Hello, all... thank you for your help in advance.

I have two networks running on an RB450G. Here's what I wanted to accomplish:

Two subnets on two different interfaces:

eth1: WAN
eth2: LAN
eth5: LAN2
(ports 3 and 4 will be used later for switching)

eth2: LAN subnet: 10.10.23.0/24
eth5: LAN2 subnet: 172.16.23.0/25
Both of these subnets are in the firewall address list under a single name so they may share the firewall filter and nat rules.

I set up separate pools/dhcp servers for both interfaces. It all seemed to go well except for the fact that I could ping between the subnets! I was always under the impression they would not be able to communicate.

For example, a machine connected to eth5, received an IP of 172.16.23.124 and was able to ping every address on the other subnet residing in eth2 (10.10.23.0/24). In short, I was able to get to any machine on the other interface.

The way I solved it is that I simply added a firewall filter entry that will drop any connection attempt on the input chain that is from interface LAN2 with a dst address of 10.10.23.0/24, and in the forward chain with an input interface of LAN2 and output interface of LAN.

Still with me? Thanks!

This solved the entire problem. Neither subnet can communicate with the other, which is what I wanted. Both interfaces can access the internet and the dns server on the 450G is serving them both well.

My question is... (FINALLY!): Was this the proper method of accomplishing what I set out to do? I really thought that if there were two interfaces running two different subnets they should inherently not be able to talk to each other. Did I simply patch a hole without addressing another bigger issue, or is this the way it is supposed to work?

Thoughts/comments are appreciated.

Your premise is wrong: on a router - that is, something that routes and does not firewall traffic - two separate subnets directly connected to it can inherently talk to one another. That is the whole purpose of a router, and what you observed is exactly what is expected. If you want the two subnets to not be able to communicate, you need to firewall the traffic between them, which is exactly what you did.

Devices explicitly sold as security devices usually have a default deny policy where you have to specify what traffic should flow, but devices such as RouterOS/RouterBOARDs are routers with a default accept policy, where you explicitly tell it what traffic to drop.

And yes, this even applies to WAN to LAN traffic - it's just that most people use private IP addressing and NAT for LANs, so their inside hosts are not exposed. Not that NAT is a sufficient security measure - you should always implement WAN to LAN firewall filters. Many, many routers out there are misconfigured in that regard.

Hi all.

I am actually trying to achieve what the poster was trying to stop but I am using an rb750g. Can anyone advise how to get the two LANs to communicate? I currently have no firewall rules, only src and dst nat rules. Any help would be greatly appreciated

Regards, Tom

As stated routers inherently route between directly connected networks. If yours isn't it is misconfigured. How is it misconfigured? Hard to say. Post your configuration. Start with the output of "/ip address print detail", "/ip route print detail", "/interface print", "/interface ethernet print detail"/ip firewall export", and an accurate network diagram. Wrap the output in

i have asked a similar question in
http://forum.mikrotik.com/viewtopic.php ... 70#p264170

I've posted an answer there.