I have some VLANs running on one main bridge. Everything is working with "use IP firewall" turned off, but when I turn it on DNS resolution stops working. I have the appropriate DNS rules to allow input to the router from these networks, specified with address lists.
VLAN filtering is used on the bridge with specific ports for trunk, access, hybrid etc., all working properly.
I have some guest VLAN users on WiFi and LAN connections and am trying to isolate them from one another. That part works but breaks the DNS for all other subnets.
The system is working with this unchecked. I have an input rule working that allows in UDP and TCP requests from the LAN on port 53 while blocking WAN requests. Name resolution is working properly. When I turn on Bridge / use IP firewall / use VLAN, that rule stops running.
Thank you all for your replies. I have narrowed it down some, but must admit I am not sure why it is failing to work. I have a NAT redirect rule for DNS. That is the rule that stops the DNS from resolving with IP firewall and VLAN use turned on. When they are disabled DNS works fine. In torch, the moment those are turned on the dns/53 packets disappear, but the counter on the NAT rule runs. I tried an action=dst-nat rule to send them to the router for DNS but that failed as well. I think this is working the way it is supposed to, and getting the DNS allowed is where I am going wrong and I just don't get it. Any help or education is appreciated. Sometimes I love ROS and sometimes it makes me crazy.
So if I get you right: you used to have a completely working firewall, and the only thing you’ve done is that you’ve set both use-ip-firewall and use-ip-firewall-for-vlan to yes in /interface bridge settings, and your DNS handling rule “stopped working”, or, more exactly, the clients stopped receiving DNS responses from the Mikrotik itself?
If so, something in chain=prerouting of your /ip firewall raw or /ip firewall mangle rules may block or redirect DNS requests coming from the clients connected to bridge ports to the IP address of your Mikrotik itself - see these pictures for how /interface bridge settings set use-ip-firewall=yes changes the path of the packet through the system. In other words, in this case the ip firewall rules mentioned above are used in addition to the /interface bridge filter rules, so even if the bridge filter rule table is empty, the ip firewall rules affect the packet flow.
Well yes - to put it a different way. The firewall works as I desire, but when I added the NAT redirect rule the clients stop getting DNS resolution from the router. This is with the use-ip-firewall and use-ip-firewall-for-vlan enabled on the bridge. The NAT rule keeps counting but the clients get no DNS resolution.
If I disable use-ip-firewall and use-ip-firewall-for-vlan - the redirect rule will start working.
I will check the prerouting mangle and raw rules and report back. I have not put anything there but perhaps the default rules are a problem. I will study the drawing as well.
Well, when I started writing my response, your configuration export wasn’t there yet, and I haven’t noticed it to appear while sending my response.
The dstnat chain of nat is also part of the "prerouting" path through the IP firewall, so I would suspect that the action=redirect may get confused in the bridging phase and it may set the new destination address to something weird. So I'd try to replace action=redirect by action=dst-nat and specify that hazy "one of the router's own addresses" explicitly using the to-addresses parameter.
Other than that I cannot spot anything suspicious in your configuration.
I guess the reason for things stopping with use-ip-firewall-for-vlan is that you allow DNS requests from interface list LAN, but that one doesn’t contain ether ports … and those are ports seen by firewall when used for vlan filtering.
Out of curiosity, why do you want to use the firewall on traffic between hosts in vlan90 if they communicate via the routerboard? VLAN firewall doesn't add security for devices which are not in the same VLAN (their traffic will pass the usual IP firewall anyway) and doesn't filter anything if devices can talk to each other directly (i.e. they are connected to the same downstream L2 switch).
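As an added illustration, not taken from this thread or from the poster's configuration export: the rule swap suggested above (action=dst-nat with an explicit to-addresses instead of action=redirect) together with an input rule that matches the guest clients by source address list rather than by the LAN interface list, which would not contain the ether ports seen during VLAN filtering. The address list name "guest" and the router address 192.168.90.1 are assumed values.

```routeros
# Bridge settings as described in the thread: bridge traffic is passed
# through the IP firewall, also for VLAN-filtered ports.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

# Assumed address list holding the guest subnet(s).
/ip firewall address-list
add list=guest address=192.168.90.0/24 comment="guest VLAN (assumed)"

# Before: redirect leaves the target address implicit ("one of the
# router's own addresses"), which is the rule reported as counting
# while clients get no answers.
/ip firewall nat
add chain=dstnat action=redirect protocol=udp dst-port=53 \
    src-address-list=guest to-ports=53 comment="DNS redirect (before)" disabled=yes

# After: name the router's own address explicitly.
add chain=dstnat action=dst-nat protocol=udp dst-port=53 \
    src-address-list=guest to-addresses=192.168.90.1 to-ports=53 \
    comment="DNS dst-nat (after)"
add chain=dstnat action=dst-nat protocol=tcp dst-port=53 \
    src-address-list=guest to-addresses=192.168.90.1 to-ports=53 \
    comment="DNS dst-nat TCP (after)"

# Input rule keyed on the source address list, not in-interface-list=LAN,
# so it still matches when the firewall sees the ether port instead of
# the bridge/VLAN interface.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=53 \
    src-address-list=guest comment="allow DNS to router from guest"
add chain=input action=accept protocol=tcp dst-port=53 \
    src-address-list=guest comment="allow DNS to router from guest (TCP)"
```

Verify with `/ip firewall nat print stats` and `/ip firewall filter print stats`: the dst-nat rule and the input accept rule should both count while a guest client resolves a name.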
@mkx, I'm only theorising here, but the choice between INPUT and FORWARD paths takes place after the ip firewall handling in bridge has already been done, so the /ip firewall filter chain=input should not affect bridge processing even if use-ip-firewall=yes in /interface bridge settings.
Thank you again very much for your help. I have done just that with the same no-client response. I have tried a dst-nat to the router address 192.168.90.1, for example, with and without the port. It is getting confused for sure. Thanks again very much.
Good question - I have a guest wlan along with a couple of guest LAN ports. In this configuration I was just trying to figure out the DNS issues, but in other versions I do block that traffic.
It is more important to me to isolate the guest traffic than to do the redirect rule, although I would like to have both.
I gave the above a shot and moved to a src address list as opposed to the interface list. Posted below; the result is the same. No client DNS resolution.
I then simply allowed all DNS in but had the same no-go result. Thanks for the idea.