Access single server across VLANs

I am trying to allow the KID_VLAN to reach a single server in LAN_VLAN. I’ve read on the forum that it’s simply a matter of adding a firewall rule, but I can’t get the rule to work properly. I’ve added a rule, but I can see in Winbox that it never processes any packets. I’ve tried moving it around, thinking it was an ordering issue, but no dice. I would appreciate another set of eyes on this config to see what I am doing wrong.

Thanks!

# 2024-02-08 22:09:41 by RouterOS 7.12.1
#
# model = L009UiGS
#
# Review notes are added as comments only; no command in this export was changed.
# Layout: four routed VLANs on bridge BR0 (LAN 10, KID 20, IOT 30, GUEST 40) plus a
# tagged WAN VLAN 201 arriving on ether1. Inter-VLAN traffic is blocked by the final
# forward drop; the "Kids access Plex" rule is meant to be the only exception.
/interface bridge
# STP is off (protocol-mode=none); VLAN filtering is performed on the bridge itself.
add name=BR0 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR0 name=GUEST_VLAN vlan-id=40
add interface=BR0 name=IOT_VLAN vlan-id=30
add interface=BR0 name=KID_VLAN vlan-id=20
add interface=BR0 name=LAN_VLAN vlan-id=10
# WAN is delivered tagged by the ISP (per the thread) and terminated on the bridge.
add interface=BR0 name=WAN_VLAN vlan-id=201
/interface list
add name=WAN
add name=LAN
# MANAGE contains only LAN_VLAN (see /interface list member) and gates SSH, WinBox
# and SNMP in the input chain below.
add name=MANAGE
/interface wireless security-profiles
# Default wireless profile, untouched apart from the supplicant identity; only
# relevant if this unit actually has a radio.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN_POOL ranges=10.20.30.100-10.20.30.254
add name=KID_POOL ranges=10.20.40.10-10.20.40.254
add name=IOT_POOL ranges=10.20.60.10-10.20.60.254
add name=GUEST_POOL ranges=10.20.50.10-10.20.50.254
/ip dhcp-server
add address-pool=LAN_POOL interface=LAN_VLAN lease-time=3d name=LAN_DHCP
add address-pool=KID_POOL interface=KID_VLAN lease-time=3d name=KID_DHCP
add address-pool=IOT_POOL interface=IOT_VLAN lease-time=3d name=IOT_DHCP
add address-pool=GUEST_POOL interface=GUEST_VLAN lease-time=4h name=\
    GUEST_DHCP
/port
set 0 name=serial0
/queue simple
# Per-VLAN rate caps keyed by subnet; LAN_VLAN (10.20.30.0/24) has no cap.
add max-limit=500M/500M name=KID_QUEUE target=10.20.40.0/24
add max-limit=200M/200M name=GUEST_QUEUE target=10.20.50.0/24
add max-limit=100M/100M name=IOT_QUEUE target=10.20.60.0/24
/snmp community
# Only the allowed source subnet is set on the default community; its name is not
# shown in this export (the RouterOS default is "public"), so renaming it or
# moving to an SNMPv3 user is worth considering. The input rule "Allow SNMP from
# LAN" below narrows access further to MANAGE -> 10.20.30.1.
set [ find default=yes ] addresses=10.20.30.0/24
/interface bridge port
# ether2-ether6: untagged access ports in VLAN 10; ether7: VLAN 20 access port;
# ether8: tagged-only trunk; ether1: untagged WAN port mapped to VLAN 201.
add bridge=BR0 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=10
add bridge=BR0 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=10
add bridge=BR0 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=10
add bridge=BR0 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=10
add bridge=BR0 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether6 pvid=10
add bridge=BR0 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether7 pvid=20
add bridge=BR0 frame-types=admit-only-vlan-tagged interface=ether8
add bridge=BR0 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether1 pvid=201
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/LLDP/CDP) runs on every member of LAN, which includes
# GUEST_VLAN and IOT_VLAN, so the router's identity and software version are
# advertised to the least-trusted segments. Restricting this to MANAGE is an
# easy tightening.
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=BR0 tagged=BR0,ether8 untagged=ether2,ether3,ether4,ether5,ether6 \
    vlan-ids=10
# Dubious: ether7 (pvid 20) is also listed as an untagged member of VLANs 30 and
# 40, so egress frames from IOT and GUEST appear to be sent untagged out the kids
# port. Ingress on ether7 is still classified as VLAN 20 via pvid, so this looks
# like an egress/broadcast leak rather than access - but one entry per VLAN is
# cleaner (ether7 untagged on 20 only; 30 and 40 tagged on BR0/ether8 only).
add bridge=BR0 tagged=BR0,ether8 untagged=ether7 vlan-ids=20,30,40
# ether1 is not listed statically; with pvid=201 it presumably receives a dynamic
# untagged membership (the thread confirms WAN works as configured).
add bridge=BR0 tagged=BR0 vlan-ids=201
/interface list member
add interface=WAN_VLAN list=WAN
add interface=LAN_VLAN list=MANAGE
add interface=KID_VLAN list=LAN
add interface=LAN_VLAN list=LAN
add interface=IOT_VLAN list=LAN
add interface=GUEST_VLAN list=LAN
/ip address
add address=10.20.30.1/24 interface=LAN_VLAN network=10.20.30.0
add address=10.20.40.1/24 interface=KID_VLAN network=10.20.40.0
add address=10.20.60.1/24 interface=IOT_VLAN network=10.20.60.0
add address=10.20.50.1/24 interface=GUEST_VLAN network=10.20.50.0
/ip dhcp-client
add interface=WAN_VLAN
/ip dhcp-server lease
# Static reservations on LAN_VLAN; the Plex target 10.20.30.21 is not among them.
add address=10.20.30.228 client-id=1:40:b8:9a:c0:b8:20 mac-address=\
    40:B8:9A:C0:B8:20 server=LAN_DHCP
add address=10.20.30.133 client-id=1:b8:27:eb:78:b4:49 mac-address=\
    B8:27:EB:78:B4:49 server=LAN_DHCP
/ip dhcp-server network
# LAN_VLAN is handed an internal resolver (10.20.30.40); the other VLANs get public
# resolvers, so they do not depend on the router's DNS service.
add address=10.20.30.0/24 dns-server=10.20.30.40 gateway=10.20.30.1
add address=10.20.40.0/24 dns-server=1.1.1.1 gateway=10.20.40.1
add address=10.20.50.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.20.50.1
add address=10.20.60.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.20.60.1
/ip firewall filter
# input chain: defconf baseline, DNS from any LAN member, management services from
# MANAGE only, then drop. SSH, WinBox and SNMP are therefore reachable only from
# LAN_VLAN to 10.20.30.1; nothing but ICMP is accepted from the WAN side.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# No in-interface match, so ICMP is accepted from every interface, WAN included
# (standard defconf behaviour).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow SSH from management" \
    dst-address=10.20.30.1 dst-port=22 in-interface-list=MANAGE protocol=tcp
add action=accept chain=input comment="Allow WinBox from management" \
    dst-address=10.20.30.1 dst-port=8291 in-interface-list=MANAGE protocol=\
    tcp
add action=accept chain=input comment="Allow SNMP from LAN" dst-address=\
    10.20.30.1 dst-port=161 in-interface-list=MANAGE protocol=udp
add action=drop chain=input comment="drop all else"
# forward chain: fasttrack/established come first, so the "Kids access Plex" rule
# only ever sees the first packet (connection-state=new) of each TCP session; its
# counter stays small even once it works.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# The rule under discussion. The three empty matchers (connection-nat-state,
# connection-state, connection-type) were likely left behind by the WinBox dialog;
# per the reply's testing, the empty connection-type prevents any match, which is
# why the counter never moves - clearing all three is the fix. Keep the
# in-interface=KID_VLAN (or src-address=10.20.40.0/24) match in any rewrite:
# IOT_VLAN and GUEST_VLAN traverse this same chain, and a rule matching only
# dst-address/out-interface would admit them too.
add action=accept chain=forward comment="Kids access Plex" \
    connection-nat-state="" connection-state="" connection-type="" \
    dst-address=10.20.30.21 dst-port=443 in-interface=KID_VLAN out-interface=\
    LAN_VLAN protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# LAN -> WAN only; there is no generic inter-VLAN accept, so isolation between the
# four VLANs rests entirely on the final drop.
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# Source NAT only; no dst-nat, so nothing on the VLANs is exposed inbound.
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip service
# telnet/ftp/www/api disabled; ssh and api-ssl bound to the LAN subnet. winbox and
# www-ssl are not set here and stay at their defaults (not shown), so their only
# restriction is the input chain above.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.20.30.0/24
set api disabled=yes
set api-ssl address=10.20.30.0/24
/snmp
set enabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=red
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
/tool mac-server
# Layer-2 MAC telnet disabled everywhere; MAC WinBox limited to the MANAGE list.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

These two entries look a bit dubious:

** add bridge=BR0 tagged=BR0,ether8 untagged=ether7 vlan-ids=20,30,40

Perhaps
add bridge=BR0 tagged=BR0,ether8 untagged=ether7 vlan-ids=20
add bridge=BR0 tagged=BR0,ether8 vlan-ids=30,40

Also
** add bridge=BR0 tagged=BR0 vlan-ids=201

Perhaps
add bridge=BR0 tagged=BR0 untagged=ether1 vlan-ids=201

Why does the WAN have a VLAN? Does your ISP deliver it in a VLAN?
In any case it should not normally be part of the bridge; I suggest removing it.

Yes, my ISP requires it. And the config definitely doesn’t work with it outside the bridge; I’ve tried.

The rule

add action=accept chain=forward comment="Kids access Plex" \
    connection-nat-state="" connection-state="" connection-type="" \
    dst-address=10.20.30.21 dst-port=443 in-interface=KID_VLAN out-interface=\
    LAN_VLAN protocol=tcp

should just be

add action=accept chain=forward comment="Kids access Plex" \
    dst-address=10.20.30.21 dst-port=443 in-interface=KID_VLAN out-interface=\
    LAN_VLAN protocol=tcp

Specifically, some quick testing indicates that the rule still matches with a blank connection-nat-state and connection-state, but a blank connection-type stops it from matching. Better to clear all three if you’re not going to use them.

Something like:

add action=accept chain=forward comment="Kids access to server" out-interface=LAN_VLAN dst-address=[IP single server]

You can add protocol or port matchers as well; as written, the complete server is reachable.