phgachoud
just joined
Topic Author
Posts: 8
Joined: Thu Jul 18, 2019 9:33 pm

Allow traffic from one LAN to another but not the reverse

Thu Jul 18, 2019 9:39 pm

Having 2 LAN with different ports
172.16.10.x -> Bridge 1
172.16.11.x -> Bridge 2

Having these rules in the firewall (see attachment)
Screenshot_20190718_143502.png
ip firewall filter add chain=forward src-address=172.16.10.0/24 dst-address=172.16.11.0/24 action=drop comment="172.16.10.0->172.16.11.0 DROP"
ip firewall filter add chain=forward src-address=172.16.11.0/24 dst-address=172.16.10.0/24 action=drop comment="172.16.11.0->172.16.10.0 DROP"
ip firewall filter add chain=forward src-address=172.16.11.0/24 dst-address=172.16.11.1 action=accept comment="172.16.11.0->172.16.10.1 Accept"

I'd like to allow connecting through ssh from 172.16.10.x => 172.16.11.x

Disabling the above rules I reach the goal, but disabling either of the first 2 I can't. How can I make it possible to connect from one LAN to the other but not the reverse?

Thx in advance
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: Allow traffic from one LAN to another but not the reverse

Fri Jul 19, 2019 11:01 am

You will need to allow the return packets (from LAN2 into LAN1).
For this, add a connection-state condition to your drop rule: drop "new" connections from LAN 2 into LAN 1, but accept "related"/"established" ones.
 
phgachoud
just joined
Topic Author
Posts: 8
Joined: Thu Jul 18, 2019 9:33 pm

Re: Allow traffic from one LAN to another but not the reverse

Mon Jul 22, 2019 3:14 pm

You will need to allow the return packets (from LAN2 into LAN1).
For this, add a connection-state condition to your drop rule: drop "new" connections from LAN 2 into LAN 1, but accept "related"/"established" ones.
Thx for your kind answer, but as a newbie, and after having read your answer as many times as I could, I'm unable to turn it into concrete steps... could you help me more by describing precisely how?
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Allow traffic from one LAN to another but not the reverse  [SOLVED]

Mon Jul 22, 2019 3:38 pm

/ip firewall filter
add action=accept chain=forward dst-address=172.16.11.0/24 src-address=172.16.10.0/24
add action=accept chain=forward connection-state=established,related dst-address=172.16.10.0/24 src-address=172.16.11.0/24
add action=drop chain=forward connection-state=invalid,new dst-address=172.16.10.0/24 src-address=172.16.11.0/24
-Chris
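To make the difference between the opening post's rules and this stateful fix concrete, here is a small Python model of the forward chain (an added example, not code from the thread or from MikroTik; Rule, Forwarder and the 172.16.x.5 hosts are constructed) that evaluates an SSH attempt against both rule sets and shows where the reply packets get dropped.

```python
# Added example, not from the thread: a small model of RouterOS's stateful forward
# chain, to show why the symmetric drops break SSH replies and the fix works.
import ipaddress
from dataclasses import dataclass

LAN1 = ipaddress.ip_network("172.16.10.0/24")   # bridge 1
LAN2 = ipaddress.ip_network("172.16.11.0/24")   # bridge 2

@dataclass
class Rule:                      # constructed name; one forward-chain filter rule
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str
    states: tuple = ()           # () = rule has no connection-state condition

    def matches(self, src, dst, state):
        return src in self.src and dst in self.dst and (not self.states or state in self.states)

class Forwarder:                 # constructed name; first matching rule decides
    def __init__(self, rules):
        self.rules = rules
        self.tracked = set()     # connections whose first packet was accepted

    def forward(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        flow = frozenset((src, dst))
        state = "established" if flow in self.tracked else "new"
        # No match at the end of the chain means accept (RouterOS default).
        action = next((r.action for r in self.rules if r.matches(src, dst, state)), "accept")
        if action == "accept":
            self.tracked.add(flow)
        return action

# Rule sets from the thread: the opening post's drops and the stateful fix.
ORIGINAL = [Rule(LAN1, LAN2, "drop"), Rule(LAN2, LAN1, "drop"),
            Rule(LAN2, ipaddress.ip_network("172.16.11.1/32"), "accept")]
FIXED = [Rule(LAN1, LAN2, "accept"),
         Rule(LAN2, LAN1, "accept", ("established", "related")),
         Rule(LAN2, LAN1, "drop", ("invalid", "new"))]

def ssh_attempt(rules, client, server):
    """Return (action on the client's SYN, action on the server's reply)."""
    fw = Forwarder(rules)
    return fw.forward(client, server), fw.forward(server, client)

if __name__ == "__main__":
    print("original:", ssh_attempt(ORIGINAL, "172.16.10.5", "172.16.11.5"))       # ('drop', 'drop')
    print("rule 1 off:", ssh_attempt(ORIGINAL[1:], "172.16.10.5", "172.16.11.5"))  # ('accept', 'drop')
    print("fixed:", ssh_attempt(FIXED, "172.16.10.5", "172.16.11.5"))              # ('accept', 'accept')
    print("fixed, reverse:", ssh_attempt(FIXED, "172.16.11.5", "172.16.10.5"))     # ('drop', 'accept')
```

The "rule 1 off" case reproduces the opening post's observation: the SYN gets through, but the server's reply is dropped by the second stateless rule, so the session never completes.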
 
phgachoud
just joined
Topic Author
Posts: 8
Joined: Thu Jul 18, 2019 9:33 pm

Re: Allow traffic from one LAN to another but not the reverse

Tue Jan 26, 2021 1:27 pm

Note that for this to work, which was not my case, both address lists have to be set to their corresponding bridges. By default the interfaces talk to each other without restriction. You have to set rules to stop traffic from one subnet (172.16.10.x) from talking to another (172.16.11.x) by adding a firewall rule to either reject (on LAN) or drop (for WAN) the traffic coming from the other interface.
Screenshot_20210126_082045.png