How do I make mangle/firewall rules etc. and route traffic between ports LAN1 and LAN2 without bridging them?
Should just masquerading them work? And should firewall/mangle/queues work without bridging them?
Let me insist that you analyze a default configuration; you can check the script that applies it by issuing:
/system default-configuration print
It will serve you as a very good, simple, best-practice reference to evolve/add on top of from there. Take another router not in production, load the config, and play with it.
RouterOS, as its name implies, routes by default, i.e. it forwards IP packets not addressed to itself on to their destinations. Let's consider the most basic routing setup that will provide internet access, from a router with a completely blank setup, i.e. reset to no defaults, no bridges at all:
- WAN has an IP assigned (192.168.1.244/24 in your case)
- LAN has an IP assigned from a different network range (let's consider just one network for now, 192.168.2.1/24)
- A default route (0.0.0.0/0) is set with a reachable gateway; this is known as the default gateway (192.168.1.254 in your case)
- A masquerade rule is in place for all traffic exiting (out-interface) by the WAN interface.
If you take a laptop and plug it into the LAN ether port, setting its ethernet IP to 192.168.2.2/24 and 192.168.2.1 as default GW, you'll be able to reach the internet (ping 8.8.8.8 for example), because the hAP will route (forward) anything addressed to other than its "known" networks through the default GW, 192.168.1.254.
192.168.1.0/24 and 192.168.2.0/24 are known networks for it because you set IPs in the 192.168.1.0/24 and 192.168.2.0/24 ranges on its interfaces. That's all RouterOS needs to know that these networks are directly connected to it.
If you add another network, say LAN2, and assign an IP on top of it, say 192.168.3.1/24, and connect a laptop to LAN2, setting the laptop's ethernet IP in the 192.168.3.0/24 range with default GW 192.168.3.1, it will also be able to reach the internet, no need for any bridges.
Why? Because both the hAP knows how to reach 192.168.3.0/24 (through LAN2), and the laptop knows whom to hand traffic addressed to any network other than those known to it (192.168.3.0/24): it forwards it to its default GW, 192.168.3.1, through its ethernet.
An important thing when routing between two hosts is that both hosts need to know how to reach each other. In this last example, the hAP knows all traffic addressed to 192.168.3.0/24 should exit by LAN2 due to the IP/mask assigned to it, and the laptop knows how to reach 192.168.3.0/24 for the same reason; setting the default GW on the laptop will instruct it to send any traffic addressed to any unknown network through its default GW, 192.168.3.1.
Now to filtering:
You'll have noticed that firewall filter, mangle and nat use chains; the forward chain is the one for all forwarded traffic, i.e. all traffic traversing the router.
Now let's pretend you don't want the LAN1 network, 192.168.2.0/24, to be able to reach 192.168.3.0/24. Setting an IP > Firewall rule like
/ip firewall filter
add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.3.0/24
will take care of that.
Suppose you don't want 192.168.3.0/24 to reach 192.168.2.0/24 either; adding
/ip firewall filter
add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.3.0/24
add chain=forward action=drop src-address=192.168.3.0/24 dst-address=192.168.2.0/24
will be all the rules needed.
Suppose you want to completely isolate both LANs, regardless of the IPs involved (better practice); a firewall ruleset like
/ip firewall filter
add action=drop chain=forward in-interface=LAN1 out-interface=LAN2
add action=drop chain=forward in-interface=LAN2 out-interface=LAN1
will achieve that.
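The routed three-interface setup and the interface-based isolation rules from the answer above, put together as one complete RouterOS script. This is an added example, not the poster's configuration or MikroTik's default script; it assumes ether1/ether2/ether3 are renamed WAN/LAN1/LAN2 and reuses the addresses from the thread (192.168.1.244/24, 192.168.2.1/24, 192.168.3.1/24, gateway 192.168.1.254). The interface lists WANlist/LANlist and the rule comments are assumed names chosen here. Besides the forward rules the answer discusses, it adds stateful accept/invalid-drop rules and a default-deny at the end of both chains, in the spirit of the default configuration the answer points you to.

```routeros
# Added example (not from the forum post): routed WAN + two isolated LANs, no bridge.
# Assumed: ether1=WAN, ether2=LAN1, ether3=LAN2. Adjust to your hAP's ports.
/interface ethernet
set [ find default-name=ether1 ] name=WAN
set [ find default-name=ether2 ] name=LAN1
set [ find default-name=ether3 ] name=LAN2

# Interface lists (assumed names) so rules don't need one line per port.
/interface list
add name=WANlist
add name=LANlist
/interface list member
add interface=WAN list=WANlist
add interface=LAN1 list=LANlist
add interface=LAN2 list=LANlist

# Directly connected networks: these /24s become "known" to the router.
/ip address
add address=192.168.1.244/24 interface=WAN
add address=192.168.2.1/24 interface=LAN1
add address=192.168.3.1/24 interface=LAN2

# Default route: everything not in a known network goes to the upstream gateway.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.254

# Masquerade only what leaves via WAN; NAT does nothing to block LAN1<->LAN2.
/ip firewall nat
add chain=srcnat out-interface=WAN action=masquerade comment="LANs to internet"

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LANlist comment="management from LANs only"
add chain=input action=drop comment="drop everything else addressed to the router"

# forward chain: traffic traversing the router
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Isolation by interface, placed before any broad accept so it is actually reached.
add chain=forward action=drop in-interface=LAN1 out-interface=LAN2 comment="isolate LAN1 from LAN2"
add chain=forward action=drop in-interface=LAN2 out-interface=LAN1 comment="isolate LAN2 from LAN1"
add chain=forward action=accept in-interface-list=LANlist out-interface=WAN comment="LANs to internet"
add chain=forward action=drop comment="default deny for forwarded traffic"
```

Rule order matters: a drop placed after a rule such as accept in-interface-list=LANlist would never match, so the isolation rules sit before the LAN-to-WAN accept. To test the isolation, ping a host behind LAN2 (e.g. 192.168.3.2) from a LAN1 host, not 192.168.3.1: packets to the router's own LAN2 address hit the input chain, not forward, and would not exercise these rules. You can watch the counters with /ip firewall filter print stats.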