plankanater
Member Candidate
Topic Author
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Rules to stop subnet to subnet traffic

Wed Mar 14, 2012 7:21 pm

RB800

I am going to put 130 different subnets on vlans, then push the subnets and dhcp through switches.
192.168.1.1 - 192.168.131.1

I do not want any of the subnets to talk to each other.

Is there a way to do this without making firewall rules for each subnet? I feel like 300+ firewall rules may bog down the router a little.


Thanks.
 
Davis
Member Candidate
Posts: 117
Joined: Mon Aug 01, 2011 12:27 pm
Location: Latvia, Riga

Re: Rules to stop subnet to subnet traffic

Wed Mar 14, 2012 7:43 pm

You can just add firewall rule that stops all forwarding (/ip firewall filter add chain=forward action=drop) and above it you can add rules that allow forwarding between specific subnets (if needed).
 
plankanater
Member Candidate
Topic Author
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: Rules to stop subnet to subnet traffic

Wed Mar 14, 2012 8:09 pm

Doing that drops all connections completely. It keeps those subnets from reaching the internet.
 
plankanater
Member Candidate
Topic Author
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: Rules to stop subnet to subnet traffic

Wed Mar 14, 2012 9:02 pm

Added firewall rule chain=forward Src Address 192.168.1.0/24 Dst Address (everything but checked) 192.168.1.0/24 Action Drop

It drops packets to items on the different subnets but not to the subnet's gateway (router). To drop those I put in the same rule with just Chain=input.

This has limited it to 2 rules per subnet. Which is still 260 rules.

Anyone know of a better way?
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Rules to stop subnet to subnet traffic

Wed Mar 14, 2012 11:55 pm

/ip firewall filter
add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop
try this one
 
plankanater
Member Candidate
Topic Author
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: Rules to stop subnet to subnet traffic

Thu Mar 15, 2012 12:49 am

This completely dropped all traffic to the gateway including DNS and DHCP basically making it unusable.

I have also tried disabling ARP on interfaces, but this also stops all pings in and out.
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: Rules to stop subnet to subnet traffic

Thu Mar 15, 2012 1:52 am

> RB800
>
> I am going to put 130 different subnets on vlans, then push the subnets and dhcp through switches.
> 192.168.1.1 - 192.168.131.1
>
> I do not want any of the subnets to talk to each other.
>
> Is there a way to do this without making firewall rules for each subnet? I feel like 300+ firewall rules may bog down the router a little.
>
> Thanks.

Do you really want users to communicate within their broadcast domain only? Or, perhaps you want your users to go to internet and nowhere else?
 
plankanater
Member Candidate
Topic Author
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: Rules to stop subnet to subnet traffic

Thu Mar 15, 2012 1:57 am

Basically I want each subnet to be able to get to the internet and to anything else on their /24 subnet, but not talk to any other /24 subnet.
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: Rules to stop subnet to subnet traffic

Thu Mar 15, 2012 2:02 am

> Basically I want each subnet to be able to get to the internet and to anything else on their /24 subnet, but not talk to any other /24 subnet.

add action=reject chain=forward comment="Drop traffic between LAN interfaces/subnets" disabled=no \
    dst-address-list=PrivateSubnets in-interface=!WAN reject-with=icmp-admin-prohibited
PrivateSubnets list has all of your LAN subnets.
 
plankanater
Member Candidate
Topic Author
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: Rules to stop subnet to subnet traffic

Thu Mar 15, 2012 2:38 am

> add action=reject chain=forward comment="Drop traffic between LAN interfaces/subnets" disabled=no \
>     dst-address-list=PrivateSubnets in-interface=!WAN reject-with=icmp-admin-prohibited
> PrivateSubnets list has all of your LAN subnets.

How would I set up the nat in order to add that to the destination address list?
 
reverged
Member Candidate
Posts: 270
Joined: Thu Nov 12, 2009 8:30 am

Re: Rules to stop subnet to subnet traffic

Thu Mar 15, 2012 3:48 am

> Basically I want each subnet to be able to get to the internet and to anything else on their /24 subnet, but not talk to any other /24 subnet.

Then the simplest would be to permit access to the internet and nothing else:
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related 
add chain=forward action=accept out-interface=<gateway interface>
add chain=forward action=drop
Anything that is not established or related or going out the gateway interface is dropped.
Then add a src-nat rule to handle masquerade.

Traffic within each vlan will be handled at L2 by the switches, not the router.
 
plankanater
Member Candidate
Topic Author
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: Rules to stop subnet to subnet traffic

Fri Mar 16, 2012 12:09 am

Working great! Thank you.

This config restricts connections between IPs on the individual LANs. Is there another rule I can add that would keep one subnet from reaching the other subnets' gateway?

i.e. computer 1 = 192.168.1.4, computer 2 = 192.168.2.4

How I have it now, computer 1 cannot talk to computer 2, but it can talk to computer 2's gateway.

It's not critical to have that stopped, but I would prefer it.
 
reverged
Member Candidate
Posts: 270
Joined: Thu Nov 12, 2009 8:30 am

Re: Rules to stop subnet to subnet traffic

Fri Mar 16, 2012 2:03 am

Do you have input rules?
Why allow any access to the router from the various lans?
With few exceptions, I would block all but your management subnet or management port access to the router on the lan side.
add chain=input action=accept connection-state=established
add chain=input action=accept connection-state=related 
add chain=input action=accept in-interface=<management interface> src-address=<management subnet>
add chain=input action=drop
Use safe mode when doing this to ensure you don't lock yourself out.
The third rule will allow MAC Winbox if src-address matches.
If you need remote access add a fourth rule before the drop:
add chain=input action=accept in-interface=<gateway interface> src-address-list=<Public IP List>
Then make an address list with the few publics that need to access the router from the public wan. Use care with this.
 
plankanater
Member Candidate
Topic Author
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: Rules to stop subnet to subnet traffic

Fri Mar 16, 2012 3:29 am

I do DNS relay through the router, which those rules seem to stop.

Turning off relay and pushing public DNS through fixes this problem.

Also, I would like the individual subnets to be able to ping their individual gateway for troubleshooting purposes.
 
reverged
Member Candidate
Posts: 270
Joined: Thu Nov 12, 2009 8:30 am

Re: Rules to stop subnet to subnet traffic

Fri Mar 16, 2012 3:57 am

add chain=input action=accept protocol=udp in-interface=!<gateway> dst-port=53 
add chain=input action=accept protocol=tcp in-interface=!<gateway> dst-port=53 
add chain=input action=accept protocol=icmp in-interface=!<gateway>
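An added example (not from this thread and not RouterOS code): a small Python model of first-match filter evaluation, loaded with the forward-chain rules from reverged's earlier post and the input-chain rules from the last two posts, with the DNS and ICMP accepts placed above the input drop, which the posts imply but do not spell out. The interface names ether1-wan and ether2-mgmt, the 192.168.100.0/24 management subnet and every packet address are constructed. It runs the thread's cases through the rules: internet access and returning replies pass, vlan-to-vlan transit is dropped, a vlan host can query DNS on its gateway but not open Winbox to it, DNS is not reachable from the WAN side, and, because the ICMP rule matches on in-interface rather than destination address, a vlan1 host can still ping vlan2's gateway address, the case plankanater called not critical.

```python
# Added example: first-match model of the RouterOS filter chains built up in this
# thread (forward + input). Interface names and subnets below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GATEWAY = "ether1-wan"          # assumed name of the internet-facing interface
MGMT_IF = "ether2-mgmt"         # assumed management interface
MGMT_NET = "192.168.100.0/24"   # assumed management subnet


@dataclass
class Packet:
    chain: str                       # "forward" = transit, "input" = to the router itself
    src: str
    dst: str
    in_iface: str
    out_iface: Optional[str] = None  # only set for forward-chain packets
    proto: str = "tcp"
    dst_port: Optional[int] = None
    conn_state: str = "new"          # "new", "established" or "related"


@dataclass
class Rule:
    chain: str
    action: str                      # "accept", "drop" or "reject"
    conn_state: Optional[str] = None
    in_iface: Optional[str] = None   # a leading "!" negates, as in RouterOS
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_net: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must hit; unset matchers match anything."""
        return (
            self.chain == p.chain
            and (self.conn_state is None or self.conn_state == p.conn_state)
            and _iface_match(self.in_iface, p.in_iface)
            and _iface_match(self.out_iface, p.out_iface)
            and (self.proto is None or self.proto == p.proto)
            and (self.dst_port is None or self.dst_port == p.dst_port)
            and (self.src_net is None or ip_address(p.src) in ip_network(self.src_net))
        )


def _iface_match(spec: Optional[str], value: Optional[str]) -> bool:
    if spec is None:
        return True
    if spec.startswith("!"):
        return value != spec[1:]
    return value == spec


def verdict(rules, p: Packet) -> str:
    """RouterOS filter semantics: first matching rule wins; no match means accept."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "accept"


# The rule set the thread ends up with, in the order that makes it work:
# accept rules first, the catch-all drop last in each chain.
FINAL_RULES = [
    Rule("forward", "accept", conn_state="established"),
    Rule("forward", "accept", conn_state="related"),
    Rule("forward", "accept", out_iface=GATEWAY),
    Rule("forward", "drop"),
    Rule("input", "accept", conn_state="established"),
    Rule("input", "accept", conn_state="related"),
    Rule("input", "accept", in_iface=MGMT_IF, src_net=MGMT_NET),
    Rule("input", "accept", proto="udp", in_iface="!" + GATEWAY, dst_port=53),
    Rule("input", "accept", proto="tcp", in_iface="!" + GATEWAY, dst_port=53),
    Rule("input", "accept", proto="icmp", in_iface="!" + GATEWAY),
    Rule("input", "drop"),
]

# A bare forward drop with nothing above it, as first suggested in the thread.
DROP_ONLY = [Rule("forward", "drop")]


def run_scenarios(rules=FINAL_RULES) -> dict:
    """Constructed packets covering each case raised in the thread."""
    cases = {
        "vlan1 host -> internet": Packet("forward", "192.168.1.4", "198.51.100.9", "vlan1", GATEWAY, "tcp", 443),
        "internet reply -> vlan1 host": Packet("forward", "198.51.100.9", "192.168.1.4", GATEWAY, "vlan1", "tcp", 51000, "established"),
        "vlan1 host -> vlan2 host": Packet("forward", "192.168.1.4", "192.168.2.4", "vlan1", "vlan2", "tcp", 445),
        "vlan1 host -> own gateway DNS": Packet("input", "192.168.1.4", "192.168.1.1", "vlan1", None, "udp", 53),
        "vlan1 host -> own gateway winbox": Packet("input", "192.168.1.4", "192.168.1.1", "vlan1", None, "tcp", 8291),
        "vlan1 host -> vlan2 gateway ping": Packet("input", "192.168.1.4", "192.168.2.1", "vlan1", None, "icmp"),
        "mgmt host -> router winbox": Packet("input", "192.168.100.10", "192.168.100.1", MGMT_IF, None, "tcp", 8291),
        "internet -> router DNS": Packet("input", "198.51.100.9", "203.0.113.1", GATEWAY, None, "udp", 53),
    }
    return {name: verdict(rules, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{result:6}  {name}")
    print("drop-only forward chain, vlan1 host -> internet:",
          verdict(DROP_ONLY, Packet("forward", "192.168.1.4", "198.51.100.9", "vlan1", GATEWAY)))
```

The model deliberately mirrors two RouterOS behaviours that matter here: rule order decides the outcome, so the established/related and out-interface accepts must sit above the drop, and a chain with no matching rule accepts by default, which is why a single drop rule with nothing above it cuts off the internet as reported earlier in the thread. Swapping FINAL_RULES for DROP_ONLY in run_scenarios shows that case directly.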
