ScottReed
Member Candidate
Topic Author
Posts: 111
Joined: Thu Sep 24, 2009 9:47 pm
Location: Montana / Western Massachusetts

Firewall Assistance

Mon Oct 28, 2013 11:05 pm

All -

I have a fairly large network consisting of 26 Mikrotik routers, predominantly RB1200s.

Not going to use real IPs below...

Overview

Each router has a 1.1.x.x/22 subnet off it and then we do 2.2.2.x/29 backhaul links off other interfaces and run OSPF. Some sites have redundancy, some do not. I have multiple OSPF areas and run multiple instances.

All the 1.1.x.x/22 subnets consist of customer UBNT devices. Customer routers pull a 1.1.x.x address from the local router at the site they are subscribed from.

The 1.1.x.x/22 traffic works its way back to a core Cloud Core router in our backbone area where it is NAT'd out to the internet.

Question

I'm looking to build firewall rules that allow all our administrative traffic from 3.3.3.x/24 to get to everything. But I want to ensure that each router at each site doesn't allow 1.1.x.x/22 traffic from other sites.

I'm looking for any ideas, suggestions?

Thanks,
Scott
 
jandafields
Forum Guru
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Firewall Assistance

Tue Oct 29, 2013 12:43 am


So, do a simple "dst-address=3.3.3.0/24, action=accept" and put in other rules to accept whatever else you do want to accept, then at the bottom, put a deny all rule.
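
A worked per-site rule set for the question above, added here as an example; it is not from either poster and not a MikroTik reference configuration. It uses the placeholder prefixes from the post (1.1.x.x/22 customer subnets, 2.2.2.x/29 backhaul links, 3.3.3.0/24 admin). The customer interface name (ether2), the local site's /22 (1.1.4.0/22), the 1.1.0.0/16 supernet covering every site's customer /22, and the 2.2.2.0/24 backhaul supernet are all assumptions to adjust per router. Address lists keep the rules identical on all 26 routers with only the "customers-local" entry changing.

```routeros
# Added example for the thread's question; not the original poster's or MikroTik's config.
# Assumed: this site's customer /22 is 1.1.4.0/22 on ether2; backhaul /29s live in 2.2.2.0/24;
# every site's customer /22 falls inside 1.1.0.0/16; admin network is 3.3.3.0/24.
/ip firewall address-list
add list=admin address=3.3.3.0/24 comment="management network, reaches everything"
add list=customers-all address=1.1.0.0/16 comment="supernet of every site's customer /22"
add list=customers-local address=1.1.4.0/22 comment="THIS site's /22 - change per router"
add list=backhaul address=2.2.2.0/24 comment="OSPF/backhaul link supernet"

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related comment="replies to sessions we opened"
add chain=input action=drop connection-state=invalid
add chain=input action=accept src-address-list=admin comment="admin network manages every router"
add chain=input action=accept protocol=ospf src-address-list=backhaul comment="OSPF neighbours on backhaul"
add chain=input action=accept protocol=udp dst-port=67 in-interface=ether2 comment="DHCP from local customers"
add chain=input action=accept protocol=icmp comment="ping/PMTUD"
add chain=input action=drop src-address-list=customers-all log=yes log-prefix="cust-to-router" \
    comment="customer devices (any site) never reach the router; logged for detection"
add chain=input action=drop comment="default deny"

# --- forward chain: traffic routed through this site ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept src-address-list=admin comment="admin network reaches everything"
add chain=forward action=drop in-interface=ether2 src-address-list=!customers-local log=yes \
    log-prefix="spoof" comment="anti-spoof: local customers may only source this site's /22"
add chain=forward action=drop src-address-list=customers-all dst-address-list=customers-all \
    comment="no customer-to-customer traffic between (or within) sites through the router"
add chain=forward action=accept src-address-list=customers-local comment="local customers out to core/NAT"
add chain=forward action=drop comment="default deny"
```

Rules are evaluated top-down and the first match wins, so the established/related accept has to sit above every drop or return traffic dies. The admin rule matches on src-address because the post describes traffic originating from 3.3.3.x/24; its replies come back through the established/related rule. The "customers-all to customers-all" drop is what enforces the "no 1.1.x.x/22 from other sites" requirement: a packet from another site's /22 arrives over a backhaul link and is discarded before it reaches the local /22, and the matching input-chain drop keeps those same sources off the router itself, with logging so cross-site attempts show up. Because the core Cloud Core router holds no customer /22 of its own, it gets the same set minus the customers-local and DHCP lines. Apply a set like this from the admin network with Safe Mode (Ctrl-X in the terminal) enabled, so a misordered rule that cuts you off is rolled back automatically.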
