JasonEde
newbie
Topic Author
Posts: 29
Joined: Thu Jun 14, 2012 11:32 am
Location: Sheffield

bridging firewall with each port restricted to 1 public IP

Fri Jan 18, 2013 4:24 pm

We're looking to set up a MikroTik as a bridging firewall, and we're starting off by trying this on a 750G.

I've got the router set up on the test range 172.16.154.1/24.

I've got port 1 as the gateway,
port 2 as the management network

port 4 as 172.16.254.10
port 5 as 172.16.254.11

There is a bridge called no-nat connecting ports 1, 4 and 5, with the firewall on.

We want to isolate all traffic between ports other than what is allowed by the firewall, allow all outbound connections from the "local" ports, and then add some inbound rules to allow certain traffic in to specified IPs. Currently there is just 1 inbound rule, allowing web traffic on port 80 to .11.

We also want to block all traffic on port 4 and 5 not from their allocated IP.

Below is the config we're using. Does this make sense, or are we overly complicating things? It seems to work, although most of the traffic seems to go through the established and related rules.

# jan/18/2013 13:39:27 by RouterOS 6.0rc6
#
/interface bridge
add l2mtu=1598 name=no-nat
/interface ethernet
set 2 master-port=ether2-master-local
/ip neighbor discovery
set ether1-gateway discover=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master-local name=\
    default
/interface bridge port
add bridge=no-nat interface=ether4-master
add bridge=no-nat interface=ether5-master
add bridge=no-nat interface=ether1-gateway
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether2-master-local network=192.168.88.0
add address=172.16.254.1/24 interface=no-nat network=172.16.254.0
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=172.16.1.1
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=forward comment="Allow all out on eth1 gw" out-bridge-port=\
    ether1-gateway out-interface=no-nat
add action=drop chain=forward comment=\
    "block all traffic from bridge port 4 not on .10" in-bridge-port=\
    ether4-master src-address=!172.16.254.10
add action=drop chain=forward comment=\
    "block all traffic from port 5 not on .11" in-bridge-port=ether5-master \
    src-address=!172.16.254.11
add chain=input comment="default configuration" disabled=yes in-interface=\
    ether1-gateway protocol=icmp
add chain=input comment="default configuration" connection-state=established \
    in-bridge-port=ether1-gateway in-interface=no-nat
add chain=input comment="default configuration" connection-state=related \
    in-bridge-port=ether1-gateway in-interface=no-nat
add chain=forward comment="echo reply" icmp-options=0:0 protocol=icmp
add chain=forward comment="Allow all established traffic to bridge" \
    connection-state=established in-interface=no-nat
add chain=forward comment="Allow all related traffic to bridge" \
    connection-state=related in-interface=no-nat
add chain=forward comment="allow web traffic to .11" disabled=yes \
    dst-address=172.16.254.11 dst-port=80 protocol=tcp
add action=reject chain=forward comment=\
    "block all bridge traffic between ports not already allowed" \
    in-bridge-port=!ether1-gateway in-interface=no-nat out-bridge-port=\
    !ether1-gateway out-interface=no-nat reject-with=icmp-host-prohibited
add action=drop chain=forward comment=\
    "block anything in through eth1 gw not already allowed" in-bridge-port=\
    ether1-gateway in-interface=no-nat
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0 !to-ports
/ip proxy
set max-cache-size=none
/queue interface
set ether1-gateway queue=ethernet-default
set ether2-master-local queue=ethernet-default
set ether3-slave-local queue=ethernet-default
set ether4-master queue=ethernet-default
set ether5-master queue=ethernet-default
/system clock
set time-zone-name=Europe/London
/tool mac-server
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-master
add disabled=no interface=ether5-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-master
add interface=ether5-master
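
The forward chain from the post, reordered as an added example (not the poster's configuration) so that the per-port source-address drops are evaluated before the blanket "allow all out on eth1 gw" accept, which in the posted order matches every frame leaving via the gateway port before the drops are reached. Interface names and addresses are those from the post; the bridge-filter ARP rules are an assumed addition covering the Layer 2 side that the IP firewall does not inspect.

```routeros
# Added example, not the poster's export. Same bridge (no-nat), same ports.
/ip firewall filter
# 1. Per-port source restriction first, so no later accept can bypass it.
add chain=forward action=drop in-bridge-port=ether4-master \
    src-address=!172.16.254.10 comment="ether4 may only source .10"
add chain=forward action=drop in-bridge-port=ether5-master \
    src-address=!172.16.254.11 comment="ether5 may only source .11"
# 2. Reply traffic for connections that were already permitted.
add chain=forward action=accept connection-state=established \
    in-interface=no-nat comment="established"
add chain=forward action=accept connection-state=related \
    in-interface=no-nat comment="related"
# 3. Outbound from the local ports to the gateway port only.
add chain=forward action=accept in-bridge-port=!ether1-gateway \
    out-bridge-port=ether1-gateway comment="local ports -> gateway"
# 4. Inbound from the gateway: one explicit rule per published service,
#    matched on the ingress bridge port so it is not reachable from ether4.
add chain=forward action=accept in-bridge-port=ether1-gateway \
    dst-address=172.16.254.11 protocol=tcp dst-port=80 \
    comment="web to .11"
# 5. Everything else: traffic between local ports, and unsolicited inbound.
add chain=forward action=reject reject-with=icmp-host-prohibited \
    in-bridge-port=!ether1-gateway out-bridge-port=!ether1-gateway \
    comment="no traffic between local ports"
add chain=forward action=drop in-bridge-port=ether1-gateway \
    comment="drop unsolicited inbound"

# Assumed addition: ARP is not IP, so the rules above never see it. Pin the
# address each local port may announce at Layer 2 as well.
/interface bridge filter
add chain=forward action=drop in-interface=ether4-master mac-protocol=arp \
    arp-src-address=!172.16.254.10/32 comment="ether4 may only ARP as .10"
add chain=forward action=drop in-interface=ether5-master mac-protocol=arp \
    arp-src-address=!172.16.254.11/32 comment="ether5 may only ARP as .11"
```

Check the order with /ip firewall filter print stats after some traffic: the two source-restriction drops should sit at positions 0 and 1, and the established/related counters are expected to carry most of the packets, since only the first packet of each connection reaches the later accept rules.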
