Oct 18, 2016

Mikrotik - firewall isolation

For a home project of mine, I have decided on Mikrotik’s hEX PoE lite due to its awesome capability to power other devices.

Outside of PoE, I needed a standard Internet router – WAN on port 1 and LAN on the other ports – but with a twist. I wanted the LAN ports isolated from each other while still being able to access the WAN. Something you get as a checkbox on almost any wireless box turned out to be non-existent here.

However, the beauty of a more manageable (if more complicated) device is that you can define a lot of the functionality yourself. For this particular scenario, the solution was in adjusting the firewall.

To set up the firewall, the easiest way is to connect via WinBox and open New Terminal. There we can just execute the following commands:

/ip firewall filter
add action=accept chain=forward connection-state=established comment="Allow established"
add action=accept chain=forward connection-state=related comment="Allow related"
add action=accept chain=forward out-interface=ether1 comment="Allow WAN"
add action=drop chain=forward comment="Drop everything else"

The first two rules allow any established or related connection unconditionally. The third allows anything going out to the WAN interface. Packets coming in on that interface will have to be either established or related, so there is no reason for another accept rule there. The final rule drops all other traffic, which includes any new connection from one LAN port to another.

With just these four rules, all LAN ports are isolated while still being capable of Internet access.
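To make the first-match behaviour of these four rules visible without a router at hand, here is an added example (not part of the original post) that models the forward chain in Python and runs constructed packets through it. Interface names other than ether1, and the packet samples, are assumptions for illustration; RouterOS evaluates filter rules top to bottom and accepts a packet that reaches the end of a chain without a match.

```python
"""Simulation of the four-rule RouterOS forward chain from the post.

Added example, not the post's own code. It models first-match rule
evaluation and a few constructed packets to show which flows pass.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

WAN = "ether1"  # the post's WAN port (out-interface=ether1 in rule 3)


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    conn_state: str  # "new", "established", "related" or "invalid"


@dataclass
class Rule:
    action: str
    comment: str
    conn_state: Optional[str] = None  # None = matcher not set on the rule
    out_iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every matcher that is set on the rule must agree with the packet.
        if self.conn_state is not None and pkt.conn_state != self.conn_state:
            return False
        if self.out_iface is not None and pkt.out_iface != self.out_iface:
            return False
        return True


# The post's rules, in the order they were added.
FORWARD_CHAIN = [
    Rule("accept", "Allow established", conn_state="established"),
    Rule("accept", "Allow related", conn_state="related"),
    Rule("accept", "Allow WAN", out_iface=WAN),
    Rule("drop", "Drop everything else"),
]


def evaluate(pkt: Packet, chain=FORWARD_CHAIN) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    # RouterOS default for a packet that matches no rule in the chain.
    return "accept", "implicit accept (end of chain)"


def new_connection_matrix(lan_ifaces):
    """For each (src, dst) interface pair, say whether a NEW flow may start.

    Established/related packets are irrelevant here: a flow only reaches
    those states after its first ("new") packet was allowed through.
    """
    ifaces = [WAN] + list(lan_ifaces)
    matrix = {}
    for src in ifaces:
        for dst in ifaces:
            if src == dst:
                continue
            action, _ = evaluate(Packet(src, dst, "new"))
            matrix[(src, dst)] = action
    return matrix


if __name__ == "__main__":
    # Constructed LAN ports: each is its own routed interface.
    for (src, dst), action in new_connection_matrix(["ether2", "ether3"]).items():
        print(f"new {src} -> {dst}: {action}")
```

Running the matrix shows only the flows toward ether1 are accepted as new connections, while WAN-to-LAN and LAN-to-LAN attempts fall through to the final drop. Two things the model makes easy to see: the forward chain only decides routed traffic, so the isolation holds only when each LAN port is a separate routed interface rather than a member of one bridge or switch group; and rule 3 has no connection-state matcher, so packets conntrack marks as invalid are still accepted toward the WAN, which is why many setups put a drop for connection-state=invalid ahead of it.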
