I have 2 networks: 10.10.0.0/24 (main) and 10.20.0.0/24 (guest).
I am using firewall filters to block 10.10.0.0/24 from 10.20.0.0/24 and vice versa:
add action=drop chain=forward comment="drop all else coming from main to guest " dst-address-list=guest_network src-address-list=\
main_network
add action=drop chain=forward comment="drop all else coming from guest to main" dst-address-list=main_network src-address-list=\
guest_network
The hosts cannot access each other on the different networks, which is what I want. However, the guest network can still ping 10.10.0.1, and from the main network I can ping 10.20.0.1. I assume this is because my drop rules above are forward rules, and I guess I need a set of rules in the INPUT chain as well.
Has anyone noticed that as well?
PS: I know I can use the routing rules to isolate the networks completely, but I need the media server on 10.10.0.5 to be accessible from the guest network 10.20.0.0/24.
/ip firewall address-list
add address=10.10.0.0/24 list=main_network
add address=10.20.0.0/24 list=guest_network
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="accept connection to IKEv2 ports" dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="management over VPN" dst-port=22,80,88,8291 ipsec-policy=in,ipsec protocol=tcp
add action=accept chain=input comment="DNS over VPN" dst-port=53 ipsec-policy=in,ipsec protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="allow emby to respond back to guest network" dst-address=10.20.0.0/24 protocol=tcp \
src-address=10.10.0.5 src-port=8096
add action=accept chain=forward comment="allow access emby from guest network" dst-address=10.10.0.5 dst-port=8096 protocol=tcp \
src-address=10.20.0.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" in-interface-list=WAN ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="simple queues rule for guest network" connection-state=established,related \
dst-address-list=guest_network
add action=fasttrack-connection chain=forward comment="fasttrack with guest network exclusion" connection-state=established,related \
src-address=!10.20.0.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop all else coming from main to guest " dst-address-list=guest_network src-address-list=\
main_network
add action=drop chain=forward comment="drop all else coming from guest to main" dst-address-list=main_network src-address-list=\
guest_network
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=Primary_ISP out-interface=_ISP1
add action=masquerade chain=srcnat comment=Secondary_ISP out-interface=_ISP2
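Input-chain counterparts to the two forward drops, added here as an example (not from the original poster); they assume the address lists and the "defconf: accept ICMP" rule comment exactly as exported above:

```routeros
/ip firewall filter
# Packets addressed to the router itself (guest host -> 10.10.0.1, main host
# -> 10.20.0.1) go through the input chain, so forward-chain drops never see
# them. These drops reuse the existing address lists and are placed before
# "defconf: accept ICMP", otherwise that accept matches the pings first.
# The earlier established,related accept is unaffected: a dropped first packet
# never creates a connection, so there is nothing for it to accept.
# Assumption: list names and defconf comments match the export above.
add action=drop chain=input comment="drop guest -> router addresses on main" \
    src-address-list=guest_network dst-address-list=main_network \
    place-before=[find comment="defconf: accept ICMP"]
add action=drop chain=input comment="drop main -> router addresses on guest" \
    src-address-list=main_network dst-address-list=guest_network \
    place-before=[find comment="defconf: accept ICMP"]
```

Guest DHCP and DNS to 10.20.0.1 are untouched because that address is not in main_network; check with `/ip firewall filter print stats where chain=input` that the new rule's counters grow while a guest host pings 10.10.0.1.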