 
aquiloni
just joined
Topic Author
Posts: 14
Joined: Thu Mar 07, 2013 9:52 pm

how to block ip ranges preventing access to another subnet?

Thu Oct 09, 2014 1:17 am

Hello folks!

Basically I have two nets on two bridges on my CCR: private net 192.168.1.0/24 and a guest net 10.0.0.0/21.
On my guest net I have installed a couple of access points, which are addressed from 10.0.0.10-10.0.0.50. The DHCP on this net serves the guests with IP addresses from 10.0.1.0-10.0.7.250.
Everything works flawlessly, but I have trouble managing the access points on the guest net from my private net when I set up a standard firewall rule that looks like this:
/ip firewall filter add chain=forward action=drop src-address=10.0.0.0/21 dst-address=192.168.1.0/24

It would be cool if something like this worked:
/ip firewall filter add chain=forward action=drop src-address=10.0.0.100/21-10.0.7.254/21 dst-address=192.168.1.0/24
but the src-address can't handle IP ranges.

Is there another option to handle this problem? Or should I assign a second net like 172.16.0.0/24 to the guest bridge that contains all access points and drop all packets from guest to private net?

Thanks for the advice!
 
natoer23
Trainer
Posts: 8
Joined: Mon Jan 09, 2012 3:11 pm

Re: how to block ip ranges preventing access to another subn

Thu Oct 09, 2014 10:02 am

You can't combine a subnet mask and an IP range to declare a source.
You have to either define the IP range or use the subnet.
In your case you could use:
/ip firewall filter add chain=forward action=drop src-address=10.0.0.100-10.0.7.254 dst-address=192.168.1.0/24
 
aquiloni
just joined
Topic Author
Posts: 14
Joined: Thu Mar 07, 2013 9:52 pm

Re: how to block ip ranges preventing access to another subn

Thu Oct 09, 2014 10:35 am

Yes, I posted it incorrectly; actually I used exactly your rule, but somehow it won't work :(
 
natoer23
Trainer
Posts: 8
Joined: Mon Jan 09, 2012 3:11 pm

Re: how to block ip ranges preventing access to another subn

Thu Oct 09, 2014 11:23 am

Ok, when you say it doesn't work do you mean you can't access the APs from your private network or the firewall rule doesn't block guest access to your private network?

If it is the former, check whether you can ping your APs without the firewall rule in place. If you can't ping them, check that the IP addresses are on your bridges and not on interfaces within the bridge and also make sure your APs have a route to your private network.

If the latter is the case, then check whether the rule's packet count is increasing. If not, set it to the IP address of the test device and see whether the count is increasing. Also check the above to make sure those IP addresses are in the correct spot.
 
aquiloni
just joined
Topic Author
Posts: 14
Joined: Thu Mar 07, 2013 9:52 pm

Re: how to block ip ranges preventing access to another subn

Thu Oct 09, 2014 12:01 pm

I mean that the rule doesn't work when I specify an IP range as source-address.

Anyway, I managed to set up a new address on the public bridge and moved all accessible devices to the new subnet.
So I can prevent guest access to the subnet by the firewall rule.

Thanks
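
The matching logic of the rules discussed in this thread, as an added example that is not part of any poster's message and is not RouterOS code: it models only which source/destination pairs each drop rule matches, showing that the /21 rule also matches replies from the access points to the private net while the range 10.0.0.100-10.0.7.254 does not, and it expands that range into the exact CIDR blocks that cover it. The sample packets are constructed; 192.168.1.20 and 203.0.113.5 are assumed hosts.

```python
import ipaddress as ipa

PRIVATE = ipa.ip_network("192.168.1.0/24")   # private net from the thread
GUEST = ipa.ip_network("10.0.0.0/21")        # guest net from the thread
FIRST = ipa.ip_address("10.0.0.100")         # start of the range in the thread
LAST = ipa.ip_address("10.0.7.254")          # end of the range in the thread

def range_to_cidrs(first=FIRST, last=LAST):
    """Smallest set of CIDR blocks covering exactly first..last, as strings."""
    return [str(n) for n in ipa.summarize_address_range(first, last)]

def subnet_rule_drops(src, dst):
    """Models: drop src-address=10.0.0.0/21 dst-address=192.168.1.0/24"""
    return ipa.ip_address(src) in GUEST and ipa.ip_address(dst) in PRIVATE

def range_rule_drops(src, dst):
    """Models: drop src-address=10.0.0.100-10.0.7.254 dst-address=192.168.1.0/24"""
    return FIRST <= ipa.ip_address(src) <= LAST and ipa.ip_address(dst) in PRIVATE

def cidr_rules_drop(src, dst):
    """Same policy as the range rule, expressed as one drop per CIDR block."""
    s = ipa.ip_address(src)
    hit = any(s in ipa.ip_network(n) for n in range_to_cidrs())
    return hit and ipa.ip_address(dst) in PRIVATE

# Constructed sample packets: (description, source, destination)
SAMPLES = [
    ("AP reply to admin PC", "10.0.0.10", "192.168.1.20"),
    ("AP reply to admin PC", "10.0.0.50", "192.168.1.20"),
    ("guest to private net", "10.0.1.0", "192.168.1.20"),
    ("guest to private net", "10.0.7.250", "192.168.1.20"),
    ("guest to internet", "10.0.3.7", "203.0.113.5"),
]

def evaluate(samples=SAMPLES):
    """Return (description, src, /21 verdict, range verdict) for each packet."""
    return [(d, s, subnet_rule_drops(s, t), range_rule_drops(s, t))
            for d, s, t in samples]

if __name__ == "__main__":
    for desc, src, by_subnet, by_range in evaluate():
        print(f"{desc:22} {src:12} /21 rule drops={by_subnet!s:5} "
              f"range rule drops={by_range}")
    print("range as CIDR blocks:", ", ".join(range_to_cidrs()))
```
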