slayercho
just joined
Topic Author
Posts: 9
Joined: Sun Feb 17, 2013 2:38 pm

One direction access

Sun Feb 17, 2013 2:47 pm

Hello
The idea is as follows:

We have a mikrotik x86 machine with 5.2 and configured interfaces
lan1 - internet
lan2 - 192.168.0.1/24
lan2 vlan100 - 192.168.100.1/24

Is it possible to restrict access from vlan100 addresses to 192.168.0.1/24 in one direction only, so that I still have access to the addresses in vlan100 from 192.168.0.1/24?

Block vlan100 from seeing 192.168.0.1 with:

add action=drop chain=forward disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24

In that case, can you tell me what the rule should be so that 0.0/24 sees 100.0/24 in one direction, because now I cannot access vlan100 from the 0.0/24 network?
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: One direction access

Sun Feb 17, 2013 2:56 pm

add "connection-state=new" to that rule.
 
slayercho
just joined
Topic Author
Posts: 9
Joined: Sun Feb 17, 2013 2:38 pm

Re: One direction access

Sun Feb 17, 2013 3:04 pm

Still not working:
add action=drop chain=forward connection-state=new disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24
With connection-state=new, access works in both directions: 100.0/24 <--> 0.0/24
Last edited by slayercho on Sun Feb 17, 2013 3:10 pm, edited 1 time in total.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: One direction access

Sun Feb 17, 2013 3:10 pm

Post "/ip firewall filter" and "/ip firewall nat".

Which way do you want to drop? That rule will drop any new connections from 192.168.100.0/24 to 192.168.0.0/24. Established connection packets will not be dropped.

If you want to drop new connections to 192.168.0.1, you may need to add a "chain=input" rule also. That would not be a forward rule if that is assigned to a local interface on the router.
 
slayercho
just joined
Topic Author
Posts: 9
Joined: Sun Feb 17, 2013 2:38 pm

Re: One direction access

Sun Feb 17, 2013 3:22 pm

Filter Rules
add action=drop chain=forward disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=input disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24
With these filter rules 100.0/24 has no access to 0.0/24, and 0.0/24 has no access to 100.0/24 (testing with the ping command).
The idea is access from 0.0/24, without access from 100.0/24 to this network.

NAT Rules
add action=masquerade chain=srcnat disabled=no out-interface=Internet src-address=192.168.0.0/24
add action=masquerade chain=srcnat disabled=no out-interface=Internet src-address=192.168.100.0/24

NOTE:
192.168.0.0/24 and 192.168.100.0/24 are on one interface; 100.0 is a VLAN on that interface. That is because I have only two LAN cards on my x86 machine. Is that the problem?
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: One direction access

Sun Feb 17, 2013 3:27 pm

Filter Rules
add action=drop chain=forward disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=input disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24
With these filter rules 100.0/24 has no access to 0.0/24, and 0.0/24 has no access to 100.0/24 (testing with the ping command).
The idea is access from 0.0/24, without access from 100.0/24 to this network.
With those rules, you shouldn't be able to connect either way. It will block the connection request and the response. You only want to block the request. These should work.
add action=drop chain=forward disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24 connection-state=new
add action=drop chain=input disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24 connection-state=new
Add: These rules will not break an already established connection. If the two devices are connected when you change the rules, that would be a "connection-state=established", and would not be blocked as long as the connection is maintained.
Last edited by SurferTim on Sun Feb 17, 2013 3:33 pm, edited 1 time in total.
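The point SurferTim makes above (block only the connection request, not the response) is easiest to see with a small model of connection tracking. The following Python is an added illustration, not code from this thread or from RouterOS; the host addresses and packet sequence are constructed, and the tracker is simplified to "first packet between two hosts is new, everything after that is established":

```python
# Added example (not code from the forum thread): a toy model of a stateful
# forward chain, showing why "connection-state=new" makes the drop rule
# one-directional. Hosts and packet sequence below are constructed.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")      # lan2
VLAN = ip_network("192.168.100.0/24")   # lan2 vlan100

# The two rules discussed in the thread, as dicts.
RULE_STATELESS = {"src": VLAN, "dst": LAN}
RULE_STATEFUL = {"src": VLAN, "dst": LAN, "connection-state": "new"}


def classify(conntrack, pkt):
    """Mimic connection tracking: the first packet between two hosts is
    'new'; any later packet in either direction belongs to an
    'established' flow (ICMP echo request/reply is tracked the same way)."""
    key = frozenset((pkt["src"], pkt["dst"]))
    if key in conntrack:
        return "established"
    conntrack.add(key)
    return "new"


def rule_matches(rule, pkt, state):
    """Match src-address, dst-address and, if present, connection-state."""
    return (ip_address(pkt["src"]) in rule["src"]
            and ip_address(pkt["dst"]) in rule["dst"]
            and rule.get("connection-state") in (None, state))


def run(rules, packets):
    """Pass packets through the drop rules in order; return the verdicts."""
    conntrack = set()
    verdicts = []
    for pkt in packets:
        state = classify(conntrack, pkt)
        dropped = any(rule_matches(r, pkt, state) for r in rules)
        if dropped and state == "new":
            # A dropped first packet never confirms a tracked flow, so a later
            # packet of the same pair is still 'new' (simplification).
            conntrack.discard(frozenset((pkt["src"], pkt["dst"])))
        verdicts.append("drop" if dropped else "accept")
    return verdicts


# Constructed traffic: ping from the LAN, its reply, then a VLAN-originated attempt.
PACKETS = [
    {"src": "192.168.0.10", "dst": "192.168.100.20"},   # LAN -> VLAN request
    {"src": "192.168.100.20", "dst": "192.168.0.10"},   # VLAN -> LAN reply
    {"src": "192.168.100.30", "dst": "192.168.0.10"},   # VLAN -> LAN new attempt
]
```

Running `run([RULE_STATELESS], PACKETS)` drops the reply in packet 2, which is why the LAN side sees no access either; `run([RULE_STATEFUL], PACKETS)` lets the reply through and drops only the VLAN-originated attempt in packet 3.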
 
slayercho
just joined
Topic Author
Posts: 9
Joined: Sun Feb 17, 2013 2:38 pm

Re: One direction access

Sun Feb 17, 2013 3:32 pm

Should, but doesn't:
add action=drop chain=forward disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24 connection-state=new
add action=drop chain=input disabled=no dst-address=192.168.0.0/24 src-address=192.168.100.0/24 connection-state=new
With these rules access works both ways; 100.0/24 can access 0.0/24.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: One direction access

Sun Feb 17, 2013 3:34 pm

Maybe the vlan does add a problem to that. I have not tried that with a vlan.
 
slayercho
just joined
Topic Author
Posts: 9
Joined: Sun Feb 17, 2013 2:38 pm

Re: One direction access

Sun Feb 17, 2013 3:37 pm

If I add a new LAN card, will that work with this setup?
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: One direction access

Sun Feb 17, 2013 3:43 pm

I'm surprised it doesn't work on the vlan, so I don't know what to tell you on that. I use this type of rule, and it has always blocked connections in one direction only.

Bear in mind it will not block established connections. I edited my post above to mention that. If the two devices are connected prior to adding that rule, those connections will not be blocked. They would be "connection-state=established". It only blocks new connection attempts in one direction.
 
slayercho
just joined
Topic Author
Posts: 9
Joined: Sun Feb 17, 2013 2:38 pm

Re: One direction access

Sun Feb 17, 2013 4:32 pm

Thanks for your support, I will try other ways to do that.