two ip address Isolation

lasuridze · Tue Mar 25, 2014 9:24 am

hello i am beginner, i have 2 IP DHCP and i want to make Isolation,
IP1=10.10.1.1/16
IP2=192.168.20.20/24
and how to make user1 10.10.1.15 can't go user2 192.168.20.14

CelticComms · Tue Mar 25, 2014 1:12 pm

You should use filters in the forward chain of IP Firewall to control traffic between subnets.

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

rahulmkhj · Tue Mar 25, 2014 2:10 pm

Add 2 rules in IP > Firewall > Filters
i) chain= forward source-address = 10.10.1.0/16 dst-address=192.168.20.0/24 action=drop
ii) chain= forward source-address = 192.168.20.0/24 dst-address=10.10.1.0/16 action=drop

That should do it.

lasuridze · Wed Mar 26, 2014 10:31 am

Add 2 rules in IP > Firewall > Filters
i) chain= forward source-address = 10.10.1.0/16 dst-address=192.168.20.0/24 action=drop
ii) chain= forward source-address = 192.168.20.0/24 dst-address=10.10.1.0/16 action=drop

That should do it.

that block both side
i want to block one side

user1 10.10.0.0/16 can not come in to user2 192.168.20.0/24
and
user2 192.168.20.0/24 can come in user1 user1 10.10.0.0/16

i try only thet chain= forward source-address = 10.10.1.0/16 dst-address=192.168.20.0/24 action=drop but don't work :S

please help

lasuridze · Wed Mar 26, 2014 10:42 am

Add 2 rules in IP > Firewall > Filters
i) chain= forward source-address = 10.10.1.0/16 dst-address=192.168.20.0/24 action=drop
ii) chain= forward source-address = 192.168.20.0/24 dst-address=10.10.1.0/16 action=drop

That should do it.

that block both side
i want to block one side

user1 10.10.0.0/16 can not come in to user2 192.168.20.0/24
and
user2 192.168.20.0/24 can come in user1 user1 10.10.0.0/16

i try only thet chain= forward source-address = 10.10.1.0/16 dst-address=192.168.20.0/24 action=drop but don't work :S

please help

rahulmkhj · Thu Mar 27, 2014 1:01 pm

Add 2 rules in IP > Firewall > Filters
i) chain= forward source-address = 10.10.1.0/16 dst-address=192.168.20.0/24 action=drop
ii) chain= forward source-address = 192.168.20.0/24 dst-address=10.10.1.0/16 action=drop

That should do it.

that block both side
i want to block one side

user1 10.10.0.0/16 can not come in to user2 192.168.20.0/24
and
user2 192.168.20.0/24 can come in user1 user1 10.10.0.0/16

i try only thet chain= forward source-address = 10.10.1.0/16 dst-address=192.168.20.0/24 action=drop but don't work :S

please help

No, that won't work.. that won't be that easy (or might not be possible at all) .. And I can't think of a way doing this at the moment.

Rudios · Thu Mar 27, 2014 1:44 pm

Add 2 rules in IP > Firewall > Filters
i) chain= forward source-address = 10.10.1.0/16 dst-address=192.168.20.0/24 action=drop
ii) chain= forward source-address = 192.168.20.0/24 dst-address=10.10.1.0/16 action=drop

That should do it.

that block both side
i want to block one side

user1 10.10.0.0/16 can not come in to user2 192.168.20.0/24
and
user2 192.168.20.0/24 can come in user1 user1 10.10.0.0/16

i try only thet chain= forward source-address = 10.10.1.0/16 dst-address=192.168.20.0/24 action=drop but don't work :S

please help
No, that won't work.. that won't be that easy (or might not be possible at all) .. And I can't think of a way doing this at the moment.

I think it can be done.
Allow 192.168.20.0/24 to 10.10.0.0/16 and only allow only established and related traffic the opposite direction

ros code

add chain=forward src-address=192.168.20.0/24 dst-address=10.10.0.0/16 action=allow
add chain=forward src-address=10.10.0.0/16 dst-address=192.168.20.0/24 connection-state=established action=allow
add chain=forward src-address=10.10.0.0/16 dst-address=192.168.20.0/24 connection-state=related action=allow
add chain=forward src-address=10.10.0.0/16 dst-address=192.168.20.0/24 action=drop