Disable LAN-LAN bridge except one?

Posted: Tue Apr 10, 2007 6:20 pm
by GlueGuy
Hi,

We have a RB532a with three ethers; WAN, LAN1, & LAN2.

WAN goes to the public internet
LAN1 is internal, private network
LAN2 is the "guest" network

The desired result is to give the guest (LAN1) network access to the WAN, but NOT LAN1, EXCEPT for one computer that is on LAN2 that needs to tunnel into LAN1.

As it is right now, it appears that LAN1 and LAN2 are bridged. Seems like a simple filter rule would allow the one computer into LAN1, but I can't seem to find a suitable example.

Any help out there?

Standard routes are set up like so:
 #     DST-ADDRESS        PREF-SRC        G GATEWAY         DISTANCE INTERFACE
 0 ADC 1.2.3.0/24         1.2.3.22                                   WAN
 1 ADC 192.168.2.0/24     192.168.2.1                                LAN1
 2  DC 10.1.1.0/24        10.1.1.1                                   LAN2
 3 A S 0.0.0.0/0                          r 1.2.3.1                  WAN
We're using pretty much standard firewall rules like so:
[admin@R1] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Drop Invalid connections
     chain=input connection-state=invalid action=drop

 1   ;;; Allow Established connections
     chain=input connection-state=established action=accept

 2   ;;; Allow UDP (no interface match: accepts UDP from any interface, WAN included)
     chain=input protocol=udp action=accept

 3   ;;; Allow ICMP
     chain=input protocol=icmp action=accept

 4   ;;; Allow access to router from any non-WAN interface (this includes the guest LAN2)
     chain=input in-interface=!WAN action=accept

 5   ;;; Drop anything else
     chain=input action=drop

 6   ;;; drop invalid connections
     chain=forward protocol=tcp connection-state=invalid action=drop

 7   ;;; allow already established connections
     chain=forward connection-state=established action=accept

 8   ;;; allow related connections
     chain=forward connection-state=related action=accept

 9   chain=forward src-address=0.0.0.0/8 action=drop

10   chain=forward dst-address=0.0.0.0/8 action=drop

11   chain=forward src-address=127.0.0.0/8 action=drop

12   chain=forward dst-address=127.0.0.0/8 action=drop

13   chain=forward src-address=224.0.0.0/3 action=drop

14   chain=forward dst-address=224.0.0.0/3 action=drop

15   chain=forward protocol=tcp action=jump jump-target=tcp

16   chain=forward protocol=udp action=jump jump-target=udp

17   chain=forward protocol=icmp action=jump jump-target=icmp

18   ;;; deny TFTP
     chain=tcp protocol=tcp dst-port=69 action=drop

19   ;;; deny RPC portmapper
     chain=tcp protocol=tcp dst-port=111 action=drop

20   ;;; deny MS RPC endpoint mapper
     chain=tcp protocol=tcp dst-port=135 action=drop

21   ;;; deny NBT
     chain=tcp protocol=tcp dst-port=137-139 action=drop

22   ;;; deny cifs
     chain=tcp protocol=tcp dst-port=445 action=drop

23   ;;; deny NFS
     chain=tcp protocol=tcp dst-port=2049 action=drop

24   ;;; deny NetBus
     chain=tcp protocol=tcp dst-port=12345-12346 action=drop

25   ;;; deny NetBus
     chain=tcp protocol=tcp dst-port=20034 action=drop

26   ;;; deny BackOrifice
     chain=tcp protocol=tcp dst-port=3133 action=drop

27   ;;; deny DHCP (note: DHCP runs over UDP, so this TCP rule matches no real DHCP traffic)
     chain=tcp protocol=tcp dst-port=67-68 action=drop

28   ;;; deny TFTP
     chain=udp protocol=udp dst-port=69 action=drop

29   ;;; deny RPC portmapper
     chain=udp protocol=udp dst-port=111 action=drop

30   ;;; deny MS RPC endpoint mapper
     chain=udp protocol=udp dst-port=135 action=drop

31   ;;; deny NBT
     chain=udp protocol=udp dst-port=137-139 action=drop

32   ;;; deny NFS
     chain=udp protocol=udp dst-port=2049 action=drop

33   ;;; deny BackOrifice
     chain=udp protocol=udp dst-port=3133 action=drop

34   ;;; allow echo reply
     chain=icmp protocol=icmp icmp-options=0:0 action=accept

35   ;;; allow destination unreachable (network unreachable)
     chain=icmp protocol=icmp icmp-options=3:0 action=accept

36   ;;; allow destination unreachable (host unreachable)
     chain=icmp protocol=icmp icmp-options=3:1 action=accept

37   ;;; allow source quench
     chain=icmp protocol=icmp icmp-options=4:0 action=accept

38   ;;; allow echo request
     chain=icmp protocol=icmp icmp-options=8:0 action=accept

39   ;;; allow time exceed
     chain=icmp protocol=icmp icmp-options=11:0 action=accept

40   ;;; allow parameter bad
     chain=icmp protocol=icmp icmp-options=12:0 action=accept

41   ;;; deny all other types
     chain=icmp action=drop

Posted: Wed Apr 11, 2007 6:08 pm
by GlueGuy
Until someone explained to me the difference between the different chains, specifically the INPUT, OUTPUT, and FORWARD chains, I was pretty much clueless about how this works (no thanks to THIS particular forum).

For the co-clueless, it helps a lot to know that the above mentioned chains work like this:

INPUT = traffic going TO the MikroTik
OUTPUT = traffic going OUT of the MikroTik
FORWARD = traffic going THROUGH the MikroTik

So one simple way to manage this, and assuming that an encrypted tunnel is not required, is to specifically allow the one computer on LAN2 into LAN1 via:
/ip firewall filter add chain=forward src-address=10.1.1.X out-interface=LAN1 action=accept
Then drop any other packets going from LAN2 to LAN1:
/ip firewall filter add chain=forward in-interface=LAN2 out-interface=LAN1 action=drop
I placed these filter rules in the forward list after the rule allowing existing connections. So previously listed forward rules now look like this:

6   ;;; drop invalid connections
    chain=forward protocol=tcp connection-state=invalid action=drop

7   ;;; allow already established connections
    chain=forward connection-state=established action=accept

8   ;;; specifically allow our special computer on the guest LAN
    chain=forward src-address=10.1.1.X out-interface=LAN1 action=accept

9   ;;; drop any other guest LAN access to the private LAN
    chain=forward in-interface=LAN2 out-interface=LAN1 action=drop

10  ;;; allow related connections
    chain=forward connection-state=related action=accept

11   chain=forward src-address=0.0.0.0/8 action=drop

12   chain=forward dst-address=0.0.0.0/8 action=drop

13   chain=forward src-address=127.0.0.0/8 action=drop

14   chain=forward dst-address=127.0.0.0/8 action=drop

15   chain=forward src-address=224.0.0.0/3 action=drop

16   chain=forward dst-address=224.0.0.0/3 action=drop

17   chain=forward protocol=tcp action=jump jump-target=tcp

18   chain=forward protocol=udp action=jump jump-target=udp

19   chain=forward protocol=icmp action=jump jump-target=icmp
Of course this does not preclude setting up an encrypted tunnel of some sort.
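As an added example (not code from the post above and not anything shipped by MikroTik), the model below walks constructed packets through the forward chain exactly as listed in the second post, using first-match evaluation. It assumes the semantics RouterOS applies to its built-in chains: rules are checked in order, the first matching accept or drop decides, a jump whose target chain matches nothing falls back to the next rule of the calling chain, and a packet that reaches the end of a built-in chain with no match is accepted. The interface names are the post's; 10.1.1.50 stands in for the post's 10.1.1.X; the sample flows, the example host addresses and the abbreviated tcp/udp/icmp sub-chains are constructed for this example.

```python
"""First-match model of the post's forward chain (added example, not the post's code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    proto: str = "tcp"          # tcp | udp | icmp
    dport: int = 0
    icmp_type: int = -1
    state: str = "new"          # new | established | related | invalid


@dataclass
class Rule:
    chain: str
    action: str                 # accept | drop | jump
    comment: str = ""
    target: str = ""            # jump target chain
    match: dict = field(default_factory=dict)   # empty dict matches everything


def _match(rule: Rule, pkt: Packet) -> bool:
    for key, want in rule.match.items():
        have = getattr(pkt, key)
        if key in ("src", "dst"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        elif key == "dport":
            lo, hi = want if isinstance(want, tuple) else (want, want)
            if not lo <= have <= hi:
                return False
        elif have != want:
            return False
    return True


def evaluate(chain: str, pkt: Packet, rules: list) -> tuple:
    """Walk one chain in order. Returns (action, comment) from the first matching
    accept/drop, or (None, None) if the chain is exhausted without a decision."""
    for r in (r for r in rules if r.chain == chain):
        if not _match(r, pkt):
            continue
        if r.action == "jump":
            verdict, why = evaluate(r.target, pkt, rules)
            if verdict is not None:
                return verdict, why
            continue                       # user chain fell through: keep going
        return r.action, r.comment
    return None, None


def forward_verdict(pkt: Packet, rules: list) -> tuple:
    verdict, why = evaluate("forward", pkt, rules)
    if verdict is None:                    # built-in chain default: accept
        return "accept", "end of forward chain (implicit accept)"
    return verdict, why


SPECIAL_HOST = "10.1.1.50"   # assumption: stands in for the post's 10.1.1.X

# The second post's forward rules, plus a few representative entries of the
# tcp/udp/icmp sub-chains (the sub-chains are abbreviated, not copied in full).
RULES = [
    Rule("forward", "drop", "drop invalid", match={"proto": "tcp", "state": "invalid"}),
    Rule("forward", "accept", "allow established", match={"state": "established"}),
    Rule("forward", "accept", "allow special guest host into LAN1",
         match={"src": SPECIAL_HOST, "out_if": "LAN1"}),
    Rule("forward", "drop", "drop other guest -> private",
         match={"in_if": "LAN2", "out_if": "LAN1"}),
    Rule("forward", "accept", "allow related", match={"state": "related"}),
    Rule("forward", "drop", "drop loopback source", match={"src": "127.0.0.0/8"}),
    Rule("forward", "jump", target="tcp", match={"proto": "tcp"}),
    Rule("forward", "jump", target="udp", match={"proto": "udp"}),
    Rule("forward", "jump", target="icmp", match={"proto": "icmp"}),
    Rule("tcp", "drop", "deny NBT", match={"dport": (137, 139)}),
    Rule("tcp", "drop", "deny cifs", match={"dport": 445}),
    Rule("udp", "drop", "deny TFTP", match={"dport": 69}),
    Rule("icmp", "accept", "allow echo request", match={"icmp_type": 8}),
    Rule("icmp", "drop", "deny all other ICMP types"),
]


def demo() -> dict:
    """Constructed flows; each value is (verdict, deciding rule comment)."""
    flows = {
        "guest host -> LAN1 http":  Packet("10.1.1.20", "192.168.2.10", "LAN2", "LAN1", dport=80),
        "special host -> LAN1 ssh": Packet(SPECIAL_HOST, "192.168.2.10", "LAN2", "LAN1", dport=22),
        "LAN1 reply -> guest":      Packet("192.168.2.10", "10.1.1.20", "LAN1", "LAN2",
                                           dport=51000, state="established"),
        "guest -> internet https":  Packet("10.1.1.20", "203.0.113.5", "LAN2", "WAN", dport=443),
        "guest -> internet cifs":   Packet("10.1.1.20", "203.0.113.5", "LAN2", "WAN", dport=445),
        "LAN1 ping -> guest":       Packet("192.168.2.10", "10.1.1.20", "LAN1", "LAN2",
                                           proto="icmp", icmp_type=8),
        "LAN1 timestamp -> guest":  Packet("192.168.2.10", "10.1.1.20", "LAN1", "LAN2",
                                           proto="icmp", icmp_type=13),
    }
    return {name: forward_verdict(p, RULES) for name, p in flows.items()}


def without_isolation_rule() -> tuple:
    """Same guest -> LAN1 flow with the explicit LAN2->LAN1 drop removed: the forward
    chain has no terminal drop, so the packet is accepted by the chain default."""
    rules = [r for r in RULES if r.comment != "drop other guest -> private"]
    return forward_verdict(Packet("10.1.1.20", "192.168.2.10", "LAN2", "LAN1", dport=80), rules)


if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print(f"{name:28s} {verdict:7s} ({why})")
    print("guest -> LAN1 with no isolation rule:", without_isolation_rule())
```

Running demo() shows the two things the posted order relies on: the established-accept sits above the LAN2->LAN1 drop, so return traffic for connections LAN1 hosts opened toward the guest LAN still passes, and the guest's own host-by-host exception must sit above the drop to take effect. It also shows what the posted rules do not do: a new connection from LAN1 into the guest LAN (the ping case) is accepted, and any tcp/udp/icmp traffic the sub-chains do not explicitly drop is accepted when it falls off the end of the forward chain, so the guest isolation rests entirely on that one in-interface=LAN2 out-interface=LAN1 drop, as without_isolation_rule() makes visible.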