A couple of questions about interface lists and drop rules. I’ll put the relevant parts of my router config below; I assume it’s enough info. In short, I have a few VLANs, each on their own physical interface. I made a LAN interface list and set it to include all and exclude WAN (which is a single interface from the ISP). I had a drop rule at the end of the input chain dropping everything not coming from LAN. I assumed this was sufficient. Today I added an identical rule but dropped everything not coming from “Office”, and it immediately started getting packet count increases while the “drop all not from LAN” rule above it stayed the same. Disabling the Office drop rule did not start to increase the packet count on the “drop all not from LAN” rule. So I would have to assume that the include all/exclude WAN settings don’t actually cover VLANs. As a test, I added the Office VLAN to the “LAN” interface list and disabled the Office interface list. But again the packet count on “drop all not from LAN” did not increase as I expected it would.
So, based on the info I’ve given, which hopefully makes some sense, do I need to create a drop rule for all of my interfaces?
/interface vlan
add comment="Camera Traffic" interface=ether2 name=vlan2-Camera vlan-id=2
add comment="Secure Office Traffic" interface=combo1 name=vlan3-Office vlan-id=3
add comment="Trusted Local Traffic" interface=ether4 name=vlan4-TrustedLocal vlan-id=4
add comment="Guest Traffic" interface=ether5 name=vlan5-Guest vlan-id=5
/interface list
add name=WAN
add exclude=WAN include=all name=LAN
add name=Office
add name=Cameras
add name=TrustedLocal
add name=Guest
/interface list member
add interface=ether7 list=WAN
add interface=ether1 list=LAN
add interface=vlan3-Office list=Office
add interface=vlan2-Camera list=Cameras
add interface=vlan4-TrustedLocal list=TrustedLocal
add interface=vlan5-Guest list=Guest
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="VPN ipsec" protocol=ipsec-esp
add action=accept chain=input comment="VPN ipsec" dst-port=500,4500,1701 protocol=udp
add action=drop chain=input comment="Drop Invalid DNS Connections" dst-port=53 in-interface-list=!LAN protocol=tcp
add action=drop chain=input comment="Drop Invalid DNS Connections" dst-port=53 in-interface-list=!LAN protocol=udp
add action=drop chain=input comment="Drop Inbound SNMP" dst-port=161,162 in-interface-list=!LAN protocol=tcp
add action=drop chain=input comment="Drop Inbound SNMP" dst-port=161,162 in-interface-list=!LAN protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop all not coming from Office" in-interface-list=!Office
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
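One thing the packet counters alone cannot tell you is which interface a negated rule matched: `in-interface-list=!Office` matches every input packet whose source interface is not vlan3-Office, so its counter rises for traffic from the camera, trusted and guest VLANs and from ether1 as well, and that by itself says nothing about whether those interfaces are inside LAN. The snippet below is an added diagnostic, not part of the original post: it uses the interface and list names from the export above, the `diag:` comments and `log-prefix` strings are constructed here, and it shows how to make the log name the in-interface before each drop, then how to replace `include=all` with explicit membership so the set of interfaces that may reach router services is visible in the config rather than inferred.

```routeros
# Added diagnostic (not from the original post). Names taken from the export
# above; the "diag:" comments and log-prefix values are made up for this example.
# Each log rule is placed directly above the drop rule it mirrors, so every
# packet that drop rule would discard first produces a log line that includes
# "in:<interface>".
/ip firewall filter
add action=log chain=input comment="diag: what the !LAN drop would match" \
    in-interface-list=!LAN log-prefix="notLAN" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add action=log chain=input comment="diag: what the !Office drop would match" \
    in-interface-list=!Office log-prefix="notOffice" \
    place-before=[find comment="defconf: drop all not coming from Office"]

# Generate some router-bound traffic from a host on each VLAN (for example a
# ping to the router's address on that VLAN), then read the log. A line such as
#   notOffice input: in:vlan2-Camera out:(unknown 0), ...
# shows the !Office rule matching camera traffic; the absence of any
#   notLAN input: in:vlan2-Camera ...
# line shows that vlan2-Camera is inside the LAN list.
/log print where message~"notLAN|notOffice"

# Explicit membership instead of include=all: clear the dynamic include on the
# LAN list and name each VLAN that is meant to reach router services. Leave out
# any VLAN (Guest is the usual candidate) that should not reach the input chain;
# its traffic then falls through to the "drop all not coming from LAN" rule.
/interface list set [find name=LAN] include=""
/interface list member
add interface=vlan2-Camera list=LAN
add interface=vlan3-Office list=LAN
add interface=vlan4-TrustedLocal list=LAN
add interface=vlan5-Guest list=LAN

# Remove the diagnostic log rules once the question is answered, so the log is
# not flooded under normal operation.
/ip firewall filter remove [find comment~"^diag:"]
```

With the explicit list in place, `/interface list member print where list=LAN` shows exactly which interfaces the `!LAN` drop rule exempts, which is what the counters were being used to guess at.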