Best practice Firewall Inter-VLAN Routing

Hello,

I have a VLAN Setup using one shared Bridge and VLAN-Interfaces (see below) to the cpu.

Since this is a router I want it to route between the different VLANs, and this works as expected.
To control the traffic between the VLANs I use the firewall of the router.

Is it now best practice in this setup to use the VLAN interfaces (V11_Config, V10_Lan) of the router, as source/destination identification for firewall rules?
Or is it recommended to use address spaces (10.10.10.0/24)? Or even just address lists (this seems not very practical)?
I have seen and tried them all successfully. Which one is the most secure and recommended one, or is it indeed irrelevant?
I would guess that using the VLAN-Interface is the best readable and scalable option.

Am I right that it is not possible to spoof addresses from another VLAN because the router would not be accessible as gateway on the respective interface?

Thank you for your opinion.

# model = RB750UPr2

##ADD shared Bridge
/interface bridge add name=bridge_VLAN vlan-filtering=yes

##ADD Vlan interfaces on VLAN-Bridge for Router IP-Interface
/interface vlan add interface=bridge_VLAN name=V10_Lan vlan-id=10
/interface vlan add interface=bridge_VLAN name=V11_Config vlan-id=11

/ip address add address=10.10.11.1/24 interface=V11_Config network=10.10.11.0
/ip address add address=10.10.10.1/24 interface=V10_Lan network=10.10.10.0

##DHCP-Server on LAN and CONFIG Vlan
/ip pool add name=dhcp_pool_LAN ranges=10.10.10.20-10.10.10.30
/ip pool add name=dhcp_pool_Config ranges=10.10.11.10-10.10.11.20

/ip dhcp-server add address-pool=dhcp_pool_LAN disabled=no interface=V10_Lan name=dhcp_Lan
/ip dhcp-server add address-pool=dhcp_pool_Config disabled=no interface=V11_Config name=dhcp_Config
/ip dhcp-server network add address=10.10.10.0/24 dns-none=yes gateway=10.10.10.1
/ip dhcp-server network add address=10.10.11.0/24 dns-none=yes gateway=10.10.11.1

##TRUNK at ether1
##AccessPort VLAN11 on ether4
##AccessPort VLAN10 on ether5
/interface bridge port add bridge=bridge_VLAN interface=ether1
/interface bridge port add bridge=bridge_VLAN interface=ether4 pvid=11
/interface bridge port add bridge=bridge_VLAN interface=ether5 pvid=10

/interface bridge vlan add bridge=bridge_VLAN tagged=bridge_VLAN,ether1 untagged=ether4 vlan-ids=11
/interface bridge vlan add bridge=bridge_VLAN tagged=ether1,bridge_VLAN untagged=ether5 vlan-ids=10

One has TWO major tools in firewall rules (besides subnet addresses or singular addresses) to address users or groups of users.
Interface Lists and Firewall Address Lists. I tend to use vlans so then not so much so I use subnets themselves.

IF YOU HAVE MORE THAN ONE GROUP OF USERS - Interface lists are extremely useful.
IF YOU HAVE only one address, then source or destination address makes sense
IF YOU HAVE multiple addresses within a subnet you will need to allow/deny, then a firewall address list makes sense OR if you have a single address that may change fairly frequently
(works if you have multiple addresses across multiple subnets as well)
(By the way I avoid using bridges as interfaces as much as possible, or for DHCP for that matter)

Consider an object oriented approach where you rarely need to change the firewall rules themselves but add or subtract addresses from firewall address lists OR interfaces from interface lists.

Consider Case
vlanA=LAN
vlanB=LAN
vlanC=LAN
vlanhome=LAN
vlanA=VLAN
vlanB=VLAN
vlanC=VLAN

Typical useful setup and rules.

(1) add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN {internet access for all}

(2) a. add chain=forward action=accept in-interface=vlanhome out-interface-list=VLAN (if you want home vlan to access all other vlans)
b. add chain=forward action=accept in-interface=vlanhome src-address-list=onlysomeusers out-interface-list=VLAN (if you want one or more specific users from the home vlan to access other vlans like admin desktop or admin laptop or admin ipad)

(3) add chain=input action=accept in-interface=vlanhome src-address-list=adminaccess (allow admin access to router)

(4) add chain=input action=accept in-interface-list=LAN FOR DNS for ex…

In summary, I tend to use interface lists for groups of users and firewall address for one or more users, but not a whole group, or if users are on diff subnets.

Note: Maybe I do it overboard in that this rule could be simplified…
add chain=input action=accept in-interface=vlanhome src-address-list=adminaccess (allow admin access to router)

To
add chain=input action=accept src-address-list=adminaccess (allow admin access to router)

However, I like to define exactly where and to as refined as possible.
In other words I am saying the request has to originate within a certain interface AND it has to come from these specific addresses.
The short rule just says it has to come from these addresses. That's a personal taste decision.
Just easier for me to understand what I am doing when reading the rules, but I don't know for sure if it has any other benefit, security or otherwise…
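The following is an added example, not configuration posted by either participant, showing the list-based approach the reply describes applied to the VLAN interfaces from the original post (V10_Lan, V11_Config). The interface list names LAN, VLAN and WAN and the address list adminaccess come from the reply; the uplink port ether2, the two admin host addresses, and the anti-spoofing rules are assumptions added here for illustration.

```routeros
# Added example (assumptions noted inline); not from the thread.

# Interface lists: group the router-side VLAN interfaces once, then refer
# to the list in rules. A new VLAN only needs a new member entry, not a rule.
/interface list add name=LAN
/interface list add name=VLAN
/interface list add name=WAN
/interface list member add list=LAN interface=V10_Lan
/interface list member add list=LAN interface=V11_Config
/interface list member add list=VLAN interface=V10_Lan
/interface list member add list=VLAN interface=V11_Config
# assumption: ether2 is the uplink; the original post does not show a WAN port
/interface list member add list=WAN interface=ether2

# Address list: the few hosts allowed to manage the router (constructed addresses)
/ip firewall address-list add list=adminaccess address=10.10.11.10 comment="admin laptop (constructed)"
/ip firewall address-list add list=adminaccess address=10.10.11.11 comment="admin desktop (constructed)"

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related comment="replies to router-initiated traffic"
add chain=input action=drop connection-state=invalid
# rule (3) from the reply: interface AND address list must both match
add chain=input action=accept in-interface=V11_Config src-address-list=adminaccess comment="admin access only from the config VLAN"
# rule (4) from the reply; only needed if the router answers DNS for clients
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS from all LAN VLANs"
add chain=input action=drop comment="default deny to the router"

# --- forward chain: traffic routed between interfaces ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# assumption/defensive extra: a packet arriving on a VLAN interface must carry a
# source address from that VLAN's own subnet, so one VLAN cannot impersonate another
add chain=forward action=drop in-interface=V10_Lan src-address=!10.10.10.0/24 comment="drop spoofed sources on V10_Lan"
add chain=forward action=drop in-interface=V11_Config src-address=!10.10.11.0/24 comment="drop spoofed sources on V11_Config"
# rule (1) from the reply: internet for every LAN VLAN
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="internet access for all"
# rule (2a) from the reply, with V11_Config playing the role of vlanhome
add chain=forward action=accept in-interface=V11_Config out-interface-list=VLAN comment="config VLAN may reach all other VLANs"
add chain=forward action=drop comment="default deny between VLANs"
```

Because every accept rule references a list rather than an individual interface or subnet, adding a third VLAN means adding it to the LAN and VLAN lists and nothing else; the final drop rules in each chain make sure traffic that matches no list is rejected rather than silently allowed.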