stanelie
just joined
Topic Author
Posts: 19
Joined: Sun Jun 03, 2012 9:32 pm

Allow traffic between isolated subnets?

Mon Aug 12, 2019 4:59 pm

Hello.

I implemented this solution to block traffic between my subnets (I have 6 of them) using address lists, and it works. However, when I try to make an exception rule to allow traffic between one of the subnets and a specific IP on another subnet, and I put this rule higher in the firewall filter list, it does not work. Thoughts?

This is the code to block traffic between my subnets, easily scalable if I ever need to add a subnet:
/ip firewall filter
add action=drop chain=forward comment="subnets insulation" dst-address-list=Subnets src-address-list=Subnets

/ip firewall address-list
add address=10.5.0.0/24 list=Subnets
add address=10.6.0.0/24 list=Subnets
add address=10.8.0.0/23 list=Subnets

Here is an example rule that I think should allow traffic between subnets to bypass the previous rule, but does not work:
chain=forward action=accept src-address=10.8.0.0/23 dst-address=10.6.0.151 log=no log-prefix=""

(This is a repeat of viewtopic.php?f=2&t=60451&p=743497#p743497; I thought it deserved its own thread.)
 
Anumrak
Forum Veteran
Posts: 975
Joined: Fri Jul 28, 2017 2:53 pm

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 5:35 pm

Hey. If you shut the drop rule off, will the traffic forward between the networks? If not, check the firewalls on the PCs; if yes, try setting the input interface in the upper rule.
 
stanelie
just joined
Topic Author
Posts: 19
Joined: Sun Jun 03, 2012 9:32 pm

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 5:43 pm

Hello.
Yes, if I disable the blocking rule, traffic flows between subnets.
Setting the bypass rule to input instead of forward does not help.

Thanks
 
stanelie
just joined
Topic Author
Posts: 19
Joined: Sun Jun 03, 2012 9:32 pm

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 5:46 pm

Sorry, I re-read your suggestion and set the input interface to the corresponding bridge; it did not work either.
 
Sob
Forum Guru
Posts: 4370
Joined: Mon Apr 20, 2009 9:11 pm

Re: Allow traffic between isolated subnets?  [SOLVED]

Mon Aug 12, 2019 7:26 pm

Is this all you have in "/ip firewall filter"? The usual way is to use a stateful firewall, i.e. start with:
/ip firewall filter
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
and then follow with other rules (I prefer to end everything with an unconditional drop/reject, so everything not specifically allowed is blocked, but it's not mandatory). The important part is the two rules above, mainly the first one. If you have it and you allow communication from A to B, it will automatically handle responses from B to A (but only responses, no new connections from B to A). If you don't have it and you allow communication from A to B, it can't work, because responses are still blocked. You could add another rule for responses (exactly the same, only with swapped source and destination), but it would also allow new connections from the wrong side, so you don't want that.
Last edited by Sob on Mon Aug 12, 2019 7:28 pm, edited 1 time in total.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Exiver
Frequent Visitor
Posts: 88
Joined: Sat Jan 10, 2015 6:45 pm
Location: Germany

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 7:27 pm

Depends on your other firewall configuration, but most likely you are missing the return path, meaning right now you are allowing IPs from 10.8.0.0/23 to send packets to 10.6.0.151. But if 10.6.0.151 wants to answer any packet, it will be dropped by your deny rule. Set up a second rule with something like this:
/ip firewall filter add chain=forward action=accept src-address=10.6.0.151 dst-address=10.8.0.0/23
or more general:
/ip firewall filter add chain=forward action=accept connection-state=established,related
The second rule allows any traffic to pass that was initiated through any allowed firewall rule (stateful firewall). But that means every other connection can make use of that rule, even if it is blocked by other rules. So use this with caution and only if you know what you are doing ;-)

Edit: Damn, one minute too late -.-
 
stanelie
just joined
Topic Author
Posts: 19
Joined: Sun Jun 03, 2012 9:32 pm

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 7:46 pm

Ah!

@sob, I already had that rule to allow established connections, I copied it from somewhere, but it was at the bottom of the rules, just before the "drop everything else" rule. So, just to be clear, that "allow established" rule should be at the very top, right?

Thanks!
 
AlainCasault
Trainer
Posts: 597
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 7:48 pm

Hi

A good trick is to create a bogus rule that only logs forwarded traffic and see where traffic dies. When your bogus rule stops logging, the previous one is the culprit.

Cheers

Sent from my cell phone. Sorry for the errors.

___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
Sob
Forum Guru
Posts: 4370
Joined: Mon Apr 20, 2009 9:11 pm

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 7:57 pm

Rules are processed in order from top to bottom, so yes, the top is a good place for "allow established & related" (unless you use fasttrack, in which case it should be second, after the fasttrack rule). Under normal circumstances it will catch most packets, so it's good when that happens as early as possible.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
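To make the rule-ordering point in Sob's two replies (and Exiver's return-path remark) concrete, here is a small Python simulation added to this thread; it is not code from the forum or from RouterOS. It models a first-match forward chain with a minimal connection-tracking table and runs it against the thread's own "Subnets" list and bypass rule; the client hosts 10.8.0.10 and 10.8.0.20 are made-up for the example.

```python
import ipaddress
# The thread's "Subnets" address list (from the original post)
SUBNETS = ["10.5.0.0/24", "10.6.0.0/24", "10.8.0.0/23"]

def _nets(spec):  # None means "match any address"; otherwise a list of CIDR strings
    return None if spec is None else [ipaddress.ip_network(s) for s in spec]

class Rule:
    def __init__(self, action, src=None, dst=None, state=None):
        self.action, self.src, self.dst = action, _nets(src), _nets(dst)
        self.state = set(state) if state else None  # e.g. {"established", "related"}

    def matches(self, src, dst, state):
        hit = lambda nets, ip: nets is None or any(ip in n for n in nets)
        return hit(self.src, src) and hit(self.dst, dst) and (self.state is None or state in self.state)

class Firewall:
    """First-match forward chain plus a minimal conntrack table."""
    def __init__(self, rules):
        self.rules, self.conns = rules, set()   # conns: (initiator, responder) pairs

    def forward(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        state = "established" if (src, dst) in self.conns or (dst, src) in self.conns else "new"
        verdict = "accept"   # RouterOS accepts a packet that matches no rule at all
        for r in self.rules:
            if r.matches(src, dst, state):
                verdict = r.action
                break
        if verdict == "accept" and state == "new":
            self.conns.add((src, dst))   # conntrack only confirms a flow the filter let through
        return verdict

EXCEPTION   = Rule("accept", src=["10.8.0.0/23"], dst=["10.6.0.151/32"])   # OP's bypass rule
REVERSED    = Rule("accept", src=["10.6.0.151/32"], dst=["10.8.0.0/23"])   # Exiver's first "second rule"
ISOLATION   = Rule("drop", src=SUBNETS, dst=SUBNETS)                         # "subnets insulation"
ESTABLISHED = Rule("accept", state=["established", "related"])
DROP_ALL    = Rule("drop")                                                   # "drop everything else"

def run(rules):
    """Verdicts for: a new flow from the allowed side, its reply, and a new flow from the other side."""
    fw = Firewall(rules)
    return (fw.forward("10.8.0.10", "10.6.0.151"),   # constructed client in 10.8.0.0/23 opens a connection
            fw.forward("10.6.0.151", "10.8.0.10"),   # the host's response to it
            fw.forward("10.6.0.151", "10.8.0.20"))   # a brand-new connection from 10.6.0.151

if __name__ == "__main__":
    print("established rule at bottom:", run([EXCEPTION, ISOLATION, ESTABLISHED, DROP_ALL]))
    print("established rule on top:   ", run([ESTABLISHED, EXCEPTION, ISOLATION, DROP_ALL]))
    print("reversed rule instead:     ", run([EXCEPTION, REVERSED, ISOLATION, DROP_ALL]))
```

With the established/related rule below the isolation drop (the OP's layout) the reply is dropped; moved to the top it passes while a new connection from 10.6.0.151 is still blocked; the reversed address rule lets the reply through but also opens that wrong-side connection.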
