Community discussions

marianob85
just joined
Topic Author
Posts: 20
Joined: Wed Feb 08, 2017 9:47 pm

Isolate only one local subnet and access to it via masquerade

Thu May 04, 2017 9:54 pm

Hi,

I'm stuck with my network configuration.
I would like to have 2 subnets: one for my home network and second for IP monitoring.

But the 'monitoring' subnet should not have access to my home network, while I would like to have access to the monitoring network from my home network.
Shortly:
 /ip address> print
 0   192.168.11.1/24    192.168.11.0    Eth1-Lan
 1   192.168.12.1/24    192.168.12.0    Eth2-Monitoring
Eth2-Monitoring should be isolated (and only have access to the internet), and Eth1-Lan should have access to Eth2-Monitoring via src-nat (I think).
My first quick try was to drop connections between those 2 networks and add masquerade for out-interface Eth2-Monitoring, but it fails.

Can anyone tell me how such a thing should be correctly configured? Is it even possible to do something like that?

Details:
 /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.8.1               1
 1 ADC  192.168.11.0/24    192.168.11.1    Eth1-Lan                  0
 2 ADC  192.168.12.0/24    192.168.12.1    Eth2-Monitoring           0
Thanks,
Mariusz
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Isolate only one local subnet and access to it via masquerade

Fri May 05, 2017 12:31 pm

/ip firewall filter
add chain=forward src-address=192.168.12.0/24 dst-address=192.168.11.0/24 connection-state=established,related action=accept
add chain=forward src-address=192.168.12.0/24 dst-address=192.168.11.0/24 connection-state=new,invalid action=drop
add chain=input src-address=192.168.12.0/24 protocol=!icmp action=drop
The first two rules drop everything from 192.168.12.0/24 to 192.168.11.0/24 but accept connections which were initiated from 192.168.11.0/24.
The third rule drops every connection attempt to your router from that network but accepts icmp. Beware that this also drops DNS requests from this network - if your router is also the DNS server for those networks, add an accept rule for udp/53 before the third rule.
No need for masquerading as long as your router is the default gateway for both networks.
-Chris
 
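As an added example (editor's code, not part of the thread and not MikroTik's own), the rule set from the answer above written out in full with the udp/53 exception Chris mentions and with ICMP accepted in the input chain only. The interface names and subnets are taken from the OP's /ip address print; the assumption that the router is the default gateway and the DNS resolver for both subnets, the rule comments, and the decision to drop all remaining Monitoring->LAN traffic without a connection-state match are mine.

```routeros
# Added example (not from the thread). Assumes, as in the OP's address list:
#   Eth1-Lan        = 192.168.11.0/24  (home network)
#   Eth2-Monitoring = 192.168.12.0/24  (isolated, internet-only)
# and that the router is the default gateway and DNS resolver for both.
# Rules are evaluated top-down, so the order below matters.

/ip firewall filter

# --- forward chain: Monitoring -> LAN ---
# Replies to connections that the LAN opened into Monitoring must be let back.
add chain=forward src-address=192.168.12.0/24 dst-address=192.168.11.0/24 \
    connection-state=established,related action=accept \
    comment="Monitoring->LAN: replies to LAN-initiated connections only"

# Everything else from Monitoring into LAN is dropped. No connection-state
# match here, so new, invalid and untracked packets are all caught.
add chain=forward src-address=192.168.12.0/24 dst-address=192.168.11.0/24 \
    action=drop comment="Monitoring->LAN: drop all other traffic"

# LAN -> Monitoring and Monitoring -> internet need no rules of their own:
# the router forwards them by default, and because it is the gateway for
# both subnets no src-nat/masquerade between them is required.

# --- input chain: Monitoring -> the router itself ---
# Accepts must sit above the final drop.
add chain=input src-address=192.168.12.0/24 protocol=udp dst-port=53 \
    action=accept comment="Monitoring->router: DNS (only if router is the resolver)"
add chain=input src-address=192.168.12.0/24 protocol=icmp \
    action=accept comment="Monitoring->router: ping for troubleshooting"
add chain=input src-address=192.168.12.0/24 \
    action=drop comment="Monitoring->router: drop everything else (WinBox, SSH, web, ...)"
```

Two points worth checking after pasting this in. First, ICMP is accepted only towards the router; accepting ICMP in the forward chain as well would let monitoring hosts ping LAN hosts, which the isolation goal excludes, so leave it out unless that is wanted. Second, on a router that already carries the default firewall, the new rules must sit above any existing broad accept rules; check the order with `/ip firewall filter print`, reposition with `/ip firewall filter move`, and confirm the drops are actually hit by reading the counters in `/ip firewall filter print stats` while a monitoring host tries to reach a LAN address.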
marianob85
just joined
Topic Author
Posts: 20
Joined: Wed Feb 08, 2017 9:47 pm

Re: Isolate only one local subnet and access to it via masquerade

Fri May 05, 2017 4:10 pm

Awesome. Thank you!

One thing about icmp: I needed to modify the second rule to get it to work.
14 X  chain=forward action=accept connection-state=established,related src-address=192.168.12.0/24 dst-address=192.168.11.0/24 l
15 X  chain=forward action=drop connection-state=invalid,new protocol=!icmp src-address=192.168.12.0/24 dst-address=192.168.11.0
16 X  chain=input action=drop protocol=!icmp src-address=192.168.12.0/24 log=no log-prefix=""