I have problems when configuring vlan on mikrotik router.
I have 10 VLANs: 10 → 20
I want to block traffic between VLANs.
But I wrote too many rules, and it doesn't work.
Instead of explicitly blocking each VLAN, block everything with a "not interface" match (note the exclamation point before the interface name):
add action=drop chain=forward comment="Block all interfaces except internet from VLAN 10" out-interface=!E1-p10_DSL_Internet in-interface=VLAN_10
You would obviously need whatever filtering in front of this, but this would prevent anything from VLAN 10 from getting to any other LAN except the internet. You still need a similar rule for each VLAN, but it’s only one per VLAN rather than a dozen (or whatever) per VLAN.
Clean way.
/ip firewall filter
{input chain}
allow established related
block invalid
allow icmp
allow admin to router
allow lan requests for DNS tcp/udp
drop all else
{forward chain}
fasttrack allow established related
allow established related
+++++++++++++++++++++++++
drop all else.
With this setup you have no traffic to the internet or between LANs at layer 3. Layer 2 is blocked by virtue of traffic being separated by VLANs.
Where the +++++++++++++++++++++++++++ is located is where you want to put what is allowed as everything is blocked by the last rule.
examples
allow port forwarding
allow homelan to WAN
allow VLANS to WAN
(for a group rule it is easier to create an interface list for all the VLANs and then apply the rule using the interface list)
add action=accept chain=forward in-interface-list=vlan_list out-interface=eth1-wan
The drop rule looks like
add action=drop chain=forward (very simple)
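A full RouterOS filter set following the "clean way" outline above, as an added example (not anav's own export); the interface names ether1-wan, vlan10 and vlan20, the list names, and the 192.168.88.0/24 management subnet are assumptions:

```routeros
# Added example, not the poster's configuration. Assumed names: WAN port
# ether1-wan, VLAN interfaces vlan10 and vlan20 (add the rest the same way),
# management subnet 192.168.88.0/24, interface lists wan_list and vlan_list.
/interface list
add name=wan_list
add name=vlan_list
/interface list member
add interface=ether1-wan list=wan_list
add interface=vlan10 list=vlan_list
add interface=vlan20 list=vlan_list

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="allow established related"
add chain=input action=drop connection-state=invalid comment="block invalid"
add chain=input action=accept protocol=icmp comment="allow icmp"
add chain=input action=accept src-address=192.168.88.0/24 \
    comment="allow admin to router (assumed management subnet)"
add chain=input action=accept in-interface-list=vlan_list protocol=udp \
    dst-port=53 comment="allow LAN DNS udp"
add chain=input action=accept in-interface-list=vlan_list protocol=tcp \
    dst-port=53 comment="allow LAN DNS tcp"
add chain=input action=drop comment="drop all else"

# --- forward chain: traffic passing through the router ---
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack established related"
add chain=forward action=accept connection-state=established,related \
    comment="allow established related"
# +++++ everything that should be permitted goes between here and the drop +++++
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface-list=wan_list comment="allow port forwarding"
add chain=forward action=accept in-interface-list=vlan_list \
    out-interface-list=wan_list comment="allow VLANs to WAN"
# No rule accepts vlan_list -> vlan_list, so new inter-VLAN connections fall
# through to the final drop; established/related replies are still allowed above.
add chain=forward action=drop comment="drop all else"
```

Rule order matters: RouterOS evaluates a chain top to bottom, so the established/related accepts must sit above the final drop and any new allow rule must be inserted before it.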
I am wondering a similar thing. I really like the clean way as things getting complicated has really been bugging me. I have noticed my VLAN wants to talk to itself a lot, where I have a rule accept forward VLAN18 in and VLAN18 out. No idea why.
as far as
allow homelan to WAN
allow VLANS to WAN
That would be as simple as allow forward WAN (interface group) I guess, with an in interface if I want to restrict it to specific VLANs.
to allow port forwards, I can just edit the last rule to add ! dstnat correct?
Thinking about how to communicate from my trusted VLAN to the untrusted VLAN, say if I had a printer on the untrusted VLAN. I guess the best way is just 2 separate /24 networks connected by the router, only thing is I wouldn't be able to broadcast to the untrusted domain (?)
@solar77: The src-address-type=local means addresses assigned directly to the router. So it will stop the router talking to itself, but not traffic between VLANs.
If “allow what I want and block the rest” (as presented by anav) is not good for someone for any reason, there’s also in/out-interface=all-vlan, so you can have:
If you mean yours, then no, because forward chain is before srcnat. And there the destination is non-local address (either what client wanted, or where dstnat sent it) and source is non-local address too.