I have a small home network with a few subnets, and I made some firewall filter rules for it.
the rules that concern my question here are:
- Devices in their subnets can't access devices in other subnets, except:
- Devices on the IoT subnet can see my home assistant server that's on my main subnet
- Devices on the main subnet can see every device on every subnet
- Devices on the current IoT subnet can reach the internet (i'll add another IoT subnet without internet access in the near future).
Here are all the firewall filter rules:
Code: Select all
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack established,related connections" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="ALLOW established, related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid packets" connection-state=invalid
add action=accept chain=input comment="accept INPUT established and related connections [temp]" connection-state=established,related
add action=drop chain=input comment="DROP input invalid packets" connection-state=invalid
add action=accept chain=input comment="ALLOW management" in-interface=management
add action=accept chain=forward comment="ENABLE LAN1 to WAN" in-interface=bridge1 out-interface-list=WAN src-address=192.168.188.0/24
add action=accept chain=forward comment="Allow main VLAN on other VLANs" dst-address=10.0.0.0/8 in-interface=bridge1
add action=accept chain=forward comment="ALLOW selected LANs to WAN" in-interface-list=LANs_with_internet_access out-interface-list=WAN
add action=accept chain=forward comment="Allow IoT devices to talk with HASS server" dst-address=192.168.188.200 in-interface=IoT_internet_vlan out-interface=bridge1
add action=accept chain=input comment="allow external pings" in-interface-list=WAN protocol=icmp
add action=accept chain=forward comment="allow opened ports" connection-nat-state=dstnat
add action=drop chain=forward
add action=drop chain=input in-interface=pianetafibra_pppoe
Is there something wrong in my firewall rules?
If you see other weird stuff outside of the things I asked feel free to tell me, I'm just starting into the world of networking!
Here's the whole configuration, that I also attached as a file below:
Code: Select all
# 2024-04-25 13:55:55 by RouterOS 7.14.2
# software id = [REDACTED]
#
# model = RB5009UG+S+
# serial number = [REDACTED]
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=IoT_internet_vlan vlan-id=3
add interface=bridge1 name=management vlan-id=100
add interface=bridge1 name=ospiti_vlan vlan-id=2
add interface=ether1 name=pianetafibra_vlan vlan-id=[REDACTED]
/interface pppoe-client
add add-default-route=yes disabled=no interface=pianetafibra_vlan name=\
pianetafibra_pppoe use-peer-dns=yes user=[REDACTED]
/interface list
add name=WAN
add name=LAN
add name=LANs_with_internet_access
/ip dhcp-server
add interface=management lease-time=1m name=management_dhcp
/ip pool
add name=main_ip_pool ranges=192.168.188.21-192.168.188.199
add name=ospiti_pool ranges=10.0.2.21-10.0.2.199
add name=management_pool ranges=10.0.0.2-10.0.0.10
add name=IoT_internet_pool ranges=10.0.3.30-10.0.3.254
/ip dhcp-server
add address-pool=main_ip_pool interface=bridge1 name=main_dhcp
add address-pool=ospiti_pool interface=ospiti_vlan name=ospiti_dhcp
add address-pool=IoT_internet_pool interface=IoT_internet_vlan lease-time=5h \
name=IoT_dhcp
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether7 pvid=2
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether8 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 comment="VLAN ospiti" tagged=ether2,bridge1 untagged=\
ether7 vlan-ids=2
add bridge=bridge1 comment=management tagged=bridge1 untagged=ether8 \
vlan-ids=100
add bridge=bridge1 comment=IoT_internet_access tagged=ether2,bridge1 \
vlan-ids=3
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=pianetafibra_pppoe list=WAN
add interface=bridge1 list=LAN
add interface=management list=LAN
add interface=ospiti_vlan list=LANs_with_internet_access
add interface=ospiti_vlan list=LAN
add interface=IoT_internet_vlan list=LAN
add interface=IoT_internet_vlan list=LANs_with_internet_access
/ip address
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=10.0.2.1/24 interface=ospiti_vlan network=10.0.2.0
add address=10.0.0.1/24 interface=management network=10.0.0.0
add address=10.0.3.1/24 interface=IoT_internet_vlan network=10.0.3.0
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1 netmask=24
add address=10.0.2.0/24 dns-server=10.0.2.1 gateway=10.0.2.1 netmask=24
add address=10.0.3.0/24 dns-server=10.0.3.1 gateway=10.0.3.1 netmask=24
add address=192.168.188.0/24 dns-server=192.168.188.1 gateway=192.168.188.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
"fasttrack established,related connections" connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment="ALLOW established, related" \
connection-state=established,related
add action=drop chain=forward comment="DROP invalid packets" \
connection-state=invalid
add action=accept chain=input comment=\
"accept INPUT established and related connections [temp]" \
connection-state=established,related
add action=drop chain=input comment="DROP input invalid packets" \
connection-state=invalid
add action=accept chain=input comment="ALLOW management" in-interface=\
management
add action=accept chain=forward comment="ENABLE LAN1 to WAN" in-interface=\
bridge1 out-interface-list=WAN src-address=192.168.188.0/24
add action=accept chain=forward comment="Allow main VLAN on other VLANs" \
dst-address=10.0.0.0/8 in-interface=bridge1
add action=accept chain=forward comment="ALLOW selected LANs to WAN" \
in-interface-list=LANs_with_internet_access out-interface-list=WAN
add action=accept chain=forward comment=\
"Allow IoT devices to talk with HASS server" dst-address=192.168.188.200 \
in-interface=IoT_internet_vlan out-interface=bridge1
add action=accept chain=input comment="allow external pings" \
in-interface-list=WAN protocol=icmp
add action=accept chain=forward comment="allow opened ports" \
connection-nat-state=dstnat
add action=drop chain=forward
add action=drop chain=input in-interface=pianetafibra_pppoe
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pianetafibra_pppoe
add action=dst-nat chain=dstnat comment="Unifi console" dst-port=8443 \
protocol=tcp to-addresses=192.168.188.200 to-ports=8443
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\
192.168.188.170 to-ports=80
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.188.0/24,10.0.0.0/24
set ssh address=192.168.188.0/24,10.0.0.0/24
set winbox address=192.168.188.0/24,10.0.0.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN