jprasad
just joined
Topic Author
Posts: 19
Joined: Sun Apr 27, 2014 10:12 pm

RB2011 different subnets are pingable

Thu Aug 07, 2014 10:58 pm

Hi,
Hope someone can help me with what is probably a very simple problem.

I have a few subnets on my router - it is operating as follows:
192.168.0.x - Life school - network of about 40 students - can connect to WAN (restricted)
192.168.1.x - tamil uplink - can connect to WAN
192.168.88.x - office network can connect to WAN
WAN is a PPPoE client on ether10.

I don't want the segments to talk with each other. I have tried fewi's suggestion to add in:
/ip firewall filter 
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward out-interface=!WAN action=drop
but it doesn't work at all.
Can someone please point out where I have gone wrong?
Thank you so much

Jonni
# aug/08/2014 03:57:24 by RouterOS 6.6
# software id = 7H93-B129
#
/interface bridge
add l2mtu=1598 name=bridge-life
add l2mtu=1598 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-server_life
set [ find default-name=ether2 ] name=ether2-up_life
set [ find default-name=ether3 ] bandwidth=1M/2M name=ether3-up_tamil
set [ find default-name=ether4 ] name=ether4-nas1
set [ find default-name=ether5 ] master-port=ether4-nas1 name=ether5-nas2
set [ find default-name=ether6 ] name=ether6-master-up_switch
set [ find default-name=ether7 ] master-port=ether6-master-up_switch name=\
    ether7-slave
set [ find default-name=ether8 ] master-port=ether6-master-up_switch name=\
    ether8-slave-printer
set [ find default-name=ether9 ] master-port=ether6-master-up_switch name=\
    ether9-slave
set [ find default-name=ether10 ] name=ether10-gateway
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no l2mtu=2290 mode=\
    ap-bridge ssid="Grace Shah Alam" wireless-protocol=802.11
/interface vlan
add interface=ether10-gateway l2mtu=1594 name="vlan 500" vlan-id=500
/interface pppoe-client
add add-default-route=yes disabled=no interface="vlan 500" max-mru=1492 \
    max-mtu=1492 name=unifi_internet password=************ use-peer-dns=yes \
    user=whetc@unifibiz
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys wpa-pre-shared-key=44938222 wpa2-pre-shared-key=\
    44938222
/ip dhcp-server
add disabled=no interface=ether3-up_tamil name=dhcp-tamil
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=pool-gcsa ranges=192.168.88.50-192.168.88.200
add name=pool-life ranges=192.168.0.118-192.168.0.250
/ip dhcp-server
add address-pool=pool-gcsa disabled=no interface=bridge-local name=dhcp-gcsa
add address-pool=pool-life disabled=no interface=bridge-life name=dhcp-life
/port
set 0 name=serial0
/queue type
add kind=pcq name=upload pcq-classifier=dst-address pcq-dst-address6-mask=64 \
    pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name=download pcq-classifier=dst-address pcq-dst-address6-mask=\
    64 pcq-rate=1M pcq-src-address6-mask=64
/queue simple
add comment="Restricts Life Students laptop to 1M each to WAN" dst=\
    unifi_internet name=queue-life queue=download/download target=\
    192.168.0.0/24
/interface bridge port
add bridge=bridge-local interface=ether4-nas1
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether6-master-up_switch
add bridge=bridge-life interface=ether1-server_life
add bridge=bridge-life interface=ether2-up_life
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=192.168.0.1/24 interface=bridge-life network=192.168.0.0
add address=192.168.88.1/24 interface=ether4-nas1 network=192.168.88.0
add address=192.168.1.1/24 interface=ether3-up_tamil network=192.168.1.0
/ip dhcp-server lease
add address=192.168.88.11 client-id=1:0:11:32:31:a4:b6 mac-address=\
    00:11:32:31:A4:B6 server=dhcp-gcsa
add address=192.168.88.10 client-id=1:0:11:32:31:a4:b5 mac-address=\
    00:11:32:31:A4:B5 server=dhcp-gcsa
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.88.0/24 dns-server=\
    8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220
/ip dns static
add address=127.0.0.1 name=www.facebook.com ttl=5m
add address=127.0.0.1 name=glib1.facebook.com ttl=5m
add address=127.0.0.1 name=glib2facebook.com ttl=5m
add address=127.0.0.1 name=mail.facebook.com ttl=5m
add address=127.0.0.1 name=dns.facebook.com ttl=5m
add address=127.0.0.1 name=ns0.facebook.com ttl=5m
add address=127.0.0.1 name=ns1.facebook.com ttl=5m
add address=127.0.0.1 name=ns2.facebook.com ttl=5m
add address=127.0.0.1 name=ns3.facebook.com ttl=5m
add address=127.0.0.1 name=ns4.facebook.com ttl=5m
add address=127.0.0.1 name=www.youtube.com ttl=5m
add address=127.0.0.1 name=www.twitter.com ttl=5m
add address=127.0.0.1 name=mobile.twitter.com ttl=5m
add address=127.0.0.1 name=www.google.com.my ttl=5m
add address=127.0.0.1 name=www.google.com ttl=5m
add address=127.0.0.1 name=www.wikipedia.com ttl=5m
/ip firewall address-list
add address=192.168.88.0/24 list=PrivateSubnets
add address=192.168.0.0/24 list=PrivateSubnets
add address=192.168.1.0/24 list=PrivateSubnets
add address=192.168.88.0/24 list=PrivateSubnets
add address=192.168.0.0/24 list=PrivateSubnets
add address=192.168.1.0/24 list=PrivateSubnets
/ip firewall filter
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward src-address=192.168.0.117
add chain=forward dst-port=443 protocol=tcp src-address=192.168.0.0/24
add chain=forward dst-port=1935 protocol=tcp src-address=192.168.0.0/24
add chain=forward dst-port=5938 protocol=tcp src-address=192.168.0.0/24
add chain=forward dst-port=5938 protocol=udp src-address=192.168.0.0/24
add action=drop chain=forward disabled=yes out-interface=!ether10-gateway
add action=drop chain=forward src-address=192.168.0.0/24
add action=drop chain=forward src-address=192.168.1.0/24
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward src-address=192.168.0.117
add chain=forward dst-port=443 protocol=tcp src-address=192.168.0.0/24
add chain=forward dst-port=1935 protocol=tcp src-address=192.168.0.0/24
add chain=forward dst-port=5938 protocol=tcp src-address=192.168.0.0/24
add chain=forward dst-port=5938 protocol=udp src-address=192.168.0.0/24
add action=drop chain=forward disabled=yes out-interface=!ether10-gateway
add action=drop chain=forward src-address=192.168.0.0/24
add action=drop chain=forward src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=unifi_internet
add chain=srcnat src-address=192.168.0.117
add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address=\
    192.168.0.0/24 to-ports=8080
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address=\
    192.168.0.0/24 to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp src-address=\
    192.168.0.0/24 to-ports=53
add action=dst-nat chain=dstnat dst-port=5001 in-interface=unifi_internet \
    protocol=tcp to-addresses=192.168.88.10 to-ports=5001
add action=dst-nat chain=dstnat dst-port=5000 in-interface=unifi_internet \
    protocol=tcp to-addresses=192.168.88.10 to-ports=5000
add action=dst-nat chain=dstnat dst-port=21 in-interface=unifi_internet \
    protocol=tcp to-addresses=192.168.88.10 to-ports=21
add action=masquerade chain=srcnat out-interface=unifi_internet
add chain=srcnat src-address=192.168.0.117
add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address=\
    192.168.0.0/24 to-ports=8080
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address=\
    192.168.0.0/24 to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp src-address=\
    192.168.0.0/24 to-ports=53
add action=dst-nat chain=dstnat dst-port=5001 in-interface=unifi_internet \
    protocol=tcp to-addresses=192.168.88.10 to-ports=5001
add action=dst-nat chain=dstnat dst-port=5000 in-interface=unifi_internet \
    protocol=tcp to-addresses=192.168.88.10 to-ports=5000
add action=dst-nat chain=dstnat dst-port=21 in-interface=unifi_internet \
    protocol=tcp to-addresses=192.168.88.10 to-ports=21
/ip proxy
set enabled=yes max-cache-size=none
/ip proxy access
add dst-host=learning.eduseeds.com
add dst-host=live.wiziq.com
add dst-host=www.viddler.com
add action=deny
add dst-host=learning.eduseeds.com
add dst-host=live.wiziq.com
add dst-host=www.viddler.com
add action=deny
/ip route
add distance=1 gateway=192.168.88.1
add distance=1 gateway=192.168.88.1
/lcd interface
set sfp1 interface=sfp1
set ether1-server_life interface=ether1-server_life
set ether2-up_life interface=ether2-up_life
set ether3-up_tamil interface=ether3-up_tamil
set ether4-nas1 interface=ether4-nas1
set ether5-nas2 interface=ether5-nas2
set ether6-master-up_switch interface=ether6-master-up_switch
set ether7-slave interface=ether7-slave
set ether8-slave-printer interface=ether8-slave-printer
set ether9-slave interface=ether9-slave
set ether10-gateway interface=ether10-gateway
set wlan1 interface=wlan1
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system ntp client
set enabled=yes mode=unicast primary-ntp=202.71.100.89 secondary-ntp=\
    202.190.183.189
[admin@MikroTik] >
Last edited by jprasad on Fri Aug 08, 2014 4:53 pm, edited 1 time in total.
 
Rudios
Forum Veteran
Posts: 966
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: RB2011 different subnets are pingable

Fri Aug 08, 2014 10:30 am

First of all you said you are using pppoe connection from ether10
If that is the case, the pppoe-client interface should be used on your firewall drop rule
I also see that all your rules are shown twice, just delete the duplicates.

PS. also remove your username/password from the config you supplied :)
Testing setup with: 2 x RB750UP | 2 x RB750GL | 1 x RB951G-2HnD | 1 x RB2011UiAS-IN
 
jprasad
just joined
Topic Author
Posts: 19
Joined: Sun Apr 27, 2014 10:12 pm

Re: RB2011 different subnets are pingable

Fri Aug 08, 2014 4:58 pm

Hi there

I changed:
add action=drop chain=forward disabled=yes out-interface=!ether10-gateway
To
add action=drop chain=forward disabled=yes out-interface=!unifi_internet
But all that happens is that there is no internet access and I can still talk across subnets.
 
Rudios
Forum Veteran
Posts: 966
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: RB2011 different subnets are pingable

Sat Aug 09, 2014 7:38 am

At least the rule must be enabled.
And I think you have to be more specific and make a rule per subnet. Specify the src-address parameter and in-interface.
Testing setup with: 2 x RB750UP | 2 x RB750GL | 1 x RB951G-2HnD | 1 x RB2011UiAS-IN
 
Kickoleg
Member Candidate
Posts: 128
Joined: Tue Mar 11, 2014 3:13 pm
Location: Yverdon-les-Bains, Suisse

Re: RB2011 different subnets are pingable

Sat Aug 09, 2014 9:10 am

ip route rule add src-address=192.168.0.x/xx dst-address=192.168.1.x/xx action=unreachable (if you want, you can use "drop")
and for other subnet same rule add ...
MTCNA, MTCUME, MTCRE, MTCWE, MTCTCE certified
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: RB2011 different subnets are pingable

Sun Aug 10, 2014 1:19 am

In this instance it seems that the router's primary role is that of a firewall. In such cases:

A) Place a deny (drop) rule in the forward chain - no qualifications - it is intended to drop all forwarded traffic.
B) Above the rule created in A) place a permit (accept) rule for each forwarded path that you want to permit.

If the primary role is that of a firewall it is *not* a good idea to add lots of specific deny/drop rules - save that for when the primary role is that of a router and you just want to block a few paths.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!
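As an added illustration (not code from anyone in this thread), the script below is a small first-match model of a RouterOS forward chain. It walks two constructed flows through a simplified copy of jprasad's posted chain (with the drop rule still disabled, as posted, and pointing at unifi_internet) and through the default-deny layout CelticComms describes, so you can see which rule each flow hits. The interface names and subnets are the ones from the config above; the flows and host addresses are made up for the test.

```python
import ipaddress

def _in(addr, net):  # a rule with no src constraint matches any address
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def match(rule, flow):
    # Every property the rule specifies must match; out_iface "!X" means "not X".
    if rule.get("disabled"):
        return False
    out = rule.get("out_iface")
    if out is not None and out.startswith("!") == (flow["out_iface"] == out.lstrip("!")):
        return False
    for key in ("proto", "dst_port", "state"):
        if key in rule and rule[key] != flow.get(key):
            return False
    return _in(flow["src"], rule.get("src"))

def evaluate(chain, flow):
    # First match decides; a RouterOS chain with no final rule accepts the rest.
    for rule in chain:
        if match(rule, flow):
            return rule["action"]
    return "accept"

def enabled(chain):  # same chain with every disabled rule switched on
    return [{**rule, "disabled": False} for rule in chain]

# jprasad's forward chain in posted order (duplicates and extra port accepts omitted).
POSTED = [
    {"state": "established", "action": "accept"},
    {"state": "related", "action": "accept"},
    {"src": "192.168.0.117/32", "action": "accept"},
    {"src": "192.168.0.0/24", "proto": "tcp", "dst_port": 443, "action": "accept"},
    {"out_iface": "!unifi_internet", "action": "drop", "disabled": True},
    {"src": "192.168.0.0/24", "action": "drop"},
    {"src": "192.168.1.0/24", "action": "drop"},
]
# CelticComms' layout: one accept per permitted path, then an unqualified drop.
DEFAULT_DENY = [
    {"state": "established", "action": "accept"},
    {"state": "related", "action": "accept"},
    {"src": "192.168.0.0/24", "out_iface": "unifi_internet", "proto": "tcp", "dst_port": 443, "action": "accept"},
    {"src": "192.168.1.0/24", "out_iface": "unifi_internet", "action": "accept"},
    {"src": "192.168.88.0/24", "out_iface": "unifi_internet", "action": "accept"},
    {"action": "drop"},
]
# Constructed flows: an office host pinging the life network, a student's HTTPS to the WAN.
OFFICE_PING_LIFE = {"src": "192.168.88.10", "dst": "192.168.0.20", "proto": "icmp", "state": "new", "out_iface": "bridge-life"}
STUDENT_HTTPS = {"src": "192.168.0.150", "dst": "203.0.113.5", "proto": "tcp", "dst_port": 443, "state": "new", "out_iface": "unifi_internet"}
```

With the posted chain the office ping is accepted by the implicit default because no rule from 192.168.88.0/24 exists and the only catch-all is disabled; enabling that rule, or switching to the default-deny layout, drops it while the student's HTTPS to the WAN still passes.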

 
jprasad
just joined
Topic Author
Posts: 19
Joined: Sun Apr 27, 2014 10:12 pm

Re: RB2011 different subnets are pingable

Fri Aug 15, 2014 12:04 pm

Hi

Thank you for all the advice. I actually just started again with Rudios' advice and everything works now.
Thanks again
