E6440
just joined
Topic Author
Posts: 17
Joined: Thu Aug 10, 2023 11:21 pm

Isolating a LAN on a specific port

Thu Nov 02, 2023 4:18 am

My firewall/router has 3 LANs on 3 separate ports (ether2 = 10.10.10.0/24, ether3 = 172.16.20.0/24, and ether4 = 172.16.20.0/24) and the WAN on ether1. I am not using a bridge on any of the ports, yet I can ping/SSH every device from any LAN to any LAN. I would like to isolate the LAN on port ether4 so that devices on that LAN can’t communicate with each other, nor SSH/ping out to the other 2 LANs on ports ether2 and ether3. On the other hand, I would like to be able to SSH/ping from the LANs on ports ether2 and ether3 to ether4 to manage devices on that LAN. Below is an export of my configuration.
What firewall rule do I need to add/change/reorder in order to make that happen?
Thank you!
# 2023-11-02 00:52:09 by RouterOS 7.10.2
# software id = #########
#
/interface ethernet
set [ find default-name=ether5 ] comment="10G SFP+ RJ45 WAN Port" \
    disable-running-check=no name=ether1
set [ find default-name=ether1 ] comment="10G SFP+ DAC HOUSE LAN port" \
    disable-running-check=no name=ether2
set [ find default-name=ether4 ] comment="Onboard 1G MGMT/DEV LAN port" \
    disable-running-check=no name=ether3
set [ find default-name=ether2 ] comment="10G SFP+ SR PROD LAN" \
    disable-running-check=no name=ether4
set [ find default-name=ether3 ] comment="10G SFP+ port" \
    disable-running-check=no name=ether5
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    #######
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/disk
set slot1 slot=slot1 type=hardware
set slot2 slot=slot2 type=hardware
set slot3 slot=slot3 type=hardware
set slot4 slot=slot4 type=hardware
set slot5 slot=slot5 type=hardware
set slot6 slot=slot6 type=hardware
set slot7 slot=slot7 type=hardware
set usb1 type=hardware
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment=HOUSE name=dhcp_pool_ether2 ranges=10.10.10.50-10.10.10.199
add comment=MGMT/DEV name=dhcp_pool_ether4 ranges=\
    192.168.20.50-192.168.20.199
add comment=PROD name=dhcp_pool_ether3 ranges=172.16.100.50-172.16.100.199
/ip dhcp-server
add address-pool=dhcp_pool_ether2 comment="HOME LAN" interface=ether2 name=\
    dhcp-ether2
add address-pool=dhcp_pool_ether4 comment="PROD LAN" interface=ether4 name=\
    dhcp-ether4
add address-pool=dhcp_pool_ether3 comment="MGMT/DEV LAN" interface=ether3 \
    name=dhcp-ether3
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=pppoe-out1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
/interface wireguard peers
add allowed-address=10.10.20.3/32 interface=wireguard1 public-key=\
    "############################################"
/ip address
add address=10.10.10.1/24 comment="HOME LAN" interface=ether2 network=\
    10.10.10.0
add address=10.10.20.1/24 comment="WIREGUARD VPN" disabled=yes interface=\
    wireguard1 network=10.10.20.0
add address=192.168.20.1/24 comment="PROD LAN" interface=ether4 network=\
    192.168.20.0
add address=172.16.100.1/24 comment="MGMT/DEV LAN" interface=ether3 network=\
    172.16.100.0
/ip dhcp-server lease
/ip dhcp-server network
add address=10.10.10.0/24 comment="HOUSE DHCP Range" dns-server=\
    10.10.10.1,8.8.8.8 gateway=10.10.10.1 netmask=24
add address=172.16.100.0/24 comment="MGMT/DEV DHCP Range" dns-server=\
    172.16.100.1,8.8.8.8 gateway=172.16.100.1 netmask=24
add address=192.168.20.0/24 comment="PROD DHCP Range" dns-server=\
    192.168.20.1,8.8.8.8 gateway=192.168.20.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.10.10.1,172.16.100.1,192.168.20.1
/ip firewall address-list
add address=10.10.10.2-10.10.10.254 comment="Allow Home LAN" list=\
    allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=172.16.100.2-172.16.100.254 list=allowed_to_router
add address=192.168.20.2-192.168.20.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input comment="default configuration" \
    connection-state=established,related disabled=yes
add action=accept chain=input comment="ALLOW to router IPs from address list" \
    src-address-list=allowed_to_router
add action=accept chain=input comment="Enable ICMP access" protocol=icmp
add action=accept chain=input comment="Wireguard VPN" disabled=yes dst-port=\
    13231 log=yes log-prefix=WIREGUARD protocol=udp
add action=drop chain=input comment="Drop everything else, log=yes" log=yes
add action=fasttrack-connection chain=forward comment=\
    "FastTrack for established, related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="ACCEPT Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment=\
    "DROP invalid connection and log them with prefix \"invalid\"" \
    connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="DROP incoming packets that are not NAT`\
    ted (DROP access to clients behind NAT from WAN)" connection-nat-state=\
    !dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade out-interface-list=WAN
add action=dst-nat chain=dstnat comment=\
    "Forwarding Plex port 32450 to 10.10.10.16 port 32400" dst-port=32450 \
    in-interface=pppoe-out1 log=yes protocol=tcp to-addresses=10.10.10.16 \
    to-ports=32400
add action=dst-nat chain=dstnat comment="range01 TCP ports 11000-11999" \
    dst-port=11000-11999 in-interface=pppoe-out1 port="" protocol=tcp \
    to-addresses=192.168.20.101 to-ports=11000-11999
add action=dst-nat chain=dstnat comment="range01 UDP ports 11000-11999" \
    dst-port=11000-11999 in-interface=pppoe-out1 protocol=udp to-addresses=\
    192.168.20.101 to-ports=11000-11999
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ca.pool.ntp.org
add address=time.nrc.ca
/system scheduler
add comment="Update Dynu DDNS" interval=5m name=ddns_sheduller on-event=\
    "/system script run Dynu\r\
    \n" policy=read,write,test start-time=startup
/system script
add dont-require-permissions=yes name=Dynu owner=###### policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system script\r\
    \nadd name=Dynu\r\
    \npolicy=read,write,test\r\
    \n:global ddnsuser \"######\"\r\
    \n:global ddnspass \"################\"\r\
    \n:global theinterface \"ether1\"\r\
    \n:global ddnshost \"#################\"\r\
    \n:global ipddns [:resolve \$ddnshost];\r\
    \n:global ipfresh [ /ip address get [/ip address find interface=\$theinter\
    face ] address ]\r\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\r\
    \n:log info (\"DynuDDNS: No IP address on \$theinterface .\")\r\
    \n} else={\r\
    \n:for i from=( [:len \$ipfresh] - 1) to=0 do={\r\
    \n:if ( [:pick \$ipfresh \$i] = \"/\") do={\r\
    \n:set ipfresh [:pick \$ipfresh 0 \$i];\r\
    \n}\r\
    \n}\r\
    \n:if (\$ipddns != \$ipfresh) do={\r\
    \n:log info (\"DynuDDNS: IP-Dynu = \$ipddns\")\r\
    \n:log info (\"DynuDDNS: IP-Fresh = \$ipfresh\")\r\
    \n:log info \"DynuDDNS: Update IP needed, Sending UPDATE...!\"\r\
    \n:global str \"/nic/update\?hostname=\$ddnshost&myip=\$ipfresh\"\r\
    \n/tool fetch address=api.dynu.com src-path=\$str mode=http user=\$ddnsuse\
    r password=\$ddnspass dst-path=(\"/Dynu.\".\$ddnshost)\r\
    \n:delay 1\r\
    \n:global str [/file find name=\"Dynu.\$ddnshost\"];\r\
    \n/file remove \$str\r\
    \n:global ipddns \$ipfresh\r\
    \n:log info \"DynuDDNS: IP updated to \$ipfresh!\"\r\
    \n} else={\r\
    \n:log info \"DynuDDNS: dont need changes\";\r\
    \n} }"
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

mkx
Forum Guru
Posts: 13720
Joined: Thu Mar 03, 2016 10:23 pm

Re: Isolating a LAN on a specific port

Thu Nov 02, 2023 10:19 am

The firewall you're currently using only drops unwanted connections coming in via ether1 (the penultimate rule) in a selective way - it doesn't affect DSTNAT-ed connections. The last rule drops a few more connections (which are not dropped by the previous rule).

But: your firewall doesn't have any rule which would affect connections coming in via any other interface. You can add new rules as per your requirements at the end of the current rule list. Just keep in mind that rules are evaluated in order from top to bottom, the first rule matching executes (and evaluation stops). And the packets "surviving" all rules are accepted (as if there was an implicit accept rule at the end of the rule list).

anav
Forum Guru
Posts: 23580
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Isolating a LAN on a specific port

Thu Nov 02, 2023 12:15 pm

Suggest you learn what the firewall rules you are using actually do......... blind use of rules is never recommended and it takes time to learn RoS..........
viewtopic.php?t=180838
 
E6440
just joined
Topic Author
Posts: 17
Joined: Thu Aug 10, 2023 11:21 pm

Re: Isolating a LAN on a specific port

Sat Nov 04, 2023 6:17 am

@mkx @anav I wish to thank you both for your assistance. In case a noob like me reads this post in the future, the solution is

* Forward chain
* From interface
* To subnet or interface
* Action drop
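The four-point solution above, together with mkx's note on top-to-bottom evaluation and the implicit accept, written out as RouterOS commands against the interface names in the first post's export. This is an added example, not the poster's own configuration; the comments and the log-prefix text are my own choices.

```routeros
# Added example (not from the thread): forward-chain rules that implement
# what the first post asked for, using the interface names from the export.
/ip firewall filter

# The existing "ACCEPT Established, Related" forward rule must stay above
# these: it is what lets replies flow back to SSH/ping sessions that were
# started from ether2 or ether3 towards ether4 (management direction).

# Hosts on ether4 may not START connections towards the HOME LAN (ether2)
# or the MGMT/DEV LAN (ether3). Appended at the end of the chain, as mkx
# suggested; a new connection from ether4 that matches neither rule still
# falls through to the implicit accept at the end of the chain.
# (dst-address=172.16.100.0/24 instead of out-interface=ether3 would be
# the "to subnet" form of the same rule.)
add chain=forward action=drop comment="ISOLATE ether4 -> ether2" \
    connection-state=new in-interface=ether4 out-interface=ether2 \
    log=yes log-prefix=ether4-isolate
add chain=forward action=drop comment="ISOLATE ether4 -> ether3" \
    connection-state=new in-interface=ether4 out-interface=ether3 \
    log=yes log-prefix=ether4-isolate

# Check the resulting order: the two drops should be the last forward
# rules, below the established,related accept.
/ip firewall filter print where chain=forward

# After a test ping/SSH from an ether4 host, the matches show up here:
/log print where message~"ether4-isolate"
```

Hosts on ether4 share one Layer 2 segment behind that single port, so traffic between two 192.168.20.0/24 hosts never passes through the router and these rules cannot block it; that part of the request has to be done on the switch the hosts are plugged into.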
 
E6440
just joined
Topic Author
Posts: 17
Joined: Thu Aug 10, 2023 11:21 pm

Re: Isolating a LAN on a specific port

Sat Nov 04, 2023 6:27 am

I have a follow-up question related to the logs. While testing the new firewall rule, I reviewed the logs and noticed constant entries with the following pattern:
input: in:(unknown 1) out:(unknown 0), connection-state:new proto UDP
This doesn't seem right so which firewall rule should be fixed?

mkx
Forum Guru
Posts: 13720
Joined: Thu Mar 03, 2016 10:23 pm

Re: Isolating a LAN on a specific port

Sat Nov 04, 2023 1:08 pm

All of the rules where you have log=yes are suspects. It's not clear why neither input nor output interfaces are known, but if you find the exact rule logging these events it might be possible to find an explanation.
nohup
newbie
Posts: 25
Joined: Fri Nov 03, 2023 1:52 am

Re: Isolating a LAN on a specific port

Sat Nov 04, 2023 7:47 pm

I'm in a kinda similar situation, 2 subnets A and B where A can see B but B can't see A.
I've got the same "unknowns" in the logs, and I've found that the only firewall rule with log enabled was one from the default router configuration: Drop all not coming from LAN.
Chain: input, in. interface list: !LAN, action: drop
Does this mean that they're packets coming from services trying to reach in our network? Google trying to profile my chromesticks or similar stuff?
Tried to whois a bunch of these IPs from the "unknown" log entries and that's where they come from :O Now I feel happy to have a router with a built-in firewall able to drop that traffic.

inetnum: 103.178.228.0 - 103.178.229.255
netname: VIETNHAT-VN
descr: Viet Nhat Industrial Service and Trading Company Limited
descr: 36 Hoang Cau Street, O Cho Dua Ward, Dong Da District, Hanoi

inetnum: 114.224.0.0 - 114.239.255.255
netname: CHINANET-JS
descr: Chinanet Jiangsu Province Network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032

inetnum: 45.67.34.0 - 45.67.34.255
org: ORG-SISL18-RIPE
netname: STARK-INDUSTRIES
country: RO
geofeed: https://stark-industries.solutions/geofeed.csv

Bonus info: since I've got a NAS (with Jellyfin server) on the "main" subnet and the wireless on a secondary subnet where also Chromecasts and Fire Sticks are on, I added a firewall rule to only allow the Jellyfin port to be reached from the wireless LAN. This way these sticks can still stream from Jellyfin but nothing more than that. Reading this post I've decided to log the rule that drops all the traffic from the wifi subnet to the main which isn't on the Jellyfin port, and surprise, my Fire Stick is continuously trying to reach my NAS on other ports but fails. I'm loving this router more and more.
 
ReynoldFrami
just joined
Posts: 1
Joined: Fri Oct 27, 2023 12:38 pm

Re: Isolating a LAN on a specific port

Thu Nov 09, 2023 9:11 am

I'm in a kinda similar situation, 2 subnets A and B where A can see B but B can't see A.

<snip>...</snip>
Thanks for the info, I will try and I hope it works for me. If I still face any issue, I will ask by starting my own thread for better conversation.
Last edited by holvoetn on Thu Nov 09, 2023 11:51 am, edited 1 time in total.
Reason: made quote A LOT smaller ... not needed to quote all.