I'm surprised by the number of replies to this post. Normally, if there is no response for a day or two, the topic fades into obscurity.
I appreciate the many replies, which are very expert and informative, and I appreciate the sarcastic ones too; life is boring without humour.
The question is simple and does not require any diagrams - it's just about a client isolation scenario.
@rextended made a valid point with the following:
/ip firewall filter
add action=drop disabled=yes chain=forward in-interface=all-ppp out-interface=all-ppp
However, I don't understand how it's possible that you don't already have a "drop all at the end" on forward, and only allow traffic between all-ppp <-> WAN.
Thank you for your input.
The issue I'm facing is that I use a series of rules to allow forwarding to my public IP addresses and to the interfaces I need for managing servers, and then drop everything else.
Although it does what it's supposed to do, I'm having several problems, but one is more serious:
My public IP addresses are allowed to see all private clients because the rule accepts them.
I have businesses that require public IP addresses and have two or more locations, one of which has a public IP (for their server), while the others are private. So, I need them to see the public IP and vice versa.
I don't want to create a rule for each client, as that would require two rules for every connection, and it would also require me to change a lot of settings in my network because my private IPs are dynamic.
So, to avoid adding a lot of rules or changing my network, I had to create the following general rules instead:
/ip firewall filter
# <public-ip> is a placeholder for the poster's routed public /24
add action=accept chain=forward dst-address=<public-ip>/24
add action=accept chain=forward src-address=<public-ip>/24
Which allows all public IPs to see all the private IPs.
If I disable those rules, the public IP addresses will be seen only from outside my network.
So, instead of asking about my original problem, I thought there might be another simple way to isolate clients (who knows?).
However, I realize that I need to find a workaround to fix these issues.
If anyone has any ideas on how to overcome these problems, I would appreciate it.
Thanks
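To make the ordering problem in the chain above concrete, here is an added example (not code from the post or from RouterOS) that models first-match evaluation of the forward chain as the post describes it, and then the same chain with @rextended's all-ppp drop rule enabled and placed first. The public /24 (203.0.113.0/24), the private pool addresses, the interface names (ppp-client1, ppp-server, ether1-wan) and the treatment of "all-ppp" as "any interface whose name starts with ppp" are all constructed assumptions for the simulation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan: assumptions for the simulation, not values from the post.
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")   # the poster's routed public /24
WAN_IFACE = "ether1-wan"                               # assumed WAN interface name


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str     # e.g. "ppp-client1" for a PPP client, "ether1-wan" for the WAN
    out_iface: str


def _iface_match(spec: Optional[str], name: str) -> bool:
    # "all-ppp" stands in for RouterOS's dynamic PPP interface group; modelled here
    # (assumption) as any interface whose name starts with "ppp".
    if spec is None:
        return True
    if spec == "all-ppp":
        return name.startswith("ppp")
    return spec == name


@dataclass
class Rule:
    action: str                                   # "accept" or "drop"
    src: Optional[ipaddress.IPv4Network] = None   # src-address=
    dst: Optional[ipaddress.IPv4Network] = None   # dst-address=
    in_iface: Optional[str] = None                # in-interface=, literal name or "all-ppp"
    out_iface: Optional[str] = None               # out-interface=
    disabled: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.disabled:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return _iface_match(self.in_iface, pkt.in_iface) and _iface_match(self.out_iface, pkt.out_iface)


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule decides, as in the RouterOS forward chain; no match means the packet passes."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "accept"


def current_rules():
    """The chain as the post describes it: public /24 accepted both ways, PPP<->WAN accepted, drop the rest."""
    return [
        Rule("accept", dst=PUBLIC_NET),
        Rule("accept", src=PUBLIC_NET),
        Rule("accept", in_iface="all-ppp", out_iface=WAN_IFACE),
        Rule("accept", in_iface=WAN_IFACE, out_iface="all-ppp"),
        Rule("drop"),
    ]


def with_ppp_isolation():
    """Same chain with @rextended's drop rule enabled and placed before the public-/24 accepts."""
    return [Rule("drop", in_iface="all-ppp", out_iface="all-ppp")] + current_rules()


# Constructed sample flows; addresses are documentation ranges, not real hosts.
FLOWS = {
    "private client -> internet": Packet("10.0.1.5", "198.51.100.7", "ppp-client1", WAN_IFACE),
    "private client -> private client": Packet("10.0.1.5", "10.0.2.9", "ppp-client1", "ppp-client2"),
    "public server -> private client": Packet("203.0.113.10", "10.0.1.5", "ppp-server", "ppp-client1"),
    "private client -> public server": Packet("10.0.1.5", "203.0.113.10", "ppp-client1", "ppp-server"),
    "internet -> public server": Packet("198.51.100.7", "203.0.113.10", WAN_IFACE, "ppp-server"),
}


def verdicts(rules) -> dict:
    """Verdict per sample flow for a given chain."""
    return {name: evaluate(rules, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("current chain", current_rules()), ("all-ppp drop first", with_ppp_isolation())):
        print(label)
        for name, verdict in verdicts(rules).items():
            print(f"  {name:34s} {verdict}")
```

With the current chain, private-to-private PPP traffic already hits the final drop, but a packet from a public server to a private client matches the src-address accept before anything else sees it, which is exactly the leak described above. Putting the all-ppp drop first closes that path, and the simulation also shows it dropping the private-location-to-public-server flow that the business sites rely on, so the two requirements collide on rule order rather than on any single rule.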