RyanSHD
just joined
Topic Author
Posts: 2
Joined: Sun May 22, 2022 6:02 pm

DHCP Group No Wan Access

Sun May 22, 2022 6:14 pm

Hello All,

I am new to MikroTik routers and RouterOS, but I am looking for a configurable solution to manage WAN access on the DHCP server. I have configured a firewall rule to reject outputs from the local LAN by creating an IP group 10.1.10.60-10.1.10.254. I then set my DHCP server range to 10.1.10.60-10.1.10.254; this way anything that is on the DHCP server doesn't have access to the internet.

I then assign static IP addresses to the devices that I want to have internet in between the range of 10.1.10.2-10.1.10.59.

The issue that I am having is that anything with a static IP address doesn't seem to be able to talk to WAN or the router. I have done nothing to the router except these changes from the basic setup.

Ultimately I want to limit WAN access to specific IP addresses that I can assign. Everything else on DHCP should have LAN access but no WAN access. If there is a better way to do this I am all ears, or any help setting up this configuration would be very helpful.

Thank you for your time.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DHCP Group No Wan Access

Sun May 22, 2022 8:33 pm

Good, it's best not to start explaining an attempt at a config, it just makes it all confusing.
Stating the requirements more clearly, as you did at the bottom of the post, is the way to go.
As is a network diagram if complex, and posting one's config: /export hide-sensitive file=anynameyouwish.

Assuming you only have one WAN, then the requirement boils down to efficient use of firewall rules
and then maintaining a list of IPs that need access to the internet.

This is a very doable request.
If you maintain a firewall address list of these IPs, then suggesting you use such an address list in the forward chain!
Basically the below are the default firewall rules slightly modified.
The first key rule is the allow rule for lan to wan ONLY IF the IP is on the source address list called authorized.
The second key rule is the drop all else rule as the last rule. This basically takes any other traffic wan to lan, lan to wan and lan to lan, not yet matched and drops it,
including any other lan folks trying to reach the internet.

Also suggesting don't try and get overly complex for no gain. Keep the DHCP server setup SIMPLE and don't partition anything... just one subnet.

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN src-address-list=authorized
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
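
A small model of how the forward-chain rules above are evaluated, added here as an illustration and not part of the original post. Python stands in for the router; the two addresses on the `authorized` list are constructed samples, and the `Packet` fields and the handling of `fasttrack-connection` as non-terminating are simplifying assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: hosts placed on the "authorized" address list.
AUTHORIZED = {ipaddress.ip_address("10.1.10.10"), ipaddress.ip_address("10.1.10.11")}

@dataclass
class Packet:
    src: str              # source IP address
    in_list: str          # interface list of the ingress interface: "LAN" or "WAN"
    out_list: str         # interface list of the egress interface
    state: str = "new"    # connection-state
    dstnat: bool = False  # connection-nat-state=dstnat

def on_authorized(p):
    return ipaddress.ip_address(p.src) in AUTHORIZED

# (action, matcher, label) in the same order as the rules in the post.
RULES = [
    ("fasttrack-connection", lambda p: p.state in ("established", "related"),
     "fasttrack"),
    ("accept", lambda p: p.state in ("established", "related", "untracked"),
     "accept established,related,untracked"),
    ("drop", lambda p: p.state == "invalid", "drop invalid"),
    ("accept", lambda p: p.in_list == "LAN" and p.out_list == "WAN" and on_authorized(p),
     "allow internet traffic"),
    ("accept", lambda p: p.dstnat, "allow port forwarding"),
    ("drop", lambda p: True, "drop all else"),
]

def forward_chain(pkt):
    """Return (action, label) of the first terminating rule that matches pkt."""
    for action, match, label in RULES:
        if not match(pkt):
            continue
        if action == "fasttrack-connection":
            continue  # marks the connection; this packet still reaches the next rule
        return action, label
    return "accept", "no rule matched"  # a chain accepts by default if nothing matches

if __name__ == "__main__":
    for p in (Packet("10.1.10.10", "LAN", "WAN"),      # on the list
              Packet("10.1.10.100", "LAN", "WAN"),     # DHCP client, not on the list
              Packet("203.0.113.5", "WAN", "LAN", state="established")):
        print(p.src, "->", forward_chain(p))
```

Because evaluation stops at the first accept or drop, a LAN host that is not on the list only ever reaches the final drop for new outbound connections, while replies to connections opened by listed hosts are accepted by the established/related rule.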
 
RyanSHD
just joined
Topic Author
Posts: 2
Joined: Sun May 22, 2022 6:02 pm

Re: DHCP Group No Wan Access

Sun May 22, 2022 9:25 pm

Hey Anav

Where do I create my IP list of specific allowed IP?

I see, I create a firewall address list called “Authorized”
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DHCP Group No Wan Access

Sun May 22, 2022 9:51 pm

fwlist.jpg