changing the order helped, it would suggest that there was a problem :).
If you have the rules for accepting established, related and dropping invalid - they should be left as the first ones, of course, as they save some cpu power :).
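As an added example (not code from this thread or from MikroTik), here is the rule-order behaviour dasiu describes, simulated in Python: packets addressed to the router itself take the input chain rather than forward, the first matching rule in a chain decides, and an inter-subnet drop appended below a broader accept is never reached, while the same drop placed right after the state rules works. Only 10.10.0.1 and 192.168.1.1 come from the thread; the other hosts, the packets, and the base rule set (in particular the broad accept that stands in for whatever allow rule sat above the poster's drops, which was never posted) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not the forum's or MikroTik's code. Only the router's two
# addresses come from the thread; every other address, packet and rule set
# below is constructed.
ROUTER_ADDRESSES = {ipaddress.ip_address("10.10.0.1"), ipaddress.ip_address("192.168.1.1")}


@dataclass
class Packet:
    src: str
    dst: str
    connection_state: str = "new"  # conntrack view: new/established/related/invalid


@dataclass
class Rule:
    chain: str                              # "input" or "forward"
    action: str                             # "accept" or "drop"
    src_address: Optional[str] = None       # CIDR, as src-address=
    dst_address: Optional[str] = None       # CIDR, as dst-address=
    connection_state: Optional[str] = None  # as connection-state=

    def matches(self, pkt: Packet) -> bool:
        """Every matcher that is set must agree; unset matchers match anything."""
        src_ok = not self.src_address or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_address)
        dst_ok = not self.dst_address or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_address)
        state_ok = not self.connection_state or pkt.connection_state == self.connection_state
        return src_ok and dst_ok and state_ok

    def as_routeros(self) -> str:
        """Render the rule in the syntax used in the thread."""
        opts = [("src-address", self.src_address), ("dst-address", self.dst_address),
                ("connection-state", self.connection_state), ("action", self.action)]
        return f"/ip firewall filter add chain={self.chain} " + " ".join(f"{k}={v}" for k, v in opts if v)


def chain_for(pkt: Packet) -> str:
    """Packets addressed to the router itself take the input chain; packets routed
    through it take forward. This is why a forward drop never stops a ping to 10.10.0.1."""
    return "input" if ipaddress.ip_address(pkt.dst) in ROUTER_ADDRESSES else "forward"


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule in the packet's chain decides; no match means accept,
    the default of RouterOS filter chains."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return rule.action
    return "accept"


def add_rule(rules: List[Rule], rule: Rule, place_before: Optional[int] = None) -> None:
    """Append, or insert at an index like place-before=N. Simplification: RouterOS
    numbers rules across all chains, here it is a plain list index."""
    rules.insert(len(rules) if place_before is None else place_before, rule)


def base_rules() -> List[Rule]:
    """Constructed starting point: the three state rules, then a broad accept for the
    public side. That accept is an assumption standing in for whatever allow rule
    sat above the poster's drops; the real rules were never shown."""
    return [
        Rule("forward", "accept", connection_state="established"),
        Rule("forward", "accept", connection_state="related"),
        Rule("forward", "drop", connection_state="invalid"),
        Rule("forward", "accept", src_address="192.168.1.0/24"),
    ]


SEPARATION = [  # the two forward drops from the thread
    Rule("forward", "drop", src_address="10.10.0.0/24", dst_address="192.168.1.0/24"),
    Rule("forward", "drop", src_address="192.168.1.0/24", dst_address="10.10.0.0/24"),
]
# Guards the router's own office-side address; this is what the forward rules cannot do.
ROUTER_GUARD = Rule("input", "drop", src_address="192.168.1.0/24", dst_address="10.10.0.0/24")


def appended_ruleset() -> List[Rule]:
    """A plain 'add': the drops land below the broad accept and are never reached."""
    rules = base_rules()
    for rule in SEPARATION:
        add_rule(rules, rule)
    return rules


def fixed_ruleset() -> List[Rule]:
    """State rules stay first (they are cheap, as the thread says), the drops go right
    after them, and an input rule covers the router's own address."""
    rules = base_rules()
    for offset, rule in enumerate(SEPARATION):
        add_rule(rules, rule, place_before=3 + offset)  # index 3: first slot after the state rules
    add_rule(rules, ROUTER_GUARD)
    return rules


if __name__ == "__main__":
    to_host = Packet("192.168.1.50", "10.10.0.20")    # public host -> office host
    to_router = Packet("192.168.1.50", "10.10.0.1")   # public host -> router's office address
    for name, rules in (("appended", appended_ruleset()), ("fixed", fixed_ruleset())):
        print(f"{name:8s} office host: {evaluate(rules, to_host):6s} router: {evaluate(rules, to_router)}")
    print("\n".join(r.as_routeros() for r in fixed_ruleset()))
```

Running it prints the verdict for a public-to-office packet and for a ping to 10.10.0.1 under both orderings, then the fixed rule set rendered in /ip firewall filter syntax. The input-chain rule in the simulator is dasiu's second input rule; the real place-before argument takes a rule number across the whole filter list, which the simulator flattens to a list index, and the real firewall also has a connection-state of "new" only when conntrack is active, which the Packet field here simply assumes.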