I have a CCR1009-7G-1C-PC (on 6.48), and I'm trying to set up my firewall. After reading many threads, I can see interface-lists are often used. I like the idea, since you can group interfaces, making firewall rules easier to write, and you can give it a descriptive name "Trusted" / "Untrusted".
I've been trying to write my firewall rules only with interface-lists (I have pretty basic requirements), but I've gotten to a point where 1 drop-rule will work when I use the base interface, but refuses to work when I use the interface-list.
Setup:
vlan2 - trusted devices
vlan3 - untrusted devices
/interface vlan
add interface=bridge-vlan name=vlan2 vlan-id=2
add interface=bridge-vlan name=vlan3 vlan-id=3
/interface list
add name=Trusted
add name=Untrusted
add name=WAN
...
/interface list member
add interface=ether1 list=WAN
add interface=vlan2 list=Trusted
add interface=vlan3 list=Untrusted
...
Firewall Requirements:
trusted devices can see internet, and untrusted devices.
untrusted devices can only see internet
The firewall rules below were adapted from here: viewtopic.php?t=93309
Working, with interface:
In the example below, rules 1 and 2 work with interface-list, and rule 3 works with interface.
This gives both vlans internet access, trusted can see untrusted, but untrusted cannot see trusted.
/ip firewall filter
add action=accept chain=forward in-interface-list=Trusted
add action=accept chain=forward connection-state=established,related in-interface-list=Untrusted
add action=drop chain=forward in-interface=vlan3 out-interface=vlan2
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
NOT Working, with interface-lists:
In the example below, rule 3 has been converted to interface-list, and doesn't work.
With this configuration, both vlans can see internet, and each other.
/ip firewall filter
add action=accept chain=forward in-interface-list=Trusted
add action=accept chain=forward connection-state=established,related in-interface-list=Untrusted
add action=drop chain=forward in-interface-list=Trusted out-interface-list=Untrusted
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
Am I nuts? Shouldn't this work?
Thanks
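As an added example (not from the original post or from MikroTik), the following models the two forward-chain rule sets above with a first-match evaluator. It assumes RouterOS semantics as commonly documented: rules are checked top to bottom, the first match decides, and a packet matching no rule is accepted by the chain; interface-list membership is taken from the post, and the test packets are constructed.

```python
# Added example, not part of the forum post. First-match simulation of the
# two forward-chain rule sets, assuming RouterOS semantics: rules evaluated
# in order, first match wins, no match means the chain accepts the packet.

# Interface-list membership as configured in the post.
LISTS = {"WAN": {"ether1"}, "Trusted": {"vlan2"}, "Untrusted": {"vlan3"}}

# One predicate per matcher used in the post's rules.
MATCHERS = {
    "in-interface": lambda p, v: p["in"] == v,
    "out-interface": lambda p, v: p["out"] == v,
    "in-interface-list": lambda p, v: p["in"] in LISTS[v],
    "out-interface-list": lambda p, v: p["out"] in LISTS[v],
    "connection-state": lambda p, v: p["state"] in v.split(","),
}


def matches(rule, pkt):
    """True if every matcher in the rule (everything except action) agrees with the packet."""
    return all(MATCHERS[k](pkt, v) for k, v in rule.items() if k != "action")


def verdict(rules, pkt):
    """Action of the first matching rule, or 'accept' when nothing matches (chain default)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"


# The "working" rule set from the post (rule 3 uses plain interfaces).
WORKING = [
    {"action": "accept", "in-interface-list": "Trusted"},
    {"action": "accept", "connection-state": "established,related",
     "in-interface-list": "Untrusted"},
    {"action": "drop", "in-interface": "vlan3", "out-interface": "vlan2"},
]

# The "not working" rule set (rule 3 converted to interface-lists as posted).
NOT_WORKING = WORKING[:2] + [
    {"action": "drop", "in-interface-list": "Trusted", "out-interface-list": "Untrusted"},
]

# Constructed packets: new connections between the VLANs and to WAN, plus a reply.
UNTRUSTED_TO_TRUSTED = {"in": "vlan3", "out": "vlan2", "state": "new"}
TRUSTED_TO_UNTRUSTED = {"in": "vlan2", "out": "vlan3", "state": "new"}
UNTRUSTED_TO_WAN = {"in": "vlan3", "out": "ether1", "state": "new"}
REPLY_TO_UNTRUSTED = {"in": "vlan3", "out": "vlan2", "state": "established"}
```

Running `verdict()` over the constructed packets shows which flows each rule set drops, and that the interface-list drop rule in the second set never matches a packet that an earlier rule has not already accepted.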