Community discussions

MikroTik App
 
peter187
just joined
Topic Author
Posts: 4
Joined: Tue Mar 01, 2016 1:20 pm

Mikrotik block traffic between subnets

Tue Mar 01, 2016 1:34 pm

Hello, I need little help with mikrotik configuration. I have few subnets on few mikrotik devices, and one mikrotik that is my GW. Mikrotik devices are in bridge on network 192.168.0.0/22, GW is 192.168.0.1. on each mikrotik i have set subnets like 192.168.4.0/24, 192.168.6.0/24, 192.168.8.0/24, 192.168.10.0/24, 192.168.12.0/24, etc. On GW I have set routing that allow other subnets connect to Internet, its like:
/ip route add dst-address=192.168.4.0/24 gateway=192.168.0.4
/ip route add dst-address=192.168.6.0/24 gateway=192.168.0.6, etc.
Everything is working, but i have problem with local traffic, all subnets are seeing each other, so PC from 192.168.4.0/24 can connect with PC from 192.168.12.0/24. I want to block it, but i have no idea how to do this, Anyone can help me?
Last edited by peter187 on Wed Mar 02, 2016 4:55 pm, edited 1 time in total.
 
trace323
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Thu May 07, 2015 5:52 pm

Re: Mikrotik block traffic between subnets

Tue Mar 01, 2016 10:43 pm

Go to Bridge > Ports > Select one of the stuff u have here > then for Horizion put 1 on each one. That will isolate all of them from each other.
 
peter187
just joined
Topic Author
Posts: 4
Joined: Tue Mar 01, 2016 1:20 pm

Re: Mikrotik block traffic between subnets

Wed Mar 02, 2016 10:51 am

Thank you for response, it would work if it will be all on one mikrotik, but its not. Scheme is like this:

MRT1 (GW with firewall and routing table) -----> MRT2 (here are 10 LAN ports and here are connected all parts of network, means other mikrotik devices with subnets)
so I think your advice will isolate me only ports from each other, but I need to isolate networks, and in y opinion it need to be done on MRT1, but I can be wrong, thats why I need some help :/
 
User avatar
ShayanFiroozi
Member Candidate
Member Candidate
Posts: 284
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Mikrotik block traffic between subnets

Wed Mar 02, 2016 11:03 am

Hi

They are seeing each other because this is ROUTER ! your device routing your traffic between your subnets , because your have assigned ip address for each interface and of course there are dynamic routes on your routing table,

use IP firewall and you can easily deny any traffic you want , use forward chain , not input or output

if your network is bridged you can also use Bridge firewall
The price of your knowledge which you have to pay is to share it with others !!
 
peter187
just joined
Topic Author
Posts: 4
Joined: Tue Mar 01, 2016 1:20 pm

Re: Mikrotik block traffic between subnets

Wed Mar 02, 2016 11:28 am

That was one of my idea to use IP Firewall, but i hoped there would be some other way to block it. In my case there is about 80 subnets, so it will be many rules in firewall. First idea was to block one by one:
/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.4.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.6.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.8.0/24, etc.
but it would be few hundred of rules to wirte so I tried to do domething else.

Next, i thought about allow each subnet to acces main network 192.168.0.0/22 (all mikrotik devices are in this network MRT GW 192.168.0.1, MRT2 192.168.0.3, MRT3 192.168.0.4, etc)
/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.0.0/22
/ip firewall filter add chain=forward action=drop src-address=192.168.4.0/24 dst-address=192.168.0.0/22, etc
and as the last rule:
/ip firewall filter add action=drop chain=forward comment="" disabled=no

But I when I did that, I lost connection with Internet on all devices, so I made something wrong but dont know what.
 
User avatar
ShayanFiroozi
Member Candidate
Member Candidate
Posts: 284
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Mikrotik block traffic between subnets

Wed Mar 02, 2016 3:35 pm

That was one of my idea to use IP Firewall, but i hoped there would be some other way to block it. In my case there is about 80 subnets, so it will be many rules in firewall. First idea was to block one by one:
/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.4.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.6.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.8.0/24, etc.
but it would be few hundred of rules to wirte so I tried to do domething else.

Next, i thought about allow each subnet to acces main network 192.168.0.0/22 (all mikrotik devices are in this network MRT GW 192.168.0.1, MRT2 192.168.0.3, MRT3 192.168.0.4, etc)
/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.0.0/22
/ip firewall filter add chain=forward action=drop src-address=192.168.4.0/24 dst-address=192.168.0.0/22, etc
and as the last rule:
/ip firewall filter add action=drop chain=forward comment="" disabled=no

But I when I did that, I lost connection with Internet on all devices, so I made something wrong but dont know what.
So obviously you are dropping any packest,where did you allow your subnets to access your main network??? There is not any allowance , I can not see them,all of them are just drop
The price of your knowledge which you have to pay is to share it with others !!
 
peter187
just joined
Topic Author
Posts: 4
Joined: Tue Mar 01, 2016 1:20 pm

Re: Mikrotik block traffic between subnets

Wed Mar 02, 2016 3:54 pm


So obviously you are dropping any packest,where did you allow your subnets to access your main network??? There is not any allowance , I can not see them,all of them are just drop
Main network (where all devices are) is 192.168.0.0/22, Main mikrotik (GW) is 192.168.0.1 on LAN and 77.22.45.2 on WAN. In firewall I wrote those rules:

/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.0.0/22
/ip firewall filter add chain=forward action=drop src-address=192.168.4.0/24 dst-address=192.168.0.0/22
/ip firewall filter add chain=forward action=drop src-address=192.168.6.0/24 dst-address=192.168.0.0/22
.....
.....
/ip firewall filter add chain=forward action=drop src-address=192.168.0.0/22 dst-address=192.168.2.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.0.0/22 dst-address=192.168.4.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.0.0/22 dst-address=192.168.6.0/24
/ip firewall filter add action=drop chain=forward comment="" disabled=no

So I think subnets now are allowed to access main network (192.168.0.0/22), I can ping GW 192.168.0.1 from any subnet, but I have no access to Internet
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Mikrotik block traffic between subnets

Wed Mar 02, 2016 5:52 pm

I would say there are two simple ways to do this:

1) make a blanket rule blocking lan-lan by using private IP ranges:

/ip firewall filter
add chain=forward action=drop src-address=192.168.0.0/16 dst-address=192.168.0.0/16

If you have private IP ranges that you want to grant access to, then place exceptions like this:
add chain=forward action=accept dst-address=192.168.32.0/24 comment="server network"
... and make sure the exceptions come before the above rule in your filter chain.

2) use address lists

/ip firewall address-list
add list=IsolatedLANs address=192.168.2.0/24
add list=IsolatedLANs address=192.168.4.0/24
add list=IsolatedLANs address=192.168.6.0/24
etc....

/ip firewall filter
add chain=forward action=drop src-address-list=IsolatedLANs dst-address-list=IsolatedLANs

-- This second method doesn't require any exceptions for "server lans" because you would simply not put the server lan address range into the IsolatedLANs address list. The second method takes a little more maintenance (you need to remember to add customer LANs to this list whenever you provision new customers) but it's more explicit and gives you control over which LANs you want isolated and which you do not.

Now - one thing to consider is that when doing it like either of these methods, you need to make sure that NAT does not apply to traffic that is not going out the Internet interface, but it sounds like this is already how your router works because you're able to "see" lan1 from lan2, etc... but I wanted to point this out because the filter rule is called after any dst-nat but before any src-nat/masquerade rules.
When given a spoon,
you should not cling to your fork.
The soup will get cold.

Who is online

Users browsing this forum: Bambie, cknolla, digin4, zerospace and 54 guests