WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:
Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users
Course Of The Month
9 days, 6 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Two Subnets Separate Interfaces Communication Fix?
Posted on 2011-02-27
Hello, all... thank you for your help in advance.
I have two networks running on a Mikrotik RB450G. Here's what I wanted to accomplish:
Two subnets on two different interfaces:
eth1: WAN
eth2: LAN
eth5: LAN2
(ports 3 and 4 will be used later for switching)
eth2: LAN subnet: 10.10.23.0/24
eth5: LAN2 subnet: 172.16.23.0/25
Both of these subnets are in the firewall address list under a single name so they may share the firewall filter and nat rules.
I set up separate pools/dhcp servers for both interfaces. It all seemed to go well except for the fact that I could ping between the subnets! I was always under the impression they would not be able to communicate.
For example, a machine connected to eth5, received an IP of 172.16.23.124 and was able to ping every address on the other subnet residing in eth2 (10.10.23.0/24). In short, I was able to get to any machine on the other interface.
The way I solved it is that I simply added a firewall filter entry that will drop any connection attempt on the input chain that is from interface LAN2 with a dst address of 10.10.23.0/24, and in the forward chain with an input interface of LAN2 and output interface of LAN.
Still with me? Thanks! :)
This solved the entire problem. Neither subnet can communicate with the other, which is what I wanted. Both interfaces can access the internet and the dns server on the 450G is serving them both well.
My question is... (FINALLY!): Was this the proper method of accomplishing what I set out to do? I really thought that if there were two interfaces running two different subnets they should inherently not be able to talk to each other. Did I simply patch a hole without addressing another bigger issue, or is this the way it is supposed to work?
Thoughts/comments are appreciated.
I have two networks running on a Mikrotik RB450G. Here's what I wanted to accomplish:
Two subnets on two different interfaces:
eth1: WAN
eth2: LAN
eth5: LAN2
(ports 3 and 4 will be used later for switching)
eth2: LAN subnet: 10.10.23.0/24
eth5: LAN2 subnet: 172.16.23.0/25
Both of these subnets are in the firewall address list under a single name so they may share the firewall filter and nat rules.
I set up separate pools/dhcp servers for both interfaces. It all seemed to go well except for the fact that I could ping between the subnets! I was always under the impression they would not be able to communicate.
For example, a machine connected to eth5, received an IP of 172.16.23.124 and was able to ping every address on the other subnet residing in eth2 (10.10.23.0/24). In short, I was able to get to any machine on the other interface.
The way I solved it is that I simply added a firewall filter entry that will drop any connection attempt on the input chain that is from interface LAN2 with a dst address of 10.10.23.0/24, and in the forward chain with an input interface of LAN2 and output interface of LAN.
Still with me? Thanks! :)
This solved the entire problem. Neither subnet can communicate with the other, which is what I wanted. Both interfaces can access the internet and the dns server on the 450G is serving them both well.
My question is... (FINALLY!): Was this the proper method of accomplishing what I set out to do? I really thought that if there were two interfaces running two different subnets they should inherently not be able to talk to each other. Did I simply patch a hole without addressing another bigger issue, or is this the way it is supposed to work?
Thoughts/comments are appreciated.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4 Comments
> Was this the proper method of accomplishing what I set out to do?
Simply yes, adding filters to deny between subnets is ultimately what you wanted to accomplish
Simply yes, adding filters to deny between subnets is ultimately what you wanted to accomplish
What you did is correct.
Some firewalls allow inter-vlan traffic by default, some don't.
Adding/modifying the security rules is the proper method.
Some firewalls allow inter-vlan traffic by default, some don't.
Adding/modifying the security rules is the proper method.
Sounds like you did a nice job.
Another way to accomplish this is a more manual approach, but also workable.
You would need an additional equipment.
Internet feed --> to WAN Port on Router (in bridge mode) serving multiple public IPs -->> Router's Ethernet Port to -->> Port 1 on a basic 4-port switch (100/1000) switch (managed or unmanaged):
Switch Port 2) to -->> to Firewall A untrust Port, Subnet A -->> Switch A for Network A
Switch Port 3) to -->> to Firewall B untrust port, Subnet B -->> Switch B for Network B
Result: Two Networks, Two Subnets, One Internet Feed no cross talk.
Downside, higher equipment cost. I would keep what you have.
Another way to accomplish this is a more manual approach, but also workable.
You would need an additional equipment.
Internet feed --> to WAN Port on Router (in bridge mode) serving multiple public IPs -->> Router's Ethernet Port to -->> Port 1 on a basic 4-port switch (100/1000) switch (managed or unmanaged):
Switch Port 2) to -->> to Firewall A untrust Port, Subnet A -->> Switch A for Network A
Switch Port 3) to -->> to Firewall B untrust port, Subnet B -->> Switch B for Network B
Result: Two Networks, Two Subnets, One Internet Feed no cross talk.
Downside, higher equipment cost. I would keep what you have.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Tired of waiting for your show or movie to load? Are buffering issues a constant problem with your internet connection? Check this article out to see if these simple adjustments are the solution for you.
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month9 days, 6 hours left to enroll
623 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.