Firewall rules for vlan not working

Hello, I have configured 2 vlans: vlan10_iot and vlan20_iot, which are working fine. Except they don’t seem isolated from each other by default.
But when I want to isolate them with a firewall, nothing happens. The counters for the firewall rules are zero, and I can’t still access vlan to vlan.

The idea is to have an isolated vlan named vlan20_iot. It should not be able to access other vlans and interfaces. But vice versa is fine.

# 2024-05-02 16:40:18 by RouterOS 7.14.3
# software id = R9HX-AU3V
#
# model = RB5009UPr+S+
# serial number = ***
/interface bridge
add name=lan port-cost-mode=short vlan-filtering=yes
add comment="off bridge port for management" name=management
/interface wireguard
add listen-port=7887 mtu=1420 name=mullvad-upstream
/interface vlan
add disabled=yes interface=lan name=mullvad vlan-id=60
add interface=lan name=vlan10 vlan-id=10
add interface=lan name=vlan20_iot vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface lte apn
add apn=internet.access.nl name=simpel
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.254
add name=vlan10 ranges=10.0.10.2-10.0.10.100
add name=vlan20_iot ranges=10.0.20.2-10.0.20.100
/ip dhcp-server
add address-pool=dhcp_pool0 interface=lan lease-time=10m name=dhcp1
add address-pool=vlan10 interface=vlan10 name=vlan10
add address-pool=vlan20_iot interface=vlan20_iot name=vlan20_iot
/routing table
add fib name=mullvad
/interface bridge port
add bridge=lan disabled=yes interface=ether2 internal-path-cost=10 path-cost=\
    10
add bridge=lan interface=ether6 internal-path-cost=10 path-cost=10
add bridge=lan interface=ether5 internal-path-cost=10 path-cost=10
add bridge=lan comment=yo interface=ether7
add bridge=management interface=ether8
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=lan tagged=ether5,ether6,lan,ether7 vlan-ids=10
add bridge=lan tagged=lan,ether5,ether6,ether7 vlan-ids=20
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=185.65.134.83 endpoint-port=\
    51820 interface=mullvad-upstream persistent-keepalive=25s public-key=\
    "***************"
/ip address
add address=10.0.0.1/24 interface=lan network=10.0.0.0
add address=10.70.125.149 interface=mullvad-upstream network=10.124.0.40
add address=192.168.88.1/24 interface=management network=192.168.88.0
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20_iot network=10.0.20.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
/ip firewall address-list
add address=10.0.0.2-10.0.0.254 disabled=yes list=device-based-vpn
/ip firewall filter
add action=accept chain=forward comment="allow test (FOR TESTING)" disabled=\
    yes
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=forward in-interface=vlan20_iot out-interface=vlan10
add action=drop chain=input comment="block everything else" in-interface=\
    ether1
add action=accept chain=input comment=wireguard dst-port=51820 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=10.70.125.149 routing-table=\
    mullvad
add check-gateway=none comment="wg-vpn mark" disabled=no distance=10 \
    dst-address=0.0.0.0/0 gateway=mullvad-upstream pref-src="" routing-table=\
    mullvad scope=30 suppress-hw-offload=no target-scope=10
add dst-address=0.0.0.0/0 gateway=10.124.0.40 routing-table=mullvad
/ip service
set ssh port=2222
/ipv6 firewall address-list
add address=fe80::/16 list=allowed
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=drop chain=input in-interface=ether1 log=yes log-prefix=\
    dropLL_from_public src-address=fe80::/10
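An added example of the one-way isolation described above, written against the interface names and address ranges in the export; it is not the poster's configuration. It assumes the "LAN" interface list (present but empty in the export) is populated with the bridge and both VLAN interfaces, and that no fasttrack rule sits in front of the drop rule. The drop rule is placed after the established/related accept so that replies to connections started from vlan10 or the bridge still reach vlan20_iot, while new connections from vlan20_iot toward any internal interface are dropped:

```routeros
# Added example, not the poster's export.
# Assumption: list "LAN" = bridge plus both VLAN interfaces (empty in the export).
/interface list member
add interface=lan list=LAN
add interface=vlan10 list=LAN
add interface=vlan20_iot list=LAN

/ip firewall filter
# Keep flows that already exist, in either direction. A reply from an IoT host
# to a vlan10 client is "established", so it passes here and never reaches the drop.
add chain=forward action=accept connection-state=established,related,untracked \
    comment="forward: accept established, related, untracked"
add chain=forward action=drop connection-state=invalid \
    comment="forward: drop invalid"
# Isolation rule: new connections entering from vlan20_iot and leaving toward any
# internal interface are dropped. Must precede any accept for internal traffic.
add chain=forward action=drop in-interface=vlan20_iot out-interface-list=LAN \
    comment="isolate vlan20_iot from all other internal networks"
# vlan20_iot may still reach the internet, like every other internal network.
add chain=forward action=accept in-interface-list=LAN out-interface=ether1 \
    comment="internal networks to internet"
# Other internal networks (bridge, vlan10) may initiate toward vlan20_iot.
add chain=forward action=accept in-interface-list=LAN out-interface-list=LAN \
    comment="internal to internal (vlan20_iot already excluded above)"
# Default deny for anything not matched.
add chain=forward action=drop comment="forward: drop everything else"

# Verification: the drop rule's counters only move for packets that ENTER through
# vlan20_iot, so test from a host on 10.0.20.0/24, then look at the counters and
# at the tracked connections from that subnet.
/ip firewall filter print stats where chain=forward
/ip firewall connection print where src-address~"^10\\.0\\.20\\."
```

If the counters stay at zero after a connection attempt from a vlan20_iot host, the traffic is not reaching the forward chain with that in-interface at all, which points at the bridge VLAN table or the client's VLAN membership rather than at the filter rules.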

Your setup is confused.
One bridge, use three vlans.
The subnet you make the bridge use, just change into another vlan, so we are simplifying the config.
For the management subnet, just assign it directly to whatever port is called management; it would appear this is simply a backup off-bridge config access port, which works well. In other words, get rid of the second bridge.

What is at the other end of etherports 2,3,4,5,6,7 (dumb PC, managed switch, something else)?

And which etherport is named management ??

Why do you have three routes for mullvad?
There should only be one?

If not using IPv6, disable it and you can remove all associated lists and firewall rules.

Speaking of which why did you get rid of the default firewall rules???

If going out on wireguard to mullvad you don't need an input chain rule.

Finally, what users or subnets need to go out mullvad for internet? It's not clear.
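An added example of the simplified layout the reply describes (one bridge, every subnet on its own VLAN, the management address directly on the off-bridge port, a single Mullvad route). It is neither the poster's export nor the replier's configuration. Assumptions: ether5, ether6 and ether7 are trunk ports carrying all VLANs tagged; the former untagged bridge subnet 10.0.0.0/24 moves to a hypothetical vlan30; ether8 is the management port; the WireGuard interface keeps the name mullvad-upstream from the export. DHCP servers and firewall rules are left out so the block shows only the structural change.

```routeros
# Added example, not the poster's export. Hypothetical choices: vlan-id 30 for the
# old untagged bridge subnet, ether5-7 as tagged trunks, ether8 as management port.
/interface bridge
add name=lan vlan-filtering=yes
/interface vlan
add interface=lan name=vlan10 vlan-id=10
add interface=lan name=vlan20_iot vlan-id=20
add interface=lan name=vlan30 vlan-id=30 comment="replaces the untagged bridge subnet"
/interface bridge port
add bridge=lan interface=ether5
add bridge=lan interface=ether6
add bridge=lan interface=ether7
# One bridge VLAN entry per VLAN set; the bridge itself ("lan") must be tagged so
# the router's own /interface vlan interfaces receive the frames.
/interface bridge vlan
add bridge=lan tagged=lan,ether5,ether6,ether7 vlan-ids=10,20,30
/interface list member
add interface=ether1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan20_iot list=LAN
add interface=vlan30 list=LAN
/ip address
add address=10.0.10.1/24 interface=vlan10
add address=10.0.20.1/24 interface=vlan20_iot
add address=10.0.0.1/24 interface=vlan30
# Management stays off the bridge: address goes straight onto the port, no
# second bridge needed. This port is the safety net if the VLAN table is wrong.
add address=192.168.88.1/24 interface=ether8 comment="management, off-bridge"
# A single route for the Mullvad table; which subnets use it is decided by
# routing marks, which this fragment does not include.
/routing table
add fib name=mullvad
/ip route
add dst-address=0.0.0.0/0 gateway=mullvad-upstream routing-table=mullvad
```

Apply the bridge VLAN table entries before, or in the same script as, enabling vlan-filtering=yes; with filtering on and an incomplete table, bridge-side access to the router is lost, which is exactly when the off-bridge management port earns its keep.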

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks for the fast reply. For some reason it actually started working.

But yes, the config got a bit messy in the process. Thanks for the feedback, will clean it up. And also bring back the default firewall, a.k.a. block everything and then allow what I need.