I have two VLANs and by default they are routed to each other.
As an example, VLAN 30 and VLAN 40.
To disable communication (except pinging) between them I have made two rules for each VLAN:
VLAN 30:
Chain: Forward
Protocol: (!) 1 ICMP (is not)
Out Interface: Bridge_VLAN30
Action: Drop

Chain: Forward
Protocol: (!) 1 ICMP (is not)
In Interface: Bridge_VLAN30
Action: Drop

VLAN 40:
Chain: Forward
Protocol: (!) 1 ICMP (is not)
Out Interface: Bridge_VLAN40
Action: Drop

Chain: Forward
Protocol: (!) 1 ICMP (is not)
In Interface: Bridge_VLAN40
Action: Drop
This works fine (for me).
But now I want to access the webserver on port 443 on VLAN 40 from VLAN 30.
With one rule it will not work. Is it necessary to create two rules? That does not look so neat. This way the port is always open from the other side.
Normally your first rule in the FORWARD chain would be “accept connection state established, related” and your second rule would not be required (covered by that).
When you do not want such a rule, you will need the two rules for each exception.
Typically VLANs should not have any routing between them.
The better way IMHO to setup your router rules is to drop everything and only explicitly allow traffic you wish to authorize.
In my setup for example, my forward chain is basically
-allow established, related
-drop invalid packets
-allow LAN to WAN
-allow VLAN10 to WAN
-allow VLAN20 to WAN
-allow destination nat connections
-drop all else.
With this setup the VLANs (which are on the same bridge) cannot be routed over layer 3. I don't need to make 'extra rules'!!
I do not know why you would want to be able to ping between VLANs… but if so, then it would be one simple rule!
-allow vlan10 to ping vlan20
and the return traffic (the response) is permitted as its now an established or related connection in connection tracking.
One would still need to create another allow rule if one wanted the reverse, pinging the other way, i.e. traffic ORIGINATING on VLAN20 pinging VLAN10:
-allow vlan20 to ping vlan10
Now in the case of port 443, the rule application is consistent… VLAN30 needs access to a server on VLAN40:
-allow VLAN30 to access tcp dst port 443 on the VLAN40 server IP; that's all that is required (the first rule you have)
/ip firewall filter becomes…
-allow established, related
-drop invalid packets
-allow LAN to WAN
-allow VLAN30 to WAN
-allow VLAN40 to WAN
-allow vlan30 to ping VLAN40
-allow vlan30 to access server on VLAN40
-allow destination nat connections
-drop all else.
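A concrete RouterOS rendering of the default-drop forward chain laid out in the two replies above (established/related first, then the explicit VLAN30-to-VLAN40 exceptions, then drop everything else). This is an added example, not a configuration posted in the thread. It assumes the WAN uplink is ether1, that the plain LAN sits on a bridge named Bridge_LAN, and that the webserver on VLAN 40 has the address 192.0.2.10 (a documentation address); Bridge_VLAN30 and Bridge_VLAN40 are the interface names from the question.

```routeros
# Added example, not from the thread. Assumed names: WAN uplink = ether1,
# plain LAN bridge = Bridge_LAN, VLAN 40 webserver = 192.0.2.10.
/ip firewall filter
# 1. Return traffic of any connection already allowed, in either direction.
#    This is what makes a single rule per exception sufficient.
add chain=forward connection-state=established,related action=accept comment="accept established/related"
# 2. Packets connection tracking cannot tie to a known flow.
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# 3. Each internal segment may initiate connections to the internet.
add chain=forward in-interface=Bridge_LAN out-interface=ether1 action=accept comment="LAN to WAN"
add chain=forward in-interface=Bridge_VLAN30 out-interface=ether1 action=accept comment="VLAN30 to WAN"
add chain=forward in-interface=Bridge_VLAN40 out-interface=ether1 action=accept comment="VLAN40 to WAN"
# 4. The two inter-VLAN exceptions. Only VLAN 30 may initiate; the ICMP echo
#    reply and the server's TCP segments come back through rule 1, so no
#    VLAN40 -> VLAN30 accept rule is needed and port 443 is never reachable
#    the other way round.
add chain=forward in-interface=Bridge_VLAN30 out-interface=Bridge_VLAN40 protocol=icmp action=accept comment="VLAN30 may ping VLAN40"
add chain=forward in-interface=Bridge_VLAN30 out-interface=Bridge_VLAN40 protocol=tcp dst-address=192.0.2.10 dst-port=443 action=accept comment="VLAN30 to webserver on VLAN40"
# 5. Inbound port forwards defined under /ip firewall nat.
add chain=forward connection-nat-state=dstnat action=accept comment="accept dst-nat'ed connections"
# 6. Default deny: everything not matched above, including every attempt
#    originating on VLAN 40 towards VLAN 30 and any other port on the webserver.
add chain=forward action=drop comment="drop all else"
```

Two things to check when a connection still ends up in the final drop rule: the chain is evaluated top to bottom and `add` appends at the end, so an exception added after "drop all else" is never reached (move it above with `place-before=` on the `add`, or `/ip firewall filter move`); and the accept rule must carry `protocol=tcp`, since `dst-port` is only evaluated together with a protocol. `/ip firewall filter print stats` shows per-rule packet counters, so an HTTPS attempt from VLAN 30 should increment the 443 rule and the established/related rule, while the same attempt from VLAN 40 should only increment the last drop rule.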
I have "first rule in the FORWARD chain would be “accept connection state established, related”" and removed the second rule, but the connections are still not totally accepted. The last rule blocks the connection (-drop all else).