I am trying to create a firewall rule that will drop all traffic from one VLAN, vlan101, to a list of multiple VLANs: vlan100, vlan102, vlan103, vlan104.
Can I achieve this with a single firewall rule?
Right now I have to create 8 rules, one for forward and one for input, for each of the 4 VLANs I want to block traffic to.
Can I do this in one single firewall rule? Or just 2 firewall rules, forward/input?
You can use an interface list … which will reduce the number of rules. I’m not sure I understand which traffic you want to block though … if you want to block traffic originating from vlan101 targeting the other VLANs and the router itself, then you need 5 rules without using either an interface list or an address list. If you’re trying to block traffic originating from the rest of the VLANs and targeting either vlan101 or the router itself, then indeed you currently need 8 rules. Either way you’ll need two rules when using lists (interface list or address list). Assuming you’re trying to block connections originating from vlan101, the config might be something like this:
/interface list
add comment="should not connect to vlan101" name=not_from_vlan101
/interface list member
add list=not_from_vlan101 interface=vlan100
add list=not_from_vlan101 interface=vlan102
add list=not_from_vlan101 interface=vlan103
add list=not_from_vlan101 interface=vlan104
/ip firewall filter
# arrange the following rules to make sure that not wanted traffic is blocked while the rest of traffic is still allowed to pass
# you might want to create some rules allowing specific traffic and place them above these drop rules (e.g. allow DHCP from clients)
add action=drop chain=input in-interface=vlan101
add action=drop chain=forward in-interface=vlan101 out-interface-list=not_from_vlan101
Beware that with a stateful firewall, blocking rules are “unidirectional” … which means that traffic originating in the opposite direction will be allowed. Firewall rules effectively work on initial packets; the rest are usually treated by generic “allow established,related” rules (yes, two … the “normal” and the fasttrack rules).
So essentially I need so many rules; then what is the use of the interface list?
What I want is to block all traffic from vlan101 to the other VLANs: 100, 102, 103, 104.
I do want to allow traffic from some of the VLANs (100, 104) to vlan101.
When using interface lists, it doesn’t matter how many “forbidden” VLANs there are; you only add the interface to the interface list and the rest remains the same. It can even be dynamic (e.g. via a scheduled script or whatever); the firewall remains exactly the same. I guess the firewall performance might be better with an interface list than with multiple firewall rules involving individual interfaces.
However, if there are many of “this yes, that no, that yes” combinations, it still might make sense to use individual rules to keep things more readable.
This is easy; first of all, ignore all the previous advice.
You need one rule to start with, at the end of the forward chain:
add action=drop chain=forward
Now ALL VLAN traffic anywhere is blocked. DONE!
You will need to add LAN-to-WAN traffic or any other traffic you wish to allow.
Interface lists are BEST for whole subnets (vlans are usually whole subnets so they are good candidates).
If you have to make rules for two or more subnets that are similar in nature then the idea is to group these into interface lists.
It is best to use firewall address lists when you have one or more IPs in a subnet (but not a full subnet), or a mix of IPs in different subnets, or a combination of IPs AND whole subnets, to describe a grouping that makes sense for rules.
For an individual subnet one can use xx.xx.xx.xx/24 or its interface name, vlan12, etc…
Now POST your config when you fix up your firewall rules and interface lists and we will have a look.
/export hide-sensitive file=anynameyouwish
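A complete rule set in the style the two answers above describe, as an added editor's example that is not a participant's posted config: a default-deny forward chain with interface lists carrying the "who may reach whom" decisions, the unidirectional stateful behaviour from the earlier reply, and an address list for the partial-subnet case. It assumes the router already has vlan100 through vlan104 as interfaces and ether1 as the WAN uplink; the host 10.1.102.10 and the names of the lists are made up for illustration.

```routeros
# Added example, not from the thread. Assumes interfaces vlan100..vlan104 exist
# and ether1 is the WAN uplink. 10.1.102.10 is a hypothetical host.

/interface list
add name=WAN comment="uplink towards the internet"
add name=LAN comment="every internal VLAN"
add name=may_reach_vlan101 comment="VLANs allowed to open connections to vlan101"
add name=blocked_from_vlan101 comment="VLANs that vlan101 must not reach"

/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan100
add list=LAN interface=vlan101
add list=LAN interface=vlan102
add list=LAN interface=vlan103
add list=LAN interface=vlan104
# the requirement from the thread: 100 and 104 may talk to 101, nothing else may
add list=may_reach_vlan101 interface=vlan100
add list=may_reach_vlan101 interface=vlan104
# a fifth VLAN later means one line here and no new filter rule
add list=blocked_from_vlan101 interface=vlan100
add list=blocked_from_vlan101 interface=vlan102
add list=blocked_from_vlan101 interface=vlan103
add list=blocked_from_vlan101 interface=vlan104

/ip firewall address-list
# address lists cover part of a subnet: a single host vlan101 may still reach (hypothetical)
add list=vlan101_exceptions address=10.1.102.10 comment="example: a printer in vlan102"

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to connections the router already accepted"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp in-interface-list=LAN
# vlan101 is cut off from the router except for what its clients need to get an address
add chain=input action=accept in-interface=vlan101 protocol=udp dst-port=67 \
    comment="DHCP from vlan101 clients"
add chain=input action=accept in-interface=vlan101 protocol=udp dst-port=53 \
    comment="DNS via the router; remove if vlan101 uses an external resolver"
add chain=input action=drop in-interface=vlan101 comment="vlan101 -> router: everything else"
add chain=input action=accept in-interface-list=LAN comment="the other VLANs may manage the router"
add chain=input action=drop comment="default deny for the router itself, WAN included"

# --- forward: traffic routed between interfaces ---
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack: the second established,related rule mentioned earlier"
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
# ordering matters: an exception must sit above the drop it punches through
add chain=forward action=accept in-interface=vlan101 dst-address-list=vlan101_exceptions \
    comment="vlan101 may reach the listed hosts even inside otherwise blocked VLANs"
add chain=forward action=drop in-interface=vlan101 out-interface-list=blocked_from_vlan101 \
    log=yes log-prefix="vlan101-blocked" \
    comment="explicit, logged drop; the final rule would catch this anyway"
# stateful: this one accept also lets vlan101 answer those connections, while vlan101
# still cannot open connections back (the unidirectional behaviour described earlier)
add chain=forward action=accept in-interface-list=may_reach_vlan101 out-interface=vlan101 \
    comment="vlan100 and vlan104 may open connections to vlan101"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="internet access for every VLAN"
add chain=forward action=drop comment="default deny: everything not accepted above"
```

Note that the final drop also stops vlan100, vlan102, vlan103 and vlan104 from reaching each other; if those VLANs need to talk, add an accept for that pair (or a further interface list) above it rather than weakening the default deny. The logged drop is optional, but it makes blocked attempts from vlan101 visible in the log instead of silently disappearing into the last rule. To list only the enabled rules when checking the result, `/ip firewall filter print where disabled=no` filters on the property; `/export` itself prints disabled rules as well.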
Good I can use your avatar to shoot you, nonsense invoking the use of complex bridge filters when standard forward chain filters sufficeth… I hope all your gunpowder gets wet.
How do I export my config showing only active /ip firewall filter rules? When I exported, I saw rules that are disabled, but it would be great to show only enabled commands in the config.
If you know where the issues are, then why are you here?
If we want to see the whole config, then please post the whole config, as many parts are interrelated.
If you feel naked about it, just ensure no public IPs or public gateways are shown (be they your ISP’s or your VPN provider’s, etc.).