As you can see, the 192.168.1.0/24 and 192.168.2.0/24 networks are relatively isolated (see firewall rules 3 and 4), as 192.168.2.0/24 is reserved for wireless, aka the "guest network".
However, I can't reach 192.168.2.2 from 192.168.1.5 (the SSH session just hangs); would you please help me understand why?
Alternatively, maybe I need a firewall NAT rule instead? If so, what would it look like?
If you can also provide some recommendations for the other rules, in terms of ordering and such, please don't hesitate to chime in. Many thanks for looking into this!
Code:
[admin@sea-rou-001] > /ip/address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
0 192.168.1.1/24 192.168.1.0 ether2
1 192.168.2.1/24 192.168.2.0 ether3
2 D HIDDEN_PUBLIC_IP HIDDEN_PUBLIC_IP ether1
[admin@sea-rou-001] > /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; Necessary for the router to get ntp and upgrades.
chain=input action=accept connection-state=established,related connection-mark="" log=no log-prefix=""
2 chain=forward action=accept protocol=tcp src-address=192.168.1.5 dst-address=192.168.2.2 in-interface=ether3 out-interface=ether2 dst-port=22
3 ;;; block all traffic from LAN to guest network
chain=forward action=drop in-interface=ether3 out-interface=ether2 log=yes log-prefix="firewall"
4 ;;; block all traffic from guest to LAN network
chain=forward action=drop in-interface=ether2 out-interface=ether3 log=yes log-prefix="firewall"
5 ;;; block all traffic from the internet to ether1
chain=input action=drop in-interface=ether1 log=no log-prefix=""
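From the address table, 192.168.1.5 sits behind ether2 and 192.168.2.2 behind ether3, so the SSH SYN enters on ether2 and leaves on ether3: rule 2 (in-interface=ether3 out-interface=ether2) never matches it, rule 4 drops it, and even with the interfaces corrected the forward chain has no established,related accept for the reply packets coming back from ether3. As an added example (not the original poster's config), here is a forward chain consistent with that address table; it assumes these rules replace the existing forward rules 2 to 4 and that nothing else references those rule numbers:

```routeros
# Added example, not the original configuration. Interface mapping taken from
# the address table: ether2 = 192.168.1.0/24 (LAN), ether3 = 192.168.2.0/24 (guest).
# Intended to replace the existing forward rules 2-4; order is first-match.
/ip/firewall/filter
# Reply traffic for sessions accepted below. Without this, the SYN-ACK from
# 192.168.2.2 (in ether3, out ether2) is dropped by the guest->LAN rule.
add chain=forward action=accept connection-state=established,related \
    comment="return traffic for allowed forward sessions"
# The one permitted LAN->guest session: 192.168.1.5 enters on ether2 and
# leaves on ether3 (the original rule 2 had these two interfaces swapped).
add chain=forward action=accept connection-state=new protocol=tcp \
    src-address=192.168.1.5 dst-address=192.168.2.2 \
    in-interface=ether2 out-interface=ether3 dst-port=22 \
    comment="LAN host 192.168.1.5 to guest host 192.168.2.2 ssh"
# Isolation rules whose comments match the interfaces they actually reference.
add chain=forward action=drop in-interface=ether2 out-interface=ether3 \
    log=yes log-prefix="firewall" \
    comment="block all traffic from LAN (ether2) to guest (ether3)"
add chain=forward action=drop in-interface=ether3 out-interface=ether2 \
    log=yes log-prefix="firewall" \
    comment="block all traffic from guest (ether3) to LAN (ether2)"
```

No NAT rule is involved here: both subnets are directly connected to the router, so plain routing carries the packets and only the forward chain decides whether they pass. The logged drops with prefix "firewall" in /log are the quickest way to confirm which rule is currently catching the SYN.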