stanelie
newbie
Topic Author
Posts: 30
Joined: Sun Jun 03, 2012 9:32 pm

Allow traffic between isolated subnets?

Mon Aug 12, 2019 4:59 pm

Hello.

I implemented this solution to block traffic between my subnets (I have 6 of them) using address lists, and it works. However, when I try to make an exception rule to allow traffic between one of the subnets and a specific IP on another subnet, and I put this rule higher in the firewall filter list, it does not work. Thoughts?

This is the code to block traffic between my subnets, easily scalable if I ever need to add a subnet:
/ip firewall filter
add action=drop chain=forward comment="subnets insulation" dst-address-list=Subnets src-address-list=Subnets

/ip firewall address-list
add address=10.5.0.0/24 list=Subnets
add address=10.6.0.0/24 list=Subnets
add address=10.8.0.0/23 list=Subnets

Here is an example rule that I think should allow traffic between subnets to bypass the previous rule, but does not work:
chain=forward action=accept src-address=10.8.0.0/23 dst-address=10.6.0.151 log=no log-prefix=""

(this is a repeat of viewtopic.php?f=2&t=60451&p=743497#p743497, I thought it deserved its own thread)
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 5:35 pm

Hey. If you shut the drop rule off, does the traffic forward between networks? If not, check the firewalls on the PCs; if yes, try to set the input interface in the upper rule.
 
stanelie
newbie
Topic Author
Posts: 30
Joined: Sun Jun 03, 2012 9:32 pm

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 5:43 pm

Hello.
Yes, if I disable the blocking rule, traffic flows between subnets.
Setting the bypass rule to input instead of forward does not help.

Thanks
 
stanelie
newbie
Topic Author
Posts: 30
Joined: Sun Jun 03, 2012 9:32 pm

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 5:46 pm

Sorry, I re-read your suggestion and set the input interface to the corresponding bridge; it did not work either.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Allow traffic between isolated subnets?  [SOLVED]

Mon Aug 12, 2019 7:26 pm

Is this all you have in "/ip firewall filter"? The usual way is to use stateful firewall, i.e. start with:
/ip firewall filter
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
and then follow with other rules (I prefer to end everything with an unconditional drop/reject, so everything not specifically allowed is blocked, but it's not mandatory). The important part is the two rules above, mainly the first one. If you have it and you allow communication from A to B, it will automatically handle responses from B to A (but only responses, no new connections from B to A). If you don't have it and you allow communication from A to B, it can't work, because responses are still blocked. You could add another rule for responses (exactly the same, only with swapped source and destination), but it would also allow new connections from the wrong side, so you don't want that.
Last edited by Sob on Mon Aug 12, 2019 7:28 pm, edited 1 time in total.
 
Exiver
Member Candidate
Posts: 122
Joined: Sat Jan 10, 2015 6:45 pm

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 7:27 pm

Depends on your other firewall configuration, but most likely you are missing the return path, meaning right now you are allowing IPs from 10.8.0.0/23 to send packets to 10.6.0.151. But if 10.6.0.151 wants to answer any packet, it will be dropped by your deny rule. Set up a second rule with something like this:
/ip firewall filter add chain=forward action=accept src-address=10.6.0.151 dst-address=10.8.0.0/23
or more general:
/ip firewall filter add chain=forward action=accept connection-state=established,related
The second rule allows any traffic to pass that was initiated through any allowed firewall rule (stateful firewall). But that means every other connection can make use of that rule even if it is blocked by other rules. So use this with caution and only if you know what you are doing ;-)


Edit: Damn, one minute too late -.-
 
stanelie
newbie
Topic Author
Posts: 30
Joined: Sun Jun 03, 2012 9:32 pm

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 7:46 pm

Ah!

@sob, I already had that rule to allow established connections, I copied it from somewhere, but it was at the bottom of the rules, just before the "drop everything else" rule. So, just to be clear, that "allow established" rule should be at the very top, right?

Thanks!
 
AlainCasault
Trainer
Posts: 632
Joined: Fri Apr 30, 2010 3:25 pm
Location: Prévost, QC, Canada

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 7:48 pm

Hi

A good trick is to create a bogus rule that only logs forwarded traffic and see where traffic dies. When your bogus rule stops logging, the previous one is the culprit.

Cheers

Sent from my cell phone. Sorry for the errors.

 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Allow traffic between isolated subnets?

Mon Aug 12, 2019 7:57 pm

Rules are processed in order from top to bottom, so yes, the top is a good place for "allow established & related" (unless you use fasttrack, in which case it should be second, after the fasttrack rule). Under normal circumstances it will catch most packets, so it's good when that happens as early as possible.
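To make the ordering point from Sob's two replies concrete, here is an added example (not from the thread and not RouterOS code): a small Python first-match simulator of the forward chain with a toy connection tracker. The Subnets list and the 10.8.0.0/23 to 10.6.0.151 exception are the OP's; the packets and rule layouts are constructed for the demonstration.

```python
from ipaddress import ip_address, ip_network

# Constructed address list mirroring the OP's "Subnets" list.
SUBNETS = [ip_network(n) for n in ("10.5.0.0/24", "10.6.0.0/24", "10.8.0.0/23")]
EXCEPTION_SRC, EXCEPTION_DST = ip_network("10.8.0.0/23"), "10.6.0.151"

def in_list(addr, nets):
    return any(ip_address(addr) in n for n in nets)

# A rule is (matcher, action); the matcher sees (src, dst, connection-state).
# These mirror the thread's rules (fasttrack left out for simplicity).
ESTABLISHED = (lambda s, d, st: st in ("established", "related"), "accept")
INVALID = (lambda s, d, st: st == "invalid", "drop")
EXCEPTION = (lambda s, d, st: ip_address(s) in EXCEPTION_SRC and d == EXCEPTION_DST, "accept")
ISOLATION = (lambda s, d, st: in_list(s, SUBNETS) and in_list(d, SUBNETS), "drop")
DROP_ALL = (lambda s, d, st: True, "drop")

def run_chain(rules, packets):
    """First-match evaluation with a toy connection tracker: a packet belonging
    to a flow that was already accepted (either direction) is 'established',
    anything else is 'new'. Returns one verdict per packet."""
    flows, verdicts = set(), []
    for src, dst in packets:
        state = "established" if {(src, dst), (dst, src)} & flows else "new"
        verdict = next(action for match, action in rules if match(src, dst, state))
        if verdict == "accept":
            flows.add((src, dst))
        verdicts.append(verdict)
    return verdicts

# Constructed traffic: a request from the allowed subnet, its reply, and a
# *new* connection started from the wrong side.
PACKETS = [("10.8.0.10", "10.6.0.151"),   # new, matches the exception rule
           ("10.6.0.151", "10.8.0.10"),   # reply to the first packet
           ("10.6.0.151", "10.8.0.20")]   # new connection from 10.6.0.151

def stateful_rules_first():
    """Sob's ordering: established/related and invalid handled before anything else."""
    return run_chain([ESTABLISHED, INVALID, EXCEPTION, ISOLATION, DROP_ALL], PACKETS)

def stateful_rule_last():
    """The OP's original ordering: 'allow established' just above 'drop all else'."""
    return run_chain([EXCEPTION, ISOLATION, ESTABLISHED, INVALID, DROP_ALL], PACKETS)

if __name__ == "__main__":
    print("stateful first:", stateful_rules_first())  # ['accept', 'accept', 'drop']
    print("stateful last: ", stateful_rule_last())    # ['accept', 'drop', 'drop']
```

With the stateful rule at the top the reply is accepted and the wrong-side connection is still dropped; with it below the isolation drop, the reply dies exactly as described in the thread.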
 
jerryroy1
Member Candidate
Posts: 168
Joined: Sat Mar 17, 2007 4:55 am
Location: LA and OC USA

Re: Allow traffic between isolated subnets?

Sat Feb 22, 2020 9:23 pm

Is this all you have in "/ip firewall filter"? The usual way is to use stateful firewall, i.e. start with:
/ip firewall filter
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
and then follow with other rules (I prefer to end everything with unconditional drop/reject, so everything not specifically allowed is blocked, but it's not mandatory). The important part is the two rules above, mainly the first one. If you have it and you allow communication from A to B, it will automatically handle responses from B to A (but only responses, no new connections from B to A). If you don't have it and you allow communication from A to B, it can't work, because responses are still blocked. You could add another rule for responses (exactly the same, only with swapped source and destination), but it would also allow new connection from the wrong side, so you don't want that.
How was this solved, share your rules with everyone please :)
 
anav
Forum Guru
Posts: 19370
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Allow traffic between isolated subnets?

Sun Feb 23, 2020 8:04 pm

jerry roy.
Typically in the forward chain one has the default firewall rules.
- fasttrack rule
- accept established,related
- drop invalid/malformed traffic
THEN WE CAN ADD THE RULES WE WANT TO THE MIX.
Typically
allow lan(s) or vlan(s) access to internet
allow admin access to other lans/vlans on the network (besides the one the admin person is on).
allow access to a shared printer (for example allow users on vlan10 to access a shared device on vlan20)
allow port forwarding rule if required (action=accept connection-nat-state=dstnat in-interface=wan)
any other allow rules needed...
LAST Rule should be a drop all else rule. In other words if we didn't explicitly allow it above ANY OTHER TRAFFIC is stopped cold
chain=forward action=drop comment="drop all else"
Note: A similar rule should be the last rule on your input chain.
chain=input action=drop comment="drop all else"

Therefore, especially for complicated network setups (multiple vlans), one does not have to worry about blocking traffic between vlans, because if it wasn't stated as allowed traffic the router will not route between them.

Were you looking for other specific guidance?
