I read what I could for MikroTik, but as this is not my primary focus it is hard to grasp it all.
Mikrotik or networking as a whole?
I probably (certainly) was not very clear
And that is exactly why the export is needed, because it shows everything.
I have CAPsMAN that is routing WiFi to the internet on separate bridges (two of them), and I wanted to filter them out. If I use IP filter for filter out subnets, would that cut off other communication in that case? Broadcast and such?
And this is the point. Broadcasts only work within an L2 domain, routers never forward broadcast packets across the border of a subnet. So a broadcast received at one bridge interface is only delivered to member ports of that same bridge, including the local one of the Mikrotik (which is a "hidden" port of the bridge). Multicast packets can be forwarded between L2 domains but only if such forwarding is subscribed to, and it is not used on the internet, only in private networks.
So when you want your WiFi clients to be able to talk to servers in the internet, you don't need to be afraid of blocking of forwarding of broadcast and multicast packets outside from their bridges - these are not forwarded by design.
Regarding filtering of traffic flow between bridges: packets between two different subnets must be routed, not bridged, even if the two subnets were hosted on the same bridge (which is not your case). You use a distinct subnet on each of your three bridges, so to prevent delivery of packets from one subnet to another, you have to prevent them from being routed, not bridged. To do that, you need ip firewall filter rules which have to say "packets coming from 192.168.20.0/24 can be forwarded to any destination except 192.168.0.0/24 and 192.168.10.0/24", or "packets coming in via interface (not bridge-interface) WiFi-GOSTI can be forwarded to any outgoing interface except LAN-COMPANY and WiFi-COMPANY", as you did in the other setup you've mentioned.
You use the default setup of the firewall on Mikrotik which basically says "permit everything, drop exceptions". So 1) whatever passes through the forward chain's last rule saying "drop all from WAN not DSTNATed" is accepted, and 2) packets belonging to already established connections are permitted in both directions thanks to the third and fourth rule in the forward chain, saying "fasttrack or accept whatever matches connection-state=established". So if you add a rule chain=forward action=drop in-interface=WiFi-GOSTI out-interface=LAN-COMPANY, it will prevent clients connected to the guest WiFi from initiating connections to devices in your LAN (but not to the Mikrotik itself), but it will not prevent devices in your LAN from initiating connections to clients connected to the guest WiFi. To do that, you need another drop rule where the values of in-interface and out-interface are swapped.
To prevent clients of guest WiFi from accessing Mikrotik's own management, you need a rule chain=input action=drop in-interface=WiFi-GOSTI protocol=tcp dst-port=22,23,80,443,8291,8728-8729 at the end of your current chain=input.
I suppose the Mikrotik gets a private IP on the INTERNET interface from an ISP's router; if it gets a public one, your firewall is far too weak and you need to add a couple more rules to it.
Also, you don't need use-ip-firewall in /interface bridge settings to be set to yes; in your current configuration it only wastes CPU but does nothing useful.
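The rule set described in the post above, written out as an added example (not configuration from the thread or from MikroTik). It uses the interface names and subnets quoted in the thread, assumes 192.168.20.0/24 is the guest subnet, and assumes the default RouterOS firewall (with its early established/related accept rules) is still in place.

```routeros
# Added example: isolating the guest WiFi bridge with /ip firewall filter
# rules. Interface names and subnets are taken from the thread; the guest
# subnet 192.168.20.0/24 is an assumption.
/ip firewall filter
# Guest clients must not initiate connections into the company networks.
add chain=forward action=drop in-interface=WiFi-GOSTI out-interface=LAN-COMPANY \
    comment="guest -> company LAN"
add chain=forward action=drop in-interface=WiFi-GOSTI out-interface=WiFi-COMPANY \
    comment="guest -> company WiFi"
# The reverse direction too (in-/out-interface swapped); otherwise company
# devices can still open connections towards guest clients.
add chain=forward action=drop in-interface=LAN-COMPANY out-interface=WiFi-GOSTI \
    comment="company LAN -> guest"
add chain=forward action=drop in-interface=WiFi-COMPANY out-interface=WiFi-GOSTI \
    comment="company WiFi -> guest"
# The same intent expressed by subnet instead of interface (one form is
# enough; both are shown for comparison).
add chain=forward action=drop src-address=192.168.20.0/24 \
    dst-address=192.168.0.0/24 comment="guest subnet -> company subnet"
add chain=forward action=drop src-address=192.168.20.0/24 \
    dst-address=192.168.10.0/24 comment="guest subnet -> second company subnet"
# Keep guests away from the router's own management services; goes at the
# end of the input chain, after the established/related accept rule.
add chain=input action=drop in-interface=WiFi-GOSTI protocol=tcp \
    dst-port=22,23,80,443,8291,8728-8729 comment="guest -> router management"
# Routed traffic between bridges never needs the bridge IP-firewall hook.
/interface bridge settings set use-ip-firewall=no
```

Check the counters with /ip firewall filter print stats after generating some guest traffic: the drop rules should count packets, and the fasttrack/established rule should not be catching guest-to-LAN new connections.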
On another setup I have two physical bridges for which I filter traffic by simply setting:
add action=reject chain=forward in-interface=bridge-1 out-interface=bridge-2 reject-with=\
icmp-net-prohibited
For some reason that doesn't work in CAPsman case.
Correct, but that's not an /interface bridge filter rule, it is an /ip firewall filter rule. So you did it right there but for some reason you changed the approach here.