Firewall rules between two LAN help

Posted: Fri Aug 17, 2012 8:13 am
by patrickmkt
Hi, I have the following setup:

ether1-gateway : WAN 192.168.1.1/24
ether2-LANA: LAN A 192.168.20.1/24
ether3-LANB: LAN B 192.168.30.1/24

With the default setup, there is no access from the WAN to any LAN, but each LAN can connect to the other LAN or WAN.

Now I want to isolate both LANs:
chain=forward action=drop in-interface=ether2-LANA out-interface=ether3-LANB
chain=forward action=drop in-interface=ether3-LANB out-interface=ether2-LANA

so far, so good.

Now I want to add two servers on LAN A and two servers on LAN B that should be accessible from both LANs.

I created the following rules before the previous drop

Address list: listA: server A1, A2; listB: server B1, B2.
chain=forward action=accept dst-address-list=listA in-interface=ether3-LANB out-interface=ether2-LANA
chain=forward action=accept dst-address-list=listB in-interface=ether2-LANA out-interface=ether3-LANB

It doesn't work unless I disable the drop rule.
I thought that maybe I had to add a return path rule for established & related connections, so I added:

chain=forward action=accept connection-state=established src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
chain=forward action=accept connection-state=related src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
chain=forward action=accept connection-state=established src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA
chain=forward action=accept connection-state=related src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA

but still no joy: the returning packets are still hitting the drop rule.

What am I doing wrong here?

Re: Firewall rules between two LAN help

Posted: Fri Aug 17, 2012 4:57 pm
by CelticComms
It would be helpful to see the rules in context and in the order in which they are installed - order matters.

I would encourage you to rethink the logic on the forwarding rules. Your last forwarding rule should be a drop all rule. Anything you want to forward should be covered by an accept rule above the "drop all". In other words forwarding should be the exception and dropping should be the default.

Re: Firewall rules between two LAN help

Posted: Fri Aug 17, 2012 5:27 pm
by patrickmkt
OK, I was maybe not clear enough in my prose; here's the order of my rules:

;;; from A to B
     chain=forward action=accept dst-address-list=listB in-interface=ether2-LANA out-interface=ether3-LANB
     chain=forward action=accept connection-state=established src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
     chain=forward action=accept connection-state=related src-address-list=listA in-interface=ether2-LANA out-interface=ether3-LANB
     chain=forward action=drop in-interface=ether2-LANA out-interface=ether3-LANB

;;; from B to A
     chain=forward action=accept dst-address-list=listA in-interface=ether3-LANB out-interface=ether2-LANA
     chain=forward action=accept connection-state=established src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA
     chain=forward action=accept connection-state=related src-address-list=listB in-interface=ether3-LANB out-interface=ether2-LANA
     chain=forward action=drop in-interface=ether3-LANB out-interface=ether2-LANA

;;; default configuration
     chain=input action=accept protocol=icmp
     chain=input action=accept connection-state=established
     chain=input action=accept connection-state=related
     chain=input action=drop in-interface=ether1-gateway

but when I'm trying to connect to the server from the other LAN, my drop rule blocks all returning traffic from the server.

Re: Firewall rules between two LAN help

Posted: Sun Aug 26, 2012 4:00 pm
by patrickmkt
nobody?

Re: Firewall rules between two LAN help

Posted: Sun Aug 26, 2012 11:01 pm
by Zavi
Is conntrack enabled? It's required by "established" and "related" rules.

Re: Firewall rules between two LAN help

Posted: Sun Aug 26, 2012 11:43 pm
by patrickmkt
Is conntrack enabled?
Yes I just checked.
I'm probably doing something blatantly stupid here but I can't put my finger on it. Could it be on the established rule? Should the dest and source address be from the inbound point of view or the return path? Maybe I've put it the wrong way?
I haven't found in the wiki any sample examples for this simple configuration: block all traffic between two LANs except for a server with multiple services.

Re: Firewall rules between two LAN help

Posted: Mon Aug 27, 2012 12:18 am
by Zavi
I think I figured it out: you allow established connections, but to establish a TCP connection you already need a link in both directions.

So I think you should allow all traffic from the server to the second network, so it can respond and establish the connection; then the established rule isn't needed.

Re: Firewall rules between two LAN help

Posted: Tue Aug 28, 2012 7:26 pm
by sirEgghead
/ip firewall address-list add list="servers" address=192.168.20.100
/ip firewall address-list add list="servers" address=192.168.20.101
/ip firewall address-list add list="servers" address=192.168.30.100
/ip firewall address-list add list="servers" address=192.168.30.101

/ip firewall filter add comment="allow servers" disabled=no chain=forward src-address-list="servers" action=accept
/ip firewall filter add disabled=no chain=forward dst-address-list="servers" action=accept

/ip firewall filter add comment="dropLANa-LANb" disabled=no chain=forward in-interface=ether2-LANA out-interface=ether3-LANB action=drop
/ip firewall filter add comment="dropLANb-LANa" disabled=no chain=forward in-interface=ether3-LANB out-interface=ether2-LANA action=drop
Since the "allow servers" rules come first, connections to and from the servers are allowed before the drop rules are even checked. The "established" and "related" rules are not needed in this case. Simplifies things. You can narrow the server access rules if you like. For instance, adding another address list and changing the 2 "allow server" rules would look something like:
/ip firewall address-list add list="LANs" address=192.168.20.0/24
/ip firewall address-list add list="LANs" address=192.168.30.0/24

/ip firewall filter add comment="allow servers" disabled=no chain=forward src-address-list="LANs" dst-address-list="servers" action=accept
/ip firewall filter add chain=forward src-address-list="servers" dst-address-list="LANs" action=accept
Let's say you want to allow access to your servers to everyone on both LANs except for a computer that is used exclusively for guests. Let's call this guest computer's address 192.168.30.200. You can add these 2 drop rules above your existing allow filter rules:
/ip firewall filter add comment="no guest access to server" disabled=no chain=forward src-address=192.168.30.200 dst-address-list="servers" action=drop
/ip firewall filter add disabled=no chain=forward dst-address=192.168.30.200 src-address-list="servers" action=drop
Or you could combine it with your existing filter rules:
/ip firewall filter add comment="allow servers" disabled=no chain=forward src-address-list="LANs" dst-address-list="servers" src-address=!192.168.30.200 action=accept
/ip firewall filter add disabled=no chain=forward src-address-list="servers" dst-address-list="LANs" dst-address=!192.168.30.200 action=accept
I hope this helps!

Thomas
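As an added illustration (not code from the thread or from RouterOS), a small Python first-match model of the forward chain using sirEgghead's address lists and rule order, so the effect of ordering can be checked offline; the addresses and the guest host are the thread's constructed values, and the evaluator assumes RouterOS's default accept when no rule matches.

```python
import ipaddress

# Constructed values taken from the thread: address lists, LAN interfaces, guest host.
ADDRESS_LISTS = {
    "servers": ["192.168.20.100", "192.168.20.101", "192.168.30.100", "192.168.30.101"],
    "LANs": ["192.168.20.0/24", "192.168.30.0/24"],
}
INTERFACES = {"192.168.20.0/24": "ether2-LANA", "192.168.30.0/24": "ether3-LANB"}
GUEST = "192.168.30.200"

def in_list(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in ADDRESS_LISTS[name])

def iface_of(addr):
    # Interface a packet enters/leaves on, derived from the address; anything else is the WAN side.
    ip = ipaddress.ip_address(addr)
    return next((i for n, i in INTERFACES.items() if ip in ipaddress.ip_network(n)), "ether1-gateway")

def matches(rule, src, dst):
    # Every matcher present on the rule must hold; src_not/dst_not model src-address=!x.
    checks = [
        ("src_list", lambda v: in_list(src, v)),
        ("dst_list", lambda v: in_list(dst, v)),
        ("in_iface", lambda v: iface_of(src) == v),
        ("out_iface", lambda v: iface_of(dst) == v),
        ("src_not", lambda v: src != v),
        ("dst_not", lambda v: dst != v),
    ]
    return all(fn(rule[k]) for k, fn in checks if k in rule)

def forward(rules, src, dst):
    """First matching rule decides; no match falls through to the chain's default accept."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule["action"]
    return "accept"

# The combined rule set from the post, in the order it would be installed.
RULES = [
    {"src_list": "LANs", "dst_list": "servers", "src_not": GUEST, "action": "accept"},
    {"src_list": "servers", "dst_list": "LANs", "dst_not": GUEST, "action": "accept"},
    {"in_iface": "ether2-LANA", "out_iface": "ether3-LANB", "action": "drop"},
    {"in_iface": "ether3-LANB", "out_iface": "ether2-LANA", "action": "drop"},
]
# The same rules with the drops moved first, to show that order alone decides the outcome.
DROPS_FIRST = RULES[2:] + RULES[:2]

if __name__ == "__main__":
    for src, dst in [("192.168.30.50", "192.168.20.100"), ("192.168.20.100", "192.168.30.50"),
                     ("192.168.30.50", "192.168.20.50"), (GUEST, "192.168.20.100")]:
        print(src, "->", dst, forward(RULES, src, dst), "/ drops first:", forward(DROPS_FIRST, src, dst))
```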

Re: Firewall rules between two LAN help

Posted: Wed Aug 29, 2012 2:16 pm
by patrickmkt
Thanks. makes things a little bit more clear in my head ;-)

Re: Firewall rules between two LAN help

Posted: Wed Aug 29, 2012 4:41 pm
by sirEgghead
Get everything sorted out?

Re: Firewall rules between two LAN help

Posted: Fri Nov 09, 2012 2:39 pm
by rixon
Hi everyone,

I have three separate LANs, which are blocked by firewall rules that drop packets between them.
I want to add an exception for two servers from two separate LANs, so they can communicate with each other.

Any suggestions?

Re: Firewall rules between two LAN help

Posted: Sun Nov 03, 2013 2:04 am
by y0d4
same question here :)
any help?

Re: Firewall rules between two LAN help

Posted: Sun Nov 10, 2013 3:52 am
by CTrain
As stated above, you will need a rule that allows the servers to communicate with all LANs, a rule that allows all LANs to communicate with the servers, and finally a rule that drops all packets not meeting these rules. The drop rule needs to be last.

Re: Firewall rules between two LAN help

Posted: Sun Nov 10, 2013 5:14 pm
by y0d4