add action=drop chain=input dst-address=192.168.55.0/27 src-address=192.168.80.0/24
add action=accept chain=input dst-address=192.168.80.0/24 src-address=192.168.55.0/27
If I change it to "forward" I lose the connection from both sites.

"Input" chain is for traffic coming to the router. Change it to "forward" as you want to manage "forwarding" between IP subnets.
add action=drop chain=forward in-interface=CLIENT_VLAN out-interface=MGT_VLAN
# Management -> users allowed - not strictly needed, but you can watch the counters to see if any traffic passes in that direction
add action=accept chain=forward dst-address-list=UIP src-address-list=MIP
# allow all returning traffic for connections started from MIP to an OIP device
add action=accept chain=forward connection-state=established,related dst-address-list=MIP src-address-list=UIP
# any traffic other than the returning traffic (defined previously) is blocked
add action=drop chain=forward connection-state=!established,related dst-address-list=MIP src-address-list=UIP
Having access to the user subnet UIP=192.168.80.0/24 from MIP=192.168.55.0/27 with IP implies that any traffic originated from MIP to UIP should be allowed no matter what. On the other hand, only related or established traffic from OIP should be accepted. Any new, invalid or untracked packets from UIP to MIP should be forbidden, as they mean that someone from UIP wants to access devices on MIP.
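To make the stateful reasoning above concrete, here is an added Python model of the three forward-chain rules (accept MIP->UIP, accept established/related UIP->MIP, drop everything else UIP->MIP) run over a constructed packet sequence. It is example code written for this thread, not RouterOS configuration and not the poster's own script; the address-list names MIP and UIP and the two subnets are taken from the thread, the hosts, ports and the tiny connection tracker are constructed assumptions, and "related" and "invalid" states are not modelled.

```python
"""Stateful-filter model of the MIP -> UIP forward policy (constructed example, not RouterOS code)."""
import ipaddress
from dataclasses import dataclass

# Address lists named as in the thread; the networks are the ones the thread uses.
ADDRESS_LISTS = {
    "MIP": [ipaddress.ip_network("192.168.55.0/27")],   # management hosts
    "UIP": [ipaddress.ip_network("192.168.80.0/24")],   # user hosts
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class ConnTracker:
    """Minimal connection tracker (assumption): a packet matching a recorded flow in either
    direction is 'established'; anything else is 'new'. 'related'/'invalid' are not modelled."""

    def __init__(self):
        self.flows = set()

    def state(self, pkt):
        if pkt.flow() in self.flows or pkt.reverse_flow() in self.flows:
            return "established"
        return "new"

    def record(self, pkt):
        self.flows.add(pkt.flow())


def in_list(addr, list_name):
    return any(ipaddress.ip_address(addr) in net for net in ADDRESS_LISTS[list_name])


# The three forward-chain rules from the thread, in order. 'states' is the set of connection
# states the rule matches (None = any); 'negate' mirrors the '!' in connection-state=!established,related.
RULES = [
    {"src": "MIP", "dst": "UIP", "states": None, "negate": False, "action": "accept"},
    {"src": "UIP", "dst": "MIP", "states": {"established", "related"}, "negate": False, "action": "accept"},
    {"src": "UIP", "dst": "MIP", "states": {"established", "related"}, "negate": True, "action": "drop"},
]


def evaluate(pkt, state):
    """First matching rule wins; with no match the chain falls through to accept,
    which is what a RouterOS chain without a final drop rule does."""
    for rule in RULES:
        if not (in_list(pkt.src, rule["src"]) and in_list(pkt.dst, rule["dst"])):
            continue
        if rule["states"] is not None:
            matched = state in rule["states"]
            if rule["negate"]:
                matched = not matched
            if not matched:
                continue
        return rule["action"]
    return "accept"


def run(packets):
    """Push packets through conntrack and the rule list in order; accepted packets create flows."""
    tracker = ConnTracker()
    verdicts = []
    for pkt in packets:
        st = tracker.state(pkt)
        verdict = evaluate(pkt, st)
        if verdict == "accept":
            tracker.record(pkt)
        verdicts.append((pkt, st, verdict))
    return verdicts


def demo():
    # Constructed traffic: a management host opens SSH to a user PC, the PC replies, a user PC
    # tries to open its own connection to the management host, and a second user host sends a
    # packet that looks like a reply but has no tracked flow behind it.
    packets = [
        Packet("192.168.55.10", "192.168.80.20", 51000, 22),   # MIP -> UIP, new
        Packet("192.168.80.20", "192.168.55.10", 22, 51000),   # UIP -> MIP, reply to the flow above
        Packet("192.168.80.20", "192.168.55.10", 40000, 22),   # UIP -> MIP, new
        Packet("192.168.80.21", "192.168.55.10", 22, 51000),   # UIP -> MIP, no matching flow
    ]
    return [(st, v) for _, st, v in run(packets)]


if __name__ == "__main__":
    for st, v in demo():
        print(st, v)
```

The last two packets show the point of the final drop rule: without a tracked flow started from MIP, the tracker classifies the packet as new, and the negated connection-state rule drops it regardless of which ports it carries. The same verdicts would come out of the connection-mark variant, because both approaches key on the same connection-tracking entry.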
The other method could be mangling: set a connection mark on any traffic started from MIP, and then base the rules on that mark, instead of on IP lists, so that traffic from UIP to MIP without that mark is not allowed to pass.