We have a RB532a with three ethers; WAN, LAN1, & LAN2.
WAN goes to the public internet
LAN1 is the internal, private network
LAN2 is the "guest" network
The desired result is to give the guest (LAN1) network access to the WAN, but NOT LAN1, EXCEPT for one computer that is on LAN2 that needs to tunnel into LAN1.
As it is right now, it appears that LAN1 and LAN2 are bridged. Seems like a simple filter rule would allow the one computer into LAN1, but I can't seem to find a suitable example.
Any help out there?
Standard routes are set up like so:
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 ADC 1.2.3.0/24 1.2.3.22 WAN
1 ADC 192.168.2.0/24 192.168.2.1 LAN1
2 DC 10.1.1.0/24 10.1.1.1 LAN2
3 A S 0.0.0.0/0 r 1.2.3.1 WAN
[admin@R1] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop Invalid connections
chain=input connection-state=invalid action=drop
1 ;;; Allow Established connections
chain=input connection-state=established action=accept
2 ;;; Allow UDP
chain=input protocol=udp action=accept
3 ;;; Allow ICMP
chain=input protocol=icmp action=accept
4 ;;; Allow access to router from known network
chain=input in-interface=!WAN action=accept
5 ;;; Drop anything else
chain=input action=drop
6 ;;; drop invalid connections
chain=forward protocol=tcp connection-state=invalid action=drop
7 ;;; allow already established connections
chain=forward connection-state=established action=accept
8 ;;; allow related connections
chain=forward connection-state=related action=accept
9 chain=forward src-address=0.0.0.0/8 action=drop
10 chain=forward dst-address=0.0.0.0/8 action=drop
11 chain=forward src-address=127.0.0.0/8 action=drop
12 chain=forward dst-address=127.0.0.0/8 action=drop
13 chain=forward src-address=224.0.0.0/3 action=drop
14 chain=forward dst-address=224.0.0.0/3 action=drop
15 chain=forward protocol=tcp action=jump jump-target=tcp
16 chain=forward protocol=udp action=jump jump-target=udp
17 chain=forward protocol=icmp action=jump jump-target=icmp
18 ;;; deny TFTP
chain=tcp protocol=tcp dst-port=69 action=drop
19 ;;; deny RPC portmapper
chain=tcp protocol=tcp dst-port=111 action=drop
20 ;;; deny RPC portmapper
chain=tcp protocol=tcp dst-port=135 action=drop
21 ;;; deny NBT
chain=tcp protocol=tcp dst-port=137-139 action=drop
22 ;;; deny cifs
chain=tcp protocol=tcp dst-port=445 action=drop
23 ;;; deny NFS
chain=tcp protocol=tcp dst-port=2049 action=drop
24 ;;; deny NetBus
chain=tcp protocol=tcp dst-port=12345-12346 action=drop
25 ;;; deny NetBus
chain=tcp protocol=tcp dst-port=20034 action=drop
26 ;;; deny BackOriffice
chain=tcp protocol=tcp dst-port=3133 action=drop
27 ;;; deny DHCP
chain=tcp protocol=tcp dst-port=67-68 action=drop
28 ;;; deny TFTP
chain=udp protocol=udp dst-port=69 action=drop
29 ;;; deny PRC portmapper
chain=udp protocol=udp dst-port=111 action=drop
30 ;;; deny PRC portmapper
chain=udp protocol=udp dst-port=135 action=drop
31 ;;; deny NBT
chain=udp protocol=udp dst-port=137-139 action=drop
32 ;;; deny NFS
chain=udp protocol=udp dst-port=2049 action=drop
33 ;;; deny BackOriffice
chain=udp protocol=udp dst-port=3133 action=drop
34 ;;; drop invalid connections
chain=icmp protocol=icmp icmp-options=0:0 action=accept
35 ;;; allow established connections
chain=icmp protocol=icmp icmp-options=3:0 action=accept
36 ;;; allow already established connections
chain=icmp protocol=icmp icmp-options=3:1 action=accept
37 ;;; allow source quench
chain=icmp protocol=icmp icmp-options=4:0 action=accept
38 ;;; allow echo request
chain=icmp protocol=icmp icmp-options=8:0 action=accept
39 ;;; allow time exceed
chain=icmp protocol=icmp icmp-options=11:0 action=accept
40 ;;; allow parameter bad
chain=icmp protocol=icmp icmp-options=12:0 action=accept
41 ;;; deny all other types
chain=icmp action=drop
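Filter rules that implement the isolation asked for above, added here as an example and not taken from the post: they accept one guest host into LAN1, drop the rest of the guest-to-LAN1 traffic, and log what is dropped so blocked attempts are visible. Assumptions: 10.1.1.50 is a placeholder for the tunnelling computer, LAN1 and LAN2 are separately routed interfaces as the route table shows, and the rules are inserted after the existing established/related accepts (rule 8) so return traffic of LAN1-initiated sessions is untouched.

```routeros
# Added example, not from the original post. Placeholder: 10.1.1.50 is the one
# guest computer allowed into LAN1; replace it with the real address (and give
# that host a static DHCP lease so the address cannot drift to another machine).
/ip firewall filter

# 1. Drop guest -> LAN1 traffic. Inserted before existing rule 9, i.e. right
#    after the established/related accepts, so replies to sessions that LAN1
#    hosts opened towards the guest side keep flowing.
add chain=forward in-interface=LAN2 out-interface=LAN1 action=drop \
    comment="isolate guest network from LAN1" place-before=9

# 2. Allow the single permitted host. Also inserted before rule 9, which puts it
#    ahead of the drop rule just added (order matters: accept must come first).
add chain=forward in-interface=LAN2 out-interface=LAN1 src-address=10.1.1.50 \
    action=accept comment="allow tunnel host from guest into LAN1" place-before=9

# 3. Visibility: log anything else from the guest side headed for LAN1 before
#    it is dropped, so misconfigured or misbehaving guest hosts show up in /log.
#    After step 2 the drop rule sits at 10; the log rule goes in front of it.
add chain=forward in-interface=LAN2 out-interface=LAN1 action=log \
    log-prefix="guest->LAN1 blocked" place-before=10

# Verify the resulting order: accept, then log, then drop.
print where chain=forward in-interface=LAN2
```

If the two interfaces really are ports of one bridge, the forward chain of /ip firewall does not see traffic between them unless /interface bridge settings has use-ip-firewall=yes, or the equivalent rules are written as bridge filter rules instead.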