axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Block gateway access from connected wifi clients,

Thu Jul 29, 2021 6:46 am

I followed a guide to restrict access to the main gateway IP address (192.168.1.1) from the connected Wi-Fi clients (192.168.88.x).
I was able to make client isolation work, but I can't figure out why I can't block access to the main gateway login page.

Here are some screenshots.

https://i.imgur.com/S3NjH27.png

https://i.imgur.com/gCyR4Yj.png

https://i.imgur.com/3bcamth.png

Thanks for any tips.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block gateway access from connected wifi clients,

Thu Jul 29, 2021 11:23 am

It is ambiguous whether your router has 192.168.1.1 as its address, or your router has 192.168.1.x and another gateway has 192.168.1.1 as its IP.

In the 2nd case the clients do not communicate directly with 192.168.1.1 but are NATted by the router, and the source IP address is not the client address but the router address (192.168.1.x?)...

or

If 192.168.1.1 is the IP of the RouterBoard,
remove everything done in the pictures, it is useless,
and set in /ip service, on the various services, which IPs are ALLOWED.

Remember the golden rule: DROP ALL, then permit what is wanted; do NOT PERMIT ALL and then block the unwanted later.
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: Block gateway access from connected wifi clients,

Thu Jul 29, 2021 7:17 pm

Thank you rextended

OK, here is a visual clarification to better understand what I am trying to achieve:

Image

So I am trying to block ANY communication between the Wi-Fi network for the guests and the local LAN workstations, server, router, etc.
The settings I showed in the OP are not blocking the Wi-Fi clients from accessing the Netgear login page, for example (192.168.1.1).
I followed the video guides on YouTube, but I find myself unlucky with the results; please bear in mind I am trying to learn how to set up MikroTiks, I'm not an expert.
Thank you
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block gateway access from connected wifi clients,

Thu Jul 29, 2021 7:32 pm

In IP > Firewall > Raw add a prerouting rule: src-address=192.168.88.0/24, dst-address=192.168.1.1, protocol=tcp, dst-port=20,21,22,23,80,443, and for action select drop.
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: Block gateway access from connected wifi clients,

Thu Jul 29, 2021 9:28 pm

In IP > Firewall > Raw add a prerouting rule: src-address=192.168.88.0/24, dst-address=192.168.1.1, protocol=tcp, dst-port=20,21,22,23,80,443, and for action select drop.
Thank you!!!
That works.

Now I am trying to understand what the difference is between adding this rule in the RAW section vs. the Filter Rules, as was shown in those tutorial guides.

Also, I see this just blocks the specified port numbers, but an attacker can still scan the network for any other open ports?
Ideally I want to block absolutely any form of possible interaction from the Wi-Fi guest network to the internal LAN.
 
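
The following is an added example, not a configuration posted by anyone in this thread: one RouterOS firewall layout that covers the whole ask above (every protocol and port from the guest subnet to the internal LAN, plus the AP's own management ports), rather than only the six TCP ports in the RAW rule. The interface names (guest-bridge, ether1), the address lists, and the assumption that the internal LAN is 192.168.1.0/24 with the Netgear at 192.168.1.1 are assumptions; adjust them to the real setup. The filter forward chain runs before src-nat in the RouterOS packet flow, so the 192.168.88.x source address is still visible there; the RAW rule is kept as a cheap first line of defence because it runs in prerouting before connection tracking.

```routeros
# Added example (assumed names/subnets): guest Wi-Fi lives on bridge
# "guest-bridge" as 192.168.88.0/24; the upstream LAN (Netgear at
# 192.168.1.1) is reached through ether1.
/ip firewall address-list
add list=lan-private address=192.168.1.0/24 comment="upstream LAN incl. Netgear 192.168.1.1"
add list=guest-net address=192.168.88.0/24 comment="guest Wi-Fi clients"

# 1) RAW, prerouting: drop guest -> LAN for every protocol, before conntrack.
#    Generalises the thread's rule (tcp ports 20-23,80,443 only) to all traffic.
/ip firewall raw
add chain=prerouting action=drop src-address-list=guest-net dst-address-list=lan-private \
    comment="guest -> LAN/Netgear: drop all protocols"

# 2) INPUT: protect the AP itself. Guests get DHCP and DNS from the AP, nothing else
#    (no WinBox, SSH, WWW, ping of the AP's guest-side address).
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=guest-bridge protocol=udp dst-port=67,53 \
    comment="guest: DHCP and DNS to the AP only"
add chain=input action=drop in-interface=guest-bridge comment="guest: nothing else to the AP"

# 3) FORWARD: default-deny for guests. Filter sees the original 192.168.88.x source
#    (src-nat happens later in postrouting), so the match below is reliable even
#    if the RAW rule above is removed.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop src-address-list=guest-net dst-address-list=lan-private \
    comment="guest -> LAN/Netgear: drop (belt and braces)"
add chain=forward action=accept src-address-list=guest-net out-interface=ether1 \
    connection-state=new comment="guest -> Internet only"
add chain=forward action=drop src-address-list=guest-net comment="guest: drop everything else"
```

Order matters: RouterOS evaluates rules top to bottom per chain, so the established/related accepts go first and the catch-all drops last. Verify from a guest client that both a TCP connect to 192.168.1.1:80 and an ICMP ping to 192.168.1.1 fail, while a connection to an Internet host succeeds; a port scan from the guest subnet should then show no open ports on any 192.168.1.x host.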
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Block gateway access from connected wifi clients,

Thu Jul 29, 2021 9:55 pm

Now I am trying to understand what the difference is between adding this rule in the RAW section vs. the Filter Rules, as was shown in those tutorial guides.
Your answer is here : https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Raw
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block gateway access from connected wifi clients,

Fri Jul 30, 2021 9:24 pm

Wait rextended, was that the raw chain or the INPUT chain that blocked one subnet's set of users from accessing the gateways of another subnet (clearly device to device is blocked via the forward chain)?

I thought this was the solution, but perhaps I remembered wrong???
Even if one blocks LAN subnets from each other in firewall filter rules, the router's subnet gateways are still accessible for pinging etc. Why is beyond me, but I guess such interfaces are visible. However, if blocked, one cannot physically reach any of the IP devices from other subnets via the gateway, but can only touch the gateway, which I believe is your problem.
Apparently to block that kind of access just use the input chain.

/interface list
add name=trusted
/interface list member
add interface=subnetAhome list=trusted
add interface=subnetBhome list=trusted
add interface=subnetChome list=trusted

/ip firewall filter
add chain=input action=drop in-interface=guestsubnet out-interface-list=trusted
(should stop guests from accessing the gateway)
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Block gateway access from connected wifi clients,

Fri Jul 30, 2021 10:11 pm

@anav what is your point here?
Using RAW firewall will work as well...
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block gateway access from connected wifi clients,

Fri Jul 30, 2021 10:16 pm

Understood. I seem to remember it being done via the input chain instead of the raw chain, and I am simply asking the question: will it also work in the input chain as stated?
I stay away from raw when I can because it is more dangerous for novice users to muck about in the raw chain.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block gateway access from connected wifi clients,

Sat Jul 31, 2021 7:24 pm

@anav, it has the same dangerousness as when you, by mistake, activate a drop-all at the top of the firewall, or by mistake disable the accept before the drop-all...
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block gateway access from connected wifi clients,

Sat Jul 31, 2021 10:53 pm

You got me with that phrasing, I feel like a pretzel LOL.
Just saying that using raw rules can have unintended consequences if one is not 100% sure of the effects.
The input chain is a little harder to screw up.

Still, I haven't had my question answered: would the input chain option actually work?
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block gateway access from connected wifi clients,

Sun Aug 01, 2021 2:16 am

OK, I'll try to remember:
the solution is in raw because when the packets go through filter they are already NATted by the AP,
they are no longer from 192.168.88.x but from the IP of the AP, and in forward 192.168.88.x -> 192.168.1.1 can't be blocked...
But this topic is not clear from the start; please ask a more precise question or I'm lost....
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block gateway access from connected wifi clients,

Sun Aug 01, 2021 10:00 pm

Easy.

OP has two subnets behind his router.
OP wants to block traffic between subnets (use the forward chain to block traffic between subnets).
Options:
2 rules: block from A to B and block from B to A
1 rule: drop all else at the end of the forward chain.

Problem: neither addresses the OP's concern; he doesn't want subnet B users to be able to ping or reach subnet A's gateway address.
Because the router knows all the interfaces that exist behind it, it connects users to any gateway entered despite a block-all forward chain rule, because...... it's not a forward issue.

Gateways are router interfaces and thus part of the router.
How do we block access to the router? INPUT CHAIN.
Thus my thinking was that we put in an explicit blocking rule:

/ip firewall filter
add chain=input action=drop src-address=subnetB dst-address=subnetA

or, if a group of subnets:

/ip firewall filter
add chain=input action=drop src-address-list=group-of-subnets dst-address=subnetA

In this manner, the gateway itself for subnet A would not be pingable or reachable by other subnets????
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Block gateway access from connected wifi clients,

Mon Aug 02, 2021 3:03 am

@anav, as @rextended replied earlier, the packets coming from the AP are src-nated upon leaving the WAN interface of the AP, thus they will appear as coming from 192.168.1.x/24 to the Netgear.

Also, you can't use the Input chain on the AP, since you are not targeting an IP configured on any of the AP's interfaces, so you can't block anyone from 192.168.88.0/24 from pinging 192.168.1.1/24 that way...

However, you could use the Forward chain on the AP to block ICMP packets towards the 192.168.1.1/24 router... I don't know why @rextended said you can't use the forward chain...
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block gateway access from connected wifi clients,

Mon Aug 02, 2021 3:48 am

Clearly I missed something about how they are all connected; I will look again tomorrow.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block gateway access from connected wifi clients,

Mon Aug 02, 2021 10:30 am

I don't know why @rextended said you can't use the forward chain...
Because, as I wrote before, this topic is not clear to me from the beginning;
I have a hard time rereading everything from the beginning without getting confused...
