Bridge VLAN Filtering & Firewall

Mike65Rivne · August 31, 2024, 6:10pm

Hello !

I am configuring VLANs for my network (VLAN 88 → home network, untagged / VLAN 10 → guest network, tagged / VLAN 20 → IoT network, tagged).
As mentioned in Bridge VLAN Filtering (https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering) -
“Make sure you have added all needed interfaces to the bridge VLAN table when using bridge VLAN filtering. For routing functions to work properly on the same device through ports that use bridge VLAN filtering, you will need to allow access to the bridge interface (this automatically include a switch-cpu port when HW offloaded vlan-filtering is used, e.g. on CRS3xx series switches), this can be done by adding the bridge interface itself to the VLAN table, for tagged traffic you will need to add the bridge interface as a tagged port and create a VLAN interface on the bridge interface. Examples can be found in the inter-VLAN routing and Management port sections.”

So I have this:

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3,ether4,ether5  vlan-ids=88 
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether4,ether5  vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether4,ether5  vlan-ids=20

Also said that “Optional step is to set frame-types=admit-only-vlan-tagged on the bridge interface in order to disable the default untagged VLAN 1 (pvid=1).”
So I have also this:

/interface bridge set bridge1 frame-types=admit-only-vlan-tagged

But also said that “When allowing access to the CPU, you are allowing access from a certain port to the actual router/switch, this is not always desirable. Make sure you implement proper firewall filter rules to secure your device when access to the CPU is allowed from a certain VLAN ID and port, use firewall filter rules to allow access to only certain services.”

As i understand now i have access to CPU from all 3 VLANS. I want only access to device from VLAN88 - so what firewall rules I need for that ?

Thank You.

mkx · August 31, 2024, 6:23pm

So you have 3 VLAN interfaces

/interface/vlan
add interface=bridge1 name=vlan88 vlan-id=88
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20

and you have appropriate IP addresses set on all 3 vlan interfaces.

Now device will route traffic between the 3 subnets. If you want to block traffic between some pair of devices, then you need a firewall rule which blocks that traffic.

Default firewall setup uses LAN interface list and WAN interface list. And uses last rule which drops all traffic from WAN which is not DST-NATed. Which makes all the rest allowed (doesn’t matter if interface is part of LAN interface list). Adding a rule (in dedault firewall setup can even be the last rule)

/ip/firewall/filter
add chain=forward action=drop in-interface=vlan10 out-interface=vlan88

will block connections, started in VLAN 10 and targeting destinations in VLAN 88. But won’t block connections in the opposite direction … which is a feature. If you want to block connections in the other direction, you need a similar rule, but reversed in- and out-interface.

What the highlited quote is telling is, that devices in those subnets will have also access to services of router itself, e.g. DHCP server and DNS (probably this is desired), but also ssh and webfig (which may be fine for certain subnet but not for the rest of subnets). To regulate this accessibility, you have to add appropriate firewall rules for chain=input.

The way firewall rules have to be adapted very much depends on how your network looks like and what kind of connectivity is needed. ROS is very flexible as to what admin can do, but this also means that admin better knows what (s)he is doing …

Mike65Rivne · August 31, 2024, 6:34pm

Thank you!

One more i want to ask - I have such rules in “Routes List” - is it the same or firewall is better ?

anav · August 31, 2024, 6:56pm

What most do is simply have a rule at the end of the forward chain for example

add chain=forward action=drop comment=Drop all Else

Thus unless you have rules above this allowing traffic, EVERYTHING else is blocked.
So typcially one has
allow LAN interface list to WAN interface list for internet
allow admin to all subnets
allow LAN interface list to shared printer
etc…

Mike65Rivne · August 31, 2024, 7:29pm

Thanks a lot!

Mike65Rivne · August 31, 2024, 8:26pm

But if I have this:

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3,ether4,ether5  vlan-ids=88 
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether4,ether5  vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether4,ether5  vlan-ids=20

does it mean that access to CPU can be made from vlan 10 or vlan 20 - those 2 vlans didn’t need to communicate with vlan 88 to access bridge - or not? What sense in blocking subnets from access to each other to prevent them from access to device- or somewhere in settings does exist some parameter that define address of device is only 192.168.88.1 and not 182.168.10.1(or 192.168.20.1) ? - sorry for maybe stupid question …

neki · August 31, 2024, 10:16pm

Do you mean ip address?

/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0

anav · August 31, 2024, 10:34pm

Traffic flow is directed by the /interface bridge ports and /interface bridge vlans.
In other words they instruct where VLANX goes in and out of ports and whether or not its flowing out of a port tagged or untagged and whether or not its tagged coming into a port etc..
The firewall rules are there to allow one to poke holes in the vlans so to speak, so that for example VLANX can use a printer on VLANY at Layer 3.
Separation between vlans is automatic due to L2 separation, firewall rules prevent the router from routing between vlans.

So I am not understanding your question.

Mike65Rivne · September 1, 2024, 7:16am

I mean next:

I have 3 VLANs : VLAN88, VLAN10, VLAN20
Also I have 3 networks: 192.168.88.0/24, 192.168.10.0/24, 192.168.20.0/24
When I make VLAN88 unreachable from VLAN10 and VLAN20, PC connected to VLAN20 still will be able to get access to router via address 192.168.20.1

So how to allow access to router only from VLAN88 ?

I think I found something in section “Protect the router itself” (https://help.mikrotik.com/docs/display/ROS/Filter#Filter-Protecttherouteritself):

/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input

So will it works if i make interface list “allowed_to_router” and place only VLAN88 to that list and in rule instead of src-address-list place in-interface-list ?

anav · September 1, 2024, 11:32am

Sounds like your firewall rules are the problem…

use something like the default rule set with proper modifications

/ip firewall address-list { dhcp leases set statically }
add address=adminIP1 list=Authorized comment=adminPC
add address=adminIP2 list=Authorized comment=adminlaptop
add address=adminIP3 list=Authorized comment=adminsmartphone

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment=“accept ICMP” protocol=icmp
add action=accept chain=input comment=“admin access” src-address-list=Authorized
add action=accept chain=input comment=“users to services” dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“users to services” dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else" { put this rule in last to avoid getting locked out }
++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat disabled=yes { enable if required or remove }
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
add action=drop chain=forward comment=“drop all else”

@@@ Here is where you put any rules you need to ALLOW traffic as all traffic is blocked by the last rule.

Mike65Rivne · September 1, 2024, 11:38am

This code

/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input

i see in help.mikrotik.com

i plan to change it to my network in such way:

/interface list
add name=allowed_to_router
/interface list member
add interface=VLAN88 list=allowed_to_router
/ip firewall filter
add action=accept chain=input in-interface-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input

off course all other rules exist in firewall - this is only part related to router access from VLAN88…

Mike65Rivne · September 1, 2024, 2:20pm

Thanks everyone for explaining firewall logic!