Denniz01
just joined
Topic Author
Posts: 4
Joined: Thu Jul 29, 2021 8:41 pm

Block local IP's fails

Wed Sep 29, 2021 5:08 pm

Hello,

I'm trying to make my system more secure. I wanted to block one IP from talking to other devices in the local network. I first tried to block just two IPs:
/ip firewall filter add  chain=forward action=drop src-address=192.168.88.87 dst-address=192.168.88.86  
/ip firewall filter add  chain=forward action=drop src-address=192.168.88.86 dst-address=192.168.88.87  
Still, when executing a ping from 192.168.88.86 to 192.168.88.87 it goes through. Is there any reason the rule does not work? (Tried it in safe mode.)

Here is my full configuration just in case (without the two rules above).
# sep/29/2021 13:05:01 by RouterOS 6.47.10
# software id = RKPD-G2FL
#
# model = RB4011iGS+
# serial number = F0380E36CDBF
/interface bridge
add admin-mac=2C:C8:1B:46:39:96 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=xxxxxxx@xxx.com
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip arp
add address=192.168.88.103 interface=bridge mac-address=3C:78:0E:59:5C:BA
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.111 client-id=1:a0:8c:fd:d8:c:1f mac-address=\
    A0:8C:FD:D8:0C:1F server=defconf
add address=dhcp mac-address=2C:41:78:4F:BB:6D server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward dst-address=192.168.88.102 protocol=rdp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=774 in-interface=pppoe-out1 \
    protocol=tcp src-port="" to-addresses=192.168.88.102 to-ports=3389
add action=dst-nat chain=dstnat dst-port=776 protocol=tcp to-addresses=\
    192.168.88.102 to-ports=776
add action=dst-nat chain=dstnat dst-port=775 protocol=tcp to-addresses=\
    192.168.88.249 to-ports=5601
add action=masquerade chain=srcnat src-address=192.168.88.102
add action=masquerade chain=srcnat src-address=192.168.88.249
add action=dst-nat chain=dstnat dst-port=774 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.88.102 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.88.87 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.88.87 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.88.87 to-ports=444
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thanks for any hint!
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Block local IP's fails

Wed Sep 29, 2021 5:14 pm

Such firewall rules are not going to work within one network.
You need to split your network, e.g. by having a different network on some physical ports, or by using VLANs.
Then you can move some device(s) to the other network and use such rules to filter the traffic.
E.g. on a 4011 it makes sense to have a separate network on ports 1-5 and 6-10.
 
mkx
Forum Guru
Posts: 11629
Joined: Thu Mar 03, 2016 10:23 pm

Re: Block local IP's fails  [SOLVED]

Wed Sep 29, 2021 5:15 pm

Both IPs are in the same IP subnet, so basically they'll try to talk to each other directly, without involving their gateway.

If traffic between the two devices is forced to pass the router (i.e. they are connected to different ports of your MikroTik), then you can do something by using bridge filters ... and make sure at least one of the involved ports is exempt from HW offload.
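As an added example (not from this thread), a short Python check that reads a RouterOS export and flags forward-chain filter rules whose src-address and dst-address both fall inside one directly connected subnet, which is the situation described above: such traffic is switched at layer 2 and never reaches the IP firewall. The sample export is constructed from the lines posted earlier in the thread, plus one rule toward another subnet for contrast.

```python
import ipaddress, re, shlex

# Constructed sample, assembled from lines posted in this thread: the router's
# LAN address and the two forward rules that did not block anything.
SAMPLE_EXPORT = """\
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\\
    192.168.88.0
/ip firewall filter
add chain=forward action=drop src-address=192.168.88.87 dst-address=192.168.88.86
add chain=forward action=drop src-address=192.168.88.86 dst-address=192.168.88.87
add chain=forward action=drop src-address=192.168.88.87 dst-address=10.0.0.5
"""

def parse_export(text):
    """Yield (section, {key: value}) for each add/set line of an export,
    after joining the backslash-continued lines RouterOS emits."""
    section = None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line          # e.g. "/ip firewall filter"
            continue
        words = shlex.split(line)   # respects quoted comment="..." values
        yield section, dict(w.split("=", 1) for w in words[1:] if "=" in w)

def local_subnets(text):
    """Directly connected subnets, taken from the /ip address section."""
    return [ipaddress.ip_interface(p["address"]).network
            for s, p in parse_export(text) if s == "/ip address"]

def bypassed_rules(text):
    """Forward rules whose src and dst both sit in one connected subnet: that
    traffic is switched at layer 2 and never reaches the IP firewall."""
    nets, flagged = local_subnets(text), []
    for s, p in parse_export(text):
        if s != "/ip firewall filter" or p.get("chain") != "forward":
            continue
        if "src-address" not in p or "dst-address" not in p:
            continue
        src = ipaddress.ip_network(p["src-address"], strict=False)
        dst = ipaddress.ip_network(p["dst-address"], strict=False)
        for net in nets:
            if src.subnet_of(net) and dst.subnet_of(net):
                flagged.append((p["src-address"], p["dst-address"], str(net)))
    return flagged

for src, dst, net in bypassed_rules(SAMPLE_EXPORT):
    print(f"{src} -> {dst}: both in {net}, the L3 rule never matches")
```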
 
Denniz01
just joined
Topic Author
Posts: 4
Joined: Thu Jul 29, 2021 8:41 pm

Re: Block local IP's fails

Wed Sep 29, 2021 5:20 pm

Got it! Thanks a lot for the clarification. Is there some easy rule in my case?
So basically the device I want to block has the IP 192.168.88.87 and runs on ether port 6. I already tried to set up VLANs but am kind of new to MikroTik and networking, so somehow it didn't work.

PS: Basically forbidding some ports to talk to other ether ports would be ideal.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Block local IP's fails

Wed Sep 29, 2021 5:47 pm

When you have no other switch connected, or the particular device is not on another switch, you can do it without VLANs.
You can either make a new network for that port and use a firewall rule as you did, or you can use switch/bridge tricks like bridge filter or port isolation.
 
rextended
Forum Guru
Posts: 12008
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block local IP's fails

Wed Sep 29, 2021 5:52 pm

Go into the settings of one of the two devices and block the other device in its firewall, without making all traffic go through the CPU to apply some rules...
Last edited by rextended on Wed Sep 29, 2021 6:12 pm, edited 3 times in total.
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block local IP's fails

Wed Sep 29, 2021 6:10 pm

Having a good network map/diagram will help you plan and state clear requirements.
If you have enough ports (and wireless ports, if it is a wifi router) to separate groups of users by ports, then you're golden.
If you have to send traffic to a switch which then connects to different users, then most likely you will need VLANs.

So the first thing is to identify:
a. how many groups you have (of users that are distinct and devices that are distinct).
For example it could be
spouse's work, kids' computers, house LAN, house wifi, guest wifi, IoT devices (thermostats, cameras)

b. how they are connected, or will be connected, or could be connected, by devices (ports, ethernet switch, wifi)

c. then you have to figure out who or what can talk to who or what, and who or what needs internet, etc.

d. now you have the start of a plan, which may or may not entail buying more networking equipment, and a plan on which one can start to build a config.
 
rextended
Forum Guru
Posts: 12008
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block local IP's fails

Wed Sep 29, 2021 6:12 pm

Paste this in the terminal to fix some errors:
/interface bridge
set bridge protocol-mode=none
/ip address
set [find where address="192.168.88.1/24"] interface=bridge
/ip firewall nat
set [find where src-port=""] !src-port
/interface ethernet switch port
set [find] default-vlan-id=auto

And if you are connected to the internet by pppoe-client only, also this:
/ip dhcp-client
remove [find]
 
rextended
Forum Guru
Posts: 12008
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block local IP's fails

Wed Sep 29, 2021 6:17 pm

PS: Basically forbid some ports to talk to other ether ports would be ideal.
To be clear, you want every device completely isolated from each other?
If you have only one single device per port, it is doable,
but as @anav already wrote, it is impossible to understand how your network is made
without a detailed network diagram.
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block local IP's fails

Wed Sep 29, 2021 6:24 pm

With understanding comes knowledge and information from which advice and configs can then be responsibly offered. ;-P
 
Denniz01
just joined
Topic Author
Posts: 4
Joined: Thu Jul 29, 2021 8:41 pm

Re: Block local IP's fails

Wed Sep 29, 2021 6:29 pm

Thanks a lot for all the hints!!! I finally ended up with bridge filtering using the UI. Here are the two rules that worked for me:
In this case, ether8 should not be reachable from other ether ports.
/interface bridge filter
add action=drop chain=forward in-interface=!ether8 out-interface=ether8
add action=drop chain=forward in-interface=ether8 out-interface=!ether8
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether8
Maybe it is not the most performant solution, but it is very easy and the CPU load seems to be really low. I hope it will work well.
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block local IP's fails

Wed Sep 29, 2021 7:01 pm

Awesome, glad it works.
Great work MKX ;-P
