firewall filter with internet allow unauthorized LAN traffic

Hello,

This is my goal :

  • VLAN-40 access to VLAN-41 = accept
  • VLAN-40 access to VLAN-50 = drop
  • VLAN-40 access to VLAN-51 = drop
  • VLAN-40 access to internet = accept

and

  • VLAN-50 access to VLAN-51 = accept
  • VLAN-50 access to VLAN-40 = drop
  • VLAN-50 access to VLAN-41 = drop
  • VLAN-50 access to internet = accept

When I add the two lines to go to the internet, all of VLAN-40 talks with VLAN-50 and vice versa.

/ip firewall address-list
add address=0.0.0.0/8 list=not_in_internet
add address=10.0.0.0/8 list=not_in_internet
add address=127.0.0.0/8 list=not_in_internet
add address=169.254.0.0/16 list=not_in_internet
add address=192.0.2.0/24 list=not_in_internet
add address=192.88.99.0/24 list=not_in_internet
add address=198.18.0.0/15 list=not_in_internet
add address=198.51.100.0/24 list=not_in_internet
add address=203.0.113.0/24 list=not_in_internet
add address=224.0.0.0/4 list=not_in_internet


add address=192.168.40.0/24 list=vlan-40-intern-list
add address=192.168.50.0/24 list=vlan-50-direction-list


add address=192.168.41.0/24 list=vlan-41-prod-list
add address=192.168.51.0/24 list=vlan-51-prod-list




/ip firewall filter
add chain=forward dst-address-list=not_in_internet action=drop comment="protection"
add chain=input connection-state=invalid action=drop comment="protection"
add chain=input connection-state=established,related action=accept comment="protection"  
add chain=forward connection-state=invalid protocol=tcp action=drop comment="protection"  
add chain=forward connection-state=established,related action=accept comment="protection"
add chain=input in-interface=bridge-trunk src-address-list=vlan-250-wifi-guest-list dst-port=21,22,23,8291 protocol=tcp action=drop comment="protection"


add chain=forward src-address-list=vlan-40-intern-list dst-address-list=vlan-41-prod-list action=accept comment="VLAN-40-to-VLAN-41"
add chain=forward src-address-list=vlan-50-direction-list dst-address-list=vlan-51-prod-list action=accept comment="VLAN-50-to-VLAN-51"


####problem####
add chain=forward src-address-list=vlan-40-intern-list dst-address=0.0.0.0/0 action=accept comment="VLAN-40-INTERNE-to-internet" 
add chain=forward src-address-list=vlan-50-direction-list dst-address=0.0.0.0/0 action=accept comment="VLAN-50-DIRECTION-to-internet"      
####problem####


add chain=input action=drop comment="DENY-ALL"
add chain=forward action=drop comment="DENY-ALL"

mikrotik-bridge-MultiWAN.pdf (140 KB)
Could you please tell me if any other solution to do this :

  • VLAN-40 access to VLAN-41 = accept
  • VLAN-40 access to VLAN-50 = drop
  • VLAN-40 access to VLAN-51 = drop
  • VLAN-40 access to internet = accept

and

  • VLAN-50 access to VLAN-51 = accept
  • VLAN-50 access to VLAN-40 = drop
  • VLAN-50 access to VLAN-41 = drop
  • VLAN-50 access to internet = accept

Many thanks in advance for your great help.

Best regards

P.S.: if you want to see my mangle configuration, you can check this: http://forum.mikrotik.com/t/problem-high-ping-latency-multiwan/143312/1

/export hide-sensitive file=anynameyouwish

Please see post #4 for the new config with mangle PPPoE.

Hello @anav ,

Thank you very much for your help.

Attached is the file with the mangle PPPoE:
export-dzint-10102020-15h27.txt (17.5 KB)
This is the config:


# oct/10/2020 15:27:46 by RouterOS 6.46.7
# software id =
#
#
#
/interface bridge
add name=bridge-trunk protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] disable-running-check=no name=WAN-09-ADAPTER
set [ find default-name=ether4 ] disable-running-check=no name=WAN-12-ADAPTER
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface pppoe-client
add disabled=no interface=WAN-09-ADAPTER name=pppoe-wan1 password=pass1 user=user1
add disabled=no interface=WAN-12-ADAPTER name=pppoe-wan2 password=pass2 user=user2
/interface vlan
add interface=bridge-trunk name=VLAN-10-SALLE-01 vlan-id=10
add interface=bridge-trunk name=VLAN-11-PROD-SALLE-01 vlan-id=11
add interface=bridge-trunk name=VLAN-17-SERVER vlan-id=17
add interface=bridge-trunk name=VLAN-20-SALLE-02 vlan-id=20
add interface=bridge-trunk name=VLAN-21-PROD-SALLE-02 vlan-id=21
add interface=bridge-trunk name=VLAN-30-SALLE-03 vlan-id=30
add interface=bridge-trunk name=VLAN-31-PROD-SALLE-03 vlan-id=31
add interface=bridge-trunk name=VLAN-40-INTERNE vlan-id=40
add interface=bridge-trunk name=VLAN-50-DIRECTION vlan-id=50
add interface=bridge-trunk name=VLAN-70-FORMATEUR vlan-id=70
add interface=bridge-trunk name=VLAN-250-GUEST-STAGIAIRE vlan-id=250
add interface=bridge-trunk name=VLAN-251-PROD-STAGIAIRE vlan-id=251
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=VLAN-10-SALLE-01 lease-time=12w6d name=dhcp-server-salle-01
add disabled=no interface=VLAN-20-SALLE-02 lease-time=12w6d name=dhcp-server-salle-02
add disabled=no interface=VLAN-30-SALLE-03 lease-time=12w6d name=dhcp-server-salle-03
add disabled=no interface=VLAN-40-INTERNE lease-time=12w6d name=dhcp-server-interne
add disabled=no interface=VLAN-50-DIRECTION lease-time=12w6d name=dhcp-server-direction
add disabled=no interface=VLAN-70-FORMATEUR lease-time=12w6d name=dhcp-server-formateur
/ip pool
add name=dhcp-pool-prod-salle-01 ranges=192.168.11.1-192.168.11.253
add name=dhcp-pool-prod-salle-02 ranges=192.168.21.1-192.168.21.253
add name=dhcp-pool-prod-salle-03 ranges=192.168.31.1-192.168.31.253
add name=dhcp-pool-guest ranges=192.168.250.1-192.168.250.150
add name=dhcp-pool-prod-stagiaire ranges=192.168.251.1-192.168.251.253
/ip dhcp-server
add address-pool=dhcp-pool-guest disabled=no interface=VLAN-250-GUEST-STAGIAIRE lease-time=12w6d name=dhcp-server-guest
add address-pool=dhcp-pool-prod-salle-01 disabled=no interface=VLAN-11-PROD-SALLE-01 lease-time=12w6d name=dhcp-server-prod-salle-01
add address-pool=dhcp-pool-prod-salle-02 disabled=no interface=VLAN-21-PROD-SALLE-02 lease-time=12w6d name=dhcp-server-prod-salle-02
add address-pool=dhcp-pool-prod-salle-03 disabled=no interface=VLAN-31-PROD-SALLE-03 lease-time=12w6d name=dhcp-server-prod-salle-03
add address-pool=dhcp-pool-prod-stagiaire disabled=no interface=VLAN-251-PROD-STAGIAIRE lease-time=12w6d name=dhcp-server-prod-stagiaire
/interface bridge port
add bridge=bridge-trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
add bridge=bridge-trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether6
/interface bridge vlan
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=10
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=20
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=30
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=40
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=50
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=70
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=250
add bridge=bridge-trunk tagged=bridge-trunk,ether6 vlan-ids=11
add bridge=bridge-trunk tagged=bridge-trunk,ether6 vlan-ids=21
add bridge=bridge-trunk tagged=bridge-trunk,ether6 vlan-ids=31
add bridge=bridge-trunk tagged=bridge-trunk,ether6 vlan-ids=17
add bridge=bridge-trunk tagged=bridge-trunk,ether6 vlan-ids=251
/ip address
add address=192.168.10.254/24 interface=VLAN-10-SALLE-01 network=192.168.10.0
add address=192.168.20.254/24 interface=VLAN-20-SALLE-02 network=192.168.20.0
add address=192.168.30.254/24 interface=VLAN-30-SALLE-03 network=192.168.30.0
add address=192.168.40.254/24 interface=VLAN-40-INTERNE network=192.168.40.0
add address=192.168.50.254/24 interface=VLAN-50-DIRECTION network=192.168.50.0
add address=192.168.70.254/24 interface=VLAN-70-FORMATEUR network=192.168.70.0
add address=192.168.250.254/24 interface=VLAN-250-GUEST-STAGIAIRE network=192.168.250.0
add address=192.168.11.254/24 interface=VLAN-11-PROD-SALLE-01 network=192.168.11.0
add address=192.168.21.254/24 interface=VLAN-21-PROD-SALLE-02 network=192.168.21.0
add address=192.168.31.254/24 interface=VLAN-31-PROD-SALLE-03 network=192.168.31.0
add address=172.17.10.254/24 interface=VLAN-17-SERVER network=172.17.10.0
add address=192.168.251.254/24 interface=VLAN-251-PROD-STAGIAIRE network=192.168.251.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.10.1 mac-address=00:50:79:66:68:05 server=dhcp-server-salle-01
add address=192.168.20.1 mac-address=00:50:79:66:68:0A server=dhcp-server-salle-02
add address=192.168.30.1 mac-address=00:50:79:66:68:00 server=dhcp-server-salle-03
add address=192.168.40.1 mac-address=00:50:79:66:68:02 server=dhcp-server-interne
add address=192.168.50.1 mac-address=00:50:79:66:68:03 server=dhcp-server-direction
add address=192.168.40.2 mac-address=00:50:79:66:68:0E server=dhcp-server-interne
add address=192.168.50.2 mac-address=00:50:79:66:68:09 server=dhcp-server-direction
add address=192.168.70.1 mac-address=00:50:79:66:68:04 server=dhcp-server-formateur
add address=192.168.250.151 mac-address=00:50:79:66:68:07 server=dhcp-server-guest
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=192.168.10.254
add address=192.168.11.0/24 dns-server=172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=192.168.11.254
add address=192.168.20.0/24 dns-server=172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=192.168.20.254
add address=192.168.21.0/24 dns-server=172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=192.168.21.254
add address=192.168.30.0/24 dns-server=172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=192.168.30.254
add address=192.168.31.0/24 dns-server=172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=192.168.31.254
add address=192.168.40.0/24 dns-server=172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=192.168.40.254
add address=192.168.50.0/24 dns-server=172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=192.168.50.254
add address=192.168.70.0/24 dns-server=172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=192.168.70.254
add address=192.168.250.0/24 dns-server=172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=192.168.250.254
add address=192.168.251.0/24 dns-server=172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=192.168.251.254
/ip firewall address-list
add address=0.0.0.0/8 list=not_in_internet
add address=10.0.0.0/8 list=not_in_internet
add address=127.0.0.0/8 list=not_in_internet
add address=169.254.0.0/16 list=not_in_internet
add address=192.0.2.0/24 list=not_in_internet
add address=192.88.99.0/24 list=not_in_internet
add address=198.18.0.0/15 list=not_in_internet
add address=198.51.100.0/24 list=not_in_internet
add address=203.0.113.0/24 list=not_in_internet
add address=224.0.0.0/4 list=not_in_internet
add address=192.168.10.1-192.168.10.16 list=vlan-10-salle-01-list
add address=192.168.20.1-192.168.20.8 list=vlan-20-salle-02-list
add address=192.168.30.1-192.168.30.8 list=vlan-30-salle-03-list
add address=192.168.10.17 list=vlan-10-formateur-salle-01-list
add address=192.168.20.9 list=vlan-20-formateur-salle-02-list
add address=192.168.30.9 list=vlan-30-formateur-salle-03-list
add address=192.168.40.20 list=vlan-40-printer-list
add address=192.168.40.21 list=vlan-40-printer-list
add address=192.168.40.0/24 list=vlan-40-intern-list
add address=192.168.50.0/24 list=vlan-50-direction-list
add address=192.168.70.1-192.168.70.80 list=vlan-70-formateur-salle-01-list
add address=192.168.70.81-192.168.70.160 list=vlan-70-formateur-salle-02-list
add address=192.168.70.161-192.168.70.240 list=vlan-70-formateur-salle-03-list
add address=192.168.250.1-192.168.250.150 list=vlan-250-wifi-guest-list
add address=192.168.250.151-192.168.250.253 list=vlan-250-stagiaire-list
add address=192.168.11.0/24 list=vlan-11-prod-salle-01-list
add address=192.168.21.0/24 list=vlan-21-prod-salle-02-list
add address=192.168.31.0/24 list=vlan-31-prod-salle-03-list
add address=192.168.251.0/24 list=vlan-251-prod-stagiaire-list
add address=172.17.10.100 list=vlan-17-server-partage-list
add address=172.17.10.100 list=vlan-17-server-list
add address=172.17.10.10 list=vlan-17-server-list
add address=172.17.10.102 list=vlan-17-server-list
add address=172.17.10.103 list=vlan-17-server-list
add address=172.17.10.110 list=vlan-17-dns-list
add address=172.17.10.111 list=vlan-17-dns-list
add address=172.17.10.10 list=vlan-17-dns-list
add address=172.17.10.1 list=vlan-17-vmware-list
add address=172.17.10.2 list=vlan-17-vmware-list
add address=172.17.10.3 list=vlan-17-vmware-list
add address=172.17.10.94 list=vlan-17-vmware-list
/ip firewall filter
add action=drop chain=forward comment=protection dst-address-list=not_in_internet
add action=drop chain=input comment=protection connection-state=invalid
add action=accept chain=input comment=protection connection-state=established,related
add action=drop chain=forward comment=protection connection-state=invalid protocol=tcp
add action=accept chain=forward comment=protection connection-state=established,related
add action=drop chain=input comment=protection dst-port=21,22,23,8291 in-interface=bridge-trunk protocol=tcp src-address-list=vlan-250-wifi-guest-list
add action=accept chain=forward comment=Salle-01-to-PROD-01 dst-address-list=vlan-11-prod-salle-01-list src-address-list=vlan-10-salle-01-list
add action=accept chain=forward comment=Salle-02-to-PROD-02 dst-address-list=vlan-21-prod-salle-02-list src-address-list=vlan-20-salle-02-list
add action=accept chain=forward comment=Salle-03-to-PROD-03 dst-address-list=vlan-31-prod-salle-03-list src-address-list=vlan-30-salle-03-list
add action=accept chain=forward comment=Formateur-to-Salle-01 dst-address-list=vlan-10-salle-01-list src-address-list=vlan-10-formateur-salle-01-list
add action=accept chain=forward comment=Formateur-to-Salle-02 dst-address-list=vlan-20-salle-02-list src-address-list=vlan-20-formateur-salle-02-list
add action=accept chain=forward comment=Formateur-to-Salle-03 dst-address-list=vlan-30-salle-03-list src-address-list=vlan-30-formateur-salle-03-list
add action=accept chain=forward comment=Formateur-to-PROD-01 dst-address-list=vlan-11-prod-salle-01-list src-address-list=vlan-10-formateur-salle-01-list
add action=accept chain=forward comment=Formateur-to-PROD-02 dst-address-list=vlan-21-prod-salle-02-list src-address-list=vlan-20-formateur-salle-02-list
add action=accept chain=forward comment=Formateur-to-PROD-03 dst-address-list=vlan-31-prod-salle-03-list src-address-list=vlan-30-formateur-salle-03-list
add action=accept chain=forward comment=Formateur-Wifi-to-Salle-01 dst-address-list=vlan-10-salle-01-list src-address-list=vlan-70-formateur-salle-01-list
add action=accept chain=forward comment=Formateur-Wifi-to-Salle-02 dst-address-list=vlan-20-salle-02-list src-address-list=vlan-70-formateur-salle-02-list
add action=accept chain=forward comment=Formateur-Wifi-to-Salle-03 dst-address-list=vlan-30-salle-03-list src-address-list=vlan-70-formateur-salle-03-list
add action=accept chain=forward comment=Formateur-Wifi-to-PROD-01 dst-address-list=vlan-11-prod-salle-01-list src-address-list=vlan-70-formateur-salle-01-list
add action=accept chain=forward comment=Formateur-Wifi-to-PROD-02 dst-address-list=vlan-21-prod-salle-02-list src-address-list=vlan-70-formateur-salle-02-list
add action=accept chain=forward comment=Formateur-Wifi-to-PROD-03 dst-address-list=vlan-31-prod-salle-03-list src-address-list=vlan-70-formateur-salle-03-list
add action=accept chain=forward comment=VLAN-40-INTERNE-to-Printers dst-address-list=vlan-40-printer-list src-address-list=vlan-40-intern-list
add action=accept chain=forward comment=Printers-to-ALL dst-address-list=vlan-17-server-partage-list src-address-list=vlan-40-printer-list
add action=accept chain=forward comment=Direction-to-ALL src-address-list=vlan-50-direction-list
add action=accept chain=forward comment=Stagiaire-to-PROD-Stagiaire dst-address-list=vlan-251-prod-stagiaire-list src-address-list=vlan-250-stagiaire-list
add action=accept chain=forward comment=All-to-AD-NAS-MDT-WSUS dst-address-list=vlan-17-server-list src-address-list=!vlan-250-wifi-guest-list
add action=accept chain=forward comment=All-to-DNS dst-address-list=vlan-17-dns-list dst-port=53 protocol=udp
add action=accept chain=forward comment=VLAN-50-DIRECTION-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-50-direction-list
add action=accept chain=forward comment=VLAN-40-INTERNE-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-40-intern-list
add action=accept chain=forward comment=pc-instructeur-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-70-formateur-salle-01-list
add action=accept chain=forward comment=pc-instructeur-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-70-formateur-salle-02-list
add action=accept chain=forward comment=pc-instructeur-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-70-formateur-salle-03-list
add action=accept chain=forward comment=salle1-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-10-salle-01-list
add action=accept chain=forward comment=salle2-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-20-salle-02-list
add action=accept chain=forward comment=salle3-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-30-salle-03-list
add action=accept chain=forward comment=PROD-01-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-11-prod-salle-01-list
add action=accept chain=forward comment=PROD-02-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-21-prod-salle-02-list
add action=accept chain=forward comment=PROD-03-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-31-prod-salle-03-list
add action=accept chain=forward comment=dns-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-17-dns-list
add action=accept chain=forward comment=server-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-17-server-list
add action=accept chain=forward comment=vmware-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-17-vmware-list
add action=drop chain=input comment=DENY-ALL
add action=drop chain=forward comment=DENY-ALL
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=local in-interface=bridge-trunk
# pppoe-wan1 not ready
add action=accept chain=prerouting dst-address-list=local in-interface=pppoe-wan1
# pppoe-wan2 not ready
add action=accept chain=prerouting dst-address-list=local in-interface=pppoe-wan2
# pppoe-wan1 not ready
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-wan1 new-connection-mark=WAN-09-CONNECTION
# pppoe-wan2 not ready
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-wan2 new-connection-mark=WAN-12-CONNECTION
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!local dst-port=80,443 in-interface=bridge-trunk new-connection-mark=WAN-09-CONNECTION \
    per-connection-classifier=both-addresses:2/0 protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!local dst-port=80,443 in-interface=bridge-trunk new-connection-mark=WAN-12-CONNECTION \
    per-connection-classifier=both-addresses:2/1 protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!local in-interface=bridge-trunk new-connection-mark=WAN-09-CONNECTION per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!local in-interface=bridge-trunk new-connection-mark=WAN-12-CONNECTION per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN-09-CONNECTION in-interface=bridge-trunk new-routing-mark=to-WAN-09
add action=mark-routing chain=prerouting connection-mark=WAN-12-CONNECTION in-interface=bridge-trunk new-routing-mark=to-WAN-12
add action=mark-routing chain=output connection-mark=WAN-09-CONNECTION new-routing-mark=to-WAN-09
add action=mark-routing chain=output connection-mark=WAN-12-CONNECTION new-routing-mark=to-WAN-12
/ip firewall nat
# pppoe-wan1 not ready
add action=masquerade chain=srcnat out-interface=pppoe-wan1
# pppoe-wan2 not ready
add action=masquerade chain=srcnat out-interface=pppoe-wan2
/ip route
add check-gateway=ping distance=1 gateway=pppoe-wan1 routing-mark=to-WAN-09
add check-gateway=ping distance=1 gateway=pppoe-wan2 routing-mark=to-WAN-12
add check-gateway=ping distance=1 gateway=pppoe-wan1
add check-gateway=ping distance=2 gateway=pppoe-wan2

To make my topology easy to understand, I drew only 2 VLANs (VLAN-40 and VLAN-50) in Visio, but actually I have multiple VLANs (as you can see in the attached file).


  • VLAN-40 access to VLAN-41 = accept
  • VLAN-40 access to VLAN-50 = drop
  • VLAN-40 access to VLAN-51 = drop
  • VLAN-40 access to internet = accept

and

  • VLAN-50 access to VLAN-51 = accept
  • VLAN-50 access to VLAN-40 = drop
  • VLAN-50 access to VLAN-41 = drop
  • VLAN-50 access to internet = accept

Thank you in advance for your help.

Best regards

Okay
What I see are 12 vlans, and yet I only see 6 DHCP servers.
I see only 5 DHCP pools.
Then I see 5 more DHCP servers, WTF is going on??
So that's a total of 11 DHCP servers.
Then I see 12 more vlans (same as above but duplicated…)

Please provide the output as requested, not made up shit:
/export hide-sensitive file=anynameyouwish
Notepad++ is the best to use.

Yay!! I see 12 IP addresses that match the 12 vlans, finally some good news LOL.
I see 11 DHCP-server-network settings, so shy one, but this at least matches the 11 DHCP servers.
+++++++++++++++++++++++++++++

By my count you are missing
1x DHCP server (vlan17)
1x DHCP server-network (vlan 17)
7x pools (vlans-10,17,20,30,40,50,70)

Okay, only two ether ports, 5 and 6, are attached to the bridge (ether3 and 4 to the WAN), leaving 1,2,7,8 unassigned??

You could simplify the rules if you wished…
/interface bridge vlan
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=10,20,30,40,50,70,250
add bridge=bridge-trunk tagged=bridge-trunk,ether6 vlan-ids=11,17,21,31,251

Now I dread looking at the firewall rules…
First I need to see them in order; it's best to place the INPUT chain rules first, followed by the FORWARD chain rules.
I am going to ignore all mangle rules as that is not my area of knowledge.

These rules need some work potentially.
/ip firewall filter
(1) add action=drop chain=forward comment=protection dst-address-list=not_in_internet
(What are you trying to say here… the last rule in the forward chain will drop any traffic not allowed, which should include this, no?)
(Or are you saying that you wish to allow traffic from vlans to the internet but not to the above address lists??)


(2) add action=drop chain=input comment=protection dst-port=21,22,23,8291 in-interface=bridge-trunk protocol=tcp src-address-list=vlan-250-wifi-guest-list
Why do you have this rule? No one except the admin should have access to the ROUTER (ie input chain)
Instead put in a rule that states admin access accept and make a list of IPs or the source vlan that will house the admin as having access…

(3) Okay, these ones made no sense to me because you are forwarding traffic to the same vlan??? Not required; within a vlan, connectivity is already there at layer 2.
add action=accept chain=forward comment=Formateur-to-Salle-01 dst-address-list=vlan-10-salle-01-list src-address-list=vlan-10-formateur-salle-01-list
add action=accept chain=forward comment=Formateur-to-Salle-02 dst-address-list=**vlan-20-**salle-02-list src-address-list=vlan-20-formateur-salle-02-list
add action=accept chain=forward comment=Formateur-to-Salle-03 dst-address-list=vlan-30-salle-03-list src-address-list=vlan-30-formateur-salle-03-list
add action=accept chain=forward comment=VLAN-40-INTERNE-to-Printers dst-address-list=**vlan-40-**printer-list src-address-list=vlan-40-intern-list

(4) Not sure what you mean by this rule???
add action=accept chain=forward comment=Direction-to-ALL src-address-list=vlan-50-direction-list

(5) Not sure what you are attempting to do on this rule?? (by that I mean put it into words)
add action=accept chain=forward comment=All-to-AD-NAS-MDT-WSUS dst-address-list=vlan-17-server-list src-address-list=!vlan-250-wifi-guest-list

(6) DNS rules should normally be in the INPUT chain. Remember I stated only give admin access to the input chain; the exception is services required for users. So if users need DNS then they need to access port 53 on the input chain, tcp and udp.
add action=accept chain=forward comment=All-to-DNS dst-address-list=vlan-17-dns-list dst-port=53 protocol=udp

(7) The rest of these are bizarre too, what is the intent here? Is this the way to give them internet access or something else…

add action=accept chain=forward comment=VLAN-50-DIRECTION-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-50-direction-list
add action=accept chain=forward comment=VLAN-40-INTERNE-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-40-intern-list
add action=accept chain=forward comment=pc-instructeur-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-70-formateur-salle-01-list
add action=accept chain=forward comment=pc-instructeur-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-70-formateur-salle-02-list
add action=accept chain=forward comment=pc-instructeur-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-70-formateur-salle-03-list
add action=accept chain=forward comment=salle1-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-10-salle-01-list
add action=accept chain=forward comment=salle2-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-20-salle-02-list
add action=accept chain=forward comment=salle3-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-30-salle-03-list
add action=accept chain=forward comment=PROD-01-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-11-prod-salle-01-list
add action=accept chain=forward comment=PROD-02-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-21-prod-salle-02-list
add action=accept chain=forward comment=PROD-03-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-31-prod-salle-03-list
add action=accept chain=forward comment=dns-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-17-dns-list
add action=accept chain=forward comment=server-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-17-server-list
add action=accept chain=forward comment=vmware-to-internet dst-address=0.0.0.0/0 src-address-list=vlan-17-vmware-list

Why not group some of your vlans into INTERFACE lists? Then it's much easier, one rule:
add action=accept chain=forward in-interface-list=Vlans_allowed_internet out-interface-list=WAN

Note you can use interface lists on all firewall rules, such as the input chain (one rule per protocol, since protocol= takes a single value):
add action=accept chain=input in-interface-list=Vlans_need_DNS protocol=udp dst-port=53
add action=accept chain=input in-interface-list=Vlans_need_DNS protocol=tcp dst-port=53
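To make the leak in the question's two ####problem#### rules and the interface-list fix from this reply concrete, here is an added example (not code from either poster or from MikroTik): a small Python model of first-match evaluation over the forward chain. It assumes the simplified VLAN-41/VLAN-51 interface names from the question's drawing, a WAN and a vlan-allowed-internet interface list, and only models new connections (the connection-state rules are omitted).

```python
import ipaddress

# Address lists copied from the question; everything else here is a constructed model.
NET = ipaddress.ip_network
ADDRESS_LISTS = {
    "not_in_internet": [NET(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
        "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
        "224.0.0.0/4")],
    "vlan-40-intern-list": [NET("192.168.40.0/24")],
    "vlan-50-direction-list": [NET("192.168.50.0/24")],
    "vlan-41-prod-list": [NET("192.168.41.0/24")],
    "vlan-51-prod-list": [NET("192.168.51.0/24")],
}
# Interface lists as suggested in the reply above (assumed membership; VLAN-41 name is assumed).
INTERFACE_LISTS = {
    "WAN": {"pppoe-wan1", "pppoe-wan2"},
    "vlan-allowed-internet": {"VLAN-40-INTERNE", "VLAN-50-DIRECTION"},
}


def in_address_list(addr: str, name: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADDRESS_LISTS[name])


def matches(rule: dict, pkt: dict) -> bool:
    """Every matcher present on the rule must match; absent matchers match anything."""
    checks = {
        "src-address-list": lambda v: in_address_list(pkt["src"], v),
        "dst-address-list": lambda v: in_address_list(pkt["dst"], v),
        "dst-address": lambda v: ipaddress.ip_address(pkt["dst"]) in NET(v),
        "in-interface-list": lambda v: pkt["in"] in INTERFACE_LISTS[v],
        "out-interface-list": lambda v: pkt["out"] in INTERFACE_LISTS[v],
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)


def forward_decision(chain: list, pkt: dict) -> str:
    """First matching rule wins, exactly as in the RouterOS filter table."""
    for rule in chain:
        if matches(rule, pkt):
            return f'{rule["action"]} ({rule["comment"]})'
    return "drop (implicit)"


COMMON_HEAD = [
    {"action": "drop", "dst-address-list": "not_in_internet", "comment": "protection"},
    {"action": "accept", "src-address-list": "vlan-40-intern-list",
     "dst-address-list": "vlan-41-prod-list", "comment": "VLAN-40-to-VLAN-41"},
    {"action": "accept", "src-address-list": "vlan-50-direction-list",
     "dst-address-list": "vlan-51-prod-list", "comment": "VLAN-50-to-VLAN-51"},
]
DENY_ALL = [{"action": "drop", "comment": "DENY-ALL"}]

# The two ####problem#### rules: dst-address=0.0.0.0/0 matches *every* destination,
# including the other VLANs, so they fire before DENY-ALL ever gets a look.
ORIGINAL_CHAIN = COMMON_HEAD + [
    {"action": "accept", "src-address-list": "vlan-40-intern-list",
     "dst-address": "0.0.0.0/0", "comment": "VLAN-40-INTERNE-to-internet"},
    {"action": "accept", "src-address-list": "vlan-50-direction-list",
     "dst-address": "0.0.0.0/0", "comment": "VLAN-50-DIRECTION-to-internet"},
] + DENY_ALL

# One rule keyed on the egress interface list instead: only traffic that is
# actually being routed out of a WAN interface can match it.
FIXED_CHAIN = COMMON_HEAD + [
    {"action": "accept", "in-interface-list": "vlan-allowed-internet",
     "out-interface-list": "WAN", "comment": "vlans-to-internet"},
] + DENY_ALL


def missing_private_ranges() -> list:
    """RFC 1918 ranges absent from not_in_internet: why rule 1 never sees 192.168.x traffic."""
    rfc1918 = [NET("10.0.0.0/8"), NET("172.16.0.0/12"), NET("192.168.0.0/16")]
    return [str(n) for n in rfc1918 if n not in ADDRESS_LISTS["not_in_internet"]]


# Constructed sample packets (new connections only). 8.8.8.8 stands in for any public host.
PACKETS = {
    "40->41": {"src": "192.168.40.10", "dst": "192.168.41.10", "in": "VLAN-40-INTERNE", "out": "VLAN-41"},
    "40->50": {"src": "192.168.40.10", "dst": "192.168.50.10", "in": "VLAN-40-INTERNE", "out": "VLAN-50-DIRECTION"},
    "40->internet": {"src": "192.168.40.10", "dst": "8.8.8.8", "in": "VLAN-40-INTERNE", "out": "pppoe-wan1"},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:13} original: {forward_decision(ORIGINAL_CHAIN, pkt):40} "
              f"fixed: {forward_decision(FIXED_CHAIN, pkt)}")
    print("RFC 1918 ranges not in not_in_internet:", missing_private_ranges())
```

Adding 192.168.0.0/16 to not_in_internet alone would not be a fix either: that drop rule sits first in the chain and would then also kill the intended VLAN-40-to-VLAN-41 traffic.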

Hello @anav,

Firstly, thank you very much for your precious help. I don't know how I could have solved this problem without your advice.

Please find attached the export file with all your recommendations:
config-24102020-1347.txt.rsc (21 KB)
You can see the export from the router, 24/10/2020:

# jan/02/1970 00:25:30 by RouterOS 6.43.16
# software id = GHPB-B6YG
#
# model = CCR1036-8G-2S+
# serial number = 9F1D0ACE6F99
/interface bridge
add name=bridge-trunk protocol-mode=mstp vlan-filtering=yes
/interface pppoe-client
add disabled=no interface=ether3 name=pppoe-wan1 user=021774609
add disabled=no interface=ether4 name=pppoe-wan2 user=021774612
/interface vlan
add interface=bridge-trunk name=VLAN-10-SALLE-01 vlan-id=10
add interface=bridge-trunk name=VLAN-11-PROD-SALLE-01 vlan-id=11
add interface=bridge-trunk name=VLAN-17-SERVER vlan-id=17
add interface=bridge-trunk name=VLAN-20-SALLE-02 vlan-id=20
add interface=bridge-trunk name=VLAN-21-PROD-SALLE-02 vlan-id=21
add interface=bridge-trunk name=VLAN-30-SALLE-03 vlan-id=30
add interface=bridge-trunk name=VLAN-31-PROD-SALLE-03 vlan-id=31
add interface=bridge-trunk name=VLAN-40-INTERNE vlan-id=40
add interface=bridge-trunk name=VLAN-50-DIRECTION vlan-id=50
add interface=bridge-trunk name=VLAN-60-PEARSONVUE vlan-id=60
add interface=bridge-trunk name=VLAN-70-FORMATEUR vlan-id=70
add interface=bridge-trunk name=VLAN-250-GUEST-STAGIAIRE vlan-id=250
add interface=bridge-trunk name=VLAN-251-PROD-STAGIAIRE vlan-id=251
/interface list
add name=WAN
add name=vlan-allowed-internet
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=VLAN-10-SALLE-01 lease-time=12w6d name=\
    dhcp-server-salle-01
add disabled=no interface=VLAN-20-SALLE-02 lease-time=12w6d name=\
    dhcp-server-salle-02
add disabled=no interface=VLAN-30-SALLE-03 lease-time=12w6d name=\
    dhcp-server-salle-03
add disabled=no interface=VLAN-40-INTERNE lease-time=12w6d name=\
    dhcp-server-interne
add disabled=no interface=VLAN-50-DIRECTION lease-time=12w6d name=\
    dhcp-server-direction
add disabled=no interface=VLAN-60-PEARSONVUE lease-time=12w6d name=\
    dhcp-server-pearsonvue
add disabled=no interface=VLAN-70-FORMATEUR lease-time=12w6d name=\
    dhcp-server-formateur
/ip pool
add name=dhcp-pool-prod-salle-01 ranges=192.168.11.1-192.168.11.253
add name=dhcp-pool-prod-salle-02 ranges=192.168.21.1-192.168.21.253
add name=dhcp-pool-prod-salle-03 ranges=192.168.31.1-192.168.31.253
add name=dhcp-pool-guest ranges=192.168.250.1-192.168.250.150
add name=dhcp-pool-prod-stagiaire ranges=192.168.251.1-192.168.251.253
/ip dhcp-server
add address-pool=dhcp-pool-guest disabled=no interface=\
    VLAN-250-GUEST-STAGIAIRE lease-time=12w6d name=dhcp-server-guest
add address-pool=dhcp-pool-prod-salle-01 disabled=no interface=\
    VLAN-11-PROD-SALLE-01 lease-time=12w6d name=dhcp-server-prod-salle-01
add address-pool=dhcp-pool-prod-salle-02 disabled=no interface=\
    VLAN-21-PROD-SALLE-02 lease-time=12w6d name=dhcp-server-prod-salle-02
add address-pool=dhcp-pool-prod-salle-03 disabled=no interface=\
    VLAN-31-PROD-SALLE-03 lease-time=12w6d name=dhcp-server-prod-salle-03
add address-pool=dhcp-pool-prod-stagiaire disabled=no interface=\
    VLAN-251-PROD-STAGIAIRE lease-time=12w6d name=dhcp-server-prod-stagiaire
/interface bridge port
add bridge=bridge-trunk frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=ether5
add bridge=bridge-trunk frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=ether6
/interface bridge vlan
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=\
    10,20,30,40,50,60,70,250
add bridge=bridge-trunk tagged=bridge-trunk,ether6 vlan-ids=11,21,31,17,251
/interface list member
add interface=pppoe-wan1 list=WAN
add interface=pppoe-wan2 list=WAN
add interface=VLAN-10-SALLE-01 list=vlan-allowed-internet
add interface=VLAN-20-SALLE-02 list=vlan-allowed-internet
add interface=VLAN-30-SALLE-03 list=vlan-allowed-internet
add interface=VLAN-40-INTERNE list=vlan-allowed-internet
add interface=VLAN-50-DIRECTION list=vlan-allowed-internet
add interface=VLAN-60-PEARSONVUE list=vlan-allowed-internet
add interface=VLAN-70-FORMATEUR list=vlan-allowed-internet
add interface=VLAN-250-GUEST-STAGIAIRE list=vlan-allowed-internet
add interface=VLAN-11-PROD-SALLE-01 list=vlan-allowed-internet
add interface=VLAN-21-PROD-SALLE-02 list=vlan-allowed-internet
add interface=VLAN-31-PROD-SALLE-03 list=vlan-allowed-internet
add interface=VLAN-17-SERVER list=vlan-allowed-internet
add interface=VLAN-251-PROD-STAGIAIRE list=vlan-allowed-internet
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0
add address=192.168.10.254/24 interface=VLAN-10-SALLE-01 network=192.168.10.0
add address=192.168.20.254/24 interface=VLAN-20-SALLE-02 network=192.168.20.0
add address=192.168.30.254/24 interface=VLAN-30-SALLE-03 network=192.168.30.0
add address=192.168.40.254/24 interface=VLAN-40-INTERNE network=192.168.40.0
add address=192.168.50.254/24 interface=VLAN-50-DIRECTION network=\
    192.168.50.0
add address=192.168.60.254/24 interface=VLAN-60-PEARSONVUE network=\
    192.168.60.0
add address=192.168.70.254/24 interface=VLAN-70-FORMATEUR network=\
    192.168.70.0
add address=192.168.250.254/24 interface=VLAN-250-GUEST-STAGIAIRE network=\
    192.168.250.0
add address=192.168.11.254/24 interface=VLAN-11-PROD-SALLE-01 network=\
    192.168.11.0
add address=192.168.21.254/24 interface=VLAN-21-PROD-SALLE-02 network=\
    192.168.21.0
add address=192.168.31.254/24 interface=VLAN-31-PROD-SALLE-03 network=\
    192.168.31.0
add address=172.17.10.254/24 interface=VLAN-17-SERVER network=172.17.10.0
add address=192.168.251.254/24 interface=VLAN-251-PROD-STAGIAIRE network=\
    192.168.251.0
/ip dhcp-server lease
add address=192.168.10.1 mac-address=FC:45:96:78:E2:9D server=\
    dhcp-server-salle-01
add address=192.168.10.2 mac-address=FC:45:96:78:E3:63 server=\
    dhcp-server-salle-01
add address=192.168.10.3 mac-address=FC:45:96:78:E2:79 server=\
    dhcp-server-salle-01
add address=192.168.10.4 mac-address=FC:45:96:AE:45:5E server=\
    dhcp-server-salle-01
add address=192.168.10.5 mac-address=1C:39:47:B1:8A:F3 server=\
    dhcp-server-salle-01
add address=192.168.10.6 mac-address=1C:39:47:B1:88:4B server=\
    dhcp-server-salle-01
add address=192.168.10.7 mac-address=1C:39:47:B1:8B:5B server=\
    dhcp-server-salle-01
add address=192.168.10.8 mac-address=1C:39:47:B1:8B:2B server=\
    dhcp-server-salle-01
add address=192.168.10.9 mac-address=1C:39:47:B1:8A:8E server=\
    dhcp-server-salle-01
add address=192.168.10.10 mac-address=1C:39:47:B1:8B:3C server=\
    dhcp-server-salle-01
add address=192.168.10.11 mac-address=1C:39:47:B4:D0:3A server=\
    dhcp-server-salle-01
add address=192.168.10.12 mac-address=1C:39:47:B4:D2:0F server=\
    dhcp-server-salle-01
add address=192.168.10.13 mac-address=1C:39:47:B1:88:F8 server=\
    dhcp-server-salle-01
add address=192.168.10.14 mac-address=1C:39:47:B1:89:CB server=\
    dhcp-server-salle-01
add address=192.168.10.15 mac-address=1C:39:47:B1:88:E5 server=\
    dhcp-server-salle-01
add address=192.168.10.16 mac-address=1C:39:47:B1:88:B1 server=\
    dhcp-server-salle-01
add address=192.168.10.17 mac-address=30:9C:23:B1:9B:AB server=\
    dhcp-server-salle-01
add address=192.168.20.1 mac-address=FC:45:96:AE:44:67 server=\
    dhcp-server-salle-02
add address=192.168.20.2 mac-address=FC:45:96:AE:44:6C server=\
    dhcp-server-salle-02
add address=192.168.20.3 mac-address=FC:45:96:AE:46:07 server=\
    dhcp-server-salle-02
add address=192.168.20.4 mac-address=FC:45:96:AE:43:F6 server=\
    dhcp-server-salle-02
add address=192.168.20.5 mac-address=FC:45:96:AE:46:AB server=\
    dhcp-server-salle-02
add address=192.168.20.6 mac-address=FC:45:96:AE:5C:11 server=\
    dhcp-server-salle-02
add address=192.168.20.7 mac-address=FC:45:96:AE:44:EC server=\
    dhcp-server-salle-02
add address=192.168.20.8 mac-address=FC:45:96:78:E2:AC server=\
    dhcp-server-salle-02
add address=192.168.40.1 mac-address=54:B8:0A:02:39:10 server=\
    dhcp-server-interne
add address=192.168.40.2 mac-address=C8:3D:DC:81:A4:BB server=\
    dhcp-server-interne
add address=192.168.40.3 mac-address=54:B8:0A:02:38:CA server=\
    dhcp-server-interne
add address=192.168.40.4 mac-address=00:2F:93:48:08:65 server=\
    dhcp-server-interne
add address=192.168.40.5 mac-address=54:B8:0A:02:37:E8 server=\
    dhcp-server-interne
add address=192.168.40.6 mac-address=90:78:B2:48:9A:F9 server=\
    dhcp-server-interne
add address=192.168.40.7 mac-address=00:1B:38:B4:6D:70 server=\
    dhcp-server-interne
add address=192.168.40.8 mac-address=64:CC:2E:B9:0C:AE server=\
    dhcp-server-interne
add address=192.168.40.9 mac-address=90:06:28:D2:06:AB server=\
    dhcp-server-interne
add address=192.168.40.10 mac-address=54:B8:0A:02:38:C3 server=\
    dhcp-server-interne
add address=192.168.40.11 mac-address=B4:69:21:8C:94:16 server=\
    dhcp-server-interne
add address=192.168.40.12 mac-address=E8:6A:64:39:24:06 server=\
    dhcp-server-interne
add address=192.168.40.13 mac-address=20:34:FB:FA:DF:B6 server=\
    dhcp-server-interne
add address=192.168.40.14 mac-address=80:CE:B9:91:F3:5B server=\
    dhcp-server-interne
add address=192.168.40.15 mac-address=80:CE:B9:A0:BF:E9 server=\
    dhcp-server-interne
add address=192.168.40.16 mac-address=F4:81:39:E8:16:B8 server=\
    dhcp-server-interne
add address=192.168.40.17 mac-address=80:C5:F2:D0:6C:4B server=\
    dhcp-server-interne
add address=192.168.40.18 mac-address=00:0C:29:7B:AD:B5 server=\
    dhcp-server-interne
add address=192.168.40.19 mac-address=EC:B5:FA:06:27:48 server=\
    dhcp-server-interne
add address=192.168.50.1 mac-address=30:9C:23:B1:9A:CB server=\
    dhcp-server-direction
add address=192.168.50.2 mac-address=0C:4D:54:D4:16:5A server=\
    dhcp-server-direction
add address=192.168.50.3 mac-address=C4:85:08:41:41:0F server=\
    dhcp-server-direction
add address=192.168.50.4 mac-address=6C:C7:EC:1E:7C:A8 server=\
    dhcp-server-direction
add address=192.168.50.5 mac-address=9C:B6:D0:BB:58:C3 server=\
    dhcp-server-direction
add address=192.168.50.6 mac-address=00:17:61:12:64:99 server=\
    dhcp-server-direction
add address=192.168.50.7 mac-address=74:C1:4F:7A:6B:59 server=\
    dhcp-server-direction
add address=192.168.50.8 mac-address=9C:B6:D0:C0:71:1F server=\
    dhcp-server-direction
add address=192.168.50.9 mac-address=38:00:25:0C:25:4C server=\
    dhcp-server-direction
add address=192.168.60.1 mac-address=6C:4B:90:90:74:CD server=\
    dhcp-server-pearsonvue
add address=192.168.60.2 mac-address=6C:4B:90:90:75:8C server=\
    dhcp-server-pearsonvue
add address=192.168.60.200 mac-address=00:D8:61:59:9D:C0 server=\
    dhcp-server-pearsonvue
add address=192.168.70.1 mac-address=50:B7:C3:52:02:55 server=\
    dhcp-server-formateur
add address=192.168.70.2 mac-address=C8:0A:A9:A5:9D:D7 server=\
    dhcp-server-formateur
add address=192.168.250.151 mac-address=E8:2A:EA:A1:28:7C server=\
    dhcp-server-guest
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=\
    172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=\
    192.168.10.254
add address=192.168.11.0/24 dns-server=\
    172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=\
    192.168.11.254
add address=192.168.20.0/24 dns-server=\
    172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=\
    192.168.20.254
add address=192.168.21.0/24 dns-server=\
    172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=\
    192.168.21.254
add address=192.168.30.0/24 dns-server=\
    172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=\
    192.168.30.254
add address=192.168.31.0/24 dns-server=\
    172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=\
    192.168.31.254
add address=192.168.40.0/24 dns-server=\
    172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=\
    192.168.40.254
add address=192.168.50.0/24 dns-server=\
    172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=\
    192.168.50.254
add address=192.168.60.0/24 dns-server=8.8.8.8,8.8.4.4 domain=formini.local \
    gateway=192.168.60.254
add address=192.168.70.0/24 dns-server=\
    172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=\
    192.168.70.254
add address=192.168.250.0/24 dns-server=\
    172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=\
    192.168.250.254
add address=192.168.251.0/24 dns-server=\
    172.17.10.110,172.17.10.111,172.17.10.10 domain=formini.local gateway=\
    192.168.251.254
/ip firewall address-list
add address=0.0.0.0/8 list=bogons
add address=10.0.0.0/8 list=bogons
add address=127.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=192.0.2.0/24 list=bogons
add address=192.88.99.0/24 list=bogons
add address=198.18.0.0/15 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=224.0.0.0/4 list=bogons
add address=192.168.10.1-192.168.10.16 list=vlan-10-salle-01-list
add address=192.168.20.1-192.168.20.8 list=vlan-20-salle-02-list
add address=192.168.30.1-192.168.30.8 list=vlan-30-salle-03-list
add address=192.168.40.20 list=vlan-40-printer-list
add address=192.168.40.21 list=vlan-40-printer-list
add address=192.168.40.0/24 list=vlan-40-intern-list
add address=192.168.50.0/24 list=vlan-50-direction-list
add address=192.168.50.2 list=vlan-50-admin-list
add address=192.168.60.1 list=vlan-60-pearsonvue-list
add address=192.168.60.2 list=vlan-60-pearsonvue-list
add address=192.168.60.200 list=vlan-60-pearsonvue-list
add address=192.168.70.1-192.168.70.80 list=vlan-70-formateur-salle-01-list
add address=192.168.70.81-192.168.70.160 list=vlan-70-formateur-salle-02-list
add address=192.168.70.161-192.168.70.240 list=\
    vlan-70-formateur-salle-03-list
add address=192.168.250.1-192.168.250.150 list=vlan-250-wifi-guest-list
add address=192.168.250.151-192.168.250.253 list=vlan-250-stagiaire-list
add address=192.168.11.0/24 list=vlan-11-prod-salle-01-list
add address=192.168.21.0/24 list=vlan-21-prod-salle-02-list
add address=192.168.31.0/24 list=vlan-31-prod-salle-03-list
add address=192.168.251.0/24 list=vlan-251-prod-stagiaire-list
add address=172.17.10.100 list=vlan-17-server-partage-list
add address=172.17.10.100 list=vlan-17-server-list
add address=172.17.10.10 list=vlan-17-server-list
add address=172.17.10.102 list=vlan-17-server-list
add address=172.17.10.103 list=vlan-17-server-list
add address=172.17.10.110 list=vlan-17-dns-list
add address=172.17.10.111 list=vlan-17-dns-list
add address=172.17.10.10 list=vlan-17-dns-list
add address=172.17.10.1 list=vlan-17-vmware-list
add address=172.17.10.2 list=vlan-17-vmware-list
add address=172.17.10.3 list=vlan-17-vmware-list
add address=172.17.10.94 list=vlan-17-vmware-list
add address=0.0.0.0/8 list=local
add address=10.0.0.0/8 list=local
add address=100.64.0.0/10 list=local
add address=127.0.0.0/8 list=local
add address=169.254.0.0/16 list=local
add address=172.16.0.0/12 list=local
add address=192.0.0.0/24 list=local
add address=192.0.0.0/29 list=local
add address=192.0.2.0/24 list=local
add address=192.88.99.0/24 list=local
add address=192.168.0.0/16 list=local
add address=198.18.0.0/15 list=local
add address=198.51.100.0/24 list=local
add address=203.0.113.0/24 list=local
add address=240.0.0.0/4 list=local
add address=255.255.255.255 list=local
/ip firewall filter
add action=accept chain=input in-interface=ether1 src-address=192.168.88.2
add action=drop chain=input comment=protection connection-state=invalid
add action=accept chain=input comment=protection connection-state=\
    established,related
add action=drop chain=forward comment=protection connection-state=invalid \
    protocol=tcp
add action=accept chain=forward comment=protection connection-state=\
    established,related
add action=accept chain=input comment=protection dst-port=21,22,23,8291 \
    in-interface=bridge-trunk protocol=tcp src-address-list=\
    vlan-50-admin-list
add action=accept chain=forward comment=Direction-to-ALL src-address-list=\
    vlan-50-direction-list
add action=accept chain=forward comment=PEARSONVUE-to-ALL src-address-list=\
    vlan-60-pearsonvue-list
add action=accept chain=input comment=All-to-DNS dst-address-list=\
    vlan-17-dns-list dst-port=53 protocol=udp
add action=accept chain=input comment=All-to-DNS dst-address-list=\
    vlan-17-dns-list dst-port=53 protocol=tcp
add action=drop chain=input comment=DROP-ALL-DNS dst-port=53 protocol=udp
add action=drop chain=input comment=DROP-ALL-DNS dst-port=53 protocol=tcp
add action=accept chain=forward comment=Salle-01-to-PROD-01 dst-address-list=\
    vlan-11-prod-salle-01-list src-address-list=vlan-10-salle-01-list
add action=accept chain=forward comment=Salle-02-to-PROD-02 dst-address-list=\
    vlan-21-prod-salle-02-list src-address-list=vlan-20-salle-02-list
add action=accept chain=forward comment=Salle-03-to-PROD-03 dst-address-list=\
    vlan-31-prod-salle-03-list src-address-list=vlan-30-salle-03-list
add action=accept chain=forward comment=Formateur-Wifi-to-Salle-01 \
    dst-address-list=vlan-10-salle-01-list src-address-list=\
    vlan-70-formateur-salle-01-list
add action=accept chain=forward comment=Formateur-Wifi-to-Salle-02 \
    dst-address-list=vlan-20-salle-02-list src-address-list=\
    vlan-70-formateur-salle-02-list
add action=accept chain=forward comment=Formateur-Wifi-to-Salle-03 \
    dst-address-list=vlan-30-salle-03-list src-address-list=\
    vlan-70-formateur-salle-03-list
add action=accept chain=forward comment=Formateur-Wifi-to-PROD-01 \
    dst-address-list=vlan-11-prod-salle-01-list src-address-list=\
    vlan-70-formateur-salle-01-list
add action=accept chain=forward comment=Formateur-Wifi-to-PROD-02 \
    dst-address-list=vlan-21-prod-salle-02-list src-address-list=\
    vlan-70-formateur-salle-02-list
add action=accept chain=forward comment=Formateur-Wifi-to-PROD-03 \
    dst-address-list=vlan-31-prod-salle-03-list src-address-list=\
    vlan-70-formateur-salle-03-list
add action=accept chain=forward comment=Stagiaire-to-PROD-Stagiaire \
    dst-address-list=vlan-251-prod-stagiaire-list src-address-list=\
    vlan-250-stagiaire-list
add action=accept chain=forward comment=All-to-AD-NAS-MDT-WSUS \
    dst-address-list=vlan-17-server-list src-address-list=\
    !vlan-250-wifi-guest-list
add action=accept chain=forward comment="to internet" in-interface-list=\
    vlan-allowed-internet out-interface-list=WAN
add action=accept chain=forward comment="to internet" in-interface-list=WAN \
    out-interface-list=vlan-allowed-internet
add action=drop chain=forward comment=DENY-ALL
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=local in-interface=\
    bridge-trunk
# pppoe-wan1 not ready
add action=accept chain=prerouting dst-address-list=local in-interface=\
    pppoe-wan1
# pppoe-wan2 not ready
add action=accept chain=prerouting dst-address-list=local in-interface=\
    pppoe-wan2
# pppoe-wan1 not ready
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-wan1 new-connection-mark=WAN-09-CONNECTION
# pppoe-wan2 not ready
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-wan2 new-connection-mark=WAN-12-CONNECTION
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!local dst-port=80,443 in-interface=bridge-trunk \
    new-connection-mark=WAN-09-CONNECTION per-connection-classifier=\
    both-addresses:2/0 protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!local dst-port=80,443 in-interface=bridge-trunk \
    new-connection-mark=WAN-12-CONNECTION per-connection-classifier=\
    both-addresses:2/1 protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!local in-interface=bridge-trunk new-connection-mark=\
    WAN-09-CONNECTION per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!local in-interface=bridge-trunk new-connection-mark=\
    WAN-12-CONNECTION per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN-09-CONNECTION \
    in-interface=bridge-trunk new-routing-mark=to-WAN-09
add action=mark-routing chain=prerouting connection-mark=WAN-12-CONNECTION \
    in-interface=bridge-trunk new-routing-mark=to-WAN-12
add action=mark-routing chain=output connection-mark=WAN-09-CONNECTION \
    new-routing-mark=to-WAN-09
add action=mark-routing chain=output connection-mark=WAN-12-CONNECTION \
    new-routing-mark=to-WAN-12
/ip firewall nat
# no interface
add action=masquerade chain=srcnat out-interface=pppoe-wan1
# no interface
add action=masquerade chain=srcnat out-interface=pppoe-wan2
/ip route
add check-gateway=ping distance=1 gateway=pppoe-wan1 routing-mark=to-WAN-09
add check-gateway=ping distance=1 gateway=pppoe-wan2 routing-mark=to-WAN-12
add check-gateway=ping distance=1 gateway=pppoe-wan1
add check-gateway=ping distance=1 gateway=pppoe-wan2

For VLAN17 all servers are configured with a manual IP address, so there is no dhcp-server for VLAN17.


@anav Could you please tell me if any lines in the firewall configuration are wrong?

Best regards

Strange config, as things don't show up together…
In any case here is what is missing… the next post will look at FW rules.

13 vlans
2 wans
7 dhcp servers (missing 6)
5 pools (missing 8 - vlans 10,17,20,30,40,50,60,70)
5 dhcp servers (now only missing 1 - vlan17)
2 bridge ports defined (etherports 5,6) both trunk ports
8 vlans on ether5
5 vlans on ether6 (total of 13 vlans on the two bridge ports - check)
13 IP addresses - check (didn't count the default leftover 88.1 not being used)
12 dhcp-server-networks (missing one - vlan17)

(1) I still see you have not moved your fw filter rules around so that all INPUT rules are viewed together and all FORWARD rules are viewed together; it makes it hard to read…

(2) /ip firewall filter
add action=accept chain=input in-interface=ether1 src-address=192.168.88.2
This rule should be removed; you are saying let traffic in from the WAN from an address that it shouldn't allow, a big security flaw if true…
Get rid of it for now, not needed for sure.

(3) Your two invalid rules…
add action=drop chain=input comment=protection connection-state=invalid (move this rule to AFTER the input rule for connection-state=established - simply more efficient, as most traffic will not be invalid)
add action=drop chain=forward comment=protection connection-state=invalid (same for the forward chain: move the drop invalid rule to right after the connection-state rule - also drop the TCP part of that rule, not required)

(4) Good, although why are you limiting admin access to only some ports on the router? You should be able to access all of them as admin… and don't limit yourself to tcp.
add action=accept chain=input comment=protection dst-port=21,22,23,8291 in-interface=bridge-trunk protocol=tcp src-address-list=vlan-50-admin-list

to
add action=accept chain=input comment="protection" in-interface=bridge-trunk src-address-list=vlan-50-admin-list

(5) This rule is too vague and not clear to the reader… If your intent is to allow vlan-50 access to all other vlans then better stated
add action=accept chain=forward comment=Direction-to-ALL src-address-list=vlan-50-direction-list

add action=accept chain=forward comment=AccessAll_Vlans src-address-list=vlan-50-direction-list
out-interface-list=vlan-allowed-internet

PLEASE REPEAT FOR ALL OTHER FORWARD RULES WITH A VAGUE FORWARD ALL…
for example:
add action=accept chain=forward comment=PEARSONVUE-to-ALL src-address-list=vlan-60-pearsonvue-list

add action=accept chain=forward comment=PEARSONVUE-to-ALL src-address-list=vlan-60-pearsonvue-list
out-interface-list=vlan-allowed-internet

ALSO on that note, you need one for internet access…
If internet access is the primary activity then put this as first rule after default top rules (connection established and invalid)
add action=accept chain=forward in-interface-list=vlan-allowed-internet out-interface-list=WAN
I see you already have this rule… just place it up higher.

(6) I don't understand your DNS rules in the input chain. The input chain is to permit access to the router, NOT TO ip addresses on the LAN, makes no sense!!
You really have to explain how you want DNS to work on your network. If, as I suspect, you have a DNS server on vlan 17, then maybe what you want is to point all users directly to vlan 17 at the DHCP level OR direct them to the router as is the default and then, through the IP DNS settings, enter the IP on vlan 17 for the router to use… So users will go to the router, and the router will use the vlan 17 dns servers or its own cache.

add action=accept chain=input comment=All-to-DNS dst-address-list=vlan-17-dns-list dst-port=53 protocol=udp
add action=accept chain=input comment=All-to-DNS dst-address-list=vlan-17-dns-list dst-port=53 protocol=tcp

To
add action=accept chain=input comment="allow users to access router tcp DNS services" protocol=tcp dst-port=53 in-interface-list=vlan-allowed-internet
add action=accept chain=input comment="allow users to access router udp DNS services" protocol=udp dst-port=53 in-interface-list=vlan-allowed-internet

In addition you don't need these silly drop rules… AS the last rule in the input chain is DROP all. You have already covered dropping all traffic not allowed!!
add action=drop chain=input comment=DROP-ALL-DNS dst-port=53 protocol=udp
add action=drop chain=input comment=DROP-ALL-DNS dst-port=53 protocol=tcp

(7) TRY TO AVOID using ! in your firewall rules as there are many unintended consequences!!! (pun intended LOL)
I think I only found one…
add action=accept chain=forward comment=All-to-AD-NAS-MDT-WSUS dst-address-list=vlan-17-server-list src-address-list=!vlan-250-wifi-guest-list

What you have done is state that ANYBODY on the LAN or WAN is allowed to access those destination addresses.
Lets try this instead
add action=accept chain=forward comment=All-to-AD-NAS-MDT-WSUS dst-address-list=vlan-17-server-list in-interface-list=vlan-allowed-internet src-address-list=!vlan-250-wifi-guest-list

Meaning we are stating: okay, we want to forward all requests to the vlan17 server IPs from the users on all the vlans, except if they are from vlan-250 etc…

(8) Okay, as noted you have a general LAN to WAN internet rule, which is great, but I suggested moving it up higher. But then why did you make this nonsensical rule??
add action=accept chain=forward comment="to internet" in-interface-list=WAN out-interface-list=vlan-allowed-internet

This says, let me forward all WAN to LAN traffic… DANGER… no you dont!!!
DELETE THIS RULE!!!

Hello @anav ,

Another beautiful day when I read all your messages. You saved my life = )

I will apply all your recommendations. To understand my topology, you need to know that I work in a school, and we have 03 classes: VLAN10 / VLAN20 / VLAN30

Every week we deliver courses for which students may or may not require internet, and depending on that I authorize or prohibit access to the internet.
Therefore this list vlan-allowed-internet may change every week.

In future, I will use this order

/ip firewall filter

add action=accept chain=input comment="protection" connection-state=established,related   
add action=drop   chain=input comment="protection" connection-state=invalid  
add action=accept chain=input comment="protection" in-interface=bridge-trunk src-address-list=vlan-50-admin-list

add action=accept chain=forward comment="protection" connection-state=established,related  
add action=drop   chain=forward comment="protection" connection-state=invalid
.........

This rule for 192.168.88.2 is temporary, because the first time I added firewall rules I was blocked and could not manage the router.
I delete this rule.


3)
You are right, I got blocked because invalid was before established :frowning:

add action=accept chain=input comment="protection" connection-state=established,related   
add action=drop   chain=input comment="protection" connection-state=invalid  
add action=accept chain=input comment="protection" in-interface=bridge-trunk src-address-list=vlan-50-admin-list

add action=accept chain=forward comment="protection" connection-state=established,related  
add action=drop   chain=forward comment="protection" connection-state=invalid

You are right, I chose to authorize all ports for admin

add action=accept chain=input comment="protection" in-interface=bridge-trunk src-address-list=vlan-50-admin-list

VLAN50 and VLAN60 need access to all destinations, LAN & internet, with custom DNS (8.8.8.8 / 8.8.4.4). No restriction is applied to these (02) two VLANs. Could you help me rewrite these two rules?

add action=accept chain=forward comment="Direction-to-ALL" src-address-list=vlan-50-direction-list  
add action=accept chain=forward comment="PEARSONVUE-to-ALL" src-address-list=vlan-60-pearsonvue-list

In point number 6) I will talk about DNS requests; I want to add this rule AFTER the DNS request block. Should I?

add action=accept chain=forward in-interface-list=vlan-allowed-internet out-interface-list=WAN

I use (02) two Pi-hole (https://pi-hole.net/):

  • 172.17.10.110
  • 172.17.10.111

I need to control DNS requests in the LAN. For example: if a user on his machine tries to change the default DNS to 8.8.8.8, I need to block DNS requests to everything and allow only DNS requests to the Pi-hole; then I can block some bad DNS requests (adult … etc).

Could I change input to forward for DNS requests:

add action=accept chain=forward comment="All-to-PiHole-only" dst-address-list=vlan-17-dns-list dst-port=53 protocol=udp    
add action=accept chain=forward comment="All-to-PiHole-only" dst-address-list=vlan-17-dns-list dst-port=53 protocol=tcp    
add action=drop comment="DROP-ALL-DNS" chain=forward dst-port=53 protocol=udp    
add action=drop comment="DROP-ALL-DNS" chain=forward dst-port=53 protocol=tcp  
add action=accept chain=forward comment="to internet" in-interface-list=vlan-allowed-internet out-interface-list=WAN

Understood, we need to be explicit :slight_smile: I will try not to use ! BUT this list vlan-allowed-internet may change every week.

Should I use this to block only VLAN250 from accessing VLAN17? Should I use bridge-trunk (which includes all VLAN interfaces) rather than vlan-allowed-internet?

add action=drop chain=forward comment=Drop_vlan_250_to_vlan_17 src-address-list=vlan-250-wifi-guest-list dst-address-list=vlan-17-server-list
add action=accept chain=forward comment=AccessAll_Vlans dst-address-list=vlan-17-server-list out-interface=bridge-trunk

You are 100% right, and thank you for the explanation; I delete this dangerous rule.

Hello @anav,

You can find attached my new export of 25/10/2020 with your recommendations.
config-25102020-1551.conf.rsc (20.7 KB)
Any suggestion will be very appreciated :slight_smile:

Best regards
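To make the points raised above checkable rather than argued in words, here is an added example that is not part of anyone's post and not RouterOS code: a small first-match model of the forward chain, with the rules the thread argues about (the `!vlan-250-wifi-guest-list` rule, the WAN-to-LAN "to internet" rule, and the proposed DNS-to-Pi-hole rules) written as Python data and evaluated against constructed packets. Address lists, interface names and interface lists are taken from the export; the sample packets, the internet source 203.0.113.5 (a documentation address) and the helper names `R`, `evaluate`, `original` and `revised` are assumptions for the example. The model ignores NAT, routing and the bridge, and it takes the in-interface of a forwarded packet to be the VLAN interface.

```python
"""First-match model of the forward chain discussed in this thread (added
example, not RouterOS code and not any participant's posted config)."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Subsets of /ip firewall address-list and /interface list member from the export
ADDRESS_LISTS = {
    "vlan-17-server-list": ["172.17.10.100", "172.17.10.10", "172.17.10.102", "172.17.10.103"],
    "vlan-17-dns-list": ["172.17.10.110", "172.17.10.111", "172.17.10.10"],
    "vlan-250-wifi-guest-list": ["192.168.250.1-192.168.250.150"],
}
INTERFACE_LISTS = {
    "WAN": {"pppoe-wan1", "pppoe-wan2"},
    "vlan-allowed-internet": {"VLAN-40-INTERNE", "VLAN-17-SERVER", "VLAN-250-GUEST-STAGIAIRE"},
}

# A forwarded packet as the filter sees it; state is new|established|related|invalid
Packet = namedtuple("Packet", "in_iface out_iface src dst proto dport state",
                    defaults=("tcp", None, "new"))


def in_address_list(addr, name):
    """RouterOS list entries may be a host, a CIDR prefix or a lo-hi range."""
    a = ip_address(addr)
    for entry in ADDRESS_LISTS[name]:
        if "-" in entry:
            lo, hi = entry.split("-")
            if ip_address(lo) <= a <= ip_address(hi):
                return True
        elif a in ip_network(entry, strict=False):
            return True
    return False


def rule_matches(matchers, p):
    """Every matcher must match; a leading '!' on an address-list matcher negates
    it, as in RouterOS, so '!vlan-250-wifi-guest-list' also matches WAN sources."""
    for key, want in matchers.items():
        if key in ("src_list", "dst_list"):
            addr = p.src if key == "src_list" else p.dst
            if in_address_list(addr, want.lstrip("!")) == want.startswith("!"):
                return False
        elif key == "in_iface_list" and p.in_iface not in INTERFACE_LISTS[want]:
            return False
        elif key == "out_iface_list" and p.out_iface not in INTERFACE_LISTS[want]:
            return False
        elif key == "proto" and p.proto != want:
            return False
        elif key == "dport" and p.dport != want:
            return False
        elif key == "state" and p.state not in want:
            return False
    return True


def evaluate(chain, p):
    """First matching rule wins; with no match a RouterOS chain accepts implicitly."""
    for action, comment, matchers in chain:
        if rule_matches(matchers, p):
            return action, comment
    return "accept", "implicit"


def R(action, comment, **matchers):  # one rule: (action, comment, matchers)
    return action, comment, matchers


EST = R("accept", "protection", state={"established", "related"})
INVALID = R("drop", "protection", state={"invalid"})

# Forward chain as exported (the rules this thread argues about, same relative order)
ORIGINAL_FORWARD = [
    INVALID, EST,
    R("accept", "All-to-AD-NAS-MDT-WSUS", dst_list="vlan-17-server-list", src_list="!vlan-250-wifi-guest-list"),
    R("accept", "to internet", in_iface_list="vlan-allowed-internet", out_iface_list="WAN"),
    R("accept", "to internet", in_iface_list="WAN", out_iface_list="vlan-allowed-internet"),
    R("drop", "DENY-ALL"),
]
# Forward chain in the order the replies converge on
REVISED_FORWARD = [
    EST, INVALID,
    R("accept", "All-to-PiHole-only", dst_list="vlan-17-dns-list", proto="udp", dport=53),
    R("accept", "All-to-PiHole-only", dst_list="vlan-17-dns-list", proto="tcp", dport=53),
    R("drop", "DROP-ALL-DNS", proto="udp", dport=53),
    R("drop", "DROP-ALL-DNS", proto="tcp", dport=53),
    R("accept", "to internet", in_iface_list="vlan-allowed-internet", out_iface_list="WAN"),
    R("accept", "All-to-AD-NAS-MDT-WSUS", dst_list="vlan-17-server-list",
      in_iface_list="vlan-allowed-internet", src_list="!vlan-250-wifi-guest-list"),
    R("drop", "DENY-ALL"),
]

# Constructed packets; 203.0.113.5 is a documentation address standing in for an internet host
SAMPLES = {
    "wan-to-nas": Packet("pppoe-wan1", "VLAN-17-SERVER", "203.0.113.5", "172.17.10.100", "tcp", 445),
    "wan-to-lan-rdp": Packet("pppoe-wan1", "VLAN-40-INTERNE", "203.0.113.5", "192.168.40.5", "tcp", 3389),
    "wan-to-pihole": Packet("pppoe-wan1", "VLAN-17-SERVER", "203.0.113.5", "172.17.10.110", "udp", 53),
    "lan-dns-google": Packet("VLAN-40-INTERNE", "pppoe-wan1", "192.168.40.5", "8.8.8.8", "udp", 53),
    "lan-dns-pihole": Packet("VLAN-40-INTERNE", "VLAN-17-SERVER", "192.168.40.5", "172.17.10.110", "udp", 53),
    "guest-to-nas": Packet("VLAN-250-GUEST-STAGIAIRE", "VLAN-17-SERVER", "192.168.250.10", "172.17.10.100", "tcp", 445),
}


def original(p):
    return evaluate(ORIGINAL_FORWARD, p)[0]


def revised(p):
    return evaluate(REVISED_FORWARD, p)[0]


if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name:15} exported={original(p):7} revised={revised(p)}")
```

Run as is, the model shows the exported chain accepting both WAN-sourced samples (the `!` rule because an internet address is "not in the guest list", the RDP one because of the WAN-to-LAN rule) and dropping a client's query to 172.17.10.110 at DENY-ALL, since the exported DNS accept rules live in the input chain and only 172.17.10.10 is in vlan-17-server-list. In the revised order those cases come out as intended, but the two All-to-PiHole-only rules carry no in-interface matcher, so the model also accepts a WAN-sourced query to the Pi-hole; adding in-interface-list=vlan-allowed-internet (or a LAN list covering every VLAN) to those two rules is the check that closes it.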

You'll have to get some things straight. One is the reason to get dropped: in-interface is not bridge-trunk, it's VLAN-50-DIRECTION. So you'll have to get familiar with interfaces and their hierarchy.
And you’ll need one last rule chain=input action=drop at the end of rules for input chain. So you’ll have to understand how packets are processed by firewall (and learn that if packet is not processed by some explicit rule, it’ll be implicitly accepted).

I have not had a chance to review the config, but you can always have an interface list called LAN and put all the vlans on that as well.
Then you can use LAN in your interface lists to cover off all other rules, and just use the VLAN interface lists for access to the internet.
Otherwise it gets a tad confusing… Will have a look later.