muelli
just joined
Topic Author
Posts: 20
Joined: Fri Sep 21, 2012 12:42 pm

Add a simple Firewall for routed clients

Tue Jun 28, 2022 2:25 pm

Hello forum,

obviously I am too stupid to set up one of my RB as a simple firewall.
RB_1 and RB_2 are setup as a wireless bridge, RB_1 serves as a dhcp server that provides IPs to clients on the side of RB_2.
Clients connected to RB_2 can access the Internet, everything works.

Now I need to limit access to the internet. Only clients with a certain IP on the RB_2 side should be allowed to access the internet, but I somehow cannot manage to enable the firewall on RB_1 to do this.
Tried several rules and chains, no success. Everything is allowed through.

Can someone give me a hint on how to do this in winbox?

Current config of RB_1 is attached!

Thanks!
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Add a simple Firewall for routed clients

Tue Jun 28, 2022 4:36 pm

In the context of "give a man a fish and he can eat for a day, teach a man to fish and he can eat life long"

What you're looking for is forward rules.
- create rule to drop all forward from that complete IP subnet of RB_2 (yes, drop, it's the easiest "catch all" in my view)
- add rules BEFORE this rule to allow the specific IPs you want to ... allow. (better, use address list to have all the allowed IPs in it)

May I suggest some other things:
- start with the default firewall if this RB_1 device is facing internet !!
Currently you have nothing.
- upgrade to latest long term version. 6.32 is 7 years old !! What device are you running this on ?
 
muelli
just joined
Topic Author
Posts: 20
Joined: Fri Sep 21, 2012 12:42 pm

Re: Add a simple Firewall for routed clients

Tue Jun 28, 2022 6:50 pm

Thanks for your input!
I use the RB532A, which is mipsle, and the RouterOS I use is the latest supported version for that CPU architecture, sadly.
And the RB_1 is connected to another router, so no problem if the firewall is currently empty.

About the problem I am facing:
Thought something was wrong with conflicting subnets, so I changed everything from 192.168.1.0/24 to 192.168.119.0/24.... but the problem still persists.

I already tried to add a DROP rule in the forward chain for 192.168.119.0/24 :
/ip firewall filter
add action=drop chain=forward src-address=192.168.119.0/24

I can still connect/ping the internet from the clients behind RB_2... Does the rule have to be activated somehow?
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Add a simple Firewall for routed clients

Tue Jun 28, 2022 10:44 pm

Ok, understood on device and version.

How sure are you rb2 and clients are passing via rb1 to get out ?
Is it through ip settings ( gateway) or physical cable or ... ?
Because that drop rule should really drop all forward communication for that subnet.

Can you provide current config export as well ?
 
muelli
just joined
Topic Author
Posts: 20
Joined: Fri Sep 21, 2012 12:42 pm

Re: Add a simple Firewall for routed clients

Wed Jun 29, 2022 9:22 am

Clients on RB_2 HAVE to get out via RB_1, because there is only the wireless bridge that connects RB_2 to RB_1.
So I do not see how the Clients on RB_2 side could get around RB_1 to get out....

However, thinking about your question.... The DHCP server on RB_1 is dishing out the router behind RB_1 (192.168.119.100) as gateway for clients.
Tried a little test, change the default gw on one client to the IP of RB_1 and pinged the web:

pi@raspberrypi:~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.119.101: icmp_seq=1 Redirect Host(New nexthop: 192.168.119.100)
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=14.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=13.2 ms

Seems RB_1 wants the clients to go via 192.168.119.100 no matter what. But I have a feeling that could be the problem?

Config for RB_2 is attached!
Thanks....
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Add a simple Firewall for routed clients

Wed Jun 29, 2022 9:27 am

Did you on the client also renew DHCP lease ?
Or delete lease on RB1, it will renew as well then.

Otherwise it might take some time before the new settings are in effect.

But it still doesn't explain why that drop rule is not working.
I was referring to config of RB1, with the latest change you did on subnet etc.
 
muelli
just joined
Topic Author
Posts: 20
Joined: Fri Sep 21, 2012 12:42 pm

Re: Add a simple Firewall for routed clients

Wed Jun 29, 2022 9:52 am

No I just deleted the default GW and added a new one. I tested with lease delete, same result.

RB_1 config attached!
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Add a simple Firewall for routed clients

Wed Jun 29, 2022 10:31 am

Just checking, clients behind rb2 are effectively getting a lease from rb1 in 119.0/24 range ?
 
muelli
just joined
Topic Author
Posts: 20
Joined: Fri Sep 21, 2012 12:42 pm

Re: Add a simple Firewall for routed clients

Wed Jun 29, 2022 10:39 am

yes, I can see the leases and they match their actual IPs / GWs
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Add a simple Firewall for routed clients

Wed Jun 29, 2022 4:18 pm

You have R1 setup as a bridge. Your clients behind R2 are getting DHCP from R1 by chance. And with gateway of other Router, your clients are going out it directly.
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Add a simple Firewall for routed clients

Wed Jun 29, 2022 4:38 pm

Makes sense.

Best to decouple things.
Ethernet away from bridge, same subnet as router.
Ip address on bridge different subnet.
Dhcp server on bridge.
Gateway on dhcp same ip as bridge ip.
Firewall rule to be adjusted to new subnet if needed.

It has to work.
 
muelli
just joined
Topic Author
Posts: 20
Joined: Fri Sep 21, 2012 12:42 pm

Re: Add a simple Firewall for routed clients

Thu Jun 30, 2022 8:28 am

You have R1 setup as a bridge. Your clients behind R2 are getting DHCP from R1 by chance. And with gateway of other Router, your clients are going out it directly.

Hmm, if I understand this correctly, you mean the clients use a layer below the OSI layer on RB_1 that the firewall uses?
Thinking about it, the firewall on RB_1 must use layer 4 and the clients get past it as they are going by in layer 3?
Best to decouple things.
Ethernet away from bridge, same subnet as router.
Ip address on bridge different subnet.
Dhcp server on bridge.
Gateway on dhcp same ip as bridge ip.
Firewall rule to be adjusted to new subnet if needed.

Not sure if I understood this correct.
Should I give the clients behind RB_2 a new subnet and RB_1 as default GW?
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Add a simple Firewall for routed clients

Thu Jun 30, 2022 1:41 pm

From your provided R1 export:
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
Add an IP address for ether1 from the 192.168.1.0/24 of your other Router and remove ether1 bridge port entry. You will also need a route on your other Router for 192.168.119.0/24 with gateway of R1>ether1 IP address. To also further separate the networks, change R1>dhcp server network gateway entry to the R1> bridge IP address. And add route with gateway of other Router IP address.
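Putting holvoetn's forward-chain advice (allow rules before a subnet-wide drop, allowed hosts in an address list) and 2frogs' decoupling steps together, here is an added example RB_1 configuration written for this thread; it is not taken from either poster or from the exports attached above. Assumed values: the upstream router is 192.168.1.1, RB_1's ether1 gets 192.168.1.2/24, the bridge keeps 192.168.119.1/24 for the clients, and 192.168.119.50 stands in for one allowed client. Once ether1 leaves the bridge, client traffic is routed through RB_1 instead of switched past it at layer 2, so the IP firewall's forward chain finally sees the packets, which is why the earlier drop rule never matched.

```routeros
# RB_1: take ether1 out of the bridge so traffic between clients and the
# upstream router is routed, not bridged, and therefore hits /ip firewall filter
/interface bridge port
remove [find interface=ether1]

# ether1 joins the upstream router's subnet (assumed 192.168.1.0/24, router at .1);
# the bridge (wlan1 towards RB_2) keeps the client subnet
/ip address
add address=192.168.1.2/24 interface=ether1 comment="assumed uplink address"
add address=192.168.119.1/24 interface=bridge1 comment="client gateway"

# Default route for RB_1 itself via the upstream router
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1

# Clients must use RB_1 (the bridge IP) as gateway instead of the upstream router;
# this edits the existing DHCP network entry rather than creating a new server
/ip dhcp-server network
set [find address=192.168.119.0/24] gateway=192.168.119.1

# Hosts allowed to reach the internet live in one address list
/ip firewall address-list
add list=internet-allowed address=192.168.119.50 comment="example allowed client"

# Forward chain, order matters: keep established flows, accept listed clients
# towards the uplink, then drop everything else from the client subnet
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward src-address-list=internet-allowed in-interface=bridge1 \
    out-interface=ether1 action=accept
add chain=forward src-address=192.168.119.0/24 action=drop

# Upstream router: return route for the client subnet via RB_1's ether1 address.
# Shown in RouterOS syntax on the assumption that it is also a MikroTik.
/ip route
add dst-address=192.168.119.0/24 gateway=192.168.1.2
```

After a client renews its lease it should no longer see the ICMP "Redirect Host" from the ping test above, since RB_1 and the upstream router no longer share a broadcast domain with the clients; a ping from a host not on the list should now fail while 192.168.119.50 still gets out.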
