Please advise what I am doing wrong.
The main router, an RB4011, has the IPs 10.10.0.1 (VLAN 10, main network) and 10.20.0.1 (VLAN 20, guest network). The firewall rules for this router work fine (they use the input chain): guest IP addresses (10.20.0.x) cannot access it on either 10.10.0.1 or 10.20.0.1.
However, the MikroTik Audience and MikroTik RBM33G, with IPs 10.20.0.2 and 10.20.0.3, can still be opened from the guest network. I know I could probably block this with individual firewall rules on each of them, but I prefer to keep the firewall on one router only, the RB4011.
This rule has no hits. Why?
add action=drop chain=forward comment="drop all requests from guest network to management ports of these routers" dst-address-list=\
Audience&RBM33G_MGT_VLAN20 dst-port=22,88,8291 protocol=tcp src-address=10.20.0.0/24
Thanks a lot for your help.
/ip firewall address-list
add address=10.20.0.0/24 comment="For QOS" list=guest_simple_queue
add address=10.10.0.1 comment="MikroTik RB4011 Management IPs for firewall input chain for VLAN 10 and 20" list=RB4011_MGT_VLAN10&20
add address=10.20.0.1 comment="MikroTik RB4011 Management IPs for firewall input chain for VLAN 10 and 20" list=RB4011_MGT_VLAN10&20
add address=10.20.0.2/31 comment="MikroTik Audience&RBM33G Management IPs for firewall forward chain for VLAN 20" list=\
Audience&RBM33G_MGT_VLAN20
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept connection to IKEv2 ports" dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="management over VPN" dst-port=22,80,88,8291 ipsec-policy=in,ipsec protocol=tcp
add action=accept chain=input comment="DNS over VPN" dst-port=53 ipsec-policy=in,ipsec protocol=udp
add action=drop chain=input comment="drop all requests from guest network to management ports of this router" dst-address-list=\
RB4011_MGT_VLAN10&20 dst-port=22,88,8291 protocol=tcp src-address=10.20.0.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="allow emby to respond back to guest network" dst-address=10.20.0.0/24 protocol=tcp \
src-address=10.10.0.5 src-port=8096
add action=accept chain=forward comment="allow access emby from guest network" dst-address=10.10.0.5 dst-port=8096 protocol=tcp \
src-address=10.20.0.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" in-interface-list=WAN ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="simple queues rule for guest network" connection-state=established,related \
dst-address-list=guest_simple_queue
add action=fasttrack-connection chain=forward comment="fasttrack with guest network exclusion" connection-state=established,related \
src-address=!10.20.0.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop all else coming from main to guest " dst-address=10.20.0.0/24 src-address=10.10.0.0/24
add action=drop chain=forward comment="drop all else coming from guest to main" dst-address=10.10.0.0/24 src-address=10.20.0.0/24
add action=drop chain=forward comment="drop all requests from guest network to management ports of these routers" dst-address-list=\
Audience&RBM33G_MGT_VLAN20 dst-port=22,88,8291 protocol=tcp src-address=10.20.0.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=Primary_ISP out-interface=Orcon_ISP
add action=masquerade chain=srcnat comment=Secondary_ISP out-interface=2Degrees_ISP
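The model below is an added example written for this page; it is not RouterOS code and not the poster's configuration. It encodes the posted forward chain and the two VLAN subnets, then walks a few constructed packets through the RB4011's routing decision before the firewall. It shows two things at once: the "drop ... management ports of these routers" rule is ordered correctly and would match a new guest-to-10.20.0.2:8291 connection, and that packet still never reaches it, because both ends sit in 10.20.0.0/24 and the switch or AP delivers it at layer 2 without the RB4011 ever routing it. The packet fields, the `Packet`/`Rule` classes and the `chain_for`/`walk_forward` helpers are this example's own simplifications of RouterOS behaviour, not RouterOS APIs.

```python
"""Packet-walk model of the RB4011 routing decision and its forward chain.

Added example for the forum post above; not RouterOS code and not the
poster's config.  Address lists, subnets and the forward rules are copied
from the posted export; every Packet below is a constructed test input.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# /ip firewall address-list entries used by the forward chain
ADDRESS_LISTS = {
    "guest_simple_queue": [ip_network("10.20.0.0/24")],
    "Audience&RBM33G_MGT_VLAN20": [ip_network("10.20.0.2/31")],
}
# Subnets the RB4011 has an address in (VLAN 10, VLAN 20) and its own IPs
CONNECTED = [ip_network("10.10.0.0/24"), ip_network("10.20.0.0/24")]
ROUTER_IPS = {ip_address("10.10.0.1"), ip_address("10.20.0.1")}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    sport: int = 0
    state: str = "new"     # connection-state as conntrack would report it
    in_list: str = "LAN"   # interface list the packet arrived on
    ipsec: bool = False    # matched an ipsec-policy
    dstnat: bool = False   # connection-nat-state=dstnat


@dataclass
class Rule:
    action: str
    comment: str
    src: Optional[str] = None   # "10.20.0.0/24" or negated "!10.20.0.0/24"
    dst: Optional[str] = None
    dst_list: Optional[str] = None
    proto: Optional[str] = None
    dports: tuple = ()
    sports: tuple = ()
    states: tuple = ()
    in_list: Optional[str] = None
    ipsec: bool = False
    not_dstnat: bool = False

    def matches(self, p: Packet) -> bool:
        def addr_ok(spec, addr):
            if spec is None:
                return True
            neg = spec.startswith("!")
            return (ip_address(addr) in ip_network(spec.lstrip("!"))) != neg
        in_list = (self.dst_list is None or
                   any(ip_address(p.dst) in n for n in ADDRESS_LISTS[self.dst_list]))
        return (addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst) and in_list
                and (self.proto is None or self.proto == p.proto)
                and (not self.dports or p.dport in self.dports)
                and (not self.sports or p.sport in self.sports)
                and (not self.states or p.state in self.states)
                and (self.in_list is None or self.in_list == p.in_list)
                and (not self.ipsec or p.ipsec)
                and (not self.not_dstnat or not p.dstnat))


# The posted chain=forward rules, in the posted order
FORWARD = [
    Rule("accept", "allow emby to respond back to guest network", src="10.10.0.5", dst="10.20.0.0/24", proto="tcp", sports=(8096,)),
    Rule("accept", "allow access emby from guest network", src="10.20.0.0/24", dst="10.10.0.5", proto="tcp", dports=(8096,)),
    Rule("accept", "defconf: accept in ipsec policy", in_list="WAN", ipsec=True),
    Rule("accept", "defconf: accept out ipsec policy", ipsec=True),
    Rule("accept", "simple queues rule for guest network", dst_list="guest_simple_queue", states=("established", "related")),
    Rule("fasttrack-connection", "fasttrack with guest network exclusion", src="!10.20.0.0/24", states=("established", "related")),
    Rule("accept", "defconf: accept established,related, untracked", states=("established", "related", "untracked")),
    Rule("drop", "drop all else coming from main to guest", src="10.10.0.0/24", dst="10.20.0.0/24"),
    Rule("drop", "drop all else coming from guest to main", src="10.20.0.0/24", dst="10.10.0.0/24"),
    Rule("drop", "drop all requests from guest network to management ports of these routers",
         src="10.20.0.0/24", dst_list="Audience&RBM33G_MGT_VLAN20", proto="tcp", dports=(22, 88, 8291)),
    Rule("drop", "defconf: drop invalid", states=("invalid",)),
    Rule("drop", "defconf: drop all from WAN not DSTNATed", in_list="WAN", states=("new",), not_dstnat=True),
]


def chain_for(p: Packet) -> Optional[str]:
    """Which IP firewall chain the RB4011 sees this packet in, if any."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if dst in ROUTER_IPS:
        return "input"
    if any(src in net and dst in net for net in CONNECTED):
        return None   # same subnet: delivered at L2, never routed, no forward chain
    return "forward"


def walk_forward(p: Packet) -> str:
    """First terminating forward rule; fasttrack-connection marks and continues."""
    for r in FORWARD:
        if r.matches(p) and r.action != "fasttrack-connection":
            return f"{r.action}: {r.comment}"
    return "accept: end of chain (default)"


def explain(p: Packet) -> str:
    chain = chain_for(p)
    if chain is None:
        return (f"{p.src}->{p.dst}:{p.dport} never enters the IP firewall; "
                f"had it been routed the forward chain would say '{walk_forward(p)}'")
    if chain == "input":
        return f"{p.src}->{p.dst}:{p.dport} is handled by the input chain"
    return f"{p.src}->{p.dst}:{p.dport} forward chain: {walk_forward(p)}"


if __name__ == "__main__":
    for pkt in (Packet("10.20.0.50", "10.20.0.2", dport=8291),
                Packet("10.20.0.50", "10.20.0.1", dport=8291),
                Packet("10.20.0.50", "10.10.0.5", dport=8096),
                Packet("10.20.0.50", "10.10.0.20", dport=22)):
        print(explain(pkt))
```

The first constructed packet is the case in the post: `chain_for` returns no chain at all, while `walk_forward` shows the drop rule would have been the first match, so reordering the rule cannot help. One caveat the model leaves out: if the Audience and RBM33G traffic is in fact bridged through the RB4011 itself, `/interface bridge settings set use-ip-firewall=yes` pushes bridged packets through the IP firewall and the forward rule would then start counting; if it is switched by another device, the RB4011 never sees the packets and the filtering has to happen elsewhere.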