Firewall rules to separate some vLANs

Hi,
I’ve been using MikroTik devices for several years now, mostly with routed and unrouted VLANs and basic switching.
For some reasons I want to implement a firewall to separate some vLANs from the others.

In my setup I have a transfer VLAN that is connected to my HA pfSense boxes (in the future I will replace them, but the transfer VLAN should stay).
The central part of my LAN consists of two CRS317 which are configured redundantly with VRRP, and they are responsible for most internal routing.
In preparation for decommissioning my pfSense I plan to put 2 networks, which are internally handled by pfSense, as VLANs on my MikroTik network. These should be separated from my other VLANs but should also be accessible by others.

I’m glad I have some spare hEX PoE where I could set up a routing environment similar to my production one, so I can test almost everything before trying it in production.
I have some experience with pfSense and Sophos SG/XG, but I don’t get it using MikroTik filters.
I read some things about firewalling, mostly inspired by http://forum.mikrotik.com/t/inter-vlan-routing-and-default-firewall/146841/1 and http://forum.mikrotik.com/t/best-practice-firewall-inter-vlan-routing/139923/1, and thought this could not be that hard.

So for testing I set up two hEX PoE and configured them with the needed vLANs, DHCP and VRRP to mostly match my production. I set up some lists and filter rules, but they don’t work as expected.


my testing config looks like this:

/interface bridge
add name=bridge priority=0x1000 vlan-filtering=yes

/interface vlan
add interface=bridge name=vlan1-Default vlan-id=1
add interface=bridge name=vlan2-Schild vlan-id=2
add interface=bridge name=vlan3-Mama vlan-id=3
add interface=bridge name=vlan4-Gast vlan-id=4
add interface=bridge name=vlan5-SmartHome vlan-id=5
add interface=bridge name=vlan9-Transfer vlan-id=9

/interface vrrp
add interface=vlan1-Default name=vrrp101 priority=150
add interface=vlan2-Schild name=vrrp102 priority=150
add interface=vlan3-Mama name=vrrp103 priority=150
add interface=vlan4-Gast name=vrrp104 priority=150
add interface=vlan5-SmartHome name=vrrp105 priority=150
add interface=vlan9-Transfer name=vrrp109 priority=150

/interface list
add name=LAN
add name=WAN
add name=Schild
add name=Gast
add name=Mama

/ip pool
add name=dhcp_pool1 ranges=192.168.13.1-192.168.13.253
add name=dhcp_pool2 ranges=192.168.20.1-192.168.20.253
add name=dhcp_pool3 ranges=192.168.30.1-192.168.30.253
add name=dhcp_pool4 ranges=192.168.40.1-192.168.40.253
add name=dhcp_pool5 ranges=192.168.50.1-192.168.50.253

/ip dhcp-server
add address-pool=dhcp_pool1 interface=vrrp101 name=dhcp1
add address-pool=dhcp_pool2 interface=vrrp102 name=dhcp2
add address-pool=dhcp_pool3 interface=vrrp103 name=dhcp3
add address-pool=dhcp_pool4 interface=vrrp104 name=dhcp4
add address-pool=dhcp_pool5 interface=vrrp105 name=dhcp5

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=sfp1

/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=1
add bridge=bridge tagged=bridge,sfp1 vlan-ids=2
add bridge=bridge tagged=bridge,sfp1 vlan-ids=3
add bridge=bridge tagged=bridge,sfp1 vlan-ids=4
add bridge=bridge tagged=bridge,sfp1 vlan-ids=5
add bridge=bridge tagged=bridge,sfp1 vlan-ids=9

/interface list member
add interface=vlan1-Default list=LAN
add interface=vlan2-Schild list=LAN
add interface=vlan3-Mama list=LAN
add interface=vlan4-Gast list=LAN
add interface=vlan5-SmartHome list=LAN
add interface=vlan1-Default list=Schild
add interface=vlan2-Schild list=Schild
add interface=vlan3-Mama list=Mama
add interface=vlan4-Gast list=Gast
add interface=vlan9-Transfer list=WAN

/ip address
add address=192.168.13.61/24 interface=vlan1-Default network=192.168.13.0
add address=192.168.20.61/24 interface=vlan2-Schild network=192.168.20.0
add address=192.168.30.61/24 interface=vlan3-Mama network=192.168.30.0
add address=192.168.40.61/24 interface=vlan4-Gast network=192.168.40.0
add address=192.168.50.61/24 interface=vlan5-SmartHome network=192.168.50.0
add address=192.168.13.254 interface=vrrp101 network=192.168.13.0
add address=192.168.20.254 interface=vrrp102 network=192.168.20.0
add address=192.168.30.254 interface=vrrp103 network=192.168.30.0
add address=192.168.40.254 interface=vrrp104 network=192.168.40.0
add address=192.168.50.254 interface=vrrp105 network=192.168.50.0
add address=192.168.90.254 interface=vrrp109 network=192.168.90.0
add address=192.168.90.61/24 interface=vlan9-Transfer network=192.168.90.0

/ip dhcp-server network
add address=192.168.13.0/24 dns-server=192.168.13.254 gateway=192.168.13.254
add address=192.168.20.0/24 dns-server=192.168.20.254 gateway=192.168.20.254
add address=192.168.30.0/24 dns-server=192.168.30.254 gateway=192.168.30.254
add address=192.168.40.0/24 dns-server=192.168.40.254 gateway=192.168.40.254
add address=192.168.50.0/24 dns-server=192.168.50.254 gateway=192.168.50.254

/ip firewall filter
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="(DEBUG) Accept DHCP request on LAN interfaces" dst-port=67 in-interface-list=LAN protocol=udp src-port=68
add action=accept chain=input comment="(DEBUG) Accept DNS request (UDP) on LAN interfaces" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="(DEBUG) Accept DNS request (TCP) on LAN interfaces" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="(DEBUG) Accept NTP request (UDP) on LAN interfaces" dst-port=123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="(DEBUG) Accept NTP request (TCP) on LAN interfaces" dst-port=123 in-interface-list=LAN protocol=tcp
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface-list=Schild log=yes out-interface-list=Mama
add action=drop chain=forward comment="Drop All Else" disabled=yes
add action=drop chain=input comment="drop all not coming from LAN" disabled=yes in-interface-list=!Schild protocol=tcp

The second hEX PoE is configured identically, except for filter rules, IPs, STP and VRRP priority.
As a test I put some interfaces in different vLANs and tried to ping the second hEX on its vLAN interfaces, so that the packets should go through the gateway.
I can ping from each vLAN to each vLAN. I don’t see any filter being used, as the counters don’t increase, but when I enable the forward block rule everything gets blocked.

I cannot find my mistake.

(1) DON’T make vlan1 some sort of data vlan, it doesn’t need defining as you have done, it sits in the background used by the router.
VLAN1 seems to be your HOME LAN, so make it vlan11 and all is good!

(2) Your input and forward chain rules are intermingled, making it more difficult than necessary to read…

(3) Bridge port settings are incorrect, unless you are saying they are all trunk ports going to smart devices??
Suggest reading: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

(4) Not the complete config so not much more to say…

+++++++++++++++++++++++++++++++++++

In terms of firewall rules, see the below and stick in additional admin rules where needed (answers the question what traffic flows are permitted; the rules block everything else). Get rid of most of the junk extra rules you created.

/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

(admin rules)
add action=accept chain=input comment="Allow admin devices" src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS/NTP-UDP" dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
***** Place any other needed flow rules here *****
add action=drop chain=input comment="drop all else"

{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=accept chain=forward in-interface-list=Schild log=yes out-interface-list=Mama

********* Place any other needed flow rules here *********
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Where firewall address list Authorized consists of static leases or assigned IPs:
/ip firewall address-list
add address=IP_address1 list=Authorized comment="Admin Desktop"
add address=IP_address2 list=Authorized comment="Admin Laptop"
add address=IP_address3 list=Authorized comment="Admin Smartphone"
add address=IP_address4 list=Authorized comment="Admin remote vpn connection, if any"

REALLY???

Maybe the OP is coming from the CrISco world… :stuck_out_tongue:

Thank you for the detailed answer, I will just answer your comments.

(1) would be very hard for me to address, as I would have to reconfigure a lot of things. I use vlan1 for my networking devices and the homelab servers.

(2) sorry that it was not sorted

(3) Could you be a bit more precise? In my opinion I’m adding all ports to the bridge, and I only have one port (sfp1) which uses tagged VLANs, because for testing it is the uplink to the second hEX PoE.

(4) That is almost the complete config; some information is not there, like DNS server or routing, as this is for testing and I don’t have a physical uplink to anything else. I’m trying to get some VLANs separated from each other.

I got this from a guide which told me to configure it like this, everything seems to be working, so what’s wrong here?

What guide?
VLAN id 1 is a bad choice.

It was a guide on a well-known German site, as I’m a native German speaker.
https://administrator.de/tutorial/mikrotik-vlan-konfiguration-ab-routeros-version-6-41-367186.html

But why is vlan1 a bad choice? My IoT devices, clients and so on are on different vLANs. All ports where no vlan1 device is connected are assigned a different pvid.

There is little to explain.
It’s like using 192.168.88.0/15 as your LAN network.
We say it’s wrong and that’s it without having to explain what Private IPs are…

OK, I get it, but is that the reason why my firewall rules do not work? That is what I was asking about.

It’s a concept problem, and not just mine: if there’s an error, I stop there.
If a serious error is already evident from the beginning, for those of us who have this problem everything else is completely useless to check,
also because we would still have to consider how the error interacts with the rest, and for us it doesn’t make sense.

OK, I understand that from MikroTik’s point of view vlan1 is a bad choice, which I cannot understand from a configuration point of view.
As a professional I have configured network equipment from a lot of vendors (mostly H3C, HP ProCurve, Aruba CX) and I have never heard that the usage of vlan1 is “prohibited”.

Only as a theoretical question: if I set up my testing environment without the use of vlan1, would you provide help to me?

Using vlan1 (and other numbers, like 0, etc.) is to be avoided in general, not only on MikroTik products.

From the question you asked, let me clarify this:
This is the users forum, not an official support forum (it doesn’t exist).
Official support is only via mail support@mikrotik.com.
Before contacting support, which only responds to bugs, not help with setup, you need to contact your reseller/dealer, who is the one that must provide you support.

Having specified this,
this is a user forum, so anyone, if they want to, and if they have the time and means to help… helps,
so you are free to change the vlan1 or not, and if someone is able to provide free help, they will.

Meow, don’t use vlan1, meow, don’t be a fool, meow!!

Cisco related post:
https://timigate.com/2017/12/native-vlan-why-you-should-not-use-vlan.html#:~:text=Since%20the%20Native%20Vlan%20is,that%20are%20sent%20between%20Vlans.

As said, it’s not only bad on Mikrotik.

The problem is not the user on the forum, but the one who publishes these guides (which I won’t start translating now, as it is in German),
who doesn’t know what he’s doing…
https://administrator.de/tutorial/mikrotik-vlan-konfiguration-ab-routeros-version-6-41-367186.html

Google Translate does an almost perfect job there.
I understand quite a bit of German, but for IT stuff I prefer English a lot more.