Jump to content
  • 0

Guest Wifi без достъп до лан мрежата


walkingcurs3

Question

walkingcurs3

Здравейте искам да блокирам мрежата за гости да няма достъп до мрежата в който има Nas сървар. Обаче не ми се получи нещо 

VPN - 192.168.20.0/24

LAN - 192.168.10.0/24

GUEST - 192.168.30.0/24

Прилагам и конфигурация на firewall-а интересното че тези правила работеха преди....

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input comment="Allow HTTPS" dst-port=443 log=yes protocol=tcp
add action=accept chain=input comment="Allow winbox" dst-port=8291 log=yes protocol=tcp
add action=accept chain=input comment="[Custom] allow connections from VPN network" log=yes src-address=192.168.20.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address=192.168.10.0/24 src-address=192.168.30.0/24
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=192.168.30.0/24
add action=drop chain=forward dst-address=192.168.30.0/24 src-address=192.168.10.0/24
add action=drop chain=forward dst-address=192.168.30.0/24 src-address=192.168.20.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

 

Link to post
Share on other sites

2 answers to this question

Recommended Posts

  • 0
JohnTRIVOLTA

/ip route rule

add src-address=192.168.30.0/24 dst-address=192.168.10.0/24 action=drop table=main

add src-address=192.168.30.0/24 dst-address=192.168.20.0/24 action=drop table=main

 

 

Link to post
Share on other sites
  • 0
yHuKyM

 

Блокираш им всичко от GUEST към различно от WAN

/ip route firewall filter

add action=drop chain=forward comment="block guests to everything but wan" in-interface-list=GUEST out-interface-list=!WAN

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.