Lomez
just joined
Topic Author
Posts: 6
Joined: Tue Jan 23, 2018 2:24 pm
Location: Latvia

Isolating physical LAN interfaces

Wed Mar 21, 2018 11:01 am

Hi,

I have an RB1100 router; the idea is that every port on the router is used by a different client.
So I've configured every ethernet port with a LAN address, DHCP server, DHCP pool and masquerade rule; it looks like this:
Ether1-WAN
Ether2-1customer (10.10.1.0)
Ether3-2customer (10.10.2.0)
Ether4-3customer (10.10.3.0)
....and so on till Ether11

I want to isolate every network, so I've created a firewall rule for every port:
ip firewall filter add chain=forward action=drop in-interface=ether2 out-interface=ether3 log=no
ip firewall filter add chain=forward action=drop in-interface=ether3 out-interface=ether2 log=no

It works fine, but in my case it means I need to create ~90 firewall rules, is there any other way to isolate them?

Thank you in advance,
Br, Arturs
 
freemannnn
Long time Member
Posts: 655
Joined: Sun Oct 13, 2013 7:29 pm

Re: Isolating physical LAN interfaces

Wed Mar 21, 2018 11:07 am

In another post I read about the ip/settings option ip-forward that isolates different interfaces.
I tested it on my router and I could not surf the web. If someone can post some info on how we use it.

Also there is a bridge horizon value in every bridge (if you use bridges). If you have the same horizon number in every bridge they cannot communicate.
Last edited by freemannnn on Thu Mar 22, 2018 6:59 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 5523
Joined: Mon Jun 08, 2015 12:09 pm

Re: Isolating physical LAN interfaces

Wed Mar 21, 2018 12:15 pm

It works fine, but in my case it means I need to create ~90 firewall rules, is there any other way to isolate them?
Go to Interfaces -> Interface lists, click the Lists button and create a new list, e.g. name it "customers".
Go back to interfaces -> interface lists and add all your customer interfaces to this list.

Then create only a single rule: in-interface-list and out-interface-list are your customers list, and drop traffic.

This solves your problem in a simple way.
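The interface-list approach from the post above, written out as RouterOS CLI commands. This is an added example and not configuration from the thread: the list name "customers" follows the reply, the port names ether2 to ether11 follow the first post, and it assumes the ports are plain routed interfaces with no bridge in between (the forward chain only sees routed traffic).

```routeros
# Added example, not the poster's configuration. Assumes ether2..ether11 are the
# customer ports and each one is a routed interface (not a bridge member).
/interface list
add name=customers comment="all customer-facing routed ports"

/interface list member
add list=customers interface=ether2
add list=customers interface=ether3
add list=customers interface=ether4
add list=customers interface=ether5
add list=customers interface=ether6
add list=customers interface=ether7
add list=customers interface=ether8
add list=customers interface=ether9
add list=customers interface=ether10
add list=customers interface=ether11

# One rule replaces the ~90 per-pair rules: any forwarded packet that enters on a
# customer port and would leave on a customer port is dropped. Rules are evaluated
# top-down, so place-before=0 puts it at the top of the chain, ahead of any blanket
# accept rule that could let customer-to-customer traffic through first.
/ip firewall filter
add chain=forward action=drop in-interface-list=customers out-interface-list=customers comment="isolate customer ports from each other" place-before=0

# Check it is working: from a host on ether2, ping something in 10.10.2.0/24 (ether3
# side) and watch the packet counter of the drop rule increase.
/ip firewall filter print stats where comment~"isolate"
```

An "accept connection-state=established,related" rule sitting above this drop is harmless: the first packet of a new customer-to-customer flow has state "new", so it still reaches the drop and no connection is ever established. Traffic between a customer port and ether1-WAN is never matched (WAN is not in the list), so internet access is unaffected. Adding a twelfth customer port later is a single "/interface list member add" rather than another 22 rules.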
 
Lomez
just joined
Topic Author
Posts: 6
Joined: Tue Jan 23, 2018 2:24 pm
Location: Latvia

Re: Isolating physical LAN interfaces

Wed Mar 21, 2018 2:32 pm

It works fine, but in my case it means I need to create ~90 firewall rules, is there any other way to isolate them?
Go to Interfaces -> Interface lists, click the Lists button and create a new list, e.g. name it "customers".
Go back to interfaces -> interface lists and add all your customer interfaces to this list.

Then create only a single rule: in-interface-list and out-interface-list are your customers list, and drop traffic.

This solves your problem in a simple way.
Will try this one, thank you for advice.
 
anav
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolating physical LAN interfaces

Thu Mar 22, 2018 3:26 am

It works fine, but in my case it means I need to create ~90 firewall rules, is there any other way to isolate them?
Go to Interfaces -> Interface lists, click the Lists button and create a new list, e.g. name it "customers".
Go back to interfaces -> interface lists and add all your customer interfaces to this list.

Then create only a single rule: in-interface-list and out-interface-list are your customers list, and drop traffic.

This solves your problem in a simple way.
Really nice solution!!
I wonder, though, why the IP setting IP FORWARD not being checked did not accomplish the goal of the OP?
Further, why would unchecking this setting suddenly prevent internet (LAN to WAN, WAN to LAN) access?

Finally, the FW rules would stop layer 3 traffic but they would not stop, at least to my understanding, layer 2 traffic if all are considered on the same bridge.
I don't know the unit but this seems to be the case for my HEX.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
pe1chl
Forum Guru
Posts: 5523
Joined: Mon Jun 08, 2015 12:09 pm

Re: Isolating physical LAN interfaces

Thu Mar 22, 2018 11:50 am

The interfaces are NOT part of the same bridge (as far as I understand the question), so that does not apply.
In any MikroTik device, you as the admin control what is in the bridge; you can take the ports out and use them as routed interfaces.

An alternative to the solution with the address list, for this special case where 1 interface is WAN and all the others are customers,
would be:

- accept all traffic from ether1-wan in forward table
- accept all traffic to ether1-wan in forward table
- drop all traffic in forward table

This will allow only traffic to or from ether1-wan and all other forwards are dropped.
Of course this will get complicated in other cases where there are other special interfaces like VPN or a management interface,
and the use of interface lists is more appropriate.
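The "accept to/from WAN, drop the rest" variant described above, as an added example that is not configuration from the thread. It assumes the WAN port is named ether1-wan and that it is the only non-customer port. The three rules from the post are preceded by the usual stateful rules, an assumption of mine rather than part of the reply: accepting everything that arrives forwarded from the WAN port would otherwise also accept new, unsolicited inbound connections, so the "new from WAN" case is restricted to dst-nat'ed traffic first.

```routeros
# Added example of the "accept WAN, drop everything else" variant. Not the
# poster's configuration. Assumes ether1-wan is the only non-customer port.
/ip firewall filter
# Stateful hygiene first (assumed, not from the thread): reply packets of
# connections the customers opened are allowed, malformed state is dropped.
add chain=forward action=accept connection-state=established,related comment="allow replies"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# New connections arriving from the Internet are only wanted when a dst-nat
# rule deliberately sent them in; everything else from WAN is unsolicited.
add chain=forward action=drop connection-state=new in-interface=ether1-wan connection-nat-state=!dstnat comment="no unsolicited inbound"
# The three rules from the reply: anything to or from the WAN port passes,
# every other forwarded packet (i.e. customer to customer) is dropped.
add chain=forward action=accept in-interface=ether1-wan comment="forwarded from WAN"
add chain=forward action=accept out-interface=ether1-wan comment="forwarded to WAN"
add chain=forward action=drop comment="drop all other forwarded traffic"
```

The final unconditional drop is what gives the isolation: with no bridge between the customer ports, customer-to-customer traffic can only cross the router via the forward chain, and it never matches either accept. Note the limitation the reply mentions: the moment a second non-customer interface appears (a VPN tunnel, a management port), every flow to or from it also lands in that last drop, and you end up adding accept pairs per interface again, which is exactly what an interface list avoids.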
 
anav
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolating physical LAN interfaces

Thu Mar 22, 2018 6:15 pm

Thanks pe1chl, I concur, and also assumed all interfaces are separate and not bridged, and thus no layer 2 concerns.

But what about the IP setting and the action of unchecking IP Forward?
Q1. Should that not have given the OP the desired result?
Q2. Why would that action cause LAN to WAN traffic blocking?

My assumptions are that
IN traffic is to the router, typically from the WAN only,
OUT traffic is out of the interfaces (and probably only out of the WAN, but not sure?), and
FORWARD is across the router in both hardware and software.

I come from a more simplistic use of routers and programming, which is WAN to LAN, LAN to WAN, and LAN to LAN respectively, etc.
and find the above hard to wrap my head around and still don't have it clear.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
pe1chl
Forum Guru
Posts: 5523
Joined: Mon Jun 08, 2015 12:09 pm

Re: Isolating physical LAN interfaces

Thu Mar 22, 2018 6:50 pm

Of course IP Forward must be enabled when you want to use the device as a router.
Disabling that will of course solve the issue (forwarding between customers) but will also cut the internet connection for the customers!
It is like installing the best firewall/spam filter/threat protection: just unplug the internet cable.
Sure it works, but nobody wants that.
 
mkx
Forum Guru
Posts: 2570
Joined: Thu Mar 03, 2016 10:23 pm

Re: Isolating physical LAN interfaces

Thu Mar 22, 2018 6:54 pm

In a proper router (which MT basically is) there are no WAN and LAN ports. There are just ports and a routing engine between them.

Only when you apply certain configuration (IP addresses, routing rules and tables, FW rules, ...) may it appear that a certain port is WAN and another LAN. However, if you disable IP routing, nothing gets anywhere, including traffic that needs to pass the "WAN" port. Therefore, if you don't really mean to cut everybody off from the WAN, you still need to keep the routing engine in place and instead block most of the routed (e.g. LAN-to-LAN) traffic.
BR,
Metod
 
solar77
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Isolating physical LAN interfaces

Thu Mar 22, 2018 6:57 pm

OK I think this will answer your question on the port forwarding post:

Input chain: traffic into the router.
Output chain: traffic originating from the router.
Forward chain: traffic passing through the router.

My understanding of IP Forward is that it enables/disables packet forwarding between interfaces. This includes your WAN interface, so that explains why you lost your internet connection, perhaps?
MTCNA MTCTCE UEWA
 
anav
Forum Guru
Posts: 2886
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolating physical LAN interfaces

Thu Mar 22, 2018 8:38 pm

Thanks Solar, and re: IP FORWARD, I then fail to see a practical use of that checkbox (being unchecked).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
