Firewall drop rule not working

Hi
I have a MikroTik hAP ac2 router on which I have managed to set up a VLAN on ether4 with the subnet 192.168.10.0/24. Now I want to allow only traffic on port 1883 from the VLAN to my other subnet, 192.168.0.0/24.
First I added this rule

# Appended after the defconf fasttrack / accept-established rules, so it only
# ever sees the first packet of a NEW connection. Sessions that were already
# open when the rule was added keep matching "accept established" until they
# expire. Check the rule's packet counter to see whether it is hit at all.
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.10.0/24

to the end of the firewall filter to drop all traffic from the VLAN to the LAN, but the traffic is still allowed.

These are my complete firewall settings

# Rules are evaluated top to bottom within each chain; the first match wins.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything not arriving on an interface in the LAN list is dropped here, so a
# VLAN interface that is not a LAN member cannot reach router services either.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# fasttrack + accept established/related run before the VLAN drop at the end,
# so that drop only ever sees the first packet of a new connection; sessions
# opened before the rule existed stay allowed until they leave the connection
# table.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# The only forward-chain rule that blocks unsolicited connections from the WAN.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# VLAN -> LAN drop. If its packet counter stays at zero, the traffic is not
# entering the IP forward chain at all (e.g. it is being switched at layer 2
# on the bridge) rather than being accepted by an earlier rule.
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.10.0/24

If you don't know what the problem is, why do you think showing us only part of the config will help?

Please post your config
/export hide-sensitive file=anynameyouwish

Since you only want one port, the rule could be refined to:
# NOTE(review): RouterOS rejects a port matcher without protocol=, so this
# needs protocol=tcp (MQTT on 1883 is TCP). Once protocol=tcp is set the rule
# no longer covers UDP/ICMP from the VLAN, so a second, protocol-less drop for
# the same src/dst must follow it -- or invert the logic: accept protocol=tcp
# dst-port=1883 first, then drop everything else from 192.168.10.0/24.
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.10.0/24 dst-port=!1883

Sorry

Here is my config

# dec/01/2021 13:14:45 by RouterOS 6.48.5
/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface vlan
add interface=ether4 name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan10 ranges=192.168.10.100-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_vlan10 disabled=no interface=vlan10 name=\
    dhcp_vlan10
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
# ether4 is a bridge port here and, at the same time, the parent of vlan10
# (see /interface vlan above). Frames switched between bridge ports at layer 2
# never pass through the IP forward chain, so whether the VLAN traffic is
# subject to the drop rule depends on how it actually arrives on this port;
# the rule's packet counter tells which path is taken.
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
# Probes every interface, WAN included. Unless the feature is actually used,
# the advice in this thread is detect-interface-list=none.
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# vlan10 is not a LAN member, so the input rule "drop all not coming from LAN"
# applies to it: VLAN clients cannot reach router services, including the DNS
# at 192.168.10.1 that the VLAN's DHCP network hands out. Adding vlan10 to LAN
# fixes that but also gives it the same unrestricted router access the bridge
# has -- decide which is intended.
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.0.45 client-id=ff:90:1e:c1:ce:0:3:0:1:30:58:90:1e:c1:ce \
    mac-address=30:58:90:1E:C1:CE server=defconf
add address=192.168.0.42 mac-address=38:8B:59:89:95:23 server=defconf
add address=192.168.0.41 mac-address=48:D6:D5:D4:6D:EE server=defconf
add address=192.168.0.44 client-id=1:cc:d2:81:5e:e4:3b mac-address=\
    CC:D2:81:5E:E4:3B server=defconf
add address=192.168.0.9 client-id=1:b8:ae:ed:ea:e8:96 mac-address=\
    B8:AE:ED:EA:E8:96 server=defconf
add address=192.168.0.15 client-id=1:0:11:32:83:c0:1b mac-address=\
    00:11:32:83:C0:1B server=defconf
add address=192.168.0.10 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:7:fa:89:ae:f0:ef:23:2b mac-address=\
    00:0C:29:85:E8:C8 server=defconf
add address=192.168.0.14 mac-address=9C:93:4E:6C:CF:C2 server=defconf
add address=192.168.0.30 client-id=1:a4:2b:b0:13:21:13 mac-address=\
    A4:2B:B0:13:21:13 server=defconf
add address=192.168.0.43 mac-address=20:DF:B9:07:F7:A9 server=defconf
add address=192.168.0.40 mac-address=54:60:09:FC:3B:E8 server=defconf
add address=192.168.0.3 mac-address=C0:74:AD:23:CD:90 server=defconf
add address=192.168.0.2 mac-address=C0:74:AD:1B:5E:C4 server=defconf
add address=192.168.0.11 client-id=1:0:c:29:4f:ed:80 mac-address=\
    00:0C:29:4F:ED:80 server=defconf
add address=192.168.10.10 mac-address=3C:61:05:E3:56:4B server=dhcp_vlan10
add address=192.168.10.11 mac-address=40:F5:20:01:8F:75 server=dhcp_vlan10
add address=192.168.0.80 client-id=1:ea:f3:91:85:9e:2a mac-address=\
    EA:F3:91:85:9E:2A server=defconf
add address=192.168.10.12 mac-address=40:F5:20:01:64:4F server=dhcp_vlan10
add address=192.168.10.13 mac-address=84:F3:EB:32:D0:F6 server=dhcp_vlan10
add address=192.168.10.14 mac-address=80:7D:3A:5B:A5:D7 server=dhcp_vlan10
add address=192.168.10.15 mac-address=84:F3:EB:9F:5B:81 server=dhcp_vlan10
add address=192.168.10.16 mac-address=5C:CF:7F:36:FE:4B server=dhcp_vlan10
add address=192.168.10.17 mac-address=80:7D:3A:5B:25:45 server=dhcp_vlan10
add address=192.168.10.18 mac-address=60:01:94:07:12:BD server=dhcp_vlan10
add address=192.168.10.19 mac-address=B4:E6:2D:21:AA:71 server=dhcp_vlan10
add address=192.168.10.20 mac-address=EC:FA:BC:C4:E7:60 server=dhcp_vlan10
add address=192.168.0.12 client-id=1:0:c:29:b3:3e:a8 mac-address=\
    00:0C:29:B3:3E:A8 server=defconf
add address=192.168.10.21 mac-address=A0:20:A6:19:55:4B server=dhcp_vlan10
add address=192.168.10.22 mac-address=5C:CF:7F:AB:B8:A9 server=dhcp_vlan10
add address=192.168.0.13 mac-address=00:09:DC:80:05:EB server=defconf
add address=192.168.0.71 client-id=1:c4:57:6e:d2:e2:8 mac-address=\
    C4:57:6E:D2:E2:08 server=defconf
add address=192.168.0.46 mac-address=00:F6:20:C8:55:D9 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8,1.1.1.1 gateway=\
    192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
# WAN-IP resolves the /ip cloud DDNS name; the dst-nat rules key on it.
add address=sn.mynetname.net list=WAN-IP
# LAN and Smarthome are defined but no filter rule references them. Using
# src-address-list=Smarthome / dst-address-list=LAN in the VLAN drop rule
# would keep the policy in one place when the ranges change.
add address=192.168.0.2-192.168.0.254 list=LAN
add address=192.168.10.2-192.168.10.254 list=Smarthome
/ip firewall filter
# Rules are evaluated top to bottom within each chain; the first match wins.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Drops everything not arriving on a LAN-list interface; vlan10 is not in that
# list in this export, so VLAN clients cannot reach router services.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# fasttrack + accept established/related come before the VLAN drop below, so
# that drop only sees the first packet of a new connection; sessions that were
# open before the rule was added keep flowing until they expire.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# The only forward-chain rule that blocks unsolicited connections from the WAN.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# VLAN -> LAN drop. A packet counter stuck at zero means the traffic never
# enters the forward chain (e.g. switched at layer 2), not that an earlier
# rule accepts it. Consider src-address-list=Smarthome / dst-address-list=LAN
# to reuse the address lists defined above.
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=\
    192.168.10.0/24
/ip firewall nat
# Hairpin NAT so LAN hosts can use the port-forwards below via the public
# address; as a side effect 192.168.0.10 sees the router, not the real client,
# as the source of those connections.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Exposes SSH (tcp/22) on 192.168.0.10 to the whole Internet via tcp/80. The
# filter chain accepts any dst-natted connection regardless of source, so
# nothing limits who can reach it; restrict it with src-address /
# src-address-list here (or put it behind a VPN) and make sure the host uses
# key-only authentication.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 \
    protocol=tcp to-addresses=192.168.0.10 to-ports=22
# tcp/443 forwarded to the same host, likewise reachable from any source.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.0.10
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Why is ether4 on the bridge?
It should be removed.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4

To help decide the above: what is attached to ether4?

If you don't need this, I suggest setting it to none, as it is known to cause issues from time to time.
/interface detect-internet
set detect-interface-list=all

Missing line:
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan10 list=LAN

As stated, modify the firewall rule to the one required, which reads: drop all traffic to the bridge from vlan10 on all ports except 1883.
# As pasted this is two separate lines: RouterOS only joins a wrapped command
# when the first line ends with a backslash, so enter it on one line. The
# asterisks around "!" are forum bold markup, not syntax. A port matcher also
# requires protocol= (protocol=tcp for MQTT); once that is set, UDP/ICMP from
# the VLAN are no longer covered and need their own drop rule.
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=
192.168.10.0/24 dst-port=**!**1883

Thank you

Attached to ether4 is a Wi-Fi AP with two SSIDs. SSID 1 is on the 192.168.0.0 subnet with VLAN ID 1. SSID 2 is on the 192.168.10.0 subnet with VLAN ID 10.

I thought ether4 had to be on the bridge for SSID 1 to work?

I see what you have done; okay, in that case leave ether4 on the bridge.

I would never do it that way, because I don't like mixing bridge DHCP and VLAN DHCP on the same port and implicitly using VLAN 1 like that.
I always prefer to have VLAN 1 never carrying data and assign other VLANs to do that.

Hi

I made the changes above and added the firewall rule without the port to see if it was blocking all traffic, but it didn't work. Traffic from 192.168.10.0/24 was still able to reach 192.168.0.0/24.

Here is my complete config after the changes

# dec/03/2021 07:11:13 by RouterOS 6.48.5
/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface vlan
add interface=ether4 name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan10 ranges=192.168.10.100-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_vlan10 disabled=no interface=vlan10 name=\
    dhcp_vlan10
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan10 list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.0.45 client-id=ff:90:1e:c1:ce:0:3:0:1:30:58:90:1e:c1:ce \
    mac-address=30:58:90:1E:C1:CE server=defconf
add address=192.168.0.42 mac-address=38:8B:59:89:95:23 server=defconf
add address=192.168.0.41 mac-address=48:D6:D5:D4:6D:EE server=defconf
add address=192.168.0.44 client-id=1:cc:d2:81:5e:e4:3b mac-address=\
    CC:D2:81:5E:E4:3B server=defconf
add address=192.168.0.9 client-id=1:b8:ae:ed:ea:e8:96 mac-address=\
    B8:AE:ED:EA:E8:96 server=defconf
add address=192.168.0.15 client-id=1:0:11:32:83:c0:1b mac-address=\
    00:11:32:83:C0:1B server=defconf
add address=192.168.0.10 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:7:fa:89:ae:f0:ef:23:2b mac-address=\
    00:0C:29:85:E8:C8 server=defconf
add address=192.168.0.14 mac-address=9C:93:4E:6C:CF:C2 server=defconf
add address=192.168.0.30 client-id=1:a4:2b:b0:13:21:13 mac-address=\
    A4:2B:B0:13:21:13 server=defconf
add address=192.168.0.43 mac-address=20:DF:B9:07:F7:A9 server=defconf
add address=192.168.0.40 mac-address=54:60:09:FC:3B:E8 server=defconf
add address=192.168.0.3 mac-address=C0:74:AD:23:CD:90 server=defconf
add address=192.168.0.2 mac-address=C0:74:AD:1B:5E:C4 server=defconf
add address=192.168.0.11 client-id=1:0:c:29:4f:ed:80 mac-address=\
    00:0C:29:4F:ED:80 server=defconf
add address=192.168.10.10 mac-address=3C:61:05:E3:56:4B server=dhcp_vlan10
add address=192.168.10.11 mac-address=40:F5:20:01:8F:75 server=dhcp_vlan10
add address=192.168.0.80 client-id=1:ea:f3:91:85:9e:2a mac-address=\
    EA:F3:91:85:9E:2A server=defconf
add address=192.168.10.12 mac-address=40:F5:20:01:64:4F server=dhcp_vlan10
add address=192.168.10.13 mac-address=84:F3:EB:32:D0:F6 server=dhcp_vlan10
add address=192.168.10.14 mac-address=80:7D:3A:5B:A5:D7 server=dhcp_vlan10
add address=192.168.10.15 mac-address=84:F3:EB:9F:5B:81 server=dhcp_vlan10
add address=192.168.10.16 mac-address=5C:CF:7F:36:FE:4B server=dhcp_vlan10
add address=192.168.10.17 mac-address=80:7D:3A:5B:25:45 server=dhcp_vlan10
add address=192.168.10.18 mac-address=60:01:94:07:12:BD server=dhcp_vlan10
add address=192.168.10.19 mac-address=B4:E6:2D:21:AA:71 server=dhcp_vlan10
add address=192.168.10.20 mac-address=EC:FA:BC:C4:E7:60 server=dhcp_vlan10
add address=192.168.0.12 client-id=1:0:c:29:b3:3e:a8 mac-address=\
    00:0C:29:B3:3E:A8 server=defconf
add address=192.168.10.21 mac-address=A0:20:A6:19:55:4B server=dhcp_vlan10
add address=192.168.10.22 mac-address=5C:CF:7F:AB:B8:A9 server=dhcp_vlan10
add address=192.168.0.13 mac-address=00:09:DC:80:05:EB server=defconf
add address=192.168.0.71 client-id=1:c4:57:6e:d2:e2:8 mac-address=\
    C4:57:6E:D2:E2:08 server=defconf
add address=192.168.0.46 mac-address=00:F6:20:C8:55:D9 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8,1.1.1.1 gateway=\
    192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=sn.mynetname.net list=WAN-IP
add address=192.168.0.2-192.168.0.254 list=LAN
add address=192.168.10.2-192.168.10.254 list=Smarthome
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# vlan10 is now a LAN member (see /interface list member above), so this rule
# no longer applies to it: VLAN clients have the same access to every router
# service as the bridge. Nothing in the input chain distinguishes the two.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# These two accept anything already in the connection table before the VLAN
# drop below is consulted; a test against a session opened earlier will still
# succeed until that session expires.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Still reported as not taking effect after vlan10 joined LAN. Read the
# packet/byte counters on this rule while testing a NEW connection from a
# 192.168.10.x host: zero means the traffic never reaches the forward chain.
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=\
    192.168.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 \
    protocol=tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.0.10
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN



I would never do it that way, because I don't like mixing bridge DHCP and VLAN DHCP on the same port and implicitly using VLAN 1 like that.
I always prefer to have VLAN 1 never carrying data and assign other VLANs to do that.

So I should create two more VLANs? One for the other WLAN and one for the wired devices? And each VLAN must have a DHCP server with its own subnet?

/interface vlan
# Both VLANs now hang off the bridge (the bridge is the tagged member of each
# VLAN further down), not off ether4 as in the running config.
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
# The existing "interface=bridge list=LAN" entry should go once management
# lives on vlan20; as given, both stay in the LAN list.
add comment=defconf interface=vlan20 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan10 list=LAN

/ip dhcp-server
# The defconf server bound to the bridge must be removed or disabled, or two
# servers hand out 192.168.0.0/24.
add address-pool=dhcp interface=vlan20 name=main_dhcp
add address-pool=dhcp_pool_vlan10 interface=vlan10 name=dhcp_vlan10

/interface bridge port
# frame-types=only-untagged-and-priority is not a valid value; the RouterOS
# keyword is admit-only-untagged-and-priority-tagged. The CLI rejects each of
# these lines as written, so a paste stops half-way with the bridge
# partially reconfigured.
add bridge=bridge comment=defconf interface=ether2 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether3 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
# The AP described earlier in the thread sends SSID 1 untagged and SSID 2
# tagged with VLAN 10 on ether4. Untagged-only with pvid=10 would move SSID 1
# into vlan10 and discard the tagged frames. If that AP stays on ether4, the
# port would rather need pvid=20, frame-types=admit-all and ether4 listed as
# tagged for VLAN 10 below -- confirm what the AP actually emits.
add bridge=bridge comment=defconf interface=ether4 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether5 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=wlan1 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=wlan2 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority

/interface bridge vlans
# The menu path is /interface bridge vlan (singular).
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether5,wlan1,wlan2 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=10

/ip address
# The running config still has 192.168.0.1/24 on the bridge; remove that
# address in the same step or the subnet sits on two interfaces. The thread
# reports losing access at exactly this command. Do the whole change from
# Safe Mode so a lost session rolls it back.
add address=192.168.0.1/24 interface=vlan20 network=192.168.0.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0

/ip firewall address
# Wrong path: this is a filter rule and belongs under /ip firewall filter.
# The asterisks are forum bold markup. dst-port requires protocol=tcp, after
# which non-TCP traffic from vlan10 to vlan20 is no longer dropped -- either
# add a protocol-less drop for the same interfaces behind it, or accept
# protocol=tcp dst-port=1883 and drop everything else.
add chain=forward action=drop in-interface=vlan10 out-interface=vlan20 dst-port=**!**1883

Last, go to the bridge settings and change vlan-filtering from no to yes.


As to your question:
If WLAN1 is the home Wi-Fi on VLAN 20
and you want another WLAN for guests, let's make it vlan30.
Then
# Goes under /interface vlan, next to vlan10 and vlan20.
add interface=bridge name=vlan30 vlan-id=30
and it needs a pool, an IP address, a DHCP server and a DHCP server network.
Plus (add):
/interface list member
# Putting the guest VLAN in the LAN list gives guests the same access to the
# router (input chain) as the home network, and the forward chain shown in this
# thread has no rule separating VLANs, so guests can also reach vlan20 and
# vlan10 hosts. For an isolated guest network, use a separate interface list
# and add forward-chain drops from vlan30 to the other VLANs.
add interface=vlan30 list=LAN

/interface bridge port
# frame-types=only-untagged-and-priority is not a valid keyword; use
# frame-types=admit-only-untagged-and-priority-tagged.
add bridge=bridge comment=defconf interface=wlan2 pvid=30 ingress-filtering=yes frame-types=only-untagged-and-priority

/interface bridge vlans
# The menu path is /interface bridge vlan (singular). wlan2 moves from the
# VLAN 20 untagged set to VLAN 30.
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether5,wlan1 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=10
add bridge=bridge tagged=bridge untagged=wlan2 vlan-ids=30

I do note that this rule references a firewall address list that is not defined anywhere, besides the fact that it is not a WAN address.
# The dst-address-list value has been removed from this quote (the original
# poster asked for it to be taken out), which is why
# "dst-address-list=dst-port=443" reads as malformed; the corrected rule in the
# later exports uses dst-address-list=WAN-IP. It is also wrapped without a
# trailing backslash, so it is not a single command as shown.
add action=dst-nat chain=dstnat dst-address-list=dst-port=443
protocol=tcp to-addresses=192.168.0.10

It was an error in my config. I have now corrected it. Can you please remove ******.se from your post or replace it with WAN-IP?

What was the error? I couldn't find it.

Hi

I have not had the time to test this until now.

But when I try to add your rules above, I lose access to the router and the internet as soon as I add this command:

# Adding this while the bridge still holds 192.168.0.1/24 puts the same subnet
# on two interfaces. The bridge address (and the defconf DHCP server bound to
# the bridge) has to be removed in the same step, ideally from Safe Mode so a
# lost session reverts the change automatically.
add address=192.168.0.1/24 interface=vlan20 network=192.168.0.0

Is there a specific order in which the commands must be added, or can I add them all together?

You will need to repost the latest config for me to make sense of the question and any potential answer.

I have renamed vlan10 to vlan20 and changed its IP range to 192.168.20.0.

# dec/15/2021 19:31:22 by RouterOS 6.48.5
/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
/interface vlan
add interface=ether4 name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_main ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan20 ranges=192.168.20.100-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_main disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_vlan20 disabled=no interface=vlan20 name=\
    dhcp_vlan20
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan20 list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.0.45 client-id=ff:90:1e:c1:ce:0:3:0:1:30:58:90:1e:c1:ce \
    mac-address=30:58:90:1E:C1:CE server=defconf
add address=192.168.0.42 mac-address=38:8B:59:89:95:23 server=defconf
add address=192.168.0.41 mac-address=48:D6:D5:D4:6D:EE server=defconf
add address=192.168.0.44 client-id=1:cc:d2:81:5e:e4:3b mac-address=\
    CC:D2:81:5E:E4:3B server=defconf
add address=192.168.0.9 client-id=1:b8:ae:ed:ea:e8:96 mac-address=\
    B8:AE:ED:EA:E8:96 server=defconf
add address=192.168.0.15 client-id=1:0:11:32:83:c0:1b mac-address=\
    00:11:32:83:C0:1B server=defconf
add address=192.168.0.10 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:7:fa:89:ae:f0:ef:23:2b mac-address=\
    00:0C:29:85:E8:C8 server=defconf
add address=192.168.0.14 mac-address=9C:93:4E:6C:CF:C2 server=defconf
add address=192.168.0.30 client-id=1:a4:2b:b0:13:21:13 mac-address=\
    A4:2B:B0:13:21:13 server=defconf
add address=192.168.0.43 mac-address=20:DF:B9:07:F7:A9 server=defconf
add address=192.168.0.40 mac-address=54:60:09:FC:3B:E8 server=defconf
add address=192.168.0.3 mac-address=C0:74:AD:23:CD:90 server=defconf
add address=192.168.0.2 mac-address=C0:74:AD:1B:5E:C4 server=defconf
add address=192.168.0.73 client-id=1:94:9a:a9:dc:b:e4 mac-address=\
    94:9A:A9:DC:0B:E4 server=defconf
add address=192.168.0.11 client-id=1:0:c:29:4f:ed:80 mac-address=\
    00:0C:29:4F:ED:80 server=defconf
add address=192.168.20.10 mac-address=3C:61:05:E3:56:4B server=dhcp_vlan20
add address=192.168.20.11 mac-address=40:F5:20:01:8F:75 server=dhcp_vlan20
add address=192.168.0.80 client-id=1:ea:f3:91:85:9e:2a mac-address=\
    EA:F3:91:85:9E:2A server=defconf
add address=192.168.20.12 mac-address=40:F5:20:01:64:4F server=dhcp_vlan20
add address=192.168.20.13 mac-address=84:F3:EB:32:D0:F6 server=dhcp_vlan20
add address=192.168.20.14 mac-address=80:7D:3A:5B:A5:D7 server=dhcp_vlan20
add address=192.168.20.15 mac-address=84:F3:EB:9F:5B:81 server=dhcp_vlan20
add address=192.168.20.16 mac-address=5C:CF:7F:36:FE:4B server=dhcp_vlan20
add address=192.168.20.17 mac-address=80:7D:3A:5B:25:45 server=dhcp_vlan20
add address=192.168.20.18 mac-address=60:01:94:07:12:BD server=dhcp_vlan20
add address=192.168.20.19 mac-address=B4:E6:2D:21:AA:71 server=dhcp_vlan20
add address=192.168.20.20 mac-address=EC:FA:BC:C4:E7:60 server=dhcp_vlan20
add address=192.168.0.12 client-id=1:0:c:29:b3:3e:a8 mac-address=\
    00:0C:29:B3:3E:A8 server=defconf
add address=192.168.20.21 mac-address=A0:20:A6:19:55:4B server=dhcp_vlan20
add address=192.168.20.22 mac-address=5C:CF:7F:AB:B8:A9 server=dhcp_vlan20
add address=192.168.0.13 mac-address=00:09:DC:80:05:EB server=defconf
add address=192.168.0.71 client-id=1:c4:57:6e:d2:e2:8 mac-address=\
    C4:57:6E:D2:E2:08 server=defconf
add address=192.168.0.46 mac-address=00:F6:20:C8:55:D9 server=defconf
add address=192.168.0.72 client-id=1:d8:a3:5c:7d:5d:c2 mac-address=\
    D8:A3:5C:7D:5D:C2 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8,1.1.1.1 gateway=\
    192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=sn.mynetname.net list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# vlan20 is in the LAN list, so this rule does not apply to it; VLAN clients
# have the same access to router services as the bridge.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# The only forward-chain rule that drops new connections from the WAN. Note
# that the VLAN -> LAN drop from the earlier exports is absent here, so at this
# point nothing restricts traffic from 192.168.20.0/24 to 192.168.0.0/24.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.0.10
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The config looks okay, what is the issue now?

With that config I cannot get the firewall rule to work.

I tried to implement your config like this

/interface vlan
# The running config already has an interface named vlan20 on ether4 carrying
# 192.168.20.0/24, so this vlan20 (on the bridge) clashes on the name and this
# vlan10/192.168.10.0/24 no longer matches anything in the live config.
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=vlan20 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan10 list=LAN

/ip dhcp-server
# The pools in the current export are dhcp_main and dhcp_pool_vlan20; "dhcp"
# and "dhcp_pool_vlan10" no longer exist, so both of these commands are
# rejected. The defconf server bound to the bridge also needs disabling.
add address-pool=dhcp interface=vlan20 name=main_dhcp
add address-pool=dhcp_pool_vlan10 interface=vlan10 name=dhcp_vlan10

/interface bridge port
# frame-types=only-untagged-and-priority is not a valid keyword (RouterOS uses
# admit-only-untagged-and-priority-tagged), so each of these lines fails; the
# pvid/ingress-filtering part never gets applied, which is consistent with
# losing access once vlan-filtering is turned on at the end.
add bridge=bridge comment=defconf interface=ether2 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether3 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
# The AP on ether4 was described as sending SSID 1 untagged and SSID 2 tagged;
# untagged-only with pvid=10 does not fit that -- confirm what the AP emits.
add bridge=bridge comment=defconf interface=ether4 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether5 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=wlan1 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=wlan2 pvid=20 ingress-filtering=yes frame-types=only-untagged-and-priority

/interface bridge vlans
# The menu path is /interface bridge vlan (singular); with the wrong path these
# entries are never created, and enabling vlan-filtering on a bridge with no
# VLAN table entries cuts off every port.
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether5,wlan1,wlan2 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=10

/ip address
# 192.168.0.1/24 is still on the bridge in the running config; remove it in
# the same step. Use Safe Mode so a lost session rolls everything back instead
# of requiring a factory reset.
add address=192.168.0.1/24 interface=vlan20 network=192.168.0.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0

/ip firewall address
# Wrong path: /ip firewall filter. dst-port also needs protocol=tcp, after
# which a second, protocol-less drop (or an accept for tcp/1883 followed by a
# drop of everything else) is needed to cover non-TCP traffic.
add chain=forward action=drop in-interface=vlan10 out-interface=vlan20 dst-port=!1883

Last, go to the bridge settings and change vlan-filtering from no to yes.

But then I can't access the router or the internet, and I had to factory-reset the router.

Okay, on the config without VLANs, try these two things.
I am going to assume that you want VLAN 20 on ether4 (and only VLAN 20, no other subnets; this assumes no smart device is attached to ether4!).

(1) remove ether4 from the bridge.

(2) We are going to remove this rule…
# This is the only forward-chain rule in the posted config that drops new
# connections arriving from the WAN (every other rule accepts ipsec or
# established traffic, or drops invalid). Do not remove it until the
# replacement rules are in place and verified. As quoted here it is wrapped
# without backslashes and uses curly quotes, so it cannot be pasted back as-is.
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

and replace it with 4 rules.

# dec/15/2021 19:31:22 by RouterOS 6.48.5
/interface bridge
add admin-mac=48:8F:5A:61:B1:D5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=
MikroTik-61B1D9 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor
mode=ap-bridge ssid=MikroTik-61B1DA wireless-protocol=802.11
# vlan20 is created directly on ether4, while ether4 is still a bridge port
# further down (see the REMOVE FROM BRIDGE note there): the plan in this reply
# is that only the vlan interface uses ether4.
/interface vlan
add interface=ether4 name=vlan20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_main ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool_vlan20 ranges=192.168.20.100-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_main disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_vlan20 disabled=no interface=vlan20 name=
dhcp_vlan20
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3

add bridge=bridge comment=defconf interface=ether4 REMOVE FROM BRIDGE
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
# vlan20 joins the LAN list. The input chain in this config accepts everything
# that is not "!LAN", so vlan20 hosts can reach the router's own services
# (DNS, management) just like the main LAN; a separate list would be needed
# to deny that.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan20 list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=
192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8,1.1.1.1 gateway=
192.168.20.1
# The router answers DNS queries on every interface; the input-chain rule
# "drop all not coming from LAN" is what keeps this resolver off the WAN.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
# WAN-IP is resolved from the cloud DDNS name; the dst-nat rules below match
# on this list instead of a fixed public address.
/ip firewall address-list
add address=sn.mynetname.net list=WAN-IP
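# Filter rules. The input chain is the RouterOS default ("defconf"): only
# members of the LAN interface list may talk to the router itself. The
# forward chain keeps the defconf stateful rules; the "drop all from WAN not
# DSTNATed" rule is removed and four explicit rules take its place, so that
# anything not listed (including traffic between vlan20 and the LAN) is denied.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# vlan20 is a LAN list member in this config, so it passes this rule and
# reaches the router's own services as well.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

# REMOVE THIS RULE - the defconf line it replaces, kept here for reference only:
# add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# Replacement: explicit accepts, then a final drop. Only new connections get
# this far; replies were already accepted by the established/related rule.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow internet access"
add chain=forward action=accept comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
# dst-port is only evaluated when protocol is set; MQTT on 1883 is TCP.
add chain=forward action=accept in-interface=vlan20 dst-address=192.168.0.0/24 protocol=tcp dst-port=1883
# Everything else - other vlan20-to-LAN traffic and unsolicited WAN traffic -
# is dropped here.
add chain=forward action=drop comment="drop all else"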

/ip firewall nat
# Hairpin NAT: presumably so LAN hosts can reach the forwarded services via the
# public address; masquerades LAN-to-LAN traffic that was dst-nat'ed.
add action=masquerade chain=srcnat comment=“Hairpin NAT” dst-address=
192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
# WAN tcp/80 is redirected to tcp/22 on 192.168.0.10, i.e. that host's port 22
# (normally SSH) is reachable from the internet on port 80. Confirm this is
# intended and that the service behind it is hardened (key-based auth only,
# login rate limiting), since it is exposed to every scanner on the WAN.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=
tcp to-addresses=192.168.0.10 to-ports=22
# WAN tcp/443 goes to the same host with the port unchanged.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443
protocol=tcp to-addresses=192.168.0.10
/system clock
set time-zone-name=Europe/Stockholm
# MAC-telnet and MAC-winbox are limited to the LAN list - which, in this
# config, also includes vlan20.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

On ether4 there is one AP connected that has two SSIDs: a main one with no VLAN ID (or VLAN ID 1) with normal Wi-Fi access, and another SSID for smart-home devices with VLAN ID 20.

Which AP is this… ? ( manufacturer and model #)

It is an AP from Grandstream called a GWN7630. I have disabled the internal Wi-Fi on my router and only use the GWN7630 for Wi-Fi.

Well here is what I would do to get it working…
Go back to using both vlans and ether4 will be a trunk port to the Grandstream.
The important point is that the Grandstream needs an IP address itself on the vlan10 subnet, 192.168.0.0/24.
VLAN 10 is the home VLAN; vlan20-guests is for the Wi-Fi guests on the AP.

But here is how we go about it.
First, change ether5 into an emergency access port; we will do the change back to VLANs from that port (configuring via a laptop or desktop connected through it).

So enter router as you are doing now…(presumably not from ether5)

  1. Remove eth5 from the Bridge
  2. rename it ether5-emerg
  3. Give it an IP address of 192.168.5.2, network 192.168.5.0
  4. add ether5 to the LAN interface list members
  5. Then exit the router and plug the laptop/desktop into ether5 after setting its IPv4 address to 192.168.5.5, gateway 192.168.5.1, netmask 255.255.255.0
  6. Confirm you can enter winbox and the router for configuration from ether5.
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Now add back in vlans as indicated before…

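# The vlan interfaces now sit on the bridge (the bridge is a tagged member of
# both VLANs in the bridge VLAN table), not on ether4; ether4 becomes the
# trunk to the AP.
/interface vlan
add interface=bridge name=vlan20-guests vlan-id=20
add interface=bridge name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Both VLANs and the emergency port are LAN members. The defconf input chain
# accepts everything from LAN, so guests on vlan20-guests can reach the
# router's own services (DNS, management); give the guest VLAN its own list
# and its own input rules if that is not acceptable.
/interface list member
add comment=defconf interface=vlan20-guests list=LAN
add interface=vlan10 list=LAN
add interface=ether5-emerg list=LAN
add comment=defconf interface=ether1 list=WAN

# DHCP servers move from the bridge to the vlan interfaces. The pools defined
# in the export are dhcp_main and dhcp_pool_vlan20 (there is no pool named
# "dhcp"); disabled=no is kept as in the original export so the servers are
# active once added.
/ip dhcp-server
add address-pool=dhcp_main disabled=no interface=vlan10 name=main_dhcp
add address-pool=dhcp_pool_vlan20 disabled=no interface=vlan20-guests name=dhcp_vlan20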

# Access ports: VLAN 10 untagged (pvid=10), tagged frames refused. ether4 is
# the trunk to the AP and accepts tagged frames only, with no pvid, so the AP
# has to tag both SSIDs (10 and 20) itself - an untagged "main" SSID as
# described earlier would be dropped at this port. If the CLI rejects the
# abbreviated frame-types names, the full values are
# admit-only-untagged-and-priority-tagged and admit-only-vlan-tagged.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether3 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority
add bridge=bridge comment=defconf interface=ether4 ingress-filtering=yes frame-types=only-tagged
add bridge=bridge comment=defconf interface=wlan1 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority disabled=yes
add bridge=bridge comment=defconf interface=wlan2 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority disabled=yes

# Bridge VLAN table (CLI menu is /interface bridge vlan). VLAN 10 leaves the
# access ports untagged and the trunk tagged; VLAN 20 exists only tagged, on
# the trunk and on the bridge itself. ether5 is intentionally absent while it
# serves as the emergency port.
/interface bridge vlans
add bridge=bridge tagged=bridge,ether4 untagged=ether2,ether3,wlan1,wlan2 vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20

# Gateway addresses now live on the vlan interfaces instead of the bridge.
/ip address
add address=192.168.0.1/24 interface=vlan10 network=192.168.0.0
add address=192.168.20.1/24 interface=vlan20-guests network=192.168.20.0

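# Same defconf input/forward base as the export. The "drop all from WAN not
# DSTNATed" rule is gone; the four explicit rules at the end take its place so
# that anything not listed - including traffic between the two VLANs - is
# denied.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# vlan20-guests is in the LAN list, so guest clients pass this rule and can
# reach the router's own services; use a separate interface list with its own
# input rules if guests should not.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

# Only new connections reach the rules below; replies were accepted above.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow internet access"
add chain=forward action=accept comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
# The guest vlan interface is named vlan20-guests in this config (there is no
# interface called "vlan20"). dst-port is only evaluated when protocol is set;
# MQTT on 1883 is TCP.
add chain=forward action=accept in-interface=vlan20-guests out-interface=vlan10 protocol=tcp dst-port=1883
# Everything else between the VLANs, and anything unsolicited from WAN, is
# dropped here.
add chain=forward action=drop comment="drop all else"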

Ensure Bridge vlan filtering is set to yes.
When it is up and running you can add ether5 back to the bridge or keep it as a separate entry point…
IF you add it back.
# ether5 rejoins as a VLAN 10 access port with the same settings as ether2 and
# ether3. If the CLI rejects the abbreviated frame-types name, the full value
# is admit-only-untagged-and-priority-tagged. Whether the 192.168.5.x address
# on ether5-emerg must be removed first is not covered here - check before
# re-adding.
/interface bridge port
add bridge=bridge comment=defconf interface=ether5 pvid=10 ingress-filtering=yes frame-types=only-untagged-and-priority
# This is the existing vlan-ids=10 row with ether5 added to the untagged list
# (CLI menu is /interface bridge vlan); edit that row rather than adding a
# second entry for VLAN 10.
/interface bridge vlans
add bridge=bridge tagged=bridge,ether4 untagged=ether2,ether3,ether5,wlan1,wlan2 vlan-ids=10