RB192, block between ethernet ports

jcremin · Wed Jul 30, 2008 9:02 am

Hello,
I have a RB192 which I bought to use at a commercial building with 8 suites. My intention was to plug the internet connection into ether1, and have ether 2-9 each hand out IP addresses and do NAT for each suite.

The main reason for going with the 192 was because I wanted to keep each suite from accessing the other suite's computers. Now I'm sure it's possible, but can anyone tell me what I'm missing??

Each port has it's own DHCP server running, and I can plug into any port and get online fine, but I can still ping the other ethernet ports and devices behind them.... basically it's just being a router, they way a router should be, but that isn't my intention....

Any help would be welcomed!!

Thanks,
Joe

Wed Jul 30, 2008 9:33 am

you can use firewall to stop access from one network to other networks.

jcremin · Wed Jul 30, 2008 4:12 pm

Yes, that's what I was trying to do, but even after looking through the documentation and wiki, I haven't quite figured out how to do it. Can you give me an example?

Thanks

jcremin · Fri Aug 01, 2008 6:10 am

Anyone?

hilton · Fri Aug 01, 2008 11:15 am

Joe I was also under the impression that each interface was physically separate from each other, hence the need to add them to a bridge if you wanted a 'switch'.

All I can say is perhaps run a VLAN on each interface then, this will sort out your security issues.

jcremin · Fri Aug 01, 2008 5:16 pm

The problem isn't so much that it's acting like a switch... The problem is that port 1 is say 10.10.0.x/24, and port 2 is 10.10.1.x/24. It is simply routing between the two. I only want each port to be able to go out the port I have configured as the WAN port. Wish there was a way I could just disable routing and let it still NAT through the wan port.

gmsmstr · Fri Aug 01, 2008 8:15 pm

drop in ether1 out ether2
drop in ether1 out ether3

jcremin · Fri Aug 01, 2008 8:51 pm

So you're saying that I have to create 8 rules for each port (64 rules) just to isolate the ports? Any easier way?

gmsmstr · Fri Aug 01, 2008 9:08 pm

I would have to put in one rule per port. its still a drop rule.

paulchops · Sun Aug 03, 2008 8:23 am

Here ya go... this should do it..

/ip firewall filter
add action=drop chain=forward comment="" disabled=yes out-interface=!ether1 \
src-address=10.10.0.0/16

Paul, PDMNet

Chupaka · Sun Aug 03, 2008 4:50 pm

in-interfale=!ether1 out-interface=!ether1 action=reject

jcremin · Fri Aug 29, 2008 3:34 am

in-interfale=!ether1 out-interface=!ether1 action=reject

That seems to have worked perfect.

Thanks!

RB192, block between ethernet ports

RB192, block between ethernet ports

Re: RB192, block between ethernet ports

Re: RB192, block between ethernet ports

Re: RB192, block between ethernet ports

Re: RB192, block between ethernet ports

Re: RB192, block between ethernet ports

Re: RB192, block between ethernet ports

Re: RB192, block between ethernet ports

Re: RB192, block between ethernet ports

Re: RB192, block between ethernet ports

Re: RB192, block between ethernet ports

Re: RB192, block between ethernet ports

Who is online