sandyshores
just joined
Topic Author
Posts: 5
Joined: Fri Apr 05, 2024 2:59 am

How to block subnet to subnet access

Fri Apr 05, 2024 3:09 am

[EDIT] I put the full scope of the question in the text here but never updated the title. The title is now updated.

I started by resetting all config and connecting via MAC. What I am trying to do also covers the future requirement that only two of the subnets I'm going to use should be able to talk to each other. Without using VLANs for now, I would like to figure out how to do this with routing or firewall.


I know this is covered in viewtopic.php?t=60451, I think, but that method doesn't work:
/ip firewall filter add chain=forward action=drop src-address=192.168.0.0/24 dst-address=10.0.0.0/24
But that simply doesn't work at all since I'm still able to log in to the router via ssh (10.0.0.1) from a host on 192.168.0.0. These subnets use different bridges and these 2 bridges are on their own physical interface. 192.168.0.0 is on bridge2, 10.0.0.0 is on bridge1.

I also tried:
/ip firewall filter add chain=forward action=drop in-interface=bridge2 out-interface=bridge1

Venturing into "barely know what I'm doing" territory, pre-routing sounds smart... so:
/ip/firewall/raw/add chain=prerouting src-address=192.168.0.0/24 dst-address=10.0.0.0/24 action=drop
But that does not work either.

I know the router has Routing and like routing tags too but I haven't any experience with that.
Last edited by sandyshores on Fri Apr 05, 2024 7:23 pm, edited 1 time in total.
 
baragoon
Member
Posts: 314
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: How to block router console login from user subnet ONLY

Fri Apr 05, 2024 7:03 am

Set allowed addresses for ssh in the ip/services
 
TheCat12
Member Candidate
Posts: 196
Joined: Fri Dec 31, 2021 9:13 pm

Re: How to block router console login from user subnet ONLY

Fri Apr 05, 2024 9:57 am

Try the following command:
/ip firewall filter add action=drop chain=input src-address=192.168.0.0/24 protocol=tcp dst-port=22
That will block SSH for the subnet.
 
sandyshores
just joined
Topic Author
Posts: 5
Joined: Fri Apr 05, 2024 2:59 am

Re: How to block router console login from user subnet ONLY

Fri Apr 05, 2024 7:20 pm

OK that looks like a possibility for the console login. How about for subnet to subnet access?
 
TheCat12
Member Candidate
Posts: 196
Joined: Fri Dec 31, 2021 9:13 pm

Re: How to block subnet to subnet access

Fri Apr 05, 2024 7:33 pm

For a full isolation of the subnets you should have two drop forward rules:
/ip firewall filter
add chain=forward action=drop src-address=192.168.0.0/24 dst-address=10.0.0.0/24
add chain=forward action=drop src-address=10.0.0.0/24 dst-address=192.168.0.0/24
 
Buckeye
Forum Veteran
Posts: 896
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: How to block subnet to subnet access

Fri Apr 05, 2024 10:56 pm

I know this is covered in viewtopic.php?t=60451, I think, but that method doesn't work:
/ip firewall filter add chain=forward action=drop src-address=192.168.0.0/24 dst-address=10.0.0.0/24
But that simply doesn't work at all since I'm still able to log in to the router via ssh (10.0.0.1) from a host on 192.168.0.0. These subnets use different bridges and these 2 bridges are on their own physical interface. 192.168.0.0 is on bridge2, 10.0.0.0 is on bridge1.
If you are trying to block access to the router itself, you need to use the input chain instead of the forward chain. So to block all traffic to the 10.0.0.0/24 network you will need at least two rules, one to block traffic to the router's interface(s) via the input chain, and another to block access to hosts on the 10.0.0.0/24 that the router is routing on behalf of another host (the forward chain applies to traffic that is being routed).

Here are some videos worth watching:
MikroTips: How to firewall by MikroTik (Normis) (but read the comments, there is a mistake in the video)
MikroTik Firewall Filter Rules: Chains Forward - Input - Output by MAICT (Maher Haddad) - also covers clearing connections when changing firewall rules.
If you want more depth, see Mikrotik Firewall From Scratch - The Basics - Episode 1 by The Network Trip (Wilmer Almazon)
 
sandyshores
just joined
Topic Author
Posts: 5
Joined: Fri Apr 05, 2024 2:59 am

Re: How to block subnet to subnet access

Sat Apr 06, 2024 12:13 am

For a full isolation of the subnets you should have two drop forward rules:
/ip firewall filter
add chain=forward action=drop src-address=192.168.0.0/24 dst-address=10.0.0.0/24
add chain=forward action=drop src-address=10.0.0.0/24 dst-address=192.168.0.0/24
That's the strange thing. The first rule you mentioned should work by itself. And in my case it doesn't work with both rules installed either. Here's my firewall filter printout:
/ip/firewall/filter/print               
Flags: X - disabled, I - invalid; D - dynamic 
 0    chain=forward action=drop src-address=10.0.0.0/24 
      dst-address=192.168.0.0/24 

 1    chain=forward action=drop src-address=192.168.0.0/24 
      dst-address=10.0.0.0/24 

 2    ;;; accept established,related
      chain=input action=accept connection-state=established,related 

 3    chain=input action=drop connection-state=invalid 

 4    ;;; block everything else
      chain=input action=drop in-interface=ether1 
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to block subnet to subnet access

Sun Apr 07, 2024 7:48 pm

Playing the one million block subnets game is a waste of time and energy.
Simply change the default rule that comes with the router.
All subnets are blocked immediately at L3, and all one needs to do ( and should do ) is focus on the traffic that is allowed!!

From:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="Drop all else"


Now for example if you had to allow one subnet access to another, it's a simple allow rule.
Or the admin IP access to all vlans.......
or all user access to common printer.

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to all subnets" src-address=adminLAN-IP out-interface-list=LAN
add action=accept chain=forward comment="home users to video subnet" src-address=home-subnet dst-address=video-subnet
add action=accept chain=forward comment="all user to common printer on home subnet" in-interface-list=LAN out-interface=homeVLAN dst-address=IP of printer

add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="Drop all else"
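A small Python model of RouterOS chain selection, added here as an illustration and not code from any poster in this thread. It shows why the forward-only drop rules from the first post never see an SSH session to the router's own 10.0.0.1 (that traffic enters the input chain, as Buckeye points out), and how a default-drop forward chain of the kind anav describes, together with TheCat12's input rule, handles the same packets. The router addresses, the WAN address 192.168.1.50, the interface lists and the three sample packets are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed topology mirroring the thread: 10.0.0.0/24 on bridge1, 192.168.0.0/24 on
# bridge2, ether1 as the WAN uplink. 192.168.1.50 is a made-up WAN address for the router.
ROUTER_IPS = {"10.0.0.1", "192.168.0.1", "192.168.1.50"}
ROUTES = {"10.0.0.0/24": "bridge1", "192.168.0.0/24": "bridge2", "0.0.0.0/0": "ether1"}
IFACE_LISTS = {"LAN": {"bridge1", "bridge2"}, "WAN": {"ether1"}}

def out_iface(dst):
    """Longest-prefix match over the constructed routing table."""
    nets = [n for n in ROUTES if ip_address(dst) in ip_network(n)]
    return ROUTES[max(nets, key=lambda n: ip_network(n).prefixlen)]

def rule_matches(rule, pkt):
    """Every matcher present on the rule must hold; absent matchers are wildcards."""
    for key, want in rule.items():
        if key in ("chain", "action", "comment"):
            continue
        if key == "src-address" and ip_address(pkt["src"]) not in ip_network(want):
            return False
        if key == "dst-address" and ip_address(pkt["dst"]) not in ip_network(want):
            return False
        if key == "in-interface-list" and pkt["in"] not in IFACE_LISTS[want]:
            return False
        if key == "out-interface-list" and out_iface(pkt["dst"]) not in IFACE_LISTS[want]:
            return False
        if key == "protocol" and pkt.get("proto") != want:
            return False
        if key == "dst-port" and pkt.get("dport") != want:
            return False
    return True

def verdict(rules, pkt):
    """Pick the chain the way the router does (input for its own addresses, forward for
    routed traffic), then apply the first matching rule. With no match, the built-in
    accept policy of the chain applies."""
    chain = "input" if pkt["dst"] in ROUTER_IPS else "forward"
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, pkt):
            return chain, rule["action"]
    return chain, "accept (default policy)"

# The forward-only drop pair from the first post.
OP_RULES = [
    {"chain": "forward", "action": "drop", "src-address": "192.168.0.0/24", "dst-address": "10.0.0.0/24"},
    {"chain": "forward", "action": "drop", "src-address": "10.0.0.0/24", "dst-address": "192.168.0.0/24"},
]
# TheCat12's input rule for SSH plus anav's allow-what-you-need, drop-all-else forward chain.
STRICT_RULES = [
    {"chain": "input", "action": "drop", "src-address": "192.168.0.0/24", "protocol": "tcp", "dst-port": 22},
    {"chain": "forward", "action": "accept", "in-interface-list": "LAN", "out-interface-list": "WAN"},
    {"chain": "forward", "action": "drop"},
]
# Constructed packets: SSH to the router, host-to-host across subnets, and a web request to the internet.
SSH_TO_ROUTER = {"src": "192.168.0.10", "dst": "10.0.0.1", "in": "bridge2", "proto": "tcp", "dport": 22}
HOST_TO_HOST = {"src": "192.168.0.10", "dst": "10.0.0.20", "in": "bridge2", "proto": "tcp", "dport": 445}
TO_INTERNET = {"src": "10.0.0.20", "dst": "198.51.100.7", "in": "bridge1", "proto": "tcp", "dport": 443}
```

Running `verdict(OP_RULES, SSH_TO_ROUTER)` returns an input-chain default accept, which is exactly the symptom described in the first post, while the same packet is dropped under STRICT_RULES and internet-bound traffic still passes.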
 
sandyshores
just joined
Topic Author
Posts: 5
Joined: Fri Apr 05, 2024 2:59 am

Re: How to block subnet to subnet access

Mon Apr 08, 2024 12:36 am

Playing the one million block subnets game is a waste of time and energy.
Simply change the default rule that comes with the router.
All subnets are blocked immediately at L3, and all one needs to do ( and should do ) is focus on the traffic that is allowed!!

From:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="Drop all else"


Now for example if you had to allow one subnet access to another, it's a simple allow rule.
Or the admin IP access to all vlans.......
or all user access to common printer.

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to all subnets" src-address=adminLAN-IP out-interface-list=LAN
add action=accept chain=forward comment="home users to video subnet" src-address=home-subnet dst-address=video-subnet
add action=accept chain=forward comment="all user to common printer on home subnet" in-interface-list=LAN out-interface=homeVLAN dst-address=IP of printer

add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="Drop all else"
OK I tried doing that but I guess that because I'm using bridges (I followed the first-time setup guide) it actually breaks internet access completely.

 0 R name="bridge2" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled 
     arp-timeout=auto mac-address=xxxxx protocol-mode=rstp fast-forward=yes 
     igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s 
     forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no 
     port-cost-mode=long 

 1 R name="bridge1" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto 
     mac-address=xxxxxxx protocol-mode=none fast-forward=yes igmp-snooping=no 
     auto-mac=yes ageing-time=5m vlan-filtering=no dhcp-snooping=no port-cost-mode=long 

and 192.168.0.0/24 is the pool for the dhcp server for bridge2
and 10.0.0.0/24 is the pool for the dhcp server for bridge1


I have no NAT settings. No bridge filters.

/interface/bridge/settings> print
              use-ip-firewall: no
     use-ip-firewall-for-vlan: no
    use-ip-firewall-for-pppoe: no
              allow-fast-path: yes
      bridge-fast-path-active: yes
     bridge-fast-path-packets: 3304
       bridge-fast-path-bytes: 290269
  bridge-fast-forward-packets: 0
    bridge-fast-forward-bytes: 0

/interface/bridge/settings> /ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY          DISTANCE
  DAd 0.0.0.0/0         192.168.1.1             1
  DAc 192.168.1.0/24    ether1                  0
  DAc 10.0.0.0/24       bridge1                 0
  DAc 192.168.0.0/24    bridge2                 0
  
And bridge1 is on ether4
and bridge2 is on ether5
 
anav
Forum Guru
Posts: 19612
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to block subnet to subnet access

Mon Apr 08, 2024 1:24 am

Is your device a router or a switch (model and firmware)? Normally the setup is one bridge..........
viewtopic.php?t=143620

Would also need to see the config to comment further:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.)
 
emunt6
Member Candidate
Posts: 105
Joined: Fri Feb 02, 2018 7:00 pm

Re: How to block subnet to subnet access

Thu Apr 11, 2024 11:09 pm

For a full isolation of the subnets you should have two drop forward rules:
/ip firewall filter
add chain=forward action=drop src-address=192.168.0.0/24 dst-address=10.0.0.0/24
add chain=forward action=drop src-address=10.0.0.0/24 dst-address=192.168.0.0/24
That's the strange thing. The first rule you mentioned should work by itself. And in my case it doesn't work with both rules installed either. Here's my firewall filter printout:
/ip/firewall/filter/print               
Flags: X - disabled, I - invalid; D - dynamic 
 0    chain=forward action=drop src-address=10.0.0.0/24 
      dst-address=192.168.0.0/24 

 1    chain=forward action=drop src-address=192.168.0.0/24 
      dst-address=10.0.0.0/24 

 2    ;;; accept established,related
      chain=input action=accept connection-state=established,related 

 3    chain=input action=drop connection-state=invalid 

 4    ;;; block everything else
      chain=input action=drop in-interface=ether1 

You need to add an "explicit block all", because the MT default policy is "ACCEPT" in every table/chain:
->  ( iptables -t filter -P INPUT ACCEPT ) - this cannot be changed on MikroTik - hardcoded.
->  ( iptables -t filter -P FORWARD ACCEPT ) - this cannot be changed on MikroTik - hardcoded.
->  ( iptables -t filter -P OUTPUT ACCEPT ) - this cannot be changed on MikroTik - hardcoded.
This will do:
/ip firewall filter
add chain=forward action=drop src-address=192.168.0.0/24 dst-address=10.0.0.0/24
add chain=forward action=drop src-address=10.0.0.0/24 dst-address=192.168.0.0/24
add chain=forward action=drop
