
Mikrotik block traffic between subnets

Posted: Tue Mar 01, 2016 1:34 pm
by peter187
Hello, I need a little help with MikroTik configuration. I have a few subnets on a few MikroTik devices, and one MikroTik that is my GW. The MikroTik devices are in a bridge on network 192.168.0.0/22; the GW is 192.168.0.1. On each MikroTik I have set subnets like 192.168.4.0/24, 192.168.6.0/24, 192.168.8.0/24, 192.168.10.0/24, 192.168.12.0/24, etc. On the GW I have set routing that allows the other subnets to connect to the Internet; it's like:
/ip route add dst-address=192.168.4.0/24 gateway=192.168.0.4
/ip route add dst-address=192.168.6.0/24 gateway=192.168.0.6, etc.
Everything is working, but I have a problem with local traffic: all subnets can see each other, so a PC from 192.168.4.0/24 can connect to a PC from 192.168.12.0/24. I want to block it, but I have no idea how to do this. Can anyone help me?

Re: Mikrotik block traffic between subnets

Posted: Tue Mar 01, 2016 10:43 pm
by trace323
Go to Bridge > Ports > select one of the entries you have there > then for Horizon put 1 on each one. That will isolate all of them from each other.

Re: Mikrotik block traffic between subnets

Posted: Wed Mar 02, 2016 10:51 am
by peter187
Thank you for the response; it would work if it were all on one MikroTik, but it's not. The scheme is like this:

MRT1 (GW with firewall and routing table) -----> MRT2 (here are 10 LAN ports and here all parts of the network are connected, meaning the other MikroTik devices with subnets)
so I think your advice would only isolate ports from each other, but I need to isolate networks, and in my opinion it needs to be done on MRT1, but I can be wrong; that's why I need some help :/

Re: Mikrotik block traffic between subnets

Posted: Wed Mar 02, 2016 11:03 am
by ShayanFiroozi
Hi

They are seeing each other because this is a ROUTER! Your device is routing your traffic between your subnets, because you have assigned an IP address for each interface and of course there are dynamic routes in your routing table.

Use the IP firewall and you can easily deny any traffic you want; use the forward chain, not input or output.

If your network is bridged you can also use the bridge firewall.

Re: Mikrotik block traffic between subnets

Posted: Wed Mar 02, 2016 11:28 am
by peter187
That was one of my ideas, to use the IP firewall, but I hoped there would be some other way to block it. In my case there are about 80 subnets, so it will be many rules in the firewall. The first idea was to block one by one:
/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.4.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.6.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.8.0/24, etc.
but it would be a few hundred rules to write, so I tried to do something else.

Next, I thought about allowing each subnet to access the main network 192.168.0.0/22 (all MikroTik devices are in this network: MRT GW 192.168.0.1, MRT2 192.168.0.3, MRT3 192.168.0.4, etc.)
/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.0.0/22
/ip firewall filter add chain=forward action=drop src-address=192.168.4.0/24 dst-address=192.168.0.0/22, etc
and as the last rule:
/ip firewall filter add action=drop chain=forward comment="" disabled=no

But when I did that, I lost the connection to the Internet on all devices, so I made something wrong but don't know what.

Re: Mikrotik block traffic between subnets

Posted: Wed Mar 02, 2016 3:35 pm
by ShayanFiroozi
So obviously you are dropping any packets. Where did you allow your subnets to access your main network??? There is no allowance; I cannot see them. All of them are just drop.

Re: Mikrotik block traffic between subnets

Posted: Wed Mar 02, 2016 3:54 pm
by peter187

The main network (where all devices are) is 192.168.0.0/22; the main MikroTik (GW) is 192.168.0.1 on the LAN and 77.22.45.2 on the WAN. In the firewall I wrote these rules:

/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.0.0/22
/ip firewall filter add chain=forward action=drop src-address=192.168.4.0/24 dst-address=192.168.0.0/22
/ip firewall filter add chain=forward action=drop src-address=192.168.6.0/24 dst-address=192.168.0.0/22
.....
.....
/ip firewall filter add chain=forward action=drop src-address=192.168.0.0/22 dst-address=192.168.2.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.0.0/22 dst-address=192.168.4.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.0.0/22 dst-address=192.168.6.0/24
/ip firewall filter add action=drop chain=forward comment="" disabled=no

So I think the subnets are now allowed to access the main network (192.168.0.0/22); I can ping the GW 192.168.0.1 from any subnet, but I have no access to the Internet.

Re: Mikrotik block traffic between subnets

Posted: Wed Mar 02, 2016 5:52 pm
by ZeroByte
I would say there are two simple ways to do this:

1) make a blanket rule blocking LAN-to-LAN by using private IP ranges:

/ip firewall filter
add chain=forward action=drop src-address=192.168.0.0/16 dst-address=192.168.0.0/16

If you have private IP ranges that you want to grant access to, then place exceptions like this:
add chain=forward action=accept dst-address=192.168.32.0/24 comment="server network"
... and make sure the exceptions come before the above rule in your filter chain.

2) use address lists

/ip firewall address-list
add list=IsolatedLANs address=192.168.2.0/24
add list=IsolatedLANs address=192.168.4.0/24
add list=IsolatedLANs address=192.168.6.0/24
etc....

/ip firewall filter
add chain=forward action=drop src-address-list=IsolatedLANs dst-address-list=IsolatedLANs

-- This second method doesn't require any exceptions for "server LANs" because you would simply not put the server LAN address range into the IsolatedLANs address list. The second method takes a little more maintenance (you need to remember to add customer LANs to this list whenever you provision new customers), but it's more explicit and gives you control over which LANs you want isolated and which you do not.

Now, one thing to consider is that with either of these methods you need to make sure that NAT does not apply to traffic that is not going out the Internet interface. It sounds like this is already how your router works, because you're able to "see" lan1 from lan2, etc., but I wanted to point this out because the filter rule is evaluated after any dst-nat but before any src-nat/masquerade rules.
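The thread turns on two properties of the RouterOS filter that none of the posts states outright: the first matching rule in a chain decides and evaluation stops, with accept as the outcome when nothing matches; and packets addressed to the router's own address go to chain=input, so forward rules never see them (which is why peter187's GW stayed pingable while Internet traffic fell through to his catch-all drop). The following Python is an added example, not code from the thread or from MikroTik: a small first-match evaluator that replays peter187's posted ruleset and both of ZeroByte's methods against constructed packets. The IsolatedLANs membership, the router addresses, the "server network" exception and the packets are all constructed for illustration; only the matchers the posted rules actually use (src/dst prefix, address lists) are modelled.

```python
"""First-match simulation of a RouterOS IP firewall forward chain.

Added example, not code from the thread or from MikroTik. It models only
what the posted rules use (src/dst prefixes, address lists, first match
wins, default accept when nothing matches) and treats packets addressed to
the router itself as chain=input, which the forward rules never see.
All addresses, rulesets and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed address list in the spirit of ZeroByte's "IsolatedLANs":
# customer subnets 192.168.2.0/24 .. 192.168.14.0/24.
ADDRESS_LISTS: Dict[str, List[IPv4Network]] = {
    "IsolatedLANs": [IPv4Network(f"192.168.{n}.0/24") for n in range(2, 16, 2)],
}

# Constructed: addresses the gateway router owns (LAN and WAN from the thread).
ROUTER_ADDRS = {IPv4Address("192.168.0.1"), IPv4Address("77.22.45.2")}


@dataclass
class Rule:
    action: str                           # "accept" or "drop"
    src: Optional[IPv4Network] = None     # src-address=
    dst: Optional[IPv4Network] = None     # dst-address=
    src_list: Optional[str] = None        # src-address-list=
    dst_list: Optional[str] = None        # dst-address-list=
    comment: str = ""

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        """Every matcher that is set must match; an unset matcher matches all."""
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        if self.src_list and not any(src in n for n in ADDRESS_LISTS[self.src_list]):
            return False
        if self.dst_list and not any(dst in n for n in ADDRESS_LISTS[self.dst_list]):
            return False
        return True


def verdict(rules: List[Rule], src: str, dst: str) -> Tuple[str, str, str]:
    """Return (chain, action, explanation) for one packet through the gateway."""
    s, d = IPv4Address(src), IPv4Address(dst)
    if d in ROUTER_ADDRS:
        # Pings to the GW address terminate on the router: chain=input, so
        # forward rules are irrelevant (this is why the GW stays pingable).
        return ("input", "not-evaluated", "destination is the router itself")
    for rule in rules:                    # first matching rule decides
        if rule.matches(s, d):
            return ("forward", rule.action, rule.comment)
    return ("forward", "accept", "no rule matched; RouterOS default is accept")


def net(cidr: str) -> IPv4Network:
    return IPv4Network(cidr)


# peter187's posted ruleset: only drops, then a catch-all drop.
PETER187_RULES = (
    [Rule("drop", src=net(f"192.168.{n}.0/24"), dst=net("192.168.0.0/22"),
          comment=f"drop {n}->main") for n in (2, 4, 6)]
    + [Rule("drop", src=net("192.168.0.0/22"), dst=net(f"192.168.{n}.0/24"),
            comment=f"drop main->{n}") for n in (2, 4, 6)]
    + [Rule("drop", comment="catch-all drop")]
)

# ZeroByte method 1: exception first, then the blanket private-range drop.
ZEROBYTE_METHOD1 = [
    Rule("accept", dst=net("192.168.32.0/24"), comment="server network"),
    Rule("drop", src=net("192.168.0.0/16"), dst=net("192.168.0.0/16"),
         comment="blanket lan-lan drop"),
]

# ZeroByte method 2: one rule driven by the address list.
ZEROBYTE_METHOD2 = [
    Rule("drop", src_list="IsolatedLANs", dst_list="IsolatedLANs",
         comment="isolated lan-lan drop"),
]

if __name__ == "__main__":
    for name, rules in (("peter187", PETER187_RULES),
                        ("method1", ZEROBYTE_METHOD1),
                        ("method2", ZEROBYTE_METHOD2)):
        for dst in ("8.8.8.8", "192.168.12.10", "192.168.32.5", "192.168.0.1"):
            print(name, "192.168.4.10 ->", dst, verdict(rules, "192.168.4.10", dst))
```

Running it shows peter187's Internet-bound packet matched by the catch-all drop while his ping to 192.168.0.1 is classified as input and never reaches those rules; with method 1 the "server network" accept only works because it sits above the blanket drop (reverse the two rules and the same packet is dropped), and with method 2 anything not in IsolatedLANs, including the Internet and the server LAN, falls through to the default accept.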