chromatel
just joined
Topic Author
Posts: 24
Joined: Tue Nov 05, 2013 4:25 pm

Router can ping other network but it should not

Tue Nov 05, 2013 4:34 pm

OK, so here is my issue: my LAN is in the 10.0.0.0 network. Now I want one of my ports to be on a separate network. It's not bridged to anything, so I added an IP address to that interface, 172.16.0.1, and for some reason I can ping that IP from my LAN on the 10.x.x network. I don't have any routing rules to allow access to that. Is there something I may be doing wrong?

Thanks!

Here are some bits from my config

Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; LAN IP
10.0.0.5/8 10.0.0.0 wlan1
1 ;;; MX1
173.246.xx.xx7/32 173.246.xx.xx7 pppoe-out1
2 ;;; MX2
173.246.xx.xx8/32 173.246.xx.xx8 pppoe-out1
3 ;;; HTTP
173.246.xx.xx9/32 173.246.xx.xx9 pppoe-out1
4 ;;; VPN
173.246.xx.xx0/32 173.246.xx.xx0 pppoe-out1
5 172.16.0.1/12 172.16.0.0 ether1
6 D 69.165.xx.xx/32 206.248.xx.xx2 pppoe-out1


INTERFACE
Flags: X - disabled, R - running
0 R ;;; LAN/WLAN BRIDGE
name="bridge1" mtu=1500 l2mtu=2290 arp=enabled
mac-address=D4:CA:6D:6F:74:6B protocol-mode=rstp priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m

PORT
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 bonding1 bridge1 0x80 10 none
1 wlan1 bridge1 0x80 10 none

HOST
Flags: L - local, E - external-fdb
BRIDGE MAC-ADDRESS ON-INTERFACE AGE
bridge1 00:0F:20:D1:BD:34 bonding1 13s
bridge1 00:13:72:3A:2B:31 bonding1 1s
bridge1 00:15:17:8C:8E:FA bonding1 2m43s
bridge1 00:15:17:8C:8E:FB bonding1 2m43s
bridge1 00:15:5D:1E:77:01 bonding1 24s
bridge1 00:15:5D:1E:77:03 bonding1 36s
bridge1 00:15:5D:1E:77:05 bonding1 0s
bridge1 00:15:5D:1E:E5:03 bonding1 1s
bridge1 00:15:5D:1E:E5:05 bonding1 1m22s
bridge1 00:18:8B:84:E4:2B bonding1 2m38s
bridge1 00:1A:A0:0D:68:E7 bonding1 2m13s
bridge1 00:21:9B:C0:2C:F9 bonding1 2s
bridge1 00:21:9B:C0:2D:26 bonding1 21s
bridge1 00:21:9B:C0:2D:27 bonding1 22s
bridge1 00:21:9B:C0:2D:28 bonding1 21s
bridge1 00:21:9B:C0:2D:29 bonding1 21s
bridge1 00:57:47:01:FA:88 bonding1 15s
L bridge1 D4:CA:6D:6F:74:6B bonding1 0s
L bridge1 D4:CA:6D:6F:74:74 wlan1 0s
bridge1 D4:CA:6D:9A:70:F3 wlan1 52s
bridge1 F0:7D:68:03:7D:D3 wlan1 1s
bridge1 F4:6D:04:AD:BA:A9 bonding1 0s

FILTER
Flags: X - disabled, I - invalid, D - dynamic

Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION BYTES PACKETS

NAT
Flags: X - disabled, I - invalid, D - dynamic

Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION BYTES PACKETS

SETTINGS
use-ip-firewall: yes
use-ip-firewall-for-vlan: no
use-ip-firewall-for-pppoe: no
allow-fast-path: yes
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: Router can ping other network but it should not

Thu Nov 07, 2013 1:13 pm

As you have the route to the 172.16.0.0 network in your route list, the routerboard will route any traffic it receives to that location by default.

That route would have been auto-added when the interface IP of 172.16.0.1 was assigned. That traffic can be easily stopped by creating a firewall rule. However, that route must remain present for the router itself to communicate on the separate network. If you need help to create a firewall rule, I will require information such as the interface identifiers for the networks and the IP addresses and subnets, i.e. (172.16.0.0/24). Use Winbox to make the task easier, and use chain=forward, action=drop, out interface=(the 172.16.0.1 interface, whatever ether it is, e.g. eth6), DST address=172.16.0.0/24. If the subnet mask is not 255.255.255.0 it will be something other than /24.

Let me know if there is any problem.
 
chromatel
just joined
Topic Author
Posts: 24
Joined: Tue Nov 05, 2013 4:25 pm

Re: Router can ping other network but it should not

Mon Nov 11, 2013 6:04 pm

> As you have the route to the 172.16.0.0 network in your route list, the routerboard will route any traffic it receives to that location by default.
>
> That route would have been auto-added when the interface IP of 172.16.0.1 was assigned. That traffic can be easily stopped by creating a firewall rule. However, that route must remain present for the router itself to communicate on the separate network. If you need help to create a firewall rule, I will require information such as the interface identifiers for the networks and the IP addresses and subnets, i.e. (172.16.0.0/24). Use Winbox to make the task easier, and use chain=forward, action=drop, out interface=(the 172.16.0.1 interface, whatever ether it is, e.g. eth6), DST address=172.16.0.0/24. If the subnet mask is not 255.255.255.0 it will be something other than /24.
>
> Let me know if there is any problem.

This is perfect, I will figure out how to make the firewall rule to block this. Thanks!
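
An added example, not part of either post: one way to write the isolation discussed in this thread as RouterOS filter rules, using the 10.0.0.0/8 and 172.16.0.0/12 networks from the posted address list. It assumes the filter table is empty, as in the posted config, and matches on addresses rather than interfaces; the comments are illustrative. Packets addressed to 172.16.0.1 itself are delivered to the router, so they traverse the input chain and need their own rule in addition to the forward rules.

```routeros
/ip firewall filter
# Routed traffic between the two connected networks (forward chain).
add chain=forward action=drop src-address=10.0.0.0/8 dst-address=172.16.0.0/12 \
    comment="LAN -> ether1 network"
add chain=forward action=drop src-address=172.16.0.0/12 dst-address=10.0.0.0/8 \
    comment="ether1 network -> LAN"
# Traffic from the LAN to the router's own ether1 address (input chain).
# Without this rule, a ping from 10.x.x.x to 172.16.0.1 is still answered.
add chain=input action=drop src-address=10.0.0.0/8 dst-address=172.16.0.1 \
    comment="LAN -> router address on ether1"
# Check the packet counters after testing from a LAN host.
print stats
```

The connected route for 172.16.0.0/12 stays in place, so the router itself can still reach hosts on ether1.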
