Allow and Drop packets between vlan

RouterOS Beginner Basics
1

Hello every one
In my network I have 3 vlan and microtik router RB951Ui
Vlan 10
Vlan 20
Vlan 50
How I can do this :
-Vlan 50 can access vlan 20 and vlan 10 with Internet
-Vlan 20 can access vlan 10 but cant access vlan 50 and internet
-Vlan 10 cant access vlan 20 , vlan 10 and internet

Thank you very much

2

Using firewall filter rules …

3

I tried but it didn’t work
Please how can I doit
What is the fliter rule for vlan 50 . 20 and 10

4

It depends on how is your router configured. Export the following configs and post them here in [__code] [/code] environment (execute commands in terminal window):

/interface export
/ip export

and anonymize public IP address(es) if they are displayed in the export.

5

This is my config
I tried so many by using firewall filter rules but didn’t work as what I need

/ip pool
add name=dhcp_pool0 ranges=192.168.88.200-192.168.88.254
add name=dhcp_pool1 ranges=10.48.100.50-10.48.100.225
add name=dhcp_pool2 ranges=10.48.6.50-10.48.6.225
add name=dhcp_pool3 ranges=10.10.10.50-10.10.10.225
add name=dhcp_pool4 ranges=192.168.90.50-192.168.90.225
add name=dhcp_pool5 ranges=10.10.20.50-10.10.20.225
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=IT_Department_Network \
    lease-time=3d name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan10-CCBS lease-time=8h \
    name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan20-BSS lease-time=8h \
    name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=vlan50-ALL-Networks \
    lease-time=8h name=dhcp4
add address-pool=dhcp_pool4 disabled=no interface=vlan60-Just-Internet \
    lease-time=8h name=dhcp5
add address-pool=dhcp_pool5 disabled=no interface=vlan70-Local_Network \
    lease-time=8h name=dhcp6
/ip address
add address=10.10.10.254/24 interface=vlan50-ALL-Networks network=10.10.10.0
add address=10.48.100.253/24 interface=vlan10-CCBS network=10.48.100.0
add address=10.48.6.253/24 interface=vlan20-BSS network=10.48.6.0
add address=10.10.20.254/24 interface=vlan70-Local_Network network=10.10.20.0
add address=192.168.88.1/24 interface=IT_Department_Network network=\
    192.168.88.0
add address=192.168.12.126/30 interface=ether1 network=192.168.12.124
add address=192.168.90.1/24 interface=vlan60-Just-Internet network=192.168.90.0
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.20.20,8.8.8.8 gateway=10.10.10.254
add address=10.10.20.0/24 dns-server=10.10.20.20 gateway=10.10.20.254
add address=10.48.6.0/24 dns-server=10.10.20.20 gateway=10.48.6.253
add address=10.48.100.0/24 dns-server=10.10.20.20 gateway=10.48.100.253
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
add address=192.168.90.0/24 dns-server=199.85.126.20,199.85.127.20 gateway=\
    192.168.90.1
/ip dns
set servers=10.10.20.20,199.85.126.20,199.85.127.20
set servers=10.10.20.20,199.85.126.20,199.85.127.20
/ip route
add distance=1 gateway=192.168.12.125 routing-mark=IT_Dept_5M_internet
add distance=1 gateway=8M_ADSL_OUT routing-mark=Just_Internet_8M_Mobile
add distance=1 dst-address=10.0.28.0/24 gateway=10.48.6.1
add distance=1 dst-address=10.0.30.0/24 gateway=10.48.6.1
add distance=1 dst-address=10.64.0.0/16 gateway=10.48.100.254
add distance=1 dst-address=10.69.96.0/24 gateway=10.48.100.254


/interface bridge
add name=IT_Department_Network
/interface ethernet
set [ find default-name=ether1 ] comment=5M_From_POP
set [ find default-name=ether2 ] comment=Master_Port_To_Core-Switch
set [ find default-name=ether3 ] comment=8M_From_ADSL_Modem
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
    To_IT_Depatment
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether3 name=8M_ADSL_OUT \
    password=223585 user=itdpt@pronet.sy
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=MikroTik-Core
/interface vlan
add interface=ether2 name=vlan10-CCBS vlan-id=10
add interface=ether2 name=vlan20-BSS vlan-id=20
add interface=ether2 name=vlan50-ALL-Networks vlan-id=50
add interface=ether2 name=vlan60-Just-Internet vlan-id=60
add interface=ether2 name=vlan70-Local_Network vlan-id=70
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=\
    998877665544332211
/interface bridge port
add bridge=IT_Department_Network interface=ether5
add bridge=IT_Department_Network interface=wlan1
6

No firewall filter rules means nothing is dropped. It also means connection tracking is disabled right now and adding a single firewall filter rule will enable connection tracking, which in turn means considerable routing performance drop. Be prepared for it.

So you actually need a few rules. Keep in mind that default (implicit) rule is to accept packets and for security sake it’s probably best to construct chain of rules which explicitly allows needed/wanted things and drop all the rest.
The first rule below handles most of packets, including reply packets of allowed connections (regardless the direction). The invalid packets are handled by second rule and the rest of packets are packets belonging to “new” connections and we have to deal with them according to requirements …
The network layout is not clear to me, so rules shown are just an example and you have to adjust them to your layout …

/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=vlan50-ALL-Networks out-interface=vlan20-BSS
add chain=forward action=accept in-interface=vlan50-ALL-Networks out-interface=vlan10-CCBS
add chain=forward action=accept in-interface=vlan20-BSS out-interace=vlan10-CCBS
# add more rules as needed
add chain=forward action=drop

The rules above allow connections originating in VLAN 50 and terminating in VLANs 10 and 20, connections originating in VLAN 20 and terminating in VLAN 10. The rest are blocked by ultimate rule.

I’m not sure how pppoe-out interface 8M_ADSL_OUT fits in … it doesn’t seem to be proper internet access … you don’t have and NAT rule …

Another remark: rules are executed to-to-bottom, so place rules which will handle more packets higher the list which will lower load on RB.

7

Thank u very very very much
That is excatly what I need
So if I need to do the opposite choice
That I want to allow every packets but drop some , because in that scenario I should manaually add the packet that what I need to allow
But if I want to allow every packets and just drop some , Like just drop vlan 10 to access vlan 20 bit vlan 20 can access to vlan 10
What the filter rules should I do
In the end I am so grateful for your help

8

I’m in dilemma whether using the first rule would still be benefitial in case where you pass except what you don’t (meaning that likely there are less rules in total). Probably yes, so here are some rules:

/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop in-interface=vlan10-CCBS out-interface=vlan20-BSS

The first rule deals with all packets belonging to already accepted connections, which include packets from VLAN 10 to VLAN 20 but are part of connections initiated from VLAN 20.

The second rule then blocks packets that are belonging to new connections and that are initiated in VLAN 10 targeting VLAN 20. If there wasn’t rule #1, then this (drop) rule would need connection-state=new included, without this part rule blocks packets which are part of established connections as well.

Note that I omited the “drop invalid” rule … as it seems you don’t care about security in particular. If you’d like to add just a bit of security, then you can add that rule (placement is not particularly important, not many packets will hit any of rules below the first one).

9

Hello my friend
After execution my scenario in my network , some thing still wrong
this is my config

# jan/02/1970 02:48:14 by RouterOS 6.43.12
# software id = 9QWX-3BYM
#
# model = 2011UiAS-2HnD
# serial number = B9070A08F018
/interface bridge
add name=IT-Bridge
/interface ethernet
set [ find default-name=ether1 ] comment=From-POP-5M
set [ find default-name=ether2 ] comment=To-CoreSwitch-Trunk
/interface pppoe-client
add disabled=no interface=ether4 name=pppoe-out1-8M password=223585 user=\
    itdpt@pronet.sy
/interface wireless
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
/interface vlan
add interface=ether2 name=vlan1-CCBS vlan-id=10
add interface=ether2 name=vlan2-BBS vlan-id=20
add interface=ether2 name="vlan3-HQ-ALL network" vlan-id=50
add interface=ether2 name=vlan4-Just-Mobiles-internet vlan-id=60
add interface=ether2 name="vlan5-Local Network" vlan-id=70
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.48.100.50-10.48.100.225
add name=dhcp_pool2 ranges=10.48.6.50-10.48.6.225
add name=dhcp_pool3 ranges=10.10.10.50-10.10.10.225
add name=dhcp_pool4 ranges=192.168.90.2-192.168.90.254
add name=dhcp_pool5 ranges=192.168.88.50-192.168.88.199
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan1-CCBS name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan2-BBS name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface="vlan3-HQ-ALL network" \
    name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=vlan4-Just-Mobiles-internet \
    name=dhcp4
add address-pool=dhcp_pool5 disabled=no interface=IT-Bridge name=dhcp5
/interface bridge port
add bridge=IT-Bridge interface=wlan1
add bridge=IT-Bridge interface=ether6
add bridge=IT-Bridge interface=ether3
/ip address
add address=192.168.12.126/30 interface=ether1 network=192.168.12.124
add address=10.48.100.253/24 interface=vlan1-CCBS network=10.48.100.0
add address=10.48.6.253/24 interface=vlan2-BBS network=10.48.6.0
add address=10.10.10.254/24 interface="vlan3-HQ-ALL network" network=\
    10.10.10.0
add address=192.168.90.1/24 interface=vlan4-Just-Mobiles-internet network=\
    192.168.90.0
add address=192.168.88.1/24 interface=wlan1 network=192.168.88.0
add address=10.10.20.254/24 interface="vlan5-Local Network" network=\
    10.10.20.0
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.20.20,8.8.8.8 gateway=10.10.10.254
add address=10.48.6.0/24 dns-server=10.10.20.20 gateway=10.48.6.253
add address=10.48.100.0/24 dns-server=10.10.20.20 gateway=10.48.100.253
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
add address=192.168.90.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.90.1
/ip firewall address-list
add address=10.48.100.0/24 list=CCBS
add address=10.64.0.0/16 list=CCBS
add address=10.69.96.0/24 list=CCBS
add address=10.0.28.0/24 list=BSS
add address=10.0.30.0/24 list=BSS
add address=10.48.6.0/24 list=BSS
add address=10.10.20.0/24 list="Local Network"
add address=10.0.28.0/24 list=ALL-Internal-Address
add address=10.0.30.0/24 list=ALL-Internal-Address
add address=10.48.6.0/24 list=ALL-Internal-Address
add address=10.48.100.0/24 list=ALL-Internal-Address
add address=10.64.0.0/16 list=ALL-Internal-Address
add address=10.69.96.0/24 list=ALL-Internal-Address
add address=10.10.20.0/24 list=ALL-Internal-Address
add address=192.168.90.0/24 list=ALL-Internal-Address
/ip firewall filter
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward dst-address-list="Local Network" src-address=\
    10.48.6.0/24
add action=accept chain=forward dst-address-list="Local Network" src-address=\
    10.48.100.0/24
add action=accept chain=forward dst-address-list=BSS src-address=\
    10.48.100.0/24
add action=accept chain=forward dst-address-list="Local Network" src-address=\
    10.10.10.0/24
add action=accept chain=forward dst-address-list=BSS src-address=\
    10.10.10.0/24
add action=accept chain=forward dst-address-list=CCBS src-address=\
    10.10.10.0/24
add action=accept chain=forward out-interface=pppoe-out1-8M src-address=\
    10.10.10.0/24
add action=accept chain=forward out-interface=pppoe-out1-8M src-address=\
    192.168.90.0/24
add action=accept chain=forward out-interface=all-ethernet src-address=\
    192.168.88.0/24
add action=accept chain=forward out-interface=all-vlan src-address=\
    192.168.88.0/24

add action=drop chain=forward
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=Mobile-Internet-8M \
    passthrough=yes src-address=192.168.90.0/24
add action=mark-routing chain=prerouting dst-address-list=CCBS \
    new-routing-mark=IT-To-CCBS passthrough=yes src-address=192.168.88.0/24
add action=mark-routing chain=prerouting dst-address-list=\
    !ALL-Internal-Address new-routing-mark=IT-Department-internet-5M \
    passthrough=yes src-address=192.168.88.0/24
add action=mark-routing chain=prerouting dst-address-list=\
    !ALL-Internal-Address new-routing-mark="Qun-PCs-To Internet" passthrough=\
    yes src-address=10.10.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1-8M src-address=\
    192.168.90.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1-8M src-address=\
    10.10.10.0/24
add action=masquerade chain=srcnat src-address=10.10.10.0/24
add action=src-nat chain=srcnat dst-address-list=!ALL-Internal-Address \
    out-interface=ether1 routing-mark=IT-Department-internet-5M src-address=\
    192.168.88.0/24 to-addresses=91.144.20.34
add action=masquerade chain=srcnat src-address=10.48.100.0/24
add action=masquerade chain=srcnat dst-address-list=CCBS routing-mark=\
    IT-To-CCBS src-address=192.168.88.0
/ip route
add distance=1 gateway=pppoe-out1-8M routing-mark=Mobile-Internet-8M
add distance=1 gateway=192.168.12.125 routing-mark=IT-Department-internet-5M
add distance=1 gateway=pppoe-out1-8M routing-mark="Qun-PCs-To Internet"
add distance=1 dst-address=10.0.28.0/24 gateway=10.48.6.1
add distance=1 dst-address=10.0.30.0/24 gateway=10.48.6.1
add distance=1 dst-address=10.64.0.0/16 gateway=10.48.100.254
add distance=1 dst-address=10.69.96.0/24 gateway=10.48.100.254

the problem is that ip range 192.168.88.0/24 should access to all vlan but in real it can access just vlan 70

So what is the matter

10

Mr.MKX
I hope just to check my config and tell me what is the matter
Because if the problem in my router I will replace it with Microtik 2011 router
thank u very much

11

What in particular doesn’t work according to your expectations?

IMHO one of reasons you have hard time to write correct firewall filter rules is that you describe wanted connectivity using VLANs and then you implement it partially considering VLANs and partly considering IP subnets. It is easier either to think of L2 network (interfaces and VLANs) or of L3 (IP) network, just try to not mix them both.

I’m sorry, but I don’t have time and energy to (mentally) visualize your physical and logical layout and think of all necessary firewall filter rules. So either draw a detailed plan with all IP subnets and interfaces and mark which connections are allowed and which not, then create needed rules. Or stick to what you have now and add a rule whenever you find some problem (either connection which passes but should not or connection which is blocked but should be allowed).

12

Mr mkx
thank you for your help
I solved all matter except one which
ip range 192.168.88.0/24 should access all vlan
but in real it can only access internet and vlan 70

13

One thing in your setup which is not quite right, is setup about 192.168.88.0/24. You have the address set on wlan1 interface, however that interface is bridge port. While ROS doesn’t seem to force correct setting, the correct setting is to bind L3 setup (IP address, services) to bridge interface and not to one of member ports.
This forum had seen some weird behaviour in similar conditions …