Please Help - how to block access to the mikrotik intervlanrouting
Posted: Mon Feb 27, 2017 5:23 pm
by VlanLearner
Hello everybody,
After Sob and yogender helped me to isolate the VLANs from one another (THANKS!!!), I would now like to prevent access to the MikroTik from within the same LAN.
The admin client is in VLAN5 (= 172.16.5.0/24). The MikroTik router has the IP 172.16.5.254 in the admin VLAN5. The admin should of course be able to access the MikroTik, but all other VLANs should not!
VLAN 10 - 200: 172.16.10.0/24 -> 172.16.200.0/24
MikroTik VLAN DHCP and gateway IPs: 172.16.10.254 -> 172.16.200.254
VLAN5 client to 172.16.5.254 -> accept
VLAN10 clients to 172.16.10.254 -> drop
VLAN20 clients to 172.16.20.254 -> drop
...
VLAN200 clients to 172.16.200.254 -> drop
What do you think of these rules and in this order:
/ip firewall filter add chain=input in-interface=adminVLAN5 action=accept
/ip firewall filter add chain=input in-interface=all-vlan action=drop
I would be happy about every tip!
Greetings VlanLearner
Excuse me for my bad English (Google translation).
Re: Please Help - how to block access to the mikrotik intervlanrouting
Posted: Mon Feb 27, 2017 6:29 pm
by Sob
Did you test the rules you posted? They look exactly as what you need.
Re: Please Help - how to block access to the mikrotik intervlanrouting
Posted: Mon Feb 27, 2017 7:53 pm
by ploquets
Yes, if you want to block access like, winbox... you can do it in
/ip firewall filter
Assuming that your router (the one you want to prevent access) is the Gateway, you need to create input rules to accept from those you want to grant access.
And after, you deny (action=drop) from everyone else.
Example for winbox:
/ip firewall filter
add chain=input src-address=XXX.XXX.XXX.XXX/XX protocol=tcp dst-port=8291 action=accept
add chain=input protocol=tcp dst-port=8291 action=drop
Where
XXX.XXX.XXX.XXX/XX is the Source IP you want to grant access.
If multiple IPs are needed, you can create an address-list and use the field
src-address-list and put all IPs in that list.
Re: Please Help - how to block access to the mikrotik intervlanrouting
Posted: Mon Feb 27, 2017 10:28 pm
by VlanLearner
Thank you all!
@sob - I am doing a lot of my testing remotely via OpenVPN, therefore I am very careful. I am so glad that I am beginning to understand firewall rules.
@ploquets
XXX.XXX.XXX.XXX/XX is not a single IP but an expression for a subnet incl. subnet mask? e.g. 192.168.10.0/24
- Do I need 172.16.5.254/24 or just the IP 172.16.5.254?
- Should I insert your rules before or after the mentioned above rules or is it unimportant?
Thank You again
VlanLearner
Re: Please Help - how to block access to the mikrotik intervlanrouting
Posted: Mon Feb 27, 2017 11:02 pm
by ploquets
> Thank you all!
> @sob - I am doing a lot of my testing remotely via OpenVPN, therefore I am very careful. I am so glad that I am beginning to understand firewall rules.
> @ploquets
> XXX.XXX.XXX.XXX/XX is not a single IP but an expression for a subnet incl. subnet mask? e.g. 192.168.10.0/24
> - Do I need 172.16.5.254/24 or just the IP 172.16.5.254?
> - Should I insert your rules before or after the mentioned above rules or is it unimportant?
> Thank You again
> VlanLearner
The XXX.XXX.XXX.XXX/XX is for the Source IP that is allowed to login. If you have a whole subnet that you want to allow, then use with the /24 or the respective mask of your subnet.
If only your computer is allowed to admin the RB, then, you should only use your PC IP (with /32 mask or with no mask at all)
Those rules I've mentioned above are there to achieve the allowing (exceptions) and the blocking of everyone else (except the exceptions in the first rule).
If you use your rules and they work as you need, then you probably won't need more rules to do the same thing again.
Re: Please Help - how to block access to the mikrotik intervlanrouting
Posted: Mon Feb 27, 2017 11:53 pm
by Sob
> - Should I insert your rules before or after the mentioned above rules or is it unimportant?
Order of rules is very important. Once a rule matches a packet, further rules are not processed. The exception is "/ip firewall mangle" and rules with passthrough=yes. So if you want to play it safe, add an accept rule to the input chain with your remote address, and put it before all others. Then even if you mess up something down the chain, you'll still be able to connect.
Re: Please Help - how to block access to the mikrotik intervlanrouting
Posted: Wed Mar 01, 2017 12:30 am
by VlanLearner
Hello everybody,
Finally, I would ask you to check my firewall rules. They are there to give the admin access to all VLANs and to the MikroTik. The client VLANs must not have contact with one another and must not reach the MikroTik router.
For information:
The actual firewall (pfSense) is behind the modem and before the MikroTik.
Modem -> pfSense (firewall, DNS resolver, Squid with SquidGuard, NAT) -> MikroTik (no NAT, router + DHCP server) -> VLANs -> clients
Sorry for my bad English!
Greetings VlanLearner
Re: Please Help - how to block access to the mikrotik intervlanrouting
Posted: Fri Mar 03, 2017 1:16 am
by Sob
It's better to post a text export (created by "/export" in the terminal), because WinBox does not necessarily show all fields. But based on what you asked about, I assume you don't have any hidden extras, and it looks ok. It will do:
1) Forwarding: Block between VLANs, except when source is VLAN5. Allow everything else.
2) Input: Block from VLANs, except when source is VLAN5 (any traffic) or 172.16.5.0/24 (just tcp/8291). Block tcp/8291 from ether1. Allow everything else.
When you look at it, it's really simple, the rules are self-explanatory.
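A complete ruleset implementing the two-point summary above, plus ploquets' address-list suggestion and Sob's "safety net first" ordering advice. This is an added example, not VlanLearner's actual export; it assumes RouterOS v6 syntax as used in the thread (the all-vlan pseudo-interface), the interface names adminVLAN5 and ether1 from the thread, an address list named winbox-admins, and a placeholder REMOTE_ADMIN_IP for the OpenVPN admin address.

```routeros
# Added example (not the original poster's configuration).
# Placeholders: REMOTE_ADMIN_IP = the address you administer from over OpenVPN.
# Assumed names: address list "winbox-admins"; interfaces adminVLAN5, ether1 as in the thread.

/ip firewall address-list
add list=winbox-admins address=172.16.5.0/24 comment="admin subnet allowed to use WinBox"

/ip firewall filter
# 0. Safety net, first in the input chain (Sob's advice): a remote admin
#    session survives even if a later rule is wrong.
add chain=input src-address=REMOTE_ADMIN_IP action=accept comment="remote admin safety net"

# 1. Forward chain: replies to admin-initiated connections must be allowed
#    back, otherwise the VLAN->VLAN drop below kills the return traffic.
add chain=forward connection-state=established,related action=accept comment="return traffic"
#    Admin VLAN may reach every VLAN; client VLANs may not reach each other.
#    Everything else (e.g. VLAN -> ether1 -> pfSense) is allowed by default.
add chain=forward in-interface=adminVLAN5 action=accept comment="admin VLAN to all VLANs"
add chain=forward in-interface=all-vlan out-interface=all-vlan action=drop comment="isolate client VLANs"

# 2. Input chain: admin VLAN (any traffic) and the winbox-admins list
#    (tcp/8291 only) may talk to the router; all other VLANs are dropped,
#    and WinBox is not reachable from the uplink ether1.
add chain=input in-interface=adminVLAN5 action=accept comment="admin VLAN to router"
add chain=input src-address-list=winbox-admins protocol=tcp dst-port=8291 action=accept comment="WinBox from admin list"
add chain=input in-interface=all-vlan action=drop comment="other VLANs to router"
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 action=drop comment="no WinBox from uplink"
```

Check the result with "/ip firewall filter print stats" while connecting from a client VLAN: the packet counters on the two drop rules should increase and the connection must fail.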
Re: Please Help - how to block access to the mikrotik intervlanrouting
Posted: Sat Mar 04, 2017 7:51 pm
by VlanLearner
Hello Sob,
Thank You once more!!
Everything is working just fine.
Best greetings
vlanlearner