Block Between VLANs In the Same Bridge

I currently have configured my Mikrotik as a Router with a Single Bridge setup containing multiple VLANs with L3 Routing, and I want to be able to block a particular VLAN from communicating with other VLANs but still have internet access. I’ve tried various firewall rules, and I need help to get them to work. Below is an example of what I currently have set up.

Bridge

  • VLAN2
  • VLAN3
  • VLAN4
  • VLAN5-Kids
  • VLAN6

I want to block VLAN5-Kids from communicating with other VLANs while still having internet.

I tried the following rule, but that doesn’t do anything.
/ip firewall filter
add action=drop chain=forward in-interface="VLAN5-Kids" out-interface="VLAN2"
add action=drop chain=forward in-interface="VLAN5-Kids" out-interface="VLAN3"
add action=drop chain=forward in-interface="VLAN5-Kids" out-interface="VLAN4"
add action=drop chain=forward in-interface="VLAN5-Kids" out-interface="VLAN6"

Any guidance would be greatly appreciated.

Maybe the order of rules is not correct; you must be careful about that. I have the same firewall rules for my VLANs and they are working fine, but all my drop rules came after the accept rules.

Some things to note:

  1. Indeed, the order of rules matters: your rules must be before any rule that could accept the traffic, but normally after the "established/related" rule.
  2. Inserting rules that block traffic after established/related will block only NEW traffic. When you have a ping going on and then insert the rule, the ping will continue working.
  3. When you want to regulate such a many-to-many configuration, it is more efficient to use interface lists, e.g. make an interface list "protected", add VLAN 2,3,4,6 to that interface list, and then use:
    /ip firewall filter
    add action=drop chain=forward in-interface="VLAN5-Kids" out-interface-list="protected"

You probably also want:
add action=drop chain=forward in-interface-list="protected" out-interface="VLAN5-Kids"

https://forum.mikrotik.com/viewtopic.php?t=180838

I tried to use the following order, but I can still ping and connect to all my other VLANs for some reason, and I cannot access the internet either.

Interface List:
WAN = eth1 (Internet)
LAN = VLAN2,VLAN3,VLAN4,VLAN6
Guest = VLAN5-Kids


/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Block Guest From LAN" in-interface=VLAN5-Kids out-interface-list=LAN
add action=accept chain=forward comment="Allow Guest to Internet"  in-interface=VLAN5-Kids out-interface-list=!LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

Let's be clear.
The ability to ping an interface does not equate to accessing the VLAN.
In other words, you are pinging a router interface, not any of the devices on the VLAN (aka users and servers). This is normal, expected behaviour.
You will find that with firewall rules applied, you cannot access anyone's devices on another VLAN.

Furthermore, I don't comment on half bits of information.
If you want assistance, since many parts of a config are related, please post the entire config.

/export file=anynameyouwish ( minus router serial number and any public WANIP information )


how about this

Bridge
- VLAN2 = 20.0/24
- VLAN3 = 30.0/24
- VLAN4 = 40.0/24
- VLAN5-Kids = 50.0/24
- VLAN6 = 60.0/24

ip firewall list add kids address 50.0/24
ip firewall list add adults address 20, 30, 40, 60.0/24
ip firewall filter add chain input in interface bridge src-addr=kids dst-addr=adults action drop

maybe something like that?

wan masquerade as usual.

hope this helps.

UNWISE - turn into the tin man??
much more efficient to have a drop rule at the end of the forward chain.
All vlans are thus blocked from each other at layer 3, no rules are necessary other than needed traffic,
such as what lan to wan traffic is required for example OR management vlan to all vlans etc…

much more efficient to have a drop rule at the end of the forward chain.

Absolutely,
but just for troubleshooting, sometimes we need to do a top-to-bottom approach @anav :wink:

If it is harder to filter at layer 2, how about we do it at the upper layer 3?

We can ignore PING for now. I have several web servers hosted in VLAN2, and with the firewall filter in place to drop the connection, I was still able to browse those web pages via IP address.
Here is my entire setup.

/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes

/interface ethernet
set [ find default-name=qsfpplus1-1 ] name=qsfpplus1-1-nas
set [ find default-name=qsfpplus2-1 ] name=qsfpplus2-1-nas
set [ find default-name=sfp-sfpplus1 ] name=eth1-WAN
set [ find default-name=sfp-sfpplus2 ] name=sfp2-downstairs-netgeear
set [ find default-name=sfp-sfpplus3 ] name=sfp3-upstairs-netgear
set [ find default-name=sfp-sfpplus4 ] name=sfp4-workstation-hub
set [ find default-name=sfp-sfpplus5 ] name=sfp5-desktopComputer
set [ find default-name=sfp-sfpplus6 ] name=sfp6-pve
set [ find default-name=sfp-sfpplus7 ] name=sfp7-pve
set [ find default-name=sfp-sfpplus8 ] name=sfp8-pve
set [ find default-name=sfp-sfpplus9 ] name=sfp9-pve
set [ find default-name=sfp-sfpplus10 ] name=sfp10-pve
set [ find default-name=sfp-sfpplus11 ] name=sfp11-pve
set [ find default-name=sfp-sfpplus12 ] name=sfp12

/interface vlan
add interface=bridge name=VLAN2 vlan-id=2
add interface=bridge name=VLAN3 vlan-id=3
add interface=bridge name=VLAN4 vlan-id=4
add interface=bridge name=VLAN5-Kids vlan-id=5
add interface=bridge name=VLAN6 vlan-id=6

/interface bonding
add mode=802.3ad name=40G-Bond slaves=qsfpplus1-1-nas,qsfpplus2-1-nas transmit-hash-policy=layer-2-and-3

/interface ethernet switch
set 0 l3-hw-offloading=yes

/interface ethernet switch port
set 1 l3-hw-offloading=no

/interface list
add name=WAN
add name=LAN
add name=Guest

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool2 ranges=192.168.4.2-192.168.4.254
add name=dhcp_pool3 ranges=192.168.5.2-192.168.5.254
add name=dhcp_pool4 ranges=192.168.6.2-192.168.6.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=VLAN3 name=dhcp1
add address-pool=dhcp_pool1 interface=VLAN2 name=dhcp2
add address-pool=dhcp_pool2 interface=VLAN4 name=dhcp3
add address-pool=dhcp_pool4 interface=VLAN6 name=dhcp5
add address-pool=dhcp_pool3 interface=VLAN5-Kids name=dhcp4

/port
set 0 name=serial0

/interface bridge port
add bridge=bridge interface=sfp6-pve pvid=2
add bridge=bridge interface=sfp2-downstairs-netgeear pvid=100
add bridge=bridge interface=sfp3-upstairs-netgear pvid=100
add bridge=bridge interface=sfp7-pve pvid=2
add bridge=bridge interface=sfp8-pve pvid=2
add bridge=bridge interface=sfp9-pve pvid=2
add bridge=bridge interface=sfp10-pve pvid=2
add bridge=bridge interface=sfp11-pve pvid=2
add bridge=bridge interface=sfp4-workstation-hub pvid=3
add bridge=bridge interface=sfp5-desktopComputer pvid=3
add bridge=bridge interface=40G-Bond pvid=2

/interface bridge vlan
add bridge=bridge tagged=bridge,sfp2-downstairs-netgeear,sfp3-upstairs-netgear,sfp6-pve,sfp7-pve,sfp8-pve,sfp9-pve,sfp10-pve,sfp11-pve untagged=sfp4-workstation-hub,sfp5-desktopComputer vlan-ids=3
add bridge=bridge tagged=bridge,sfp3-upstairs-netgear,sfp2-downstairs-netgeear untagged=40G-Bond,sfp6-pve,sfp7-pve,sfp8-pve,sfp9-pve,sfp10-pve,sfp11-pve vlan-ids=2
add bridge=bridge tagged=bridge,sfp2-downstairs-netgeear,sfp3-upstairs-netgear vlan-ids=4
add bridge=bridge tagged=bridge,sfp2-downstairs-netgeear,sfp3-upstairs-netgear vlan-ids=5
add bridge=bridge tagged=bridge,sfp2-downstairs-netgeear,sfp3-upstairs-netgear vlan-ids=6

/interface list member
add interface=eth1-WAN list=WAN
add interface=VLAN2 list=LAN
add interface=VLAN3 list=LAN
add interface=VLAN4 list=LAN
add interface=VLAN6 list=LAN
add interface=VLAN5-Kids list=Guest

/ip address
add address=192.168.3.1/24 interface=VLAN3 network=192.168.3.0
add address=xx.xx.xx.xx/29 interface=eth1-WAN network=xx.xx.xx.xx
add address=192.168.2.1/24 interface=VLAN2 network=192.168.2.0
add address=192.168.4.1/24 interface=VLAN4 network=192.168.4.0
add address=192.168.5.1/24 interface=VLAN5-Kids network=192.168.5.0
add address=192.168.6.1/24 interface=VLAN6 network=192.168.6.0

/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=192.168.4.1 gateway=192.168.4.1
add address=192.168.6.0/24 dns-server=192.168.6.1 gateway=192.168.6.1
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/ip firewall address-list
add address=192.168.2.0/24 list="LAN"
add address=192.168.3.0/24 list="LAN"
add address=192.168.4.0/24 list="LAN"
add address=192.168.6.0/24 list="LAN"
add address=192.168.5.0/24 list="Guest"
add address=xx.xx.xx.xx list=WAN

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Block Guest From LAN" in-interface=VLAN5-Kids out-interface-list=LAN
add action=accept chain=forward comment="Allow Guest to Internet" in-interface=VLAN5-Kids out-interface-list=!LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop if DNS Query Coming From Internet" in-interface=eth1-WAN protocol=tcp src-port=53
add action=drop chain=input in-interface=eth1-WAN protocol=udp src-port=53
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark connections for hairpin NAT" dst-address-list=WAN new-connection-mark="Hairpin NAT" passthrough=yes src-address-list="Internal LAN"

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT"
add action=masquerade chain=srcnat comment=“NAT to Internet” out-interface-list=WAN

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xx.xx.xx.xx pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10 vrf-interface=eth1-WAN

@dungtran88

OK. Let us see your CLI output of

/ip firewall filter print

We just need to see your firewall sequence.

I think you need to put that kids-to-adults block rule on top of everything, and start doing an IP-based firewall instead of interface lists. A VLAN is nothing without IP.

Sorry, my eyes couldn't read the long config.

(1) Need to reconcile some possible errors, but most likely it's just a bunch of hybrid ports.

According to your /interface bridge ports and /interface bridge vlans
a. sfp2 and sfp3 are trunk ports carrying only vlans. ( 2,3,4,5,6 )
b. sfp6, sfp7, sfp8, sfp9, sfp10, sfp11 are HYBRID ports, carrying tagged vlan3 and untagged on vlan2
c. sfp4 and sfp5 are access ports, untagged for vlan3

Can you confirm?

(2) Where are sfp2, sfp3 on /interface bridge ports ???

(3) No need to mangle for hairpin.

(4) Hairpin is only required for users that are within the same subnet as the servers and need to access the server by WANIP ( not by the direct LANIP ).
Please indicate which subnets have servers where this is true
Then we can create proper hairpin sourcenat rules.

(5) the VLAN5-Kids list=LAN is most likely required ( check your firewall rules where LAN is used!! )

(6) There is no need to create firewall lists for whole subnets.
First, you can identify a subnet in a rule by its subnet address.
Second, two or more whole subnets are best identified by interface lists.

(7) Your rules are less than optimal, in that they are not even within an organized order by chain?
Also there is no reason to detail port 53…


FIXED…

/ip firewall filter
{input chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
(admin rules)
add action=accept chain=input comment="allow only lan traffic" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

With these rules, no traffic will pass between vlans.
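The earlier note that rule order matters (drops belong after the established/related accept, and interface lists cover many-to-many cases) and the whitelist-style forward chain just above can both be checked with a small first-match simulator. This is an added example, not code from the thread or from RouterOS: the interface lists mirror the thread's WAN/LAN/Guest lists, the packets are constructed, and the two ipsec rules are omitted because no sample packet is ipsec.

```python
# Added example (not from the thread or RouterOS): first-match model of the
# "FIXED" forward chain with the thread's interface lists. Packets are constructed.

INTERFACE_LISTS = {
    "WAN": {"eth1-WAN"},
    "LAN": {"VLAN2", "VLAN3", "VLAN4", "VLAN6"},
    "Guest": {"VLAN5-Kids"},
}

# Forward chain in the order given above: (matchers, action). The final empty
# matcher is the "drop all else" rule that turns the chain into a whitelist.
FORWARD_CHAIN = [
    ({"connection-state": {"established", "related"}}, "fasttrack-connection"),
    ({"connection-state": {"established", "related", "untracked"}}, "accept"),
    ({"connection-state": {"invalid"}}, "drop"),
    ({"in-interface-list": "LAN", "out-interface-list": "WAN"}, "accept"),
    ({"connection-nat-state": "dstnat"}, "accept"),
    ({}, "drop"),
]

def packet(in_if, out_if, state="new", nat_state=None):
    """A routed packet as the forward chain sees it (constructed sample)."""
    return {"in-interface": in_if, "out-interface": out_if,
            "connection-state": state, "connection-nat-state": nat_state}

def matches(rule, pkt, lists):
    """All matchers on a rule must hold, as in RouterOS (AND semantics)."""
    for key, want in rule.items():
        if key == "connection-state" and pkt[key] not in want:
            return False
        if key == "in-interface-list" and pkt["in-interface"] not in lists[want]:
            return False
        if key == "out-interface-list" and pkt["out-interface"] not in lists[want]:
            return False
        if key == "connection-nat-state" and pkt[key] != want:
            return False
    return True

def verdict(pkt, lists=INTERFACE_LISTS, chain=FORWARD_CHAIN):
    """First matching rule decides; fasttrack is treated as accept. RouterOS
    accepts when nothing matches, which is why the chain ends in an explicit drop."""
    for rule, action in chain:
        if matches(rule, pkt, lists):
            return "accept" if action == "fasttrack-connection" else action
    return "accept"

def lists_with_guest_in_lan():
    """Point (5) above: the kids VLAN must also be in LAN to reach the internet."""
    lists = {name: set(members) for name, members in INTERFACE_LISTS.items()}
    lists["LAN"].add("VLAN5-Kids")
    return lists

if __name__ == "__main__":
    print(verdict(packet("VLAN5-Kids", "VLAN2")))                               # drop
    print(verdict(packet("VLAN5-Kids", "eth1-WAN")))                            # drop
    print(verdict(packet("VLAN5-Kids", "eth1-WAN"), lists_with_guest_in_lan())) # accept
    print(verdict(packet("VLAN5-Kids", "VLAN2"), lists_with_guest_in_lan()))    # drop
    print(verdict(packet("VLAN5-Kids", "VLAN2", state="established")))          # accept
```

The established-state case is the "ping keeps working after you insert the rule" effect described earlier: only new connections reach the drop.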

I also tried to put the drop rule top most, but no success. I also tried to use Src Address and Dst Address, but same result.

Here is my Firewall Filter

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Block Guest From LAN" in-interface=VLAN5-Kids out-interface-list=LAN
add action=accept chain=forward comment="Allow Guest to Internet" in-interface=VLAN5-Kids out-interface-list=!LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop if DNS Query Coming From Internet" in-interface=eth1-WAN protocol=tcp src-port=53
add action=drop chain=input in-interface=eth1-WAN protocol=udp src-port=53
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Hey, I only have 2 hands …

You failed to answer my questions with any kind of necessary detail/accuracy.
The firewall rules I provided work.
GLuck


According to what you’ve provided.
add action=accept chain=input comment="allow only lan traffic" in-interface-list=LAN
add action=accept chain=input comment="drop all else" <-----Is this supposed to be action=drop?

Regardless, I am still able to access websites from VLAN2 via IP address.

Correct, but that would not affect forward chain behaviour.
Can you clarify what it is you can do that seems wrong?

It's not clear exactly.

So the main goal is to isolate VLAN5-Kids so that they cannot communicate with any other VLAN within the same Bridge.
I have about 5 web servers hosted across VLAN2-VLAN4.

Example:
VLAN2 - have web server with IP:192.168.2.10
VLAN3 - have web server with IP:192.168.3.20
VLAN4 - have web server with IP:192.168.4.55

I tried all possible combinations I can think of to block VLAN5-Kids from accessing those web servers, but no success.

I validate that it doesn't work by:

  • Creating firewall rules and moving them all to the top.
  • Connecting a laptop to VLAN5-Kids and opening the web browser to navigate to those web servers via IP address (http://192.168.2.10 or https://192.168.3.20).
  • Result: I can navigate and browse them without any issue.