I'm searching for a comfortable way to block traffic between VLANs on a MikroTik router.
For example, I have a CCR1009 with the SFP+ port as a VLAN trunk with VLAN IDs 10, 20 and 100. The only way I found in the forums was to make individual firewall rules for each VLAN and each direction. So in this case I would need six rules:
Now, for a few VLANs this might be an option, but as more and more VLANs join this trunk, it would become somewhat uncomfortable (for 4 VLANs I would need 12 rules, for 5 VLANs there will be 20 rules and so on…).
So, is there a nicer way to do this - especially if there will be more new VLANs in time?
The only scalable way is using one firewall rule with either interface list (layer 2) or address list (layer 3).
Create an interface (or address) list and add a firewall rule that states that the in (source) interface (address) list can't talk to the same out (destination) interface (address) list. You only need to update the interface (address) list when adding a new VLAN (subnet).
This seems to be somewhat applicable to what is being discussed here so I will give it a shot!
For example… three different types of interfaces on your network, and we are keying in on the VLAN networks.
/interface list add name="UntrustedVLANs" comment="Untrusted InterVLAN traffic"
/interface list add name="Trusted" comment="Trusted networks"
/interface list add name="Guest Wireless" comment="Guest Wireless"
identify all the vlans…
/interface list member add list=UntrustedVLANs interface=vlan10 comment="nameofnetwork10"
/interface list member add list=UntrustedVLANs interface=vlan20 comment="nameofnetwork20"
to
/interface list member add list=UntrustedVLANs interface=vlan100 comment="name of network100"
The following single rule would apply…
/ip firewall filter add chain=forward in-interface-list=UntrustedVLANs out-interface-list=UntrustedVLANs action=drop comment="Block InterVLAN traffic"
So I just did a quick lab-test with this scenario:
One CCR1009 with VLANs 10, 20, 30 and 100, DHCP server on every VLAN interface. With an old HP switch I distributed these VLANs to connect some devices in several VLANs.
First I tried the method described by anav and che:
I created an interface-list with all the VLANs inside and made the following filter-rule:
add action=drop chain=forward in-interface-list=seperateVLANs out-interface-list=seperateVLANs comment="drop all inter-VLAN traffic"
This works! Unless I'm in VLAN10, I can't ping any devices within this VLAN.
Second, I tried the method described by Sob:
add action=drop chain=forward comment="drop all inter-VLAN traffic" in-interface=all-vlan out-interface=all-vlan
This also works! Same behaviour as with the first method. To allow traffic between some VLANs, I just had to create a suitable filter-rule for that.
Example:
add action=accept chain=forward in-interface=intVLAN30 out-interface=intVLAN10
add action=accept chain=forward in-interface=intVLAN10 out-interface=intVLAN30
Unless there are any disadvantages (…which I will only find out in a working environment), I would prefer the second method, as it is very quick and simple. I also think it is a bit clearer, as you only have to take care of the filter rules when controlling inter-VLAN traffic and don't have to take care of interface or address lists.
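To show the interface-list method from the lab test above as a complete, ordered rule set, here is an added RouterOS example (not configuration from any poster in this thread). It goes one step beyond the symmetric accept pair in the post: VLAN30 may open connections to VLAN10, but not the reverse, which works because the established/related rule lets reply packets of permitted flows through before the list-based drop. The interface names vlan10, vlan20, vlan30 and vlan100 and the list name separateVLANs are assumptions for this example.

```routeros
# Added example, not from the thread. Assumed VLAN interface names on the trunk:
# vlan10, vlan20, vlan30, vlan100. List name "separateVLANs" is constructed here.

/interface list
add name=separateVLANs comment="every VLAN interface on the trunk"

# Adding a VLAN later only requires a new member here; the filter rule set stays unchanged.
/interface list member
add list=separateVLANs interface=vlan10
add list=separateVLANs interface=vlan20
add list=separateVLANs interface=vlan30
add list=separateVLANs interface=vlan100

# Filter rules are evaluated top-down and "add" appends to the end,
# so the order of the following commands is the order of evaluation.
/ip firewall filter
# Replies of flows that an earlier packet was allowed to start. This is what makes
# a one-directional accept below sufficient for a working TCP/UDP session.
add chain=forward action=accept connection-state=established,related \
    comment="accept replies of permitted inter-VLAN flows"
# Exceptions must precede the list-based drop. Only VLAN30 may initiate to VLAN10.
add chain=forward action=accept in-interface=vlan30 out-interface=vlan10 \
    connection-state=new comment="VLAN30 may open connections to VLAN10"
# One rule covers every VLAN pair in both directions.
add chain=forward action=drop in-interface-list=separateVLANs \
    out-interface-list=separateVLANs comment="drop all inter-VLAN traffic"
```

To check that the rules do what is intended, `/ip firewall filter print stats` shows per-rule packet counters: a ping from VLAN30 to VLAN10 should increment the one-directional accept rule and the established/related rule, while the same ping started from VLAN10 (or from VLAN20 to anything) should only increment the final drop rule.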
High AZ, Sob wins again LOL.
No worries, my concern was primarily which was more efficient
interface list layer2 or
address list layer3
and hopefully SOB will tell me and why.
I initially thought Sob's method was using address lists, but upon closer inspection and reading your last post I realized Sob was advising a completely different approach that I do not understand.
What the heck is all-vlan? Is this a special function or pull down menu selection that already exists? Where is it found and what is its purpose? (I had assumed all-VLAN was simply a name given to an address list of all the vlan).
I wanted to point you to the manual, as a wonderful resource, but it doesn't seem to be documented there (except being mentioned in some RouterOS v6 announcement). But you can see it in WinBox (all-ether, all-wireless, all-vlan, all-ppp) and the names sound pretty self-explanatory.
Edit: And regarding your question about effectiveness, interface list is for interfaces and address list for IP addresses, two different things. There may be some overlap in specific cases where you could use both. But what's better depends on exact details, and for just a few items there's probably hardly any measurable difference.
What the heck is all-vlan? Is this a special function or pull down menu selection that already exists? Where is it found and what is its purpose? (I had assumed all-VLAN was simply a name given to an address list of all the vlan).
I think this option will handle all existing VLAN interfaces in a way. I also searched for documentation but didn't find anything.
I also think it's a matter of what you want to achieve, whether you are using interface lists or address lists… it depends on your scenario.
If it is enough just to work with your VLAN interfaces, then an interface list will be sufficient. For this case the "all-vlan" option will do nearly the same.
But maybe you want to filter traffic in more detail (for example you just want to block a small IP range of a VLAN); then an address list will be needed.
all-vlan is a special interface name that was already there before the “interface list” feature appeared.
so you select it in in-interface rather than in-interface-list.
This special interface should probably be migrated to a special interface list in RouterOS, similar to the “all”, “none” and “dynamic” special lists.
“all ethernet”, “all ppp”, “all vlan” and “all wireless” are in this same category.
Making them a special interface list would be clearer, now that is possible.
The easy way to block VLANs at L3 (the fact that users/devices are within VLANs means L2 separation is already achieved) in the forward firewall filter set is simply to set the last rule as "block all else":
add chain=forward action=drop comment="Drop all Else"
This has the effect of ensuring no traffic anywhere unless it is specifically allowed above the drop rule.
Examples of allowed rules might be
Allow internet traffic:
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
Allow access to a common printer:
add chain=forward action=accept in-interface-list=LAN dst-address=SharedPrinter_IP
I'm having a similar situation and followed @anav's suggestion, but I noticed that some connection problems started to happen.
What I did to fix it was to add these two new rules:
Sounds like you may be having port forward issues.
The simple single rule for the forward chain that you seek is:
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat
If you are still having issues, then it's elsewhere in the config.
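Putting the default-deny approach and the port-forwarding rule from the last two posts together, here is an added RouterOS example of a complete forward chain (not configuration from any poster in this thread). The interface lists LAN and WAN, the member interfaces, the address list SharedPrinter and the printer address 192.0.2.50 are assumptions constructed for this example; the logging rule before the final drop is added so that connections broken by the default deny show up in the log instead of failing silently.

```routeros
# Added example, not from the thread. Assumed interfaces: ether1 (upstream),
# vlan10/vlan20/vlan100 (internal). List and address values are constructed.

/interface list
add name=WAN comment="upstream interfaces"
add name=LAN comment="all internal VLAN interfaces"

/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan10
add list=LAN interface=vlan20
add list=LAN interface=vlan100

# A shared resource that every VLAN may reach; 192.0.2.50 is a documentation address.
/ip firewall address-list
add list=SharedPrinter address=192.0.2.50 comment="printer reachable from every VLAN"

# Order matters: "add" appends, so rules are evaluated in the order written here.
/ip firewall filter
# 1. Return traffic of flows that were already permitted.
add chain=forward action=accept connection-state=established,related \
    comment="replies of permitted flows"
# 2. Packets that belong to no tracked connection.
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# 3. Port forwards: anything a /ip firewall nat dst-nat rule rewrote is allowed in.
#    Note that this opens the forward path for every dst-nat rule, so keep the
#    NAT table as the single place where exposed services are listed.
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding"
# 4. Internal VLANs may reach the internet; VLAN-to-VLAN is not matched here.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="internet access"
# 5. Every VLAN may reach the shared printer.
add chain=forward action=accept in-interface-list=LAN dst-address-list=SharedPrinter \
    comment="shared printer"
# 6. Log what is about to be dropped, rate-limited so a scan cannot flood the log.
add chain=forward action=log log-prefix="fwd-drop:" limit=10,20:packet \
    comment="log dropped forward traffic"
# 7. Everything not explicitly accepted above, including all inter-VLAN traffic.
add chain=forward action=drop comment="Drop all Else"
```

When a client reports a broken connection after this change, `/log print where message~"fwd-drop"` shows the source, destination and port that hit the final drop, which tells you whether a missing accept rule (for instance a port forward without the dstnat rule) or something outside the filter is the cause.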