Block ethernet interface to VLAN - Bridge?

Dear all,

What I have:

RB4011
Some VLANs configured on a bonding interface.
A device directly connected to eth6, in the same subnet as VLAN 15 (not changeable).

What I want:

Control access from and to eth6 from and to the VLANs.

What I tried:

Created a bridge between VLAN 15 and eth6 without VLAN filtering and so forth, just the default settings.
This way I was able to reach the device on eth6 from VLAN 15, and by turning on “Use IP Firewall” in the global bridge settings I am able to control the traffic from and to eth6 (in-bridge-port & out-bridge-port).
BUT when using firewall rules like “block: in:all-vlan out:all-vlan” there was still communication from the VLAN 15 I bridged with the ethernet port, because that traffic was originating from the bridge instead of the VLAN.
And I think there must be a better way of achieving this goal.

Interfaces

/interface bridge
add comment="Bridge ASA-ADM" name=ASA-Bridge
add admin-mac=B8:69:F4:E6:7F:A3 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment="Etherchannel Link 1"
set [ find default-name=ether3 ] comment="Etherchannel Link 2" mac-address=B8:69:F4:E6:7F:A3
set [ find default-name=ether6 ] comment=ASA
set [ find default-name=ether10 ] comment="PIN Keuken"
/interface bonding
add comment="Uplink to Switch" mode=802.3ad name=Etherchannel slaves=ether2,ether3 transmit-hash-policy=layer-2-and-3
/interface vlan
add interface=Etherchannel name=VL-ADM-Servers vlan-id=14
add interface=Etherchannel name=VL-ADM-Workstations vlan-id=15
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name="ADM LAN"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=ASA-Bridge interface=VL-ADM-Workstations
add bridge=ASA-Bridge interface=ether6
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Etherchannel list="ADM LAN"

Thanks a lot!
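An added example of the firewall approach the post describes, not taken from the original post: with use-ip-firewall=yes, frames bridged between the two members of ASA-Bridge pass through the IP firewall forward chain, but their in-interface/out-interface is the bridge itself (ASA-Bridge), not VL-ADM-Workstations, so rules written against VLAN interfaces or a VLAN interface list never match them. Matching on in-bridge-port/out-bridge-port instead does work. The bridge and port names are the ones from the export above; the allowed service (TCP 443) and the rule comments are assumptions for illustration.

```routeros
# Added example, not from the original post. Assumes ASA-Bridge with members
# ether6 and VL-ADM-Workstations and "/interface bridge settings use-ip-firewall=yes".
# Bridged traffic arrives in the forward chain with in-interface=ASA-Bridge and
# out-interface=ASA-Bridge, so match on the bridge ports, not on the VLAN interface.

/ip firewall filter
# Let replies of already-allowed flows through (normally already near the top of forward).
add chain=forward connection-state=established,related action=accept \
    comment="ASA: allow established/related"

# Allow only the service VLAN 15 may reach on the device behind ether6
# (TCP 443 is an assumed placeholder; list the services you actually need).
add chain=forward in-bridge-port=VL-ADM-Workstations out-bridge-port=ether6 \
    protocol=tcp dst-port=443 action=accept comment="ASA: VLAN15 -> ether6 https"

# Drop every other new flow from VLAN 15 towards ether6 ...
add chain=forward in-bridge-port=VL-ADM-Workstations out-bridge-port=ether6 \
    action=drop comment="ASA: block VLAN15 -> ether6"

# ... and every new flow from ether6 towards VLAN 15.
add chain=forward in-bridge-port=ether6 out-bridge-port=VL-ADM-Workstations \
    action=drop comment="ASA: block ether6 -> VLAN15"

# Routed traffic between VLAN 15 and the other VLANs also changes: once
# VL-ADM-Workstations is a bridge port, its IP address lives on ASA-Bridge,
# so interface-list based rules must include the bridge to keep covering VLAN 15.
/interface list member
add interface=ASA-Bridge list="ADM LAN" comment="VLAN15 now enters via ASA-Bridge"
```

To confirm the rules are actually being hit, generate some traffic from a VLAN 15 host towards the device on ether6 and watch the counters with `/ip firewall filter print stats where comment~"ASA"`; if the drop counters stay at zero, the frames are taking a path that bypasses the IP firewall (for example use-ip-firewall was left at no), and the accept rule above should show the expected hits for the allowed service only.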

Hey

Think of a VLAN as just another subnet / independent port of the router. Then your problem becomes “just” a routing / forwarding control issue.
You can solve / control it in the firewall filter table or by using a specific routing table. What kind of control are you looking for?

Hey sebastia, thanks for your message.
I updated my post; the device on eth6 is in the same subnet as VLAN 15. This makes it somewhat more complicated.