patrickmkt
Member Candidate
Topic Author
Posts: 174
Joined: Sat Jul 28, 2012 5:21 pm

Firewall rules between two LAN help

Fri Aug 17, 2012 8:13 am

Hi, I have the following setup:

ether1-gateway : WAN 192.168.1.1/24
ether2-LANA: LAN A 192.168.20.1/24
ether3-LANB: LAN B 192.168.30.1/24

With the default setup, there is no access from the WAN to any LAN, but each LAN can connect to the other LAN or WAN.

Now I want to isolate both LANs:
chain=forward action=drop in-interface=ether2-LANA out-interface=ether3-LANB
chain=forward action=drop in-interface=ether3-LANB out-interface=ether2-LANA

so far, so good.

Now I want to add two servers on LAN A and two servers on LAN B that should be accessible from both LANs.

I created the following rules before the previous drop

Address list: listA: server A1, A2; listB: server B1, B2.
chain=forward action=accept dst-address-list=listA in-interface=ether3-LANB out-interface=ether2-LANA
chain=forward action=accept dst-address-list=listB in-interface=ether2-LANA out-interface=ether3-LANB

It doesn't work unless I disable the drop rule.
I thought that maybe I had to add a return path rule for established & related connections, so I then added:

chain=forward action=accept connection-state=established src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
chain=forward action=accept connection-state=related src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
chain=forward action=accept connection-state=established src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA
chain=forward action=accept connection-state=related src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA


but still no joy, the returning packets are still hitting the drop rule.

What am I doing wrong here?
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Firewall rules between two LAN help

Fri Aug 17, 2012 4:57 pm

It would be helpful to see the rules in context and in the order in which they are installed - order matters.

I would encourage you to rethink the logic on the forwarding rules. Your last forwarding rule should be a drop all rule. Anything you want to forward should be covered by an accept rule above the "drop all". In other words, forwarding should be the exception and dropping should be the default.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
patrickmkt
Member Candidate
Topic Author
Posts: 174
Joined: Sat Jul 28, 2012 5:21 pm

Re: Firewall rules between two LAN help

Fri Aug 17, 2012 5:27 pm

OK, maybe I was not clear enough in my prose; here's the order of my rules:

;;; from A to B
     chain=forward action=accept dst-address-list=listB in-interface=ether2-LANA out-interface=ether3-LANB
     chain=forward action=accept connection-state=established src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
     chain=forward action=accept connection-state=related src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
     chain=forward action=drop in-interface=ether2-LANA out-interface=ether3-LANB

;;; from B to A
     chain=forward action=accept dst-address-list=listA in-interface=ether3-LANB out-interface=ether2-LANA
     chain=forward action=accept connection-state=established src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA
     chain=forward action=accept connection-state=related src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA
     chain=forward action=drop in-interface=ether3-LANB out-interface=ether2-LANA

;;; default configuration
     chain=input action=accept protocol=icmp
     chain=input action=accept connection-state=established
     chain=input action=accept connection-state=related
     chain=input action=drop in-interface=ether1-gateway

but when I try to connect to the server from the other LAN, my drop rule blocks all returning traffic from the server.
 
patrickmkt
Member Candidate
Topic Author
Posts: 174
Joined: Sat Jul 28, 2012 5:21 pm

Re: Firewall rules between two LAN help

Sun Aug 26, 2012 4:00 pm

nobody?
 
Zavi
newbie
Posts: 28
Joined: Thu Jul 05, 2012 1:02 pm
Location: Czech Republic

Re: Firewall rules between two LAN help

Sun Aug 26, 2012 11:01 pm

Is conntrack enabled? It's required by "established" and "related" rules.
RB751G-2HnD & RB2011UiAS-2HnD-IN at home
 
patrickmkt
Member Candidate
Topic Author
Posts: 174
Joined: Sat Jul 28, 2012 5:21 pm

Re: Firewall rules between two LAN help

Sun Aug 26, 2012 11:43 pm

Is conntrack enabled?
Yes I just checked.
I'm probably doing something blatantly stupid here but I can't put my finger on it. Could it be on the established rule? Should the destination and source addresses be from the inbound point of view or from the return path? Maybe I've put it the wrong way round?
I haven't found any sample examples in the wiki for this simple configuration: block all traffic between two LANs except for a server with multiple services.
 
Zavi
newbie
Posts: 28
Joined: Thu Jul 05, 2012 1:02 pm
Location: Czech Republic

Re: Firewall rules between two LAN help

Mon Aug 27, 2012 12:18 am

I think I figured it out: you allow established connections, but to establish a TCP connection you already need a link in both directions.

So I think you should allow all traffic from the server to the second network, so it can respond and establish the connection; then the established rule isn't needed.
RB751G-2HnD & RB2011UiAS-2HnD-IN at home
 
sirEgghead
just joined
Posts: 19
Joined: Mon Aug 27, 2012 10:54 pm

Re: Firewall rules between two LAN help

Tue Aug 28, 2012 7:26 pm

/ip firewall address-list add list="servers" address=192.168.20.100
/ip firewall address-list add list="servers" address=192.168.20.101
/ip firewall address-list add list="servers" address=192.168.30.100
/ip firewall address-list add list="servers" address=192.168.30.101

/ip firewall filter add comment="allow servers" disabled=no chain=forward src-address-list="servers" action=accept
/ip firewall filter add disabled=no chain=forward dst-address-list="servers" action=accept

/ip firewall filter add comment="dropLANa-LANb" disabled=no chain=forward in-interface=ether2-LANA out-interface=ether3-LANB action=drop
/ip firewall filter add comment="dropLANb-LANa" disabled=no chain=forward in-interface=ether3-LANB out-interface=ether2-LANA action=drop

Since the "allow servers" rules come first, connections to and from the servers are accepted before the drop rules are even checked. The "established" and "related" rules are not needed in this case. Simplifies things. You can narrow the server access rules if you like. For instance, adding another address list and changing the 2 "allow servers" rules would look something like:

/ip firewall address-list add list="LANs" address=192.168.20.0/24
/ip firewall address-list add list="LANs" address=192.168.30.0/24

/ip firewall filter add comment="allow servers" disabled=no chain=forward src-address-list="LANs" dst-address-list="servers" action=accept
/ip firewall filter add chain=forward src-address-list="servers" dst-address-list="LANs" action=accept

Let's say you want to allow everyone on both LANs access to your servers except for a computer that is used exclusively for guests. Let's call this guest computer's address 192.168.30.200. You can add these 2 drop rules above your existing accept filter rules:

/ip firewall filter add comment="no guest access to server" disabled=no chain=forward src-address=192.168.30.200 dst-address-list="servers" action=drop
/ip firewall filter add disabled=no chain=forward dst-address=192.168.30.200 src-address-list="servers" action=drop

Or you could combine it with your existing filter rules:

/ip firewall filter add comment="allow servers" disabled=no chain=forward src-address-list="LANs" dst-address-list="servers" src-address=!192.168.30.200 action=accept
/ip firewall filter add disabled=no chain=forward src-address-list="servers" dst-address-list="LANs" dst-address=!192.168.30.200 action=accept

I hope this helps!

Thomas
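To make the first-match behaviour discussed in this thread concrete (CelticComms's point that order matters, Zavi's point that the "established" rules depend on connection tracking, and the server-first ruleset in the post above), here is a small Python model of the forward chain. It is an added example, not RouterOS code and not something any participant posted. It feeds the original poster's rules and the server-first rules the same packets: the SYN from a client on LAN A to a server on LAN B, the server's SYN-ACK as conntrack classifies it (established), the same SYN-ACK if conntrack did not track the connection, and a SYN from the guest machine. The client address 192.168.20.50 and the address-list contents are assumptions; only the matchers used in the thread are modelled, and a packet that matches no rule is accepted, as in the RouterOS forward chain.

```python
# Toy first-match model of a RouterOS /ip firewall filter forward chain.
# Added example for this thread, not RouterOS code; only the matchers used in
# the thread are modelled (interfaces, address lists, connection-state,
# src/dst-address with "!" negation).
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed address lists; the host addresses are assumptions for this example.
ADDRESS_LISTS = {
    "listA": {"192.168.20.100", "192.168.20.101"},
    "listB": {"192.168.30.100", "192.168.30.101"},
    "servers": {"192.168.20.100", "192.168.20.101",
                "192.168.30.100", "192.168.30.101"},
    "LANs": {"192.168.20.0/24", "192.168.30.0/24"},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: str
    state: str  # conntrack classification: "new", "established" or "related"


def parse_rule(line):
    """Turn a RouterOS-style 'key=value key=value' line into a dict."""
    rule = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        rule[key] = value
    return rule


def in_list(address, list_name):
    """Address-list entries may be single hosts or CIDR prefixes."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(entry, strict=False)
               for entry in ADDRESS_LISTS[list_name])


def address_matches(value, address):
    """src-address / dst-address matcher, honouring the '!' negation."""
    return address != value[1:] if value.startswith("!") else address == value


def matches(rule, pkt):
    """Every matcher present in the rule must hold for the packet."""
    checks = {
        "in-interface": lambda v: pkt.in_iface == v,
        "out-interface": lambda v: pkt.out_iface == v,
        "src-address-list": lambda v: in_list(pkt.src, v),
        "dst-address-list": lambda v: in_list(pkt.dst, v),
        "connection-state": lambda v: pkt.state in v.split(","),
        "src-address": lambda v: address_matches(v, pkt.src),
        "dst-address": lambda v: address_matches(v, pkt.dst),
    }
    return all(fn(rule[key]) for key, fn in checks.items() if key in rule)


def evaluate(rules, pkt):
    """First matching rule decides; no match falls through to accept."""
    for index, rule in enumerate(rules):
        if rule.get("chain") == "forward" and matches(rule, pkt):
            return rule["action"], index
    return "accept", None


def ruleset(text):
    return [parse_rule(line) for line in text.strip().splitlines()]


# The original poster's rules, in the order given in the thread.
OP_RULES = ruleset("""
chain=forward action=accept dst-address-list=listB in-interface=ether2-LANA out-interface=ether3-LANB
chain=forward action=accept connection-state=established src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
chain=forward action=accept connection-state=related src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
chain=forward action=drop in-interface=ether2-LANA out-interface=ether3-LANB
chain=forward action=accept dst-address-list=listA in-interface=ether3-LANB out-interface=ether2-LANA
chain=forward action=accept connection-state=established src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA
chain=forward action=accept connection-state=related src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA
chain=forward action=drop in-interface=ether3-LANB out-interface=ether2-LANA
""")

# Server-first rules with the guest exclusion, placed ahead of the two drops.
SERVER_FIRST_RULES = ruleset("""
chain=forward src-address-list=LANs dst-address-list=servers src-address=!192.168.30.200 action=accept
chain=forward src-address-list=servers dst-address-list=LANs dst-address=!192.168.30.200 action=accept
chain=forward in-interface=ether2-LANA out-interface=ether3-LANB action=drop
chain=forward in-interface=ether3-LANB out-interface=ether2-LANA action=drop
""")

# Constructed handshake: client 192.168.20.50 on LAN A to server 192.168.30.100 on LAN B.
SYN = Packet("192.168.20.50", "192.168.30.100", "ether2-LANA", "ether3-LANB", "new")
SYN_ACK = Packet("192.168.30.100", "192.168.20.50", "ether3-LANB", "ether2-LANA", "established")
SYN_ACK_UNTRACKED = Packet("192.168.30.100", "192.168.20.50", "ether3-LANB", "ether2-LANA", "new")
GUEST_SYN = Packet("192.168.30.200", "192.168.20.100", "ether3-LANB", "ether2-LANA", "new")

if __name__ == "__main__":
    for name, rules in (("OP", OP_RULES), ("server-first", SERVER_FIRST_RULES)):
        for label, pkt in (("SYN", SYN), ("SYN-ACK", SYN_ACK),
                           ("untracked SYN-ACK", SYN_ACK_UNTRACKED), ("guest SYN", GUEST_SYN)):
            print(f"{name:12} {label:18} -> {evaluate(rules, pkt)}")
```

Running it shows the difference the thread is circling around: with the original poster's ordering the server's reply is accepted only when conntrack labels it established (rule index 5), and the same reply classified as new falls through to the B-to-A drop (index 7); with the server-first ordering both directions match the address-list accepts regardless of connection state, and the guest's SYN skips the negated accept and lands on the drop.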
 
patrickmkt
Member Candidate
Topic Author
Posts: 174
Joined: Sat Jul 28, 2012 5:21 pm

Re: Firewall rules between two LAN help

Wed Aug 29, 2012 2:16 pm

Thanks. makes things a little bit more clear in my head ;-)
 
sirEgghead
just joined
Posts: 19
Joined: Mon Aug 27, 2012 10:54 pm

Re: Firewall rules between two LAN help

Wed Aug 29, 2012 4:41 pm

Get everything sorted out?
 
rixon
just joined
Posts: 1
Joined: Fri Nov 09, 2012 1:56 pm

Re: Firewall rules between two LAN help

Fri Nov 09, 2012 2:39 pm

Hi everyone,

I have three separate LANs, which are blocked by firewall rules that drop packets between them.
I want to add an exception for two servers from two separate LANs, so they can communicate with each other.

Any suggestions?
 
y0d4
newbie
Posts: 31
Joined: Wed May 29, 2013 1:22 am

Re: Firewall rules between two LAN help

Sun Nov 03, 2013 2:04 am

same question here :)
any help?
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: Firewall rules between two LAN help

Sun Nov 10, 2013 3:52 am

As stated above, you will need a rule that allows the servers to communicate with all LANs, a rule that allows all LANs to communicate with the servers and finally a rule that drops all packets not meeting these rules. The drop rule needs to be last.
 
y0d4
newbie
Posts: 31
Joined: Wed May 29, 2013 1:22 am

Re: Firewall rules between two LAN help

Sun Nov 10, 2013 5:14 pm
