smurphy
Member Candidate
Topic Author
Posts: 103
Joined: Wed Feb 06, 2008 6:48 pm
Location: Clermont / France

Firewall - best way to separate the interfaces ?

Fri Feb 22, 2008 10:40 pm

Hia folks,

As my old firewall-router will be replaced with a RB153 - and I tend to reproduce the same setup on the RB153 - I need to separate the interfaces. Having 6 interfaces - what is the best method using the built-in firewall in RouterOS v3.3 to restrict access to the interfaces from each other? Also - the default policies for every interface?

Any chance to have the firewall handle interface names instead of IP-Addresses/Subnets ?
Anyway - what I have in mind - is to have interfaces policy:

fw world ACCEPT $LOG
wifi world DROP $LOG
dmz world ACCEPT
lan world ACCEPT
game world ACCEPT
world fw DROP $LOG
world fw DROP $LOG
dmz fw REJECT $LOG
wifi fw DROP $LOG
lan fw REJECT $LOG
game fw DROP $LOG
world dmz DROP $LOG 10/sec:40
fw dmz REJECT $LOG
wifi dmz DROP $LOG
game dmz DROP $LOG
lan dmz ACCEPT
etc. ...

for all interfaces. (It's my shorewall config policy.) Then set rules on the world -> fw, for eventually allowing IP addresses etc.
The thing is - that I really want to separate the ethernet ports (which have different IPs and are not bridged) from each other - except if I want. So - what is the best way of doing that?

Note - that I do belong to those who always try to apply the KISS principle (Keep It Simple Stupid).
A complex Firewall Setup is of no use !

Thx for any hints.
 
Chupaka
Forum Guru
Posts: 8329
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Firewall - best way to separate the interfaces ?

Sat Feb 23, 2008 1:51 am

smurphy wrote: Any chance to have the firewall handle interface names instead of IP-Addresses/Subnets ?

why not use

/ip firewall filter add chain=forward in-interface=fw out-interface=world action=accept
/ip firewall filter add chain=forward in-interface=world out-interface=fw action=accept

and so on?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
smurphy
Member Candidate
Topic Author
Posts: 103
Joined: Wed Feb 06, 2008 6:48 pm
Location: Clermont / France

Re: Firewall - best way to separate the interfaces ?

Sun Feb 24, 2008 11:26 am

Hmm. Thx. That's a good hint.

ok - now comes the next issue.
As we have separated the traffic flow between the interfaces themselves - now I want to also limit access - on a per interface base....

IMHO - I'll have to create new chains - e.g.:

fw2lan, fw2wifi, fw2wan, fw2secure - I have to take into account.
But where ?

If I understood it correctly - I will have to first define the policy chains - this from the router's point of view:
World-in: with 0.0.0.0/0 -> 0.0.0.0/0 DROP
WiFi-in: with 0.0.0.0/0 -> 0.0.0.0/0 DROP
Lan-in: with 0.0.0.0/0 -> 0.0.0.0/0 DROP

etc.

then define the inter-port connection default policy - e.g.:
world2fw: with 0.0.0.0/0 -> 0.0.0.0/0 DROP
world2lan: with 0.0.0.0/0 -> 0.0.0.0/0 DROP (Same for world2wifi, world2secure etc.)
world2dmz: with 0.0.0.0/0 -> 0.0.0.0/0 DROP
wifi2world: with 0.0.0.0/0 -> 0.0.0.0/0 REJECT
lan2world: with 0.0.0.0/0 -> 0.0.0.0/0 ACCEPT (This one is a secured LAN with no WLAN access, only systems administered by me)
etc.
But then - I want to add some specific access rules to some of these directions.
E.g.
world2dmz: with 0.0.0.0/0:443 -> 10.10.10.2/32:443 DNAT
Similar for http, ssh
and on the other side:
lan2dmz: with 0.0.0.0/0 -> 0.0.0.0/0 ACCEPT

and so on.
I suppose I will have to add a policy + rules/dnat per Interface pair.

Does such a configuration template exist somewhere? At least for 2 different LANs/interfaces?
So I can adapt it to my needs? (I'll have 6 different interfaces ... - and I tend to want to limit the accesses.)


Thx for any input :)
I am new to RouterOS ... I have built some firewalls from scratch - even wrote some firewall scripts back in time, but it's always a pain again to change the dialect ;)
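The layout smurphy sketches (one chain per interface pair, default DROP, then specific accept/DNAT rules) written out as a RouterOS v3 filter/NAT script. This is an added example, not from the thread or from MikroTik; the interface names (ether1=world, ether2=lan, ether3=dmz, ether4=wifi) are assumptions, 10.10.10.2 is the DMZ web server from the post.

```routeros
# Added example (not from the thread). Assumed mapping:
# ether1=world, ether2=lan, ether3=dmz, ether4=wifi. 10.10.10.2 = DMZ web server.
/ip firewall filter
# Handle connection state once, so the per-pair chains only ever see NEW connections
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=established,related action=accept
# Dispatch each (in,out) interface pair to its own policy chain
add chain=forward in-interface=ether1 out-interface=ether3 action=jump jump-target=world2dmz
add chain=forward in-interface=ether2 out-interface=ether3 action=jump jump-target=lan2dmz
add chain=forward in-interface=ether2 out-interface=ether1 action=jump jump-target=lan2world
add chain=forward in-interface=ether4 out-interface=ether1 action=jump jump-target=wifi2world
# Any pair without a chain falls through here: the "0.0.0.0/0 -> 0.0.0.0/0 DROP" policy
add chain=forward action=log log-prefix="fwd-drop"
add chain=forward action=drop
# world2dmz: only the published services, everything else dropped and logged
add chain=world2dmz protocol=tcp dst-address=10.10.10.2 dst-port=443 action=accept
add chain=world2dmz protocol=tcp dst-address=10.10.10.2 dst-port=80 action=accept
add chain=world2dmz action=log log-prefix="world2dmz-drop"
add chain=world2dmz action=drop
# lan2dmz / lan2world: ACCEPT policy
add chain=lan2dmz action=accept
add chain=lan2world action=accept
# wifi2world: REJECT policy (sender gets an ICMP error instead of a silent drop)
add chain=wifi2world action=reject reject-with=icmp-network-unreachable
# Traffic to the router itself (the "* fw" lines): only the admin LAN may reach it
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether2 action=accept
add chain=input action=log log-prefix="input-drop"
add chain=input action=drop
# DNAT runs before the forward filter, so world2dmz already sees dst 10.10.10.2
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 action=dst-nat to-addresses=10.10.10.2 to-ports=443
```

Adding a new interface pair is then one jump rule in forward plus one new chain; pairs that are never listed are covered by the final forward drop.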