Hi everyone, i´m new in the forum.

I have a mikrotic RB1100AHx4 and the thing is that I´ve been trying to deny all traffic between vlans but it´s been impossible.

I´ve been doing the following steps (In the GUI):
1. Identify VLANs
2. Navigate to Firewall Rules: In the Winbox GUI, go to IP -> Firewall.
3. Add New Rule: Click on the "Filter Rules" tab and then click the "+" button to add a new firewall rule.
4. Configure Rule: In the new rule window, I've configure the conditions under which traffic should be blocked.
5. Set the Chain to forward.
6. Define the source and destination addresses, ports, and protocols for the traffic I wanted to block.
7. Set the Action to Drop to block the traffic.
8. Apply the Rule
9. Move the rule up the list to give it more priority.
10.Test: Ping between vlans ips (But they never stopped reaching out to each other)
(I´ve some rules created that allows conection VPN and two others that allow traffic from the vlans to the wan and from the wan to the vlans. (I don't know if this can affect the rules I'm trying to create but just in case I'm clarifying)

The Switch i´m using has a Realtek RTL8367 chip, i don´t know if this has anything to do with it but just in case I'll clarify it too)

I would really appreciate if anyone can give me any ideas on what to do.

Thanks.

Export and post your configuration. Without that, we're guessing. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.

In my configs, I usually do this:

* Create an Interface list "VLAN"
* Add all vlans that should not have access to other vlans to this VLAN list.
* Have the interface list LAN includes the list VLAN, as an example:


* Put the main bridge or other vlans that can have unrestricted access to other vlans into the LAN interface list
* Add the rule that blocks traffic from the interface list VLAN to the interface list LAN


Traffic from all interfaces in the VLAN list will be blocked when being sent to any interface in the LAN list (this list includes all interfaces in the VLAN list too). If an interface is in the LAN list but not the VLAN list (for example the main bridge), it will still be able to access the other interfaces, assuming that a rule like


Is already placed above the drop rule.