Firewall filter rules for MikroTik as router-on-a-stick configuration with D-Link switch

Dear Support Team,

As per the “VLAN Setup Diagram”, I am configuring a MikroTik as a router on a stick with a D-Link switch.
Here I have made 3 VLANs and for each VLAN assigned a separate subnet and DHCP pool.

Now I checked and found that, maybe due to inter-VLAN routing, all the VLANs are communicating with each other.
So I have made a filter rule to stop it and want to make further rules:

to allow a few IPs of one VLAN to communicate with a particular VLAN, in rules placed above the drop rule.
to allow a particular VLAN to communicate with another particular VLAN, in rules placed above the drop rule.

So, please help me with how I can do it.
Attachments: IP Pool.jpg, NAT.jpg, Networks.jpg, VLAN.jpg, DHCP Server.jpg, Filter Rules.jpg, Interfaces.jpg, Address List.jpg, VLAN Setup.jpg

Please post complete configuration … in text form. You can get it by opening a terminal window (you can open it from Winbox) and executing the command /export hide-sensitive (the leading slash is important). Before posting, obfuscate the public IP address (if it’s set statically) … and post it inside a [code] environment for better readability.

Thanks for your valuable time and for supporting me…

As required, please find the configuration in text format:

# sep/02/2019 11:05:19 by RouterOS 6.37.3
# software id = 76R1-UJ2M
#
/interface vlan
add interface=ether2 loop-protect-disable-time=0s loop-protect-send-interval=0s name=E2/Accountvi vlan-id=4
add interface=ether2 loop-protect-disable-time=0s loop-protect-send-interval=0s name=E2/Server vlan-id=2
add interface=ether2 loop-protect-disable-time=0s loop-protect-send-interval=0s name=E2/Shipping vlan-id=3
/ip pool
add name=VLAN3 ranges=192.168.7.2-192.168.7.254
add name=VLAN4 ranges=192.168.8.2-192.168.8.254
add name=VLAN2 ranges=192.168.5.2-192.168.5.254
/ip dhcp-server
add address-pool=VLAN3 disabled=no interface=E2/Shipping name=VLAN3
add address-pool=VLAN4 disabled=no interface=E2/Accountvi name=VLAN4
add address-pool=VLAN2 disabled=no interface=E2/Server name=VLAN2
/interface bridge port
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether1
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.7.1/24 interface=E2/Shipping network=192.168.7.0
add address=192.168.8.1/24 interface=E2/Accountvi network=192.168.8.0
add address=192.168.5.1/24 interface=E2/Server network=192.168.5.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=8.8.8.8 gateway=192.168.5.1 netmask=24
add address=192.168.7.0/24 dns-server=8.8.8.8 gateway=192.168.7.1 netmask=24
add address=192.168.8.0/24 dns-server=8.8.8.8 gateway=192.168.8.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=192.168.1.0/24 list=192.168.1.0
add address=192.168.2.0/24 list=192.168.2.0
add address=192.168.3.0/24 list=192.168.3.0
add address=192.168.3.0/24 list=192.168.4.0
add address=192.168.5.0/24 list=192.168.5.0
add address=192.168.6.0/24 list=192.168.6.0
add address=192.168.7.0/24 list=192.168.7.0
add address=192.168.8.0/24 list=192.168.8.0
/ip firewall filter
add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=Asia/Kolkata

Before we get into details let me explain some basic stuff…

A bridge functions very similarly to a switch, forwarding packets between member ports. Right now your RB has all ether ports as members of the same bridge, which is kind of a problem for 3 reasons:

  1. It seems like the ether1 interface is used as the WAN interface. WAN should not have direct connectivity with LAN; right now some packets might escape router processing (NAT, firewall).
    Cure: remove ether1 from the bridge. The rest of the WAN config seems sensible (DHCP client on ether1).
  2. You wrote you wanted to create a “router on a stick”, which means only one of its interfaces should carry all of the LAN traffic (possibly also WAN traffic). Right now all 5 ether interfaces are bridged, meaning any of those interfaces can be used to carry any part (or the whole) of the traffic.
  3. If an interface is a member of a bridge, no other configuration should be done on that interface. Currently all of the LAN setup (including the VLAN stuff) is set up on ether2, which is a slave interface of the bridge. In this case most of the stuff seems to work, but many users of this forum have reported weird behaviour which ceased after things got properly configured on the bridge.

There are a few more problems with your current setup (including an almost non-existent firewall), but think about the problems of the physical layout config for now. After we deal with that, we can move forward to inter-VLAN accessibility.
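The following RouterOS commands are an added example, not the original poster's export and not the responder's text. They put together the two things discussed in this thread: the physical-layout fixes from the reply above (WAN port out of the bridge, VLAN interfaces and the management address on the bridge instead of on the slave port ether2) and the two "allow before drop" rules the original post asked for. The bridge name bridge1 is an assumption, since the posted export does not show the /interface bridge section; the addresses 192.168.8.10 and 192.168.8.11 are constructed stand-ins for the "few IPs" in the Accountvi VLAN that should reach the Server VLAN. Interface and list names are the ones from the posted export.

```routeros
# Added example, not the poster's own configuration.
# Assumptions: bridge is named "bridge1"; 192.168.8.10/.11 are constructed
# addresses of the Accountvi hosts allowed into the Server VLAN.

# 1. Physical layout: take the WAN port out of the bridge so every WAN packet
#    goes through routing, NAT and the firewall instead of being switched.
/interface bridge port
remove [find interface=ether1]

# 2. Router on a stick: VLAN interfaces and the management address belong on
#    the bridge, not on the slave port ether2. Names are kept, so the DHCP
#    servers bound to E2/Server, E2/Shipping and E2/Accountvi keep working.
/interface vlan
set [find name=E2/Server] interface=bridge1
set [find name=E2/Shipping] interface=bridge1
set [find name=E2/Accountvi] interface=bridge1
/ip address
set [find address="192.168.88.1/24"] interface=bridge1

# 3. The "few IPs" of the Accountvi VLAN, kept in one address list so the
#    filter rule does not change when hosts are added or removed.
/ip firewall address-list
add list=acct-to-server address=192.168.8.10 comment="constructed example host"
add list=acct-to-server address=192.168.8.11 comment="constructed example host"

# 4. Forward chain. Rules are matched top to bottom and the first match
#    decides, so the accepts must sit above the catch-all inter-VLAN drop.
#    The existing drop is removed and re-added as the last rule.
/ip firewall filter
remove [find chain=forward action=drop in-interface=all-vlan out-interface=all-vlan]
add chain=forward action=accept connection-state=established,related comment="replies for flows that were allowed"
add chain=forward action=accept src-address-list=acct-to-server out-interface=E2/Server comment="few Accountvi IPs -> Server VLAN"
add chain=forward action=accept in-interface=E2/Shipping out-interface=E2/Server comment="whole Shipping VLAN -> Server VLAN"
add chain=forward action=drop in-interface=all-vlan out-interface=all-vlan comment="everything else between VLANs"
```

Two notes on the design. The established,related rule is what lets replies come back: without it, a Server VLAN host could receive a packet from 192.168.8.10 but its answer would hit the all-vlan drop, so the connection would never complete. And because the drop rule only matches VLAN-to-VLAN traffic, each VLAN keeps its path to ether1 (NAT masquerade) unchanged. The bridge-port and VLAN changes interrupt connectivity for a moment, so they are best run from the console or with Winbox Safe Mode enabled; afterwards, /ip firewall filter print stats shows the packet counters per rule, which is the quickest way to confirm that the allowed flows hit the accept rules and everything else lands on the drop.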