Hi-
I've set up an RB450 as an internet router with 2 separate internal subnets:
eth 1 - internet
eth 2 - 192.168.0.0/24
eth 3 - 10.0.0.0/24
I've limited communication between the internal subnets via the firewall:
add action=accept chain=forward comment="" disabled=no dst-port=3389 \
in-interface="3Alt Internal" protocol=tcp src-address=10.0.0.0/24
add action=accept chain=forward comment="" disabled=no dst-port=1723 \
in-interface="3Alt Internal" protocol=tcp src-address=10.0.0.0/24
add action=accept chain=forward comment="" disabled=no in-interface=\
"3Alt Internal" protocol=gre src-address=10.0.0.0/24
add action=accept chain=forward comment="" disabled=no dst-address=\
192.168.0.1 in-interface="3Alt Internal" limit=1,5 protocol=icmp \
src-address=10.0.0.0/24
add action=drop chain=forward comment="" disabled=no dst-address=\
192.168.0.0/24 in-interface="3Alt Internal" src-address=10.0.0.0/24
add action=drop chain=input comment="" disabled=no dst-address=\
192.168.0.0/24 in-interface="3Alt Internal" src-address=10.0.0.0/24
Things work fairly well, except for the VPN: when I connect to a PPTP VPN server at 192.168.0.1, communication to the 192.168.0.0/24 subnet works (it passes over the VPN), except for any communication to 192.168.0.1 other than the VPN itself; that doesn't work.
My design goal was to only allow minimal access from 10.0.0.0 to 192.168.0.0, and require a connection to the existing VPN server for any more access. I get the feeling, though, that I'm hitting a wall as far as what my config can do - would there be a better way to configure?
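As an added illustration (not part of the original post or of RouterOS), the following Python model walks the quoted forward-chain rules in order, first match wins, the way the router does, and feeds it the packets a 10.0.0.x host actually puts on the wire with and without the PPTP tunnel up. It reproduces the symptom: traffic for other 192.168.0.0/24 hosts is wrapped in GRE to 192.168.0.1 and passes the GRE accept rule, but a PPTP client keeps a direct host route to its tunnel endpoint (the tunnel cannot carry its own transport), so packets addressed to 192.168.0.1 itself leave unencapsulated and fall through to the drop rule. The host addresses, ports and the `Packet`/`client_emits` helpers are constructed for the example; the `limit=1,5` on the ICMP rule is not modelled.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

IN_IFACE = "3Alt Internal"   # interface name as it appears in the post
VPN_SERVER = "192.168.0.1"   # PPTP server address from the post


@dataclass(frozen=True)
class Packet:
    """One packet as the router's forward chain sees it (constructed for the example)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp" or "gre"
    dst_port: Optional[int] = None
    in_if: str = IN_IFACE


# The post's forward chain, transcribed rule by rule. A missing key is a wildcard.
FORWARD_RULES = [
    {"action": "accept", "proto": "tcp", "dst_port": 3389, "src": "10.0.0.0/24", "in_if": IN_IFACE},
    {"action": "accept", "proto": "tcp", "dst_port": 1723, "src": "10.0.0.0/24", "in_if": IN_IFACE},
    {"action": "accept", "proto": "gre", "src": "10.0.0.0/24", "in_if": IN_IFACE},
    {"action": "accept", "proto": "icmp", "src": "10.0.0.0/24", "dst": "192.168.0.1/32", "in_if": IN_IFACE},
    {"action": "drop", "src": "10.0.0.0/24", "dst": "192.168.0.0/24", "in_if": IN_IFACE},
]


def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Every field present in the rule must match; absent fields match anything."""
    if "in_if" in rule and rule["in_if"] != pkt.in_if:
        return False
    if "proto" in rule and rule["proto"] != pkt.proto:
        return False
    if "dst_port" in rule and rule["dst_port"] != pkt.dst_port:
        return False
    if "src" in rule and not _in_net(pkt.src, rule["src"]):
        return False
    if "dst" in rule and not _in_net(pkt.dst, rule["dst"]):
        return False
    return True


def forward_verdict(pkt: Packet) -> str:
    """First matching rule decides; a chain with no match accepts (RouterOS default)."""
    for rule in FORWARD_RULES:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "accept"


def client_emits(pkt: Packet, vpn_up: bool) -> Packet:
    """What the 10.0.0.x host actually sends toward the router.

    With the tunnel up, traffic for 192.168.0.0/24 is encapsulated in GRE addressed to
    the PPTP server. Traffic to the server's own address is the exception: the client
    routes its tunnel endpoint directly, so those packets go out unencapsulated.
    """
    if vpn_up and _in_net(pkt.dst, "192.168.0.0/24") and pkt.dst != VPN_SERVER:
        return Packet(src=pkt.src, dst=VPN_SERVER, proto="gre", in_if=pkt.in_if)
    return pkt


if __name__ == "__main__":
    client = "10.0.0.5"   # constructed sample host on the 10.0.0.0/24 side
    cases = [
        ("PPTP control to server, tunnel down", Packet(client, VPN_SERVER, "tcp", 1723), False),
        ("SMB to 192.168.0.50, tunnel down", Packet(client, "192.168.0.50", "tcp", 445), False),
        ("SMB to 192.168.0.50, tunnel up", Packet(client, "192.168.0.50", "tcp", 445), True),
        ("SMB to the VPN server itself, tunnel up", Packet(client, VPN_SERVER, "tcp", 445), True),
        ("ping the VPN server", Packet(client, VPN_SERVER, "icmp"), False),
        ("ping another 192.168.0.x host", Packet(client, "192.168.0.2", "icmp"), False),
    ]
    for label, pkt, up in cases:
        wire = client_emits(pkt, up)
        print(f"{label:45s} wire={wire.proto:4s} -> {wire.dst:13s} verdict={forward_verdict(wire)}")
```

The fourth case is the one described in the post: with the tunnel up, a packet for 192.168.0.1 on any port other than 1723/GRE/ICMP still arrives at the router as plain traffic from 10.0.0.0/24 to 192.168.0.0/24 and is dropped, while the same service on any other 192.168.0.x host is reached inside GRE and accepted. Any change to the rule set can be checked against this model before it is applied to the router.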