Ziter
just joined
Topic Author
Posts: 7
Joined: Tue Jul 25, 2023 12:28 am

2 MIKROTIKs and 2 isolated LANs

Fri Mar 01, 2024 11:35 pm

Hello,

I want LAN B to have no access to LAN A.
Of course, LAN B should have access to the Internet.

Is the rule below sufficient?
ip firewall filter add chain=forward src-address=192.168.77.0/24 dst-address=192.168.88.0/24 action=drop

Thank you in advance.
Last edited by Ziter on Sat Mar 02, 2024 9:47 am, edited 1 time in total.
 
k6ccc
Forum Guru
Posts: 1500
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: 2 MIKROTIKs and 2 isolated LANs

Sat Mar 02, 2024 2:56 am

Did you really mean that LAN B should have no access to LAN B? Did you really mean no access B to A?
If I understand what you are trying to do, it is possible, but without your configurations, we would be guessing. Please post both configurations.
To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window,
and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section
and right click on the filename you created and select download in order to download the file to your computer.
It will be a text file with whatever name you saved to with an extension of .rsc. Open that file in your favorite
text editor and redact any sensitive information if desired / needed. Then in your message here, click the code
display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks
like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
 
Amm0
Forum Guru
Posts: 3505
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: 2 MIKROTIKs and 2 isolated LANs

Sat Mar 02, 2024 4:47 am

While the rule shown, if on Mikrotik B, is mostly right, it is likely not the whole story, however, which is why the config would help.

The related questions are:
- should "Mikrotik A" LAN (192.168.88.0/24) be able to connect to "Mikrotik B" LAN (192.168.77.0/24)?
- should LAN clients on 192.168.77.0/24 be able to use winbox/ssh/webfig on the router(s)? – for that you may need a chain=input rule to deny 192.168.77.0/24 clients access to the router itself (e.g. if a packet's dst-address=192.168.77.1, that is "input", not "forward", in the firewall and has to be covered separately from a drop forward rule)
 
Ziter
just joined
Topic Author
Posts: 7
Joined: Tue Jul 25, 2023 12:28 am

Re: 2 MIKROTIKs and 2 isolated LANs

Sat Mar 02, 2024 10:22 am

> Did you really mean that LAN B should have no access to LAN B? Did you really mean no access B to A?
> If I understand what you are trying to do, it is possible, but without your configurations, we would be guessing. Please post both configurations.
> To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window,
> and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". ...

Yes, I made a mistake in my question. I've already corrected it.
As you assumed, the point is that computers from network B do not have access to network A. Of course, network B is to have access to the Internet.
I don't have this configuration implemented yet, so I can't show configs; I am doing some research before implementing it.

> While the rule shown, if on Mikrotik B, is mostly right, it is likely not the whole story, however, which is why the config would help.
>
> The related questions are:
> - should "Mikrotik A" LAN (192.168.88.0/24) be able to connect to "Mikrotik B" LAN (192.168.77.0/24)?
> - should LAN clients on 192.168.77.0/24 be able to use winbox/ssh/webfig on the router(s)? – for that you may need a chain=input rule to deny 192.168.77.0/24 clients access to the router itself (e.g. if a packet's dst-address=192.168.77.1, that is "input", not "forward", in the firewall and has to be covered separately from a drop forward rule)

The clients from LAN A (192.168.88.0/24) do not necessarily have access to network B (192.168.77.0/24). This means that both networks will not have access to each other.
Then the following rule will probably be enough.

ip firewall filter add chain=forward src-address=192.168.88.0/24 dst-address=192.168.77.0/24 action=drop
And the previous one:
ip firewall filter add chain=forward src-address=192.168.77.0/24 dst-address=192.168.88.0/24 action=drop

The clients of LAN B should have access to the routers from network A (192.168.88.1 & 192.168.88.100) through, e.g., Winbox, and this will enable me to carry out diagnostics - then I will be able to connect to LAN B and log in to the router. I think I don't have to do anything to achieve this? Am I right?
 
mkx
Forum Guru
Posts: 11645
Joined: Thu Mar 03, 2016 10:23 pm

Re: 2 MIKROTIKs and 2 isolated LANs

Sat Mar 02, 2024 7:24 pm

> The clients of LAN B should have access to the routers from network A (192.168.88.1 & 192.168.88.100) through, e.g., Winbox, and this will enable me to carry out diagnostics - then I will be able to connect to LAN B and log in to the router. I think I don't have to do anything to achieve this? Am I right?

The second rule (also posted in the opening post) will block all access from network B to all network A addresses, which includes the routers' addresses. So no management access from network B unless you explicitly allow it (allow rules, placed above the posted deny rule).
Router B will be accessible from network B (for management access) because connections targeting its own IP addresses (any of them, regardless of ingress interface / address "mismatch") will be handled by the firewall in chain=input.

This still allows packets to pass the routers on the way further (towards the internet). The reason is that firewall filter rules check e.g. the destination address of a packet; they don't care about routing rules and L2 topology. And internet-bound IP packets carry no information about the next gateway IP address to be used (unless source-based routing is in use, but this has largely been banned for a while now).
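As an added illustration (not code from the thread or from RouterOS itself) of the point Amm0 and mkx make about chain=input versus chain=forward and about rule order, here is a small Python model of router B's filter: a packet addressed to one of the router's own IPs is sorted into "input", everything else into "forward", and within a chain the first matching rule wins. The accept rules for 192.168.88.1 and 192.168.88.100, the router B address 192.168.77.1 and the internet address 203.0.113.5 are assumptions constructed for the example.

```python
import ipaddress

# Constructed: router B's own LAN-side address; a packet to it is "input", not "forward".
ROUTER_B_OWN = {"192.168.77.1"}

# Filter rules in the order they would sit in /ip firewall filter on router B.
# Each entry: (chain, src-address, dst-address, action); None means "any".
RULES = [
    # Assumed accept rules placed ABOVE the drop so LAN B can still reach the
    # LAN A routers (192.168.88.1 and 192.168.88.100) for diagnostics.
    ("forward", "192.168.77.0/24", "192.168.88.1", "accept"),
    ("forward", "192.168.77.0/24", "192.168.88.100", "accept"),
    # The two drop rules posted in the thread.
    ("forward", "192.168.77.0/24", "192.168.88.0/24", "drop"),
    ("forward", "192.168.88.0/24", "192.168.77.0/24", "drop"),
]


def chain_for(dst):
    """Packets addressed to one of the router's own IPs hit chain=input."""
    return "input" if dst in ROUTER_B_OWN else "forward"


def matches(addr, spec):
    """None matches anything; otherwise test membership in the prefix (a bare host is a /32)."""
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def verdict(src, dst, rules=RULES):
    """Return (chain, action): the first matching rule in the packet's chain wins;
    with no match the chain's default policy (accept) applies."""
    chain = chain_for(dst)
    for r_chain, r_src, r_dst, action in rules:
        if r_chain == chain and matches(src, r_src) and matches(dst, r_dst):
            return chain, action
    return chain, "accept"


if __name__ == "__main__":
    for src, dst in [("192.168.77.10", "192.168.88.50"),   # LAN B host -> LAN A host
                     ("192.168.77.10", "192.168.88.1"),    # LAN B host -> LAN A router
                     ("192.168.77.10", "192.168.77.1"),    # LAN B host -> router B itself
                     ("192.168.77.10", "203.0.113.5"),     # LAN B host -> internet (constructed)
                     ("192.168.88.20", "192.168.77.30")]:  # LAN A host -> LAN B host
        print(src, "->", dst, verdict(src, dst))
```

The model ignores connection tracking and NAT, so it only shows which chain a rule has to live in and why the accept rules must sit above the drop.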
 
Ziter
just joined
Topic Author
Posts: 7
Joined: Tue Jul 25, 2023 12:28 am

Re: 2 MIKROTIKs and 2 isolated LANs

Sat Mar 02, 2024 9:35 pm

> The clients of LAN B should have access to the routers from network A (192.168.88.1 & 192.168.88.100) through, e.g., Winbox, and this will enable me to carry out diagnostics - then I will be able to connect to LAN B and log in to the router. I think I don't have to do anything to achieve this? Am I right?
>
> The second rule (also posted in the opening post) will block all access from network B to all network A addresses, which includes the routers' addresses. So no management access from network B unless you explicitly allow it (allow rules, placed above the posted deny rule).
> Router B will be accessible from network B (for management access) because connections targeting its own IP addresses (any of them, regardless of ingress interface / address "mismatch") will be handled by the firewall in chain=input.
>
> This still allows packets to pass the routers on the way further (towards the internet). The reason is that firewall filter rules check e.g. the destination address of a packet; they don't care about routing rules and L2 topology. And internet-bound IP packets carry no information about the next gateway IP address to be used (unless source-based routing is in use, but this has largely been banned for a while now).

Should I understand that the following rule will block clients of LAN B from accessing LAN A, but when I am a client of LAN B I will have access to router B? Am I right?

ip firewall filter add chain=forward src-address=192.168.77.0/24 dst-address=192.168.88.0/24 action=drop
