Do I need a firewall rule?

I have a router with 4 ports. One is for the servers (via a switch) and one is the pppoe interface towards my ISP.

I have the “default-route auto” on the pppoe interface. And a route to my subnet on the eth1 interface.

This gives me those routes: pppoe2 eth1 pppoe2

That’s fine and it’s working… now the question:

I’d like to use eth3 as a “service port” and I don’t want any routing to happen to or from this interface. I gave it the IP and it seems to work fine. But I can ping from the 192.168.68.x network (nothing else can be pinged, but this one address is possible). … what’s the recommendation here? Should I add a firewall rule to make sure that I will never have any routing from or to this eth3 port? Or is it just fine like that?? (it it routing by the way? or is what I see not real routing but just… don’t know… something that happens, because the router does have those 3 addresses and reacts on a query to also on the address/port?) … or, if that’s correct what it does… could I then delete the static route to my subnet on eth1 and it would still work? … is the routing “enabled by default”?

As I understand, IP is assigned to your router on pppoe interface. Also, you want to completely isolate network on eth3.
By default, all traffic is accepted if you don’t explictely forbid it. So, to forbid forwarding from eth3:

## 1st: create firewall chain, with only default-action drop
set firewall name ETH3-FWD default-action drop

## Attach firewall to eth3-in. This will drop all frowarding from eth3
set interfaces eth eth3 firewall in name ETH3-FWD

## If you also want to drop traffic from eth3 towards the router itself:
set interfaces eth eth3 firewall local name ETH3-FWD

## Commit and save
1 Like

thanks… that’s answering the question

but… I found an other possible solutions… could I also disable forwarding on this interface?

set interfaces ethernet eth3 ip disable-forwarding

As it is a management port, it shouldn’t take part in forwarding packets.
Instead of kernel options, I’d just go for ETH3_IN firewall ruleset , default blocking all traffic.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.