I guess the way I do it is by creating deny actions involving communication between subnets, e.g.:

/ip firewall filter
add action=drop chain=forward disabled=no dst-address=192.168.2.0/28 src-address=192.168.1.0/24
add action=drop chain=forward disabled=no dst-address=192.168.1.0/24 src-address=192.168.2.0/28

From there you could create some rules preventing Winbox, Telnet, etc access to the router on your "public AP subnet". I've done this on one of my routers with masquerade rules and it works fine. I can't see or talk to the other subnet.

Rory McCann
Minn-Kota Ag Products
P: 701-403-4877 | E: r...@mkap.com


On 6/6/2012 9:01 AM, Josh Luthman wrote:
Doing that now with an address list.  It feels messy, though.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On Jun 6, 2012 9:59 AM, "Scott Reed"<sr...@nwwnet.net>  wrote:

Deny those addresses before the accept the port


On 6/6/2012 9:34 AM, Josh Luthman wrote:

That would let them snoop on the office network.

Josh Luthman
On Jun 6, 2012 7:50 AM, "Scott Reed"<sr...@nwwnet.net>   wrote:

  What about accept src-address=172.31.31.0/24 out-interface=WAN
and deny everything else?

On 6/6/2012 1:20 AM, Josh Luthman wrote:

I have an unsecured wifi (virtual AP) on my home router.  I don't mind
people using it.  I do want to make it impossible for them to ever
reach anything they shouldn't.  If I do a new subnet on ether5 or my
known subnet on ether2 (home LAN).

I was thinking I could do something like accept
src-address=172.31.31.0/24 dst-address=gateway and then drop
everything else with that src but if it's masqueraded, would that
work?  Doesn't seem to, but I haven't tested it thoroughly.

Any other suggestions or methods to try?

Josh Luthman
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS





  --
Scott Reed
Owner
NewWays Networking, LLC
Wireless Networking
Network Design, Installation and Administration



Mikrotik Advanced Certified

www.nwwnet.net
(765) 855-1060
(765) 439-4253
(855) 231-6239
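
The approach discussed in this thread, written out as one RouterOS rule set (an added example, not posted by anyone in the thread). It takes the guest subnet 172.31.31.0/24 and the interface name WAN from the messages above; the address-list name guest-blocked, the private ranges in it, and the router serving DNS and DHCP to guests are assumptions.

```routeros
# Added example. "guest-blocked" is a made-up list name; WAN and
# 172.31.31.0/24 are the names used in the thread.
/ip firewall address-list
add list=guest-blocked address=10.0.0.0/8 comment="private ranges guests must not reach"
add list=guest-blocked address=172.16.0.0/12
add list=guest-blocked address=192.168.0.0/16

/ip firewall filter
# Rules are matched top to bottom and "add" appends at the end, so any
# earlier accept rule in the same chain wins; check with "print".

# forward chain: traffic routed THROUGH the router.
# 1. Deny private destinations first, so a private network that sits
#    upstream of WAN is not reachable either.
add chain=forward action=drop src-address=172.31.31.0/24 dst-address-list=guest-blocked comment="guest: no private destinations"
# 2. Then allow guests out to the internet only.
add chain=forward action=accept src-address=172.31.31.0/24 out-interface=WAN comment="guest: internet only"
# 3. Anything else from guests (home LAN on ether2, other subnets) is dropped.
add chain=forward action=drop src-address=172.31.31.0/24 comment="guest: drop all other forwarding"

# input chain: traffic TO the router itself (Winbox, Telnet, SSH, ...).
# Allow only DNS and DHCP (assumed to be served by the router), drop the rest.
add chain=input action=accept src-address=172.31.31.0/24 protocol=udp dst-port=53,67 comment="guest: DNS and DHCP"
add chain=input action=accept src-address=172.31.31.0/24 protocol=tcp dst-port=53 comment="guest: DNS over TCP"
add chain=input action=drop src-address=172.31.31.0/24 comment="guest: no router management"

/ip firewall nat
# srcnat is applied after the forward filter, so the filter rules above
# still see the original 172.31.31.x source address.
add chain=srcnat action=masquerade src-address=172.31.31.0/24 out-interface=WAN
```

Because every rule matches on the guest source address, replies coming back from the internet to guests are not affected, while replies from guests to connections opened from other local subnets are dropped by rule 3.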

