Block inter-vlan traffic in one direction

Hi All
I followed this guide to setup VLANs ( https://youtu.be/mKmE9Iv3lhY )

All hosts are allowed internet access
I want to allow all traffic from VLAN100 to VLAN200
I want to block all traffic from VLAN200 to VLAN100

I added rules to /ip firewall filter,

/ip firewall filter
add action=accept chain=forward in-interface=bridgeVLAN100 out-interface=bridgeVLAN200
add action=drop chain=forward in-interface=bridgeVLAN200 out-interface=bridgeVLAN100

However, this is blocking all traffic in BOTH directions.

What have I done wrong? What do I need to do?

Thanks for your help.

here is the config

# model = CRS326-24G-2S+

/interface bridge
add name=bridgeVLAN100
add name=bridgeVLAN200

/interface vlan
add interface=bridgeVLAN100 name=vlan100 vlan-id=100
add interface=bridgeVLAN200 name=vlan200 vlan-id=200
/interface list
add name=WAN
add name=LAN


/ip pool
add name=dhcp_pool5 ranges=192.168.1.101-192.168.1.199
add name=dhcp_pool6 ranges=192.168.200.101-192.168.200.199

/ip dhcp-server
add address-pool=dhcp_pool5 disabled=no interface=bridgeVLAN100 name=dhcp1
add address-pool=dhcp_pool6 disabled=no interface=bridgeVLAN200 name=dhcp2

/interface bridge port
add bridge=localbridge comment=defconf disabled=yes interface=ether1
add bridge=localbridge comment=defconf interface=ether2
add bridge=localbridge comment=defconf interface=ether3
add bridge=localbridge comment=defconf interface=ether4
add bridge=localbridge comment=defconf interface=ether5
add bridge=localbridge comment=defconf interface=ether6
add bridge=localbridge comment=defconf interface=ether7
add bridge=localbridge comment=defconf interface=ether8
add bridge=localbridge comment=defconf interface=ether9
add bridge=bridgeVLAN200 comment=defconf interface=ether10
add bridge=localbridge comment=defconf interface=ether11
add bridge=localbridge comment=defconf interface=ether12
add bridge=localbridge comment=defconf interface=ether13
add bridge=localbridge comment=defconf interface=ether14
add bridge=localbridge comment=defconf interface=ether15
add bridge=localbridge comment=defconf interface=ether16
add bridge=localbridge comment=defconf interface=ether17
add bridge=localbridge comment=defconf interface=ether18
add bridge=localbridge comment=defconf interface=ether19
add bridge=localbridge comment=defconf interface=ether20
add bridge=localbridge comment=defconf interface=ether21
add bridge=localbridge comment=defconf interface=ether22
add bridge=bridgeVLAN100 comment=defconf interface=ether23
add bridge=bridgeVLAN100 comment=defconf interface=sfp-sfpplus1
add bridge=localbridge comment=defconf interface=sfp-sfpplus2
add bridge=bridgeVLAN100 interface=ether24

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=pppoe-out1 list=WAN
add interface=localbridge list=LAN


/ip address
add address=192.168.1.1/24 interface=bridgeVLAN100 network=192.168.1.0
add address=192.168.200.1/24 interface=bridgeVLAN200 network=192.168.200.0

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1 netmask=24
add address=192.168.200.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.200.1

/ip dns
set servers=8.8.8.8

/ip firewall address-list
add address=192.168.1.0/24 list=vlan100
add address=192.168.200.0/24 list=vlan200

/ip firewall filter
add action=accept chain=forward in-interface=bridgeVLAN100 out-interface=bridgeVLAN200
add action=drop chain=forward in-interface=bridgeVLAN200 out-interface=bridgeVLAN100

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 out-interface-list=WAN

First, the firewall rules in your configuration block packets from one VLAN to another but do not protect the router itself from attacks via WAN. So if you get a public WAN address via PPPoE from your ISP, your router may already have been infected by malware.

Second, it depends on what you call “traffic”. Typical client-server traffic requires a bidirectional packet exchange even if the payload information is transported in only one direction, because the sender usually wants to know whether the recipient has received the data, and re-send it if not. Exceptions exist, but not many.

So if what you actually want is that clients from VLAN A can establish connections to servers in VLAN B, but clients in VLAN B cannot establish connections to servers in VLAN A, you have to have a look at how a stateful firewall works. I don’t know whether a YouTube video on stateful firewalls exists, but I have described the principle multiple times here on the forum. The firewall rules from the default configuration of SOHO models of MikroTik (hEX, hAP, …) set up a stateful firewall, so you can add just rules to handle the first packet of each new connection. If the first packet is accepted, the rest of the connection is permitted bi-directionally. If the first packet is dropped, no further packets ever come.
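As an added illustration of the stateful principle described in the reply above (this is not part of the original thread and not the poster's export), the two stateless rules from the question can be replaced by rules that match on connection-state. Only the bridge names bridgeVLAN100 and bridgeVLAN200 are taken from the export; the rule comments and ordering are assumed. The original rules drop the reply packets that VLAN200 servers send back to VLAN100 clients, which is why even VLAN100-initiated connections never complete; the version below judges only the first packet of each connection by direction and lets connection tracking handle the rest.

```routeros
/ip firewall filter
# Replies and related packets of any connection that was already accepted are
# allowed in both directions; this rule must come BEFORE the directional drops.
add chain=forward action=accept connection-state=established,related \
    comment="stateful: allow replies of accepted connections"
# Packets that connection tracking cannot attribute to a known connection
# (out-of-state segments) are discarded.
add chain=forward action=drop connection-state=invalid \
    comment="drop out-of-state packets"
# First packet of a connection from VLAN200 towards VLAN100: dropped, so no
# further packets of that connection ever arrive.
add chain=forward action=drop connection-state=new \
    in-interface=bridgeVLAN200 out-interface=bridgeVLAN100 \
    comment="VLAN200 may not initiate connections to VLAN100"
# First packet of a connection from VLAN100 towards VLAN200: accepted, and the
# server's answers then match the established,related rule above.
add chain=forward action=accept connection-state=new \
    in-interface=bridgeVLAN100 out-interface=bridgeVLAN200 \
    comment="VLAN100 may initiate connections to VLAN200"
```

Rules are evaluated top to bottom, so the established,related accept has to sit above the directional drop; if it is placed below, the same symptom as in the question returns. To confirm that the state logic behaves as intended, watch the per-rule counters with /ip firewall filter print stats while a VLAN100 client opens a connection to a VLAN200 host and a VLAN200 client tries the reverse, and inspect the tracked entries with /ip firewall connection print.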

/export hide-sensitive file=anynameyouwish

Then we will be able to comment on the config in a more complete sense as often rules and config are interactive.