
hAP AC lite firewall


s_kolew

Question

Hello,

I am trying to separate the ports on the hAP AC. I have two bridges, WiFi and lan, where WiFi has the addresses 10.1.1.0/24 and LAN 10.1.2.0/24. I am trying to make a rule that blocks requests from LAN to WiFi and vice versa, but for some reason I have no explanation why it doesn't work. Here is the firewall:

admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix=""

 2    ;;; defconf: accept establieshed,related
      chain=input action=accept connection-state=established,related log=no log-prefix=""

 3    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 log=no log-prefix=""

 4    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

 5    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix=""

 6    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix=""

 7    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""

 8    chain=forward action=drop src-address=10.1.2.0/24 dst-address=10.1.1.0/24 log=no log-prefix=""
[admin@MikroTik] >


And the result:

s_kolew@s-kolewT510:~$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.88.1    0.0.0.0         UG        0 0          0 wlan0
10.1.1.0        10.1.2.1        255.255.255.0   UG        0 0          0 eth0
10.1.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.88.0    0.0.0.0         255.255.255.0   U         0 0          0 wlan0
s_kolew@s-kolewT510:~$ ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=0.328 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=64 time=0.495 ms
^C
--- 10.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.328/0.411/0.495/0.085 ms
s_kolew@s-kolewT510:~$


These are the interfaces:

admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.1.2.1/24        10.1.2.0        bridge_lan
 1   10.1.1.1/24        10.1.1.0        bridge_wifi
[admin@MikroTik] > interface bridge print
Flags: X - disabled, R - running
 0  R ;;; defconf
      name="bridge_lan" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled mac-address=6C:3B:6B:44:23:3A protocol-mode=rstp priority=0x8000 auto-mac=no admin-mac=6C:3B:6B:44:23:3A max-message-age=20s forward-delay=15s
      transmit-hold-count=6 ageing-time=5m

 1  R name="bridge_wifi" mtu=auto actual-mtu=1500 l2mtu=1600 arp=enabled mac-address=6C:3B:6B:44:23:3D protocol-mode=rstp priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
      transmit-hold-count=6 ageing-time=5m
[admin@MikroTik] >


I can't quite explain to myself why the rules don't work. I tried moving them higher up, same thing. I also tried it like this:

[admin@MikroTik] > ip firewall export
# jan/02/1970 01:17:41 by RouterOS 6.33.5
# software id = D0LG-LI81
#
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward in-interface=bridge_lan out-interface=bridge_wifi
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
[admin@MikroTik] >

And like this it still doesn't work:

[admin@MikroTik] > ip firewall export
# jan/02/1970 01:20:09 by RouterOS 6.33.5
# software id = D0LG-LI81
#
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=input dst-address=10.1.1.0/24 in-interface=bridge_lan src-address=10.1.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
[admin@MikroTik] >

Give me an idea of where I might be going wrong. Could it be because these IPs are on the same interfaces, even though I am still specifying a Source and Destination network?

Thanks in advance


2 answers to this question


I'm dumb, please ignore the question. I realised I have a rule that lets ICMP through a bit higher up. Like this it works like a charm:


/ip firewall filter
add action=drop chain=input dst-address=10.1.1.0/24 in-interface=bridge_lan src-address=10.1.2.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept establieshed,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1

P.S. While digging around I saw many places show it with the forward chain, but for me at least forward didn't work :)


Administrator

22 hours ago, s_kolew wrote:

P.S. While digging around I saw many places show it with the forward chain, but for me at least forward didn't work :)

It works, it works... as long as you have set the 2 rules up correctly and they are moved high enough "up"!
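Added example, not code from either poster: a small first-match simulator for RouterOS `/ip firewall filter` export lines, run over the rule orderings from this thread. It assumes the packet destination decides the chain (the router's own addresses go through input, transit traffic through forward), which is why the ping to 10.1.1.1 in the question never reached the forward-chain rule, and it constructs a second ping to a hypothetical WiFi host 10.1.1.50 to show the forward rule firing.

```python
# Added example, not code from the forum thread: a first-match simulator for
# RouterOS "/ip firewall filter" export lines, showing why rule order and the
# chain a packet traverses (input vs. forward) decide whether the drop fires.
import ipaddress
import shlex
ROUTER_IPS = {"10.1.2.1", "10.1.1.1"}  # from the "ip address print" output above
# Rules quoted from the thread's exports (defconf WAN rules omitted; they never match here).
ACCEPT_ICMP = 'add chain=input comment="defconf: accept ICMP" protocol=icmp'
ACCEPT_EST = 'add chain=input comment="defconf: accept established,related" connection-state=established,related'
DROP_INPUT = 'add action=drop chain=input dst-address=10.1.1.0/24 in-interface=bridge_lan src-address=10.1.2.0/24'
FASTTRACK = 'add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related'
ACCEPT_FWD = 'add chain=forward comment="defconf: accept established,related" connection-state=established,related'
DROP_FWD = 'add action=drop chain=forward in-interface=bridge_lan out-interface=bridge_wifi'
FIRST_TRY = "\n".join([ACCEPT_ICMP, ACCEPT_EST, FASTTRACK, ACCEPT_FWD, DROP_INPUT])  # drop appended last
WORKING = "\n".join([DROP_INPUT, ACCEPT_ICMP, ACCEPT_EST, FASTTRACK, ACCEPT_FWD])    # drop moved to the top
FORWARD_TRY = "\n".join([ACCEPT_ICMP, ACCEPT_EST, FASTTRACK, ACCEPT_FWD, DROP_FWD])  # forward-chain variant
MATCHERS = {  # how each supported matcher compares a rule value with a packet
    "protocol": lambda v, p: p["protocol"] == v,
    "in-interface": lambda v, p: p["in"] == v,
    "out-interface": lambda v, p: p["out"] == v,
    "src-address": lambda v, p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v),
    "dst-address": lambda v, p: ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(v),
    "connection-state": lambda v, p: p["state"] in v.split(","),
}

def parse_rules(export_text):
    """Turn 'add key=value ...' lines into dicts, preserving export order."""
    rules = []
    for line in export_text.splitlines():
        if line.startswith("add "):
            rule = {"action": "accept"}  # RouterOS default when action= is omitted
            rule.update(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            rules.append(rule)
    return rules

def evaluate(export_text, pkt):
    """Walk the packet's chain top to bottom; the first matching rule wins."""
    # Traffic addressed to the router itself goes through input; transit traffic through forward.
    chain = "input" if pkt["dst"] in ROUTER_IPS else "forward"
    for rule in parse_rules(export_text):
        if rule["chain"] != chain:
            continue
        matchers = [k for k in rule if k not in ("chain", "action", "comment")]
        # Unsupported matchers count as non-matching so the simulator never over-claims a hit.
        if all(k in MATCHERS and MATCHERS[k](rule[k], pkt) for k in matchers):
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain (implicit accept)"

# Constructed packets: the thread's ping to the router's WiFi address, and one to a hypothetical WiFi host.
PING_ROUTER = {"protocol": "icmp", "src": "10.1.2.5", "dst": "10.1.1.1", "in": "bridge_lan", "out": "", "state": "new"}
PING_HOST = dict(PING_ROUTER, dst="10.1.1.50", out="bridge_wifi")
```

Testing against the router's own address only exercises the input chain, so a forward-chain drop is never consulted; pinging a host on the other bridge is the check that shows whether LAN-to-WiFi transit is actually blocked.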
