Two Subnets Separate Interfaces Communication Fix?

Hello, all... thank you for your help in advance.

I have two networks running on a Mikrotik RB450G.  Here's what I wanted to accomplish:

Two subnets on two different interfaces:

eth1: WAN
eth2: LAN
eth5: LAN2
(ports 3 and 4 will be used later for switching)

eth2: LAN subnet: 10.10.23.0/24
eth5: LAN2 subnet: 172.16.23.0/25
Both of these subnets are in the firewall address list under a single name so they may share the firewall filter and nat rules.

I set up separate pools/DHCP servers for both interfaces.  It all seemed to go well except for the fact that I could ping between the subnets!  I was always under the impression they would not be able to communicate.

For example, a machine connected to eth5 received an IP of 172.16.23.124 and was able to ping every address on the other subnet residing on eth2 (10.10.23.0/24).  In short, I was able to get to any machine on the other interface.

The way I solved it is that I simply added a firewall filter entry that will drop any connection attempt on the input chain that is from interface LAN2 with a dst address of 10.10.23.0/24, and in the forward chain with an input interface of LAN2 and output interface of LAN.

Still with me?  Thanks!  :)

This solved the entire problem.  Neither subnet can communicate with the other, which is what I wanted.  Both interfaces can access the internet and the DNS server on the 450G is serving them both well.

My question is... (FINALLY!):  Was this the proper method of accomplishing what I set out to do?  I really thought that if there were two interfaces running two different subnets they should inherently not be able to talk to each other.  Did I simply patch a hole without addressing another bigger issue, or is this the way it is supposed to work?

Thoughts/comments are appreciated.
Asked by: SeaburyNorton
 
kdearing commented:
What you did is correct.
Some firewalls allow inter-vlan traffic by default, some don't.
Adding/modifying the security rules is the proper method.
 
rfc1180 commented:
> Was this the proper method of accomplishing what I set out to do?
Simply yes, adding filters to deny between subnets is ultimately what you wanted to accomplish.
 
BITCooler commented:
Sounds like you did a nice job.

Another way to accomplish this is a more manual approach, but also workable.
You would need additional equipment.

Internet feed --> to WAN Port on Router (in bridge mode) serving multiple public IPs -->> Router's Ethernet Port to -->> Port 1 on a basic 4-port (100/1000) switch (managed or unmanaged):

Switch Port 2) to -->> Firewall A untrust port, Subnet A -->> Switch A for Network A

Switch Port 3) to -->> Firewall B untrust port, Subnet B -->> Switch B for Network B

Result: Two Networks, Two Subnets, One Internet Feed, no cross talk.

Downside: higher equipment cost.  I would keep what you have.
 
SeaburyNorton (author) commented:
A big thank you to all who answered!
Question has a verified solution.
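
The filter rules described in the question, written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread; it assumes the interfaces are named LAN (eth2) and LAN2 (eth5) as the question refers to them, and it goes one step further than the question by also covering the LAN-to-LAN2 direction, since a drop in only one direction stops replies but still lets one-way packets through the other way.

```routeros
# Added example. Assumed interface names: LAN (eth2), LAN2 (eth5).
# Subnets are the ones given in the question.
# Rule order matters: these drops must sit above any accept rule
# that would match the same traffic.

/ip firewall filter

# Routed traffic from LAN2 hosts to LAN hosts
# (the forward-chain rule the question describes).
add chain=forward in-interface=LAN2 out-interface=LAN action=drop \
    comment="isolate: LAN2 -> LAN"

# Reverse direction, so LAN hosts cannot send one-way traffic into LAN2.
add chain=forward in-interface=LAN out-interface=LAN2 action=drop \
    comment="isolate: LAN -> LAN2"

# Traffic from LAN2 hosts addressed to the router's own address in the
# LAN subnet (the input-chain rule the question describes).
add chain=input in-interface=LAN2 dst-address=10.10.23.0/24 action=drop \
    comment="isolate: LAN2 -> router LAN address"

# Mirror of the rule above for LAN hosts reaching the router's LAN2 address.
add chain=input in-interface=LAN dst-address=172.16.23.0/25 action=drop \
    comment="isolate: LAN -> router LAN2 address"

# Show per-rule packet and byte counters to confirm the drops are matching.
print stats
```

The router forwards between the two subnets by default because it holds a connected route for each, so isolation has to come from the filter. Each side still reaches DNS on the router through the router's address in its own subnet, which these rules do not match.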