Good day, dear friends !
I have a CRS125-24G-1S
I build VLAN based network on it
I need some restrictions between VLANs
but IP → firewall doesn’t work with switched ports
if I try use switch → ACL , I’ve get message :
“Couldn’t add New Switch ACL Rule - policy rules are not supported on this switch chip”
what can I do ? ACL between VLANs very important for me
As the message says ACL policy rules are not supported in CRS125, they are supported only in CRS2xx series.
In CRS125 restrictions can be set in CRS VLAN membership table. http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Unknown.2FInvalid_VLAN_filtering
whether I understand you, that on my switch, I can not make the restrictions, access to specific protocols or TCP / UDP ports?
( such as "VLAN20 can not connect to the VLAN10 at TCP / 23, but can at TCP / 80 " )
Typically, it is not possible at OSI Layer2 level because there VLANs are intended for isolation. Switch ACL rules do not seem to be suitable in this case either.
For connection between VLANs you should configure interVLAN routing and then you will be able to use “/ip firewall filter” to set your mentioned restrictions between VLAN subnets.
can you give me example of interVLAN routing please ?
Here is the link to an example how to configure interVLAN routing within one device - CRS switch: http://wiki.mikrotik.com/wiki/Manual:CRS_examples#InterVLAN_Routing
It will allow using “/ip firewall filter” in the same CRS switch between specified IP subnets.
As per Qualcomm :
QCA8513L switch chipset which is inside CRS125 offers “rich managed Layer 2/Layer 3 (L2/L3) features” and “multi-stage ACL engine” . Indeed I could not find anywhere on net the datasheet of this chipset after 2 years of this announcement which is a little bit strange. Is like they want to hide something, but also is hard to believe that above statements are lies.
In the implementation of the switch functionality in RouterOS there is no L3 feature available. Is like this chipset is a pure L2 switch.
The questions is : This chipset does not support any L3 feature, and this Qualcomm marketing is not true, or these functionality is not yet implemented in Router OS for any reason (maybe very dificult to implement)