mhoppes
Member Candidate
Topic Author
Posts: 133
Joined: Thu Jul 29, 2010 9:33 pm

VLAN ACL Question

Fri Jan 13, 2012 6:39 pm

If I have 3 VLANs on a MikroTik and I want to prohibit traffic from one talking to another, what's the best way to do that?

Obviously I can setup firewall rules, but before I do this I wanted to see if there was a simpler way, or a simple set of firewall rules that might do it?
 
mhoppes
Member Candidate
Topic Author
Posts: 133
Joined: Thu Jul 29, 2010 9:33 pm

Re: VLAN ACL Question

Mon Jan 16, 2012 12:44 am

Seriously? Not even a hint of a link somewhere?
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

VLAN ACL Question

Mon Jan 16, 2012 3:24 am

Nope the firewall is the simplest way.
 
mhoppes
Member Candidate
Topic Author
Posts: 133
Joined: Thu Jul 29, 2010 9:33 pm

Re: VLAN ACL Question

Mon Jan 16, 2012 3:29 am

cbrown wrote:
Nope the firewall is the simplest way.
OK. I tried the firewall and it seemed to block more than it should have (e.g. no Internet access).

The network is set up as such:

Router:
10.200.91.1 - VLAN1
10.200.92.1 - VLAN2
10.200.93.1 - VLAN3

Is there an easier way than making a rule on each VLAN specifically blocking access to the other VLANs?

For example, a rule like (if dst-address!=10.200.93.1 then block). The problem with this rule is that it blocks Internet access as well. I guess I could create an ip-list and then include that, but I feel like I'm duplicating things over and over.
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Re: VLAN ACL Question

Mon Jan 16, 2012 3:40 am

You need something more like this, assuming you are using /24s.
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.92.0/23 src-address=10.200.91.0/24 comment="VLAN1 -> VLAN2+VLAN3 (10.200.92.0/23 covers .92.x and .93.x)"
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.91.0/24 src-address=10.200.93.0/24 comment="VLAN3 -> VLAN1"
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.92.0/24 src-address=10.200.93.0/24 comment="VLAN3 -> VLAN2 (.91 and .92 are not in one /23, so this pair needs its own rule)"
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.91.0/24 src-address=10.200.92.0/24 comment="VLAN2 -> VLAN1"
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.93.0/24 src-address=10.200.92.0/24 comment="VLAN2 -> VLAN3"
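
Editor's added example (not from the thread and not cbrown's or MikroTik's own configuration): the address-list form that mhoppes alluded to, which collapses the per-pair drop rules into a single rule. It assumes the three /24 subnets above are routed by the MikroTik itself; the list name `vlans` and the comments are my own choices. On the /23 question that comes up next in the thread: 10.200.92.0/23 spans 10.200.92.0 through 10.200.93.255, so one rule from VLAN1 can cover both other VLANs, but 10.200.91.0/23 is not aligned to a /23 boundary (applying the mask zeroes the low bit of the third octet, giving 10.200.90.0/23, which contains VLAN1 and not VLAN2), so the VLAN3 side cannot be aggregated the same way. An address list sidesteps that arithmetic entirely, and adding a fourth VLAN later is one more list entry rather than a new set of rules.

```routeros
# Added example, not from the original thread. Assumes the three /24 VLAN
# subnets shown above are routed by this MikroTik; the list name "vlans"
# is an arbitrary choice.

# One address list holding every VLAN subnet.
/ip firewall address-list
add list=vlans address=10.200.91.0/24 comment="VLAN1"
add list=vlans address=10.200.92.0/24 comment="VLAN2"
add list=vlans address=10.200.93.0/24 comment="VLAN3"

/ip firewall filter
# Let replies to already-accepted connections through (for example Internet
# traffic returning to a VLAN host). This must sit above the drop rule.
add chain=forward connection-state=established,related action=accept comment="allow replies to accepted connections"
# Drop anything routed from one VLAN subnet to another. Internet-bound
# traffic has a dst-address outside the list and is not matched, which is
# what the earlier dst-address!=... attempt got wrong.
add chain=forward src-address-list=vlans dst-address-list=vlans action=drop comment="block inter-VLAN traffic"
```

Order matters: RouterOS evaluates filter rules top to bottom, so both rules have to sit above any broad accept already present in the forward chain (`/ip firewall filter print` shows the order, and `move` reorders). Two caveats a practitioner should check: the forward chain only sees traffic the router actually routes between the VLANs, so if the VLAN interfaces are bridged together this rule never fires; and packets addressed to the router's own gateway addresses (say 10.200.92.1 from a VLAN1 host) pass through the input chain rather than forward, so they are not covered by this rule and need their own input-chain policy if that matters.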
 
mhoppes
Member Candidate
Topic Author
Posts: 133
Joined: Thu Jul 29, 2010 9:33 pm

Re: VLAN ACL Question

Mon Jan 16, 2012 3:45 am

cbrown wrote:
You need something more like this, assuming you are using /24s.
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.92.0/23 src-address=10.200.91.0/24 comment="VLAN1 -> VLAN2+VLAN3 (10.200.92.0/23 covers .92.x and .93.x)"
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.91.0/24 src-address=10.200.93.0/24 comment="VLAN3 -> VLAN1"
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.92.0/24 src-address=10.200.93.0/24 comment="VLAN3 -> VLAN2 (.91 and .92 are not in one /23, so this pair needs its own rule)"
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.91.0/24 src-address=10.200.92.0/24 comment="VLAN2 -> VLAN1"
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.93.0/24 src-address=10.200.92.0/24 comment="VLAN2 -> VLAN3"
Yeah I guess that's where I'll end up going. That just seemed like it was a lot of duplication. What exactly is putting the /23 in there going to do? That doesn't seem like it would work out properly.
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

VLAN ACL Question

Mon Jan 16, 2012 3:47 am

Why not?
 
mhoppes
Member Candidate
Topic Author
Posts: 133
Joined: Thu Jul 29, 2010 9:33 pm

Re: VLAN ACL Question

Mon Jan 16, 2012 3:54 am

cbrown wrote:
Why not?
A /24 is the entire 255.255.255.0 subnet.

Oh I guess it will sort of work. I was thinking a /23 was invalid since everything was /24, but I guess it does encompass two subnets in one rule.
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

VLAN ACL Question

Mon Jan 16, 2012 4:31 am

Exactly. Good luck!
