Community discussions

Fede2790
just joined
Topic Author
Posts: 2
Joined: Sat Mar 18, 2023 8:30 am

Block access between wan, lan and VOIP

Sat Mar 18, 2023 8:40 am

Hello, I'm new to the MikroTik world. I have a RouterOS in this configuration:
Port 1 (WAN)
Ip: 10.10.10.0/24
Gateway: 10.10.10.1 <- this is my internet access and dhcp

Port 4 (LAN) Vlan 10
Ip: 192.168.10.0/24
Gateway and dhcp: 192.168.10.1

Port 5 (VOIP) Vlan 20
Ip: 192.168.30.0/24
Gateway and dhcp: 192.168.30.1

On the firewall I have a NAT rule that masquerades all traffic.

Now if on a PC I type 10.10.10.1 in the browser, the system shows me access to my Vodafone Station. I want every subnet to be separated, and if I ping or enter some IP in the web browser, the MikroTik should block the traffic.

How can I do that?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block access between wan, lan and VOIP

Sat Mar 18, 2023 1:42 pm

It's probably due to the default firewall rules, which are pretty much safe but allow LAN-to-LAN traffic at layer 3.
To confirm, I would need to see your config to adjust the firewall:
/export file=anynameyouwish (minus router serial number or any public WAN IP information). [Since it looks like you are getting a private IP for the WAN, then just the router serial number]
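One way to get the separation the original post asks for at layer 3, as an added example rather than anything posted in the thread: a complete input/forward rule set that would replace the two forward accepts and the disabled input rules in the export below. It assumes the interface and address layout that export shows (ether1 = WAN 10.10.10.0/24 with the Vodafone Station at 10.10.10.1, ether5 = 192.168.10.0/24, ether4 = 192.168.30.0/24), keeps the WireGuard listener on UDP 13231 and the WG-uffici tunnel, and uses the interface-list and address-list names WAN, LAN and INTERNAL, which are my choices, not names from the export.

```routeros
# Added example, not from the thread. Interface roles follow the posted export:
# ether1 = WAN (10.10.10.0/24, modem at 10.10.10.1), ether5 = 192.168.10.0/24,
# ether4 = 192.168.30.0/24. List names WAN/LAN/INTERNAL are assumptions.
# Skip the two "add name=" lines if the default WAN/LAN lists already exist.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether5 list=LAN
add interface=ether4 list=LAN

# every subnet that must not talk to another one, including the modem side
/ip firewall address-list
add address=192.168.10.0/24 list=INTERNAL comment="LAN"
add address=192.168.30.0/24 list=INTERNAL comment="VOIP"
add address=10.10.10.0/24 list=INTERNAL comment="WAN-side subnet of the Vodafone Station"

/ip firewall filter
# input: what may reach the router itself
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept protocol=udp dst-port=13231 comment="WireGuard listener"
add chain=input action=accept in-interface=ether5 comment="management only from the LAN port"
add chain=input action=drop comment="everything else, including WAN and VOIP"

# forward: what may pass between interfaces
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop src-address-list=INTERNAL dst-address-list=INTERNAL \
    comment="no routing between LAN, VOIP and the modem subnet"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN and VOIP to Internet"
add chain=forward action=accept in-interface-list=LAN out-interface=WG-uffici comment="LAN to the WireGuard site"
add chain=forward action=drop comment="everything else"

# masquerade only what leaves on the WAN port, instead of the catch-all rule in the export
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
```

Order matters: RouterOS evaluates rules top to bottom, and the INTERNAL-to-INTERNAL drop sits before the LAN-to-WAN accept, so a LAN host still reaches the Internet through 10.10.10.1 as next hop (the destination address is public) but gets nothing back when it points a browser or ping at 10.10.10.1 itself or at the other subnet. Apply it from a Winbox or console session on ether5, since the input chain ends in a drop, and check which rules are matching with /ip firewall filter print stats.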
 
Fede2790
just joined
Topic Author
Posts: 2
Joined: Sat Mar 18, 2023 8:30 am

Re: Block access between wan, lan and VOIP

Mon Mar 20, 2023 4:53 pm

OK, this is my export file:
# mar/20/2023 15:49:32 by RouterOS 7.7
# software id = 22B7-6ZPW
#
# model = RB750Gr3
/interface ethernet
set [ find default-name=ether1 ] comment="WirwG VPN"
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-uffici
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
    IPSEC-to-site-B
/ip ipsec peer
add address=1.23.45.7/32/32 disabled=yes exchange-mode=ike2 name=IPSEC-site-B \
    profile=IPSEC-to-site-B
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=8h
add auth-algorithms=sha512 disabled=yes enc-algorithms=aes-256-cbc name=\
    IKEv2-Proposal pfs-group=modp2048
/ip pool
add name=dhcp_pool10 ranges=192.168.10.21-192.168.10.254
add name=dhcp_pool11 ranges=192.168.30.21-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool10 interface=ether5 name=dhcp1
add address-pool=dhcp_pool11 interface=ether4 name=dhcp2
/port
set 0 name=serial0
/interface ovpn-client
add add-default-route=yes cipher=aes256-cbc connect-to=1.23.45.7/32 disabled=\
    yes mac-address=02:E9:BF:EE:93:B6 name=ovpn-out1 profile=\
    default-encryption user=telemiliano
/interface l2tp-client
add add-default-route=yes allow=mschap2 connect-to=1.23.45.7/32 name=l2tp-out1 \
    profile=default use-ipsec=yes user=Osclil2tp
/interface vlan
add disabled=yes interface=*20 name=VLAN1 vlan-id=1
add disabled=yes interface=*20 name=VLAN20 vlan-id=20
/interface bridge port
add bridge=*20 interface=ether5
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.255.255.1/32,192.168.20.0/24,192.168.1.0/24 comment=\
    "wireguard uffici " endpoint-address=1.23.45.7/32 endpoint-port=13231 \
    interface=WG-uffici persistent-keepalive=25s public-key=\
    "zeP++mysYAGIu+9CkUbwKFKcJlPC9uiQb3NcavvrwBg="
/ip address
add address=10.10.10.254/24 interface=ether1 network=10.10.10.0
add address=10.255.255.2/30 interface=WG-uffici network=10.255.255.0
add address=192.168.10.1/24 interface=ether5 network=192.168.10.0
add address=192.168.30.1/24 interface=ether4 network=192.168.30.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
set servers=1.1.1.1,8.8.4.4,8.8.8.8
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp src-address=\
    1.23.45.7/32
add action=accept chain=forward dst-address=192.168.10.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=forward dst-address=10.10.10.0/24 src-address=\
    192.168.20.0/24
add action=drop chain=input connection-state=invalid disabled=yes log=yes
add action=accept chain=input disabled=yes protocol=icmp
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes in-interface=ether5 protocol=tcp \
    src-address=192.168.10.1 to-addresses=10.10.10.1
add action=masquerade chain=srcnat log=yes
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add disabled=yes peer=IPSEC-site-B
/ip ipsec policy
add disabled=yes dst-address=192.168.1.0/24 peer=IPSEC-site-B proposal=\
    IKEv2-Proposal src-address=192.168.10.0/24 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.1 pref-src=\
    "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.20.0/24 gateway=WG-uffici routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.1.0/24 gateway=WG-uffici routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8081
set ssh disabled=yes
set api disabled=yes
set winbox port=18291
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name="MY CLIENT"
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block access between wan, lan and VOIP

Mon Mar 20, 2023 5:07 pm

The config makes no sense to me; can you draw a diagram of your intentions?
There is no need for VLANs if you are only using two ports.
Otherwise, create one bridge, and any subnet becomes a VLAN on the bridge.
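The single-bridge layout suggested above, as an added example that is not code from the thread: ether4 and ether5 become untagged access ports on one VLAN-aware bridge, each subnet gets a VLAN interface on that bridge, and ether1 stays a plain routed WAN port outside it. It uses the VLAN numbers and port roles from the original post (ether4 = VLAN 10 with 192.168.10.0/24, ether5 = VLAN 20 with 192.168.30.0/24) and the two DHCP pools from the export; the bridge and VLAN interface names are mine. Before applying it, remove the /ip address and /ip dhcp-server entries bound directly to ether4/ether5, the disabled /interface vlan entries and the bridge port bound to *20 (the *20 in the export is a reference to an interface that no longer exists).

```routeros
# Added example, not from the thread. Port roles follow the original post:
# ether4 = LAN, VLAN 10, 192.168.10.0/24; ether5 = VOIP, VLAN 20, 192.168.30.0/24.
# Names bridge1, VLAN10 and VLAN20 are assumptions.
/interface bridge
add name=bridge1 vlan-filtering=no comment="filtering is switched on at the end"

# each port is an untagged (access) port with its own PVID
/interface bridge port
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether5 pvid=20

# VLAN table: the bridge itself must be tagged on every VLAN the router
# needs an IP on, otherwise the VLAN interfaces below see no traffic
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether5 vlan-ids=20

# one L3 interface per subnet, on the bridge rather than on a physical port
/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10
add interface=bridge1 name=VLAN20 vlan-id=20

/ip address
add address=192.168.10.1/24 interface=VLAN10
add address=192.168.30.1/24 interface=VLAN20

# reuse the pools from the export; the /ip dhcp-server network entries stay as they are
/ip dhcp-server
add name=dhcp10 interface=VLAN10 address-pool=dhcp_pool10
add name=dhcp20 interface=VLAN20 address-pool=dhcp_pool11

# last step, once the port and VLAN tables are in place
/interface bridge
set bridge1 vlan-filtering=yes
```

vlan-filtering is switched on last so that a mistake in the port or VLAN table cannot cut off the session you are configuring from. This separates the two ports at layer 2 (they share no broadcast domain), but routing between 192.168.10.0/24 and 192.168.30.0/24 still happens on the router, so forward-chain drop rules between the subnets are still required for the isolation the original post asks for.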