tombutt
just joined
Topic Author
Posts: 3
Joined: Tue Jun 22, 2010 11:10 pm

Traffic Between Multiple LAN Interfaces

Thu Jun 24, 2010 10:34 pm

Hi all. Been watching the forums for a while now and been able to use prior posts to help my cause, but I've come to a dead end on this one :-P

Basically, I have one WAN interface to public IPs. And 3 LAN interfaces that each go to a different subnet network. What I'd like to achieve is complete isolation of each interface. The LAN interfaces cannot talk to each other -- only WAN. We're moving from physical segmented networks with two firewalls to one firewall and would like to keep them separated.

For the time being, I've just added a reject forward rule for each interface so they don't talk. But is there a better way? Is this even possible? Was thinking of using VLANs or some routing rules.

Any help would be greatly appreciated :) Thanks!!
 
mrz
MikroTik Support
Posts: 7188
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Traffic Between Multiple LAN Interfaces

Mon Jun 28, 2010 12:01 pm

Set up firewall to block communication between lan segments.
 
bafh
Frequent Visitor
Posts: 83
Joined: Sun Jun 27, 2010 3:59 pm
Location: Libau, Lettland

Re: Traffic Between Multiple LAN Interfaces

Mon Jun 28, 2010 1:28 pm

Yep. Same here, just added some rules that 192.168.0.0/24 cannot access 192.168.1.0/25 and other way around. Easy.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Traffic Between Multiple LAN Interfaces

Mon Jun 28, 2010 4:51 pm

Another way to isolate all LAN segments from one another regardless of IP addressing is to keep state for connection and allow established traffic, and then drop everything that is going through the router and isn't destined to the WAN:
/ip firewall filter 
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward out-interface=!WAN action=drop 
 
bafh
Frequent Visitor
Posts: 83
Joined: Sun Jun 27, 2010 3:59 pm
Location: Libau, Lettland

Re: Traffic Between Multiple LAN Interfaces

Mon Jun 28, 2010 7:29 pm

Isn't that like scratching left leg with right hand? :?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Traffic Between Multiple LAN Interfaces

Mon Jun 28, 2010 7:31 pm

What?
 
bafh
Frequent Visitor
Posts: 83
Joined: Sun Jun 27, 2010 3:59 pm
Location: Libau, Lettland

Re: Traffic Between Multiple LAN Interfaces

Mon Jun 28, 2010 8:01 pm

There are at least a couple of ways to filter something, but IMHO the best way is the simplest one, that doesn't use all the CPU and memory. Am I wrong?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Traffic Between Multiple LAN Interfaces

Mon Jun 28, 2010 8:10 pm

I believe that my way is the fastest and uses the least resources, as long as connection tracking is on (and it is required for NAT, so it's turned on on the vast majority of routers).

Looking up connection state is a very quick operation and can happen right at the top of the chain, so for the vast majority of packets you're processing exactly one rule. When you have more than one LAN interface, it's faster to just look up the out-interface as one property of each packet (each packet that hasn't been processed by the connection state rules further up, which should be less than 5% of all packets even in horrible circumstances) than to potentially process several rules enlisting all the possible source and destination addresses on the several LAN interfaces.
 
tombutt
just joined
Topic Author
Posts: 3
Joined: Tue Jun 22, 2010 11:10 pm

Re: Traffic Between Multiple LAN Interfaces

Mon Jun 28, 2010 9:07 pm

Thanks for the great replies. I'm going to give fewi's approach a try and will report back :) Over the weekend I managed to set up routing rules that seemed to segment traffic fine, but would still like to see the outcome of using connection states.
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: Traffic Between Multiple LAN Interfaces

Mon Jun 28, 2010 11:43 pm

Another way to isolate all LAN segments from one another regardless of IP addressing is to keep state for connection and allow established traffic, and then drop everything that is going through the router and isn't destined to the WAN:
/ip firewall filter 
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward out-interface=!WAN action=drop 
Quite clever and efficient if I may say so :)

I think the above will also block any port-forwarding from internet to LAN.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Traffic Between Multiple LAN Interfaces

Tue Jun 29, 2010 12:04 am

Yes, it does. If you needed services you'd have to insert accepts just above the drop. For example, if you wanted port tcp/5900 open towards 192.168.1.100 after destination NAT this would become:
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward protocol=tcp dst-port=5900 dst-address=192.168.1.100 action=accept
add chain=forward out-interface=!WAN action=drop 
I know you know that, but just for other people reading along.
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: Traffic Between Multiple LAN Interfaces

Thu Nov 11, 2010 12:58 pm

Here's another way to do it:
add action=reject chain=forward comment="Drop traffic between LAN interfaces" disabled=no \
    dst-address-list=PrivateSubnets in-interface=!ether2-WAN reject-with=icmp-admin-prohibited
The PrivateSubnets list comprises the LAN subnets.
 
chippers
newbie
Posts: 28
Joined: Tue Apr 02, 2013 7:45 am

Re: Traffic Between Multiple LAN Interfaces

Tue Apr 02, 2013 8:00 am

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward protocol=tcp dst-port=5900 dst-address=192.168.1.100 action=accept
add chain=forward out-interface=!WAN action=drop
Dragging up an old thread but it's relevant :)

I used the above method successfully with a bridged LAN and WLAN device (192.168.0.x) and a virtual WLAN AP (192.168.55.x) on the same device RB751G.

Now I want to allow the 192.168.55.x range access to the printer on 192.168.0.100; nothing I've tried so far seems to work (accept/allow rules on the input filter for that source range and destination address). :(

Any clues?

Thanks in advance.
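An added example, not code from any poster in this thread: a small Python model of a first-match forward chain, run over the two rule sets posted above (fewi's connection-state chain with the tcp/5900 port-forward accept, and rmichael's single address-list reject) on a handful of constructed flows. Interface names WAN/LAN1/LAN2/LAN3, the addresses outside the thread, the contents of the PrivateSubnets list and the printer accept rule are assumptions; the printer accept is placed in the forward chain above the drop, the same way fewi's port-forward accept is, because LAN-to-LAN traffic transits the router through the forward chain, not input. The model shows three things the posts state or imply: reply packets match the very first rule, a service exception has to sit above the drop, and the address-list variant lets through any destination subnet that was never added to the list, whereas the out-interface drop does not depend on addressing.

```python
# Added example (not from the thread): a toy model of a RouterOS-style
# first-match forward chain. Interface names, the PrivateSubnets contents,
# the printer exception and all sample flows are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: int = 0
    conn_state: str = "new"  # "new", "established" or "related"


# Constructed stand-in for /ip firewall address-list.
ADDRESS_LISTS = {
    "PrivateSubnets": ["192.168.0.0/24", "192.168.1.0/24", "192.168.55.0/24"],
}


def _iface_ok(want, have):
    """RouterOS-style negation: '!WAN' matches any interface except WAN."""
    return have != want[1:] if want.startswith("!") else have == want


def _addr_ok(want, have):
    """Single address or CIDR in `want`; a bare address behaves as a /32."""
    return ip_address(have) in ip_network(want, strict=False)


def matches(rule, pkt):
    """True if every matcher in the rule applies to the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "connection-state" and pkt.conn_state != want:
            return False
        if key == "in-interface" and not _iface_ok(want, pkt.in_iface):
            return False
        if key == "out-interface" and not _iface_ok(want, pkt.out_iface):
            return False
        if key == "protocol" and pkt.proto != want:
            return False
        if key == "dst-port" and pkt.dst_port != want:
            return False
        if key == "src-address" and not _addr_ok(want, pkt.src):
            return False
        if key == "dst-address" and not _addr_ok(want, pkt.dst):
            return False
        if key == "dst-address-list" and not any(
            _addr_ok(net, pkt.dst) for net in ADDRESS_LISTS[want]
        ):
            return False
    return True


def run_chain(rules, pkt):
    """Walk the chain top to bottom; return (verdict, rules evaluated).
    A packet that matches nothing falls through to the chain default, accept."""
    for n, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule["action"], n
    return "accept", len(rules)


# fewi's chain from the thread, plus one constructed accept for chippers's
# printer case (second LAN towards 192.168.0.100), inserted above the drop.
STATEFUL_RULES = [
    {"connection-state": "established", "action": "accept"},
    {"connection-state": "related", "action": "accept"},
    {"protocol": "tcp", "dst-port": 5900, "dst-address": "192.168.1.100", "action": "accept"},
    {"src-address": "192.168.55.0/24", "dst-address": "192.168.0.100", "action": "accept"},
    {"out-interface": "!WAN", "action": "drop"},
]

# rmichael's single rule; his ether2-WAN is renamed WAN so both chains see
# the same packets (assumption).
ADDRESS_LIST_RULES = [
    {"in-interface": "!WAN", "dst-address-list": "PrivateSubnets", "action": "reject"},
]

# Constructed sample flows, one packet each.
FLOWS = {
    "lan1_to_wan_new": Packet("LAN1", "WAN", "192.168.0.10", "203.0.113.5", dst_port=443),
    "wan_to_lan1_reply": Packet("WAN", "LAN1", "203.0.113.5", "192.168.0.10", conn_state="established"),
    "lan1_to_lan2_new": Packet("LAN1", "LAN2", "192.168.0.10", "192.168.55.20", dst_port=445),
    "portfwd_vnc": Packet("WAN", "LAN3", "198.51.100.7", "192.168.1.100", dst_port=5900),
    "portfwd_ssh": Packet("WAN", "LAN3", "198.51.100.7", "192.168.1.100", dst_port=22),
    "wlan_to_printer": Packet("LAN2", "LAN1", "192.168.55.20", "192.168.0.100", dst_port=9100),
    # A LAN subnet nobody added to PrivateSubnets (constructed).
    "lan1_to_unlisted_lan": Packet("LAN1", "LAN3", "192.168.0.10", "10.9.9.9", dst_port=22),
}


def verdicts(rules):
    """(verdict, rules evaluated) for every sample flow, keyed by flow name."""
    return {name: run_chain(rules, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("stateful", STATEFUL_RULES), ("address-list", ADDRESS_LIST_RULES)):
        print(f"== {label} chain ==")
        for name, (verdict, n) in verdicts(rules).items():
            print(f"{name:22} {verdict:7} after {n} rule(s)")
```

Running it shows the established reply accepted at rule 1 in the stateful chain, the tcp/5900 forward accepted at rule 3 while tcp/22 to the same host is dropped at the final rule, and the printer flow accepted only because its accept precedes the drop. In the address-list chain the flow to the unlisted 10.9.9.0/24 segment falls through to accept, which is the "regardless of IP addressing" advantage fewi claims for the out-interface drop.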
