/ip firewall filter add chain=forward action=accept comment="SIP clients from 192.168.2.0/24" src-address=192.168.2.0/24 dst-address=192.168.1.10 protocol=udp dst-port=5060
Performance-wise it might indeed be wasteful. However, you never know if in future that same server might get some other functionality you don't want to expose to the said subnet. This case, however, is not similar to yours (filtering based on both physical port and IP address): in "my" case filter is only very specific (narrowing down possibilities) - but in this very particular case it may not be necessary to be that very specific. In "your" case, both filter criteria (physical port and IP address) are, strictly speaking, not related at all. Specifying both might narrow down the possibilities (possibly breaking L2 network in unlucky case) or it may broaden possibilities (in another unlucky case).3. Use of protocol and ports is a good idea in terms of limiting the ports and protocols allowed by the originating LAn to hit your server.
(seeing as there is no other functionality of the server, I tend to think that this simply wasteful as well unless someone can point out why otherwise ???
/ip firewall filter add action=accept chain=forward dst-address-list=VlanFriends in-interface-list=LAN src-address-list=VlanFriends comment="Allow inter VLAN communication with VLAN friends"
# nov/27/2018 17:09:21 by RouterOS 6.43.4 # software id = UJ3A-L315 # /ip firewall address-list add address=192.168.1.0/24 list=PrivateSubnets add address=192.168.10.0/24 list=PrivateSubnets add address=192.168.20.0/24 list=PrivateSubnets add address=192.168.1.0/24 list=AdminSubnet add address=192.168.10.10 comment="Office. Odilo" list=VlanFriends add address=192.168.20.0/24 list=VlanFriends add address=192.168.1.0/24 comment="All Subnets" list=PrivateSubnets add address=192.168.10.20 comment="Client B\FCro PC" list=AdminSubnet add address=192.168.30.0/24 list=PrivateSubnets add address=192.168.40.0/24 list=PrivateSubnets add address=192.168.50.0/24 list=PrivateSubnets add address=192.168.60.0/24 list=PrivateSubnets add address=192.168.70.0/24 list=PrivateSubnets add address=192.168.80.0/24 list=PrivateSubnets add address=192.168.1.0/24 list=AlllowWAN add address=192.168.20.0/24 list=AlllowWAN add address=192.168.10.0/24 list=AlllowWAN add address=192.168.30.0/24 list=AlllowWAN add address=192.168.40.0/24 list=AlllowWAN add address=192.168.50.0/24 list=AlllowWAN add address=192.168.60.0/24 list=AlllowWAN add address=192.168.70.0/24 list=AlllowWAN add address=192.168.80.0/24 list=AlllowWAN add address=192.168.1.0/24 list=AlllowWAN add address=192.168.10.0/24 list=SonosControl add address=192.168.60.0/24 list=VlanFriends add address=192.168.40.0/24 list=VlanFriends add address=192.168.10.40 comment=Spok list=AdminSubnet add address=192.168.30.0/24 list=VlanFriends add address=192.168.50.0/24 list=VlanFriends add address=192.168.10.0/24 list=VlanFriends add address=192.168.1.0/24 list=VlanFriends add address=192.168.10.11 comment=HP4050 list=Printer add address=192.168.10.12 comment=HP8620 list=Printer add address=192.168.10.13 comment=HP477fdw list=Printer /ip firewall filter add action=accept chain=input comment="accept established,related" \ connection-state=established,related add action=drop chain=input comment="drop invalid" connection-state=invalid add action=accept chain=input comment="VPN: allow udp 500 and 4500" disabled=\ yes dst-port=500,4500 in-interface-list=WAN protocol=udp add action=accept chain=input comment="VPN: allow ESP" disabled=yes \ in-interface-list=WAN protocol=ipsec-esp add action=accept chain=input comment="allow AdminSubnet" in-interface-list=\ LAN src-address-list=AdminSubnet add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \ in-interface-list=LAN protocol=tcp add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \ in-interface-list=LAN protocol=udp add action=accept chain=input comment="Allow LAN NTP queries" dst-port=123 \ in-interface-list=LAN protocol=udp add action=drop chain=input comment=" drop everything" add action=fasttrack-connection chain=forward comment=\ " fasttrack established,related" connection-state=established,related add action=accept chain=forward comment=" accept established,related" \ connection-state=established,related add action=accept chain=forward comment="SIP clients from 192.168.10.0/24" \ disabled=yes dst-address=192.168.20.10 dst-port=5060 log=yes log-prefix=\ SIP protocol=udp src-address=192.168.10.0/24 add action=drop chain=forward comment="prevent SPAM" dst-port=25 \ in-interface-list=LAN out-interface-list=WAN protocol=tcp add action=drop chain=forward comment="drop invalid" connection-state=invalid add action=accept chain=forward comment=\ "only required for port forwarding from WAN" connection-nat-state=dstnat \ disabled=yes in-interface-list=WAN add action=accept chain=forward comment="accept in ipsec policy" disabled=yes \ ipsec-policy=in,ipsec add action=accept chain=forward comment="accept out ipsec policy" disabled=\ yes ipsec-policy=out,ipsec add action=accept chain=forward comment=\ "SONOS. Forward UPnP Device Discovery events from Players" in-interface=\ vlan30 out-interface-list="Sonos Control" port=1900,1901,6969 protocol=\ udp add action=accept chain=forward comment="SONOS: forward Multicast traffic" \ dst-address=188.8.131.52 log-prefix=MultiCast add action=accept chain=forward comment=\ "SONOS: Forward Contoller events from Players" in-interface-list=\ "Sonos Control" log=yes log-prefix=FromPlayer out-interface=vlan30 port=\ 3400,3401,3500,4444,4070,5353 protocol=tcp add action=accept chain=forward comment=\ "SONOS: forward Controller events to Players" dst-port="" in-interface=\ vlan30 log-prefix=ToPlayer out-interface-list="Sonos Control" port=\ 3400,3401,3500,4444,4070,5353 protocol=tcp add action=accept chain=forward comment=\ "accept Internet Access from \"Allow WAN\"" in-interface-list=LAN \ out-interface-list=WAN src-address-list=AlllowWAN add action=accept chain=forward comment="Accept AdminSubnet-> PrivateSubnet" \ dst-address-list=PrivateSubnets in-interface-list=LAN src-address-list=\ AdminSubnet add action=accept chain=forward comment=\ "Allow inter VLAN communication with VLAN friends" dst-address-list=\ VlanFriends in-interface-list=LAN src-address-list=VlanFriends add action=drop chain=forward comment="drop everything" log=yes log-prefix=\ drop /ip firewall mangle add action=mark-connection chain=prerouting connection-state=new disabled=yes \ new-connection-mark=TabS2 passthrough=yes src-mac-address=\ xx:xx:xx:xx:xx:xx add action=mark-packet chain=prerouting connection-mark=TabS2 disabled=yes \ new-packet-mark=TabS2PacketMark passthrough=no /ip firewall nat add action=redirect chain=dstnat comment=\ "Force Users to Router for DNS - TCP" dst-port=53 protocol=tcp add action=redirect chain=dstnat comment=\ "Force Users to Router for DNS - UDP" dst-port=53 protocol=udp add action=masquerade chain=srcnat comment="masquerade LAN->WAN" \ out-interface=ether1 src-address-type="" /ip firewall raw add action=notrack chain=prerouting comment=\ "Fasttrack BYPASS for IPSec traffic " disabled=yes dst-address=\ 192.168.1.0/24 src-address=192.168.2.0/24 add action=notrack chain=prerouting disabled=yes dst-address=192.168.2.0/24 \ src-address=192.168.1.0/24 /ip firewall service-port set ftp disabled=yes set tftp disabled=yes set irc disabled=yes set h323 disabled=yes set sip disabled=yes sip-timeout=20m set pptp disabled=yes set udplite disabled=yes set dccp disabled=yes set sctp disabled=yes
You will also need to open few rules for RTP (audio)Hi,
I have configured several Subnets on my RB3011. All Subnets cannot see each other, it is disabled by FW-Rule.
Now I would like to configure some exceptions. I have a local SIP Server on Subnet1 with IP: 192.168.1.10. Client on Subnet1 can connect correctly to the Server, but Clients on Subnet2(192.168.2.0/24) do not work. This works as expected.
How do I have to configure a common rule for Subent2 to get this working? I think I have to route UDP-Port 5060.
Can some help here?
Hi Christian -@RackKing:
Yes, My Sonos Speakers are in VLAN30 and the controllers are accross different Subnets.It works for me, but sometimes it takes some time until a controller finds the Sonos players (especially the Android widget). For updates it is recommended to join one controller to VLAN30, otherwise you get errors. It is not really perfect!
Aditionally to the rules, you need to install PIM on the router in order to route Multicast.
I have round about 15 Sonos players/bridges on the subnet and It is difficult to notice improvements. But in my view, it seems to be more stable because players disappear less often then before.
For now, VLAN30 is also participant of "VlanFriends" and there are not really restrictions between "Player" and "Controller" Subnet. There is room for improvement regarding the routing. I am open for proposal