Disable communication between subnets but allow net access

Hi,

I recently came across Mikrotik products and so far I am loving it. I bought a couple of RB750GLs and RB751U-2HNDs. I am using a RB750GL with VLANs in a “Router on a stick” situation. It works great and clients on the appropriate VLAN are able to DHCP and acquire their correct IP addresses from the router. The router is providing NATing to allow clients to access the internet and all works well. The only issue is that clients from one VLAN are able to communicate with clients on another VLAN, and I know that this is the router doing its job. Is there a way to disable inter-VLAN communication? Right now there are only 3 VLANs but this should grow later on.

I have rules like:

Drop traffic from VLAN A to VLAN B
Drop traffic from VLAN B to VLAN A
Drop traffic from VLAN A to VLAN C
Drop traffic from VLAN C to VLAN A
Drop traffic from VLAN B to VLAN C
Drop traffic from VLAN C to VLAN B

You can see how this will not scale as the number of VLANs increases.

Is there a better way to accomplish this?

Thanks.

Your NAT rule (masquerade) should be set as follows:
/ip firewall nat add chain=srcnat out-interface=wan action=masquerade

Sent from my mobile phone using Tapatalk.

Add something like this:
/interface bridge filter
add action=drop chain=forward in-interface=!ether1 out-interface=!ether1

Hi,

Happy new year. Thanks a lot for the responses. My NAT masquerade rules look like

add action=masquerade chain=srcnat comment="NATing for 192.168.10.0/24 Network" out-interface=ether1 src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="NATing for 192.168.12.0/24 Network" out-interface=ether1 src-address=192.168.12.0/24
add action=masquerade chain=srcnat comment="NATing for 192.168.11.0/24 Network" out-interface=ether1 src-address=192.168.11.0/24

Hi efaden. Can you please explain your rule to me? I am trying to understand what it does.

Thanks.

Hi,

Here is what my configuration looks like. I have 3 VLANs for now and am looking at possibly adding more in the future.

/interface bridge
add l2mtu=1598 name="B - VLAN 10"
add name="B - VLAN 11"
add name="B - VLAN 12"

/interface vlan
add interface=ether2 l2mtu=1594 name="VLAN 10" vlan-id=10
add interface=ether2 l2mtu=1594 name="VLAN 11" vlan-id=11
add interface=ether2 l2mtu=1594 name="VLAN 12" vlan-id=12

/interface bridge port
add bridge="B - VLAN 10" interface="VLAN 10"
add bridge="B - VLAN 11" interface="VLAN 11"
add bridge="B - VLAN 12" interface="VLAN 12"
add bridge="B - VLAN 10" interface=ether5
add bridge="B - VLAN 10" interface=ether3
add bridge="B - VLAN 11" interface=ether4

/ip address
add address=192.168.10.1/24 interface="VLAN 10" network=192.168.10.0
add address=192.168.11.1/24 interface="VLAN 11" network=192.168.11.0
add address=192.168.12.1/24 interface="VLAN 12" network=192.168.12.0

/ip firewall nat
add action=masquerade chain=srcnat comment="NATing for 192.168.10.0/24 Network" out-interface=ether1 src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="NATing for 192.168.12.0/24 Network" out-interface=ether1 src-address=192.168.12.0/24
add action=masquerade chain=srcnat comment="NATing for 192.168.11.0/24 Network" out-interface=ether1 src-address=192.168.11.0/24

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24 ntp-server=192.168.10.1
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1 netmask=24 ntp-server=192.168.11.1
add address=192.168.12.0/24 dns-server=192.168.12.1 gateway=192.168.12.1 netmask=24 ntp-server=192.168.12.1

I have port 2 of the mikrotik connected to a trunk port on a switch, and then wired and wireless clients are able to DHCP and browse the net fine in their respective VLANs. For now, I have put away the wireless access point and switch and am connecting two laptops to ports 4 and 5 on the mikrotik router, which are in VLANs 11 and 10 respectively. How would the bridge filter work in this case? Have I implemented the VLANs correctly? The only thing that I have issues with is separating the traffic from routing across the VLANs through the router. Also, is there a way to allow specific traffic to be routed across the VLANs? I have looked at http://forum.mikrotik.com/t/multiple-dhcp-servers-networks-vlan-help-one-doesnt-work/72992/1 and see something similar to what I want to do, but I am not sure how to apply it to my situation. Am I confusing things with the bridges?

Thanks.
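An added example for the two open questions in this thread (a per-pair drop-rule set that does not scale, and how to still let specific traffic cross VLANs). This is not from any post above; it is an illustration written for this page. It assumes the interface names and subnets from the configuration posted above, and RouterOS 6.36 or newer, where /interface list and the in-interface-list / out-interface-list matchers were introduced. The printer host 192.168.10.50 is a made-up address used only to show an exception rule. Since each VLAN here has its own subnet and its own address on the router, traffic between VLANs is routed, and routed traffic goes through the forward chain of /ip firewall filter; a /interface bridge filter rule only sees frames that are switched between ports of the same bridge, so it is the IP firewall that has to do the isolation.

```routeros
# Added example, not part of the original thread. Assumes the VLAN names
# from the posted config and RouterOS >= 6.36 (interface lists).
# One list holds every VLAN; two forward rules replace N*(N-1) pair rules.

/interface list
add name=LAN comment="VLANs that must not talk to each other"

/interface list member
add interface="VLAN 10" list=LAN
add interface="VLAN 11" list=LAN
add interface="VLAN 12" list=LAN
# a fourth VLAN is one more line here, with no new firewall rules

/ip firewall filter
# replies to already-accepted connections pass in both directions
add chain=forward action=accept connection-state=established,related \
    comment="established/related"
# optional exception, placed BEFORE the drop: VLAN 11 may reach one
# hypothetical printer in VLAN 10 on its raw-print port
add chain=forward action=accept in-interface="VLAN 11" \
    dst-address=192.168.10.50 protocol=tcp dst-port=9100 \
    comment="VLAN 11 -> printer in VLAN 10 (hypothetical host)"
# the scalable isolation rule: any VLAN to any other VLAN is dropped
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="block inter-VLAN routing"
# VLAN -> ether1 (WAN) never matches the drop, so the masquerade rules
# and internet access keep working unchanged
```

Rule order matters: the established/related accept and any exceptions must sit above the drop, because RouterOS processes a chain top to bottom and stops at the first match. To verify, test host to host (a laptop in VLAN 11 pinging a laptop in VLAN 10), not a laptop pinging the router's address in the other VLAN: packets addressed to the router itself go through the input chain, not forward, so the router will still answer and that test proves nothing about isolation. `/ip firewall filter print stats` shows the packet counters on the drop rule climbing while the test runs. If the addresses are later moved from the VLAN interfaces onto the bridges (the usual layout when ports are bridged with a VLAN), put the bridge interfaces in the LAN list instead of the VLAN interfaces.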