saibarker
newbie
Topic Author
Posts: 45
Joined: Tue Jun 06, 2017 11:50 am

Why can my /30 subnet talk to other subnets?

Mon Apr 08, 2019 7:50 am

Hi there,

I have set up a few /30 subnets on my CCR1036: 192.168.1.5/30 and 192.168.1.9/30 on a local bridge.

When I set my laptop to 192.168.1.6/30 and use 192.168.1.5 as the gateway I have internet and everything works, BUT I can ping 192.168.1.9 and in fact all other IPs on different interfaces and subnets of the CCR1036.

Does anyone know why this is happening? I want them to be completely separated and unreachable to each other.

Config is below:
/ip address
add address=192.168.0.2/24 comment=defconf interface=ether1 network=192.168.0.0
add address=10.0.0.1 interface=LB1 network=10.0.0.1
add address=192.168.1.5/30 interface=Local_Trunk network=192.168.1.4
add address=192.168.1.9/30 interface=Local_Trunk network=192.168.1.8

/interface bridge port 
add bridge=Local_Trunk interface=sfp4
add bridge=Local_Trunk interface=ether12
add bridge=Local_Trunk interface=ether11

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

/ip route
add distance=1 gateway=192.168.0.1

Thanks in advance
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: /30 subnet can talk to other subnets

Mon Apr 08, 2019 8:22 am

You have to set up /ip firewall filter rules which will block unwanted connections. By default your router is happily routing packets according to its configuration.

Other than that, your setup is flawed on L2 (ethernet) level. Right now your subnets are not physically separated. If you really want separation between subnets which can't be bypassed by clients' configurations, you'll have to use different ports for different subnets ... then either set router's LAN IP addresses to appropriate ports ... or you can use VLANs with those ports being access ports for appropriate VLANs ... and use /interface vlan to set router's LAN IP addresses.
Last edited by mkx on Mon Apr 08, 2019 8:26 am, edited 1 time in total.
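The VLAN variant mkx describes, written out as an added example (not a configuration posted in this thread), using the interface and address names from the original export. Assumptions: RouterOS 6.41 or later with bridge VLAN filtering; ether11 carries the 192.168.1.4/30 subnet and ether12 the 192.168.1.8/30 subnet; VLAN IDs 10 and 20 are arbitrary; sfp4 is left as it was and should be placed into one of the VLANs in the same way. Apply this from a session that does not pass through the bridge (or in safe mode), because the moment vlan-filtering is switched on any port that is not in the VLAN table stops passing traffic.

```routeros
# Added example: isolate the two /30s at L2 with bridge VLAN filtering.
# Assumed: ether11 -> VLAN 10 (192.168.1.4/30), ether12 -> VLAN 20 (192.168.1.8/30).

# 1. VLAN table: each access port is untagged in its own VLAN, the bridge
#    itself (the CPU side) is tagged so the router can hold an address in it.
/interface bridge vlan
add bridge=Local_Trunk tagged=Local_Trunk untagged=ether11 vlan-ids=10
add bridge=Local_Trunk tagged=Local_Trunk untagged=ether12 vlan-ids=20

# 2. Untagged frames arriving on an access port get its PVID; only untagged
#    frames are accepted, so a client cannot tag its way into the other VLAN.
/interface bridge port
set [ find interface=ether11 ] pvid=10 frame-types=admit-only-untagged-and-priority-tagged
set [ find interface=ether12 ] pvid=20 frame-types=admit-only-untagged-and-priority-tagged

# 3. Router-side VLAN interfaces; the /30 gateway addresses move from the
#    bridge onto these, so each subnet is reachable on one VLAN only.
/interface vlan
add name=vlan10 interface=Local_Trunk vlan-id=10
add name=vlan20 interface=Local_Trunk vlan-id=20

/ip address
set [ find address="192.168.1.5/30" ] interface=vlan10
set [ find address="192.168.1.9/30" ] interface=vlan20

# 4. Turn filtering on last, once the table above is complete.
/interface bridge set Local_Trunk vlan-filtering=yes

# 5. L2 separation alone does not stop the router from routing between the
#    VLANs; drop that explicitly in the forward chain.
/ip firewall filter
add chain=forward in-interface=vlan10 out-interface=vlan20 action=drop comment="no vlan10->vlan20"
add chain=forward in-interface=vlan20 out-interface=vlan10 action=drop comment="no vlan20->vlan10"
```

The difference from a pure firewall solution on the flat bridge is step 2: once the subnets sit in different VLANs, a client that reconfigures its own mask to /24 can no longer reach a host in the other subnet directly, because the bridge never delivers its frames there. Verify with `/interface bridge vlan print` (the table should show the expected current-tagged/current-untagged ports) and by pinging a host, not just the gateway, in the other subnet.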
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: /30 subnet can talk to other subnets

Mon Apr 08, 2019 8:23 am

It is because your clients and your router know where to look for each other. In a /24, they would talk directly as they are same broadcast domain, but in your example they are sending traffic to the router, and the router knows 'hey i know how to get to IP x' so routes it, no issue.

Best thing to do would be set up firewall rules. If you want a blanket rule to stop all clients talking to each other maybe something like
/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.1.0/24 action=drop
What this does is allows communication direct with the router, but does not allow any 192.168.1.x address to talk to any other 192.168.1.x address.

The rule specifies /24, but it will catch all /30's within that /24.
 
saibarker
newbie
Topic Author
Posts: 45
Joined: Tue Jun 06, 2017 11:50 am

Re: /30 subnet can talk to other subnets

Wed Apr 10, 2019 4:46 am

joegoldman wrote:
> It is because your clients and your router know where to look for each other. In a /24, they would talk directly as they are same broadcast domain, but in your example they are sending traffic to the router, and the router knows 'hey i know how to get to IP x' so routes it, no issue.
>
> Best thing to do would be set up firewall rules. If you want a blanket rule to stop all clients talking to each other maybe something like
> /ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.1.0/24 action=drop
> What this does is allows communication direct with the router, but does not allow any 192.168.1.x address to talk to any other 192.168.1.x address.
>
> The rule specifies /24, but it will catch all /30's within that /24.

I have tried using the filter rule you suggested but it doesn't seem to make a difference? 192.168.1.6/30 can still ping 192.168.1.9/30

EDIT: I have changed it from
chain=forward
to
chain=input
and that seems to be working :)
Last edited by saibarker on Wed Apr 10, 2019 4:56 am, edited 1 time in total.
 
saibarker
newbie
Topic Author
Posts: 45
Joined: Tue Jun 06, 2017 11:50 am

Re: /30 subnet can talk to other subnets

Wed Apr 10, 2019 4:47 am

mkx wrote:
> You have to set up /ip firewall filter rules which will block unwanted connections. By default your router is happily routing packets according to its configuration.
>
> Other than that, your setup is flawed on L2 (ethernet) level. Right now your subnets are not physically separated. If you really want separation between subnets which can't be bypassed by clients' configurations, you'll have to use different ports for different subnets ... then either set router's LAN IP addresses to appropriate ports ... or you can use VLANs with those ports being access ports for appropriate VLANs ... and use /interface vlan to set router's LAN IP addresses.

Thanks for your input, can you give an example of a /firewall filter rule that would work?

Thanks,
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: /30 subnet can talk to other subnets

Thu Apr 11, 2019 5:02 pm

saibarker wrote:
> mkx wrote:
> > You have to set up /ip firewall filter rules which will block unwanted connections. By default your router is happily routing packets according to its configuration.
> >
> > Other than that, your setup is flawed on L2 (ethernet) level. Right now your subnets are not physically separated. If you really want separation between subnets which can't be bypassed by clients' configurations, you'll have to use different ports for different subnets ... then either set router's LAN IP addresses to appropriate ports ... or you can use VLANs with those ports being access ports for appropriate VLANs ... and use /interface vlan to set router's LAN IP addresses.
>
> Thanks for your input, can you give an example of a /firewall filter rule that would work?
>
> Thanks,

It's gateway stuff, baby :D

Try to use exact /30 subnets in source and destination with forward chain. That should make sense :)
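A filter rule set for the flat-bridge setup, added here as an example and not posted by anyone in the thread, that ties together joegoldman's forward rule, saibarker's finding that only chain=input made a difference, and Anumrak's advice to use the exact /30s. The reason both chains are needed follows from the original export: 192.168.1.9 is one of the router's own addresses, so a ping from 192.168.1.6 to 192.168.1.9 is traffic to the router and goes through the input chain, which a forward rule never sees. A host in the other /30, for example 192.168.1.10, is reached by routing and goes through the forward chain, which an input rule never sees. Assumptions: the addresses from the export; each client should still reach its own gateway; the host 192.168.1.10 exists only for the test. The rules must sit above any accept rule that would match first, so check `/ip firewall filter print` after adding them.

```routeros
# Added example: isolate 192.168.1.4/30 and 192.168.1.8/30 on the router.
# Assumed addresses from the original config: router is .5 and .9 on Local_Trunk.

/ip firewall filter
# Forward chain: host-to-host traffic between the two /30s (e.g. .6 -> .10).
# This is what a ping from .6 to a host in the other subnet goes through.
add chain=forward src-address=192.168.1.4/30 dst-address=192.168.1.8/30 action=drop comment="isolate /30s"
add chain=forward src-address=192.168.1.8/30 dst-address=192.168.1.4/30 action=drop comment="isolate /30s"

# Input chain: traffic addressed to the router itself (e.g. .6 -> .9, the
# test in the thread). Allow each /30 its own gateway address, then drop
# anything from one /30 aimed at the other subnet's gateway.
add chain=input src-address=192.168.1.4/30 dst-address=192.168.1.5 action=accept comment="isolate /30s"
add chain=input src-address=192.168.1.8/30 dst-address=192.168.1.9 action=accept comment="isolate /30s"
add chain=input src-address=192.168.1.4/30 dst-address=192.168.1.9 action=drop comment="isolate /30s"
add chain=input src-address=192.168.1.8/30 dst-address=192.168.1.5 action=drop comment="isolate /30s"

# Re-run the pings from the laptop and watch which rule's counters move:
#   ping 192.168.1.9  -> the input drop rule counts
#   ping 192.168.1.10 -> the forward drop rule counts
/ip firewall filter print stats where comment="isolate /30s"
```

Two caveats a practitioner would want. First, the thread's /24 input rule that "seems to be working" also drops traffic from .6 to its own gateway .5, so DNS or management on the router stops working for the clients; the accept rules above keep that path open. Second, none of this survives a client changing its own configuration: because both subnets share one bridge, a laptop that sets itself to 192.168.1.6/24 reaches 192.168.1.10 directly at L2 and the router's firewall never sees the packet, which is the point mkx made about needing separate ports or VLANs.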
