Inter-VLAN routing (unable to reach clients from VLAN)

Hello guys,

I was playing with some VLANs on my router as I intend to transfer everything to a new router and remove one of the switches. For this I’d need a few separate VLANs - main VLAN, surveillance, IoT, etc.

I followed the main topic for VLAN setups and also dug a lot into the documentation. Currently I’m testing a simple configuration (no trunk ports) on one of my side devices used for testing and I was able to set up 3 VLANs with DHCP servers and everything else. Blocking of internet for separate VLANs works in the forward chain and everything seems to be ok there. However I’d like to have full access from the base VLAN to all of the others and access blocked from them to the base VLAN, and here I have a problem. I’ve tried a lot of different things and it seems that I cannot ping from a machine in one VLAN to one on the other. It does not even work without any firewall rules.

Here is the current configuration - it is really simple and I’m using a DHCP client just for internet tests. I’ll expand this upon transferring to the main router, but first I’d like to figure out how to properly separate the network. Would be great if someone could lend a hand.

# model = RB760iGS
# NOTE(review): export from the test device. The missing serial number and
# the truncated "Europe/" time zone below are the poster's redactions.

/interface bridge
# admit-only-vlan-tagged on the bridge itself: later in the thread this was
# reverted to the default (admit-all) and found NOT to be the cause of the
# ping failure (the Windows host firewall was).
add frame-types=admit-only-vlan-tagged name=Main_Bridge protocol-mode=none \
    vlan-filtering=yes
/interface vlan
# One L3 VLAN interface per VLAN on the bridge; 99 is the base/management VLAN.
add interface=Main_Bridge name=BaseVlan vlan-id=99
add interface=Main_Bridge name=Vlan10 vlan-id=10
add interface=Main_Bridge name=Vlan20 vlan-id=20
/interface list
# BASE and LAN are defined and populated below but no firewall rule in this
# export references them; only WAN and VLAN are actually used by the filter.
add name=WAN
add name=VLAN
add name=BASE
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool_base ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool_vlan10 ranges=10.0.10.2-10.0.10.254
add name=dhcp_pool_vlan20 ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
# One DHCP server bound to each VLAN interface.
add address-pool=dhcp_pool_base interface=BaseVlan name=dhcp_base
add address-pool=dhcp_pool_vlan10 interface=Vlan10 name=dhcp_vlan10
add address-pool=dhcp_pool_vlan20 interface=Vlan20 name=dhcp_vlan20
/port
set 0 name=serial0
/interface bridge port
# Access ports only (no trunk): untagged ingress is placed in the port's pvid
# and tagged frames are rejected on these ports.
add bridge=Main_Bridge comment=Base_Vlan frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=99
add bridge=Main_Bridge comment=Vlan_10 frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=Main_Bridge comment=Vlan_20 frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
/interface bridge vlan
# Only the bridge (CPU side) is listed as tagged; the access ports are not
# listed as untagged members here (a later reply suggests adding untagged=
# so the table can be cross-checked against /interface bridge port).
add bridge=Main_Bridge tagged=Main_Bridge vlan-ids=99
add bridge=Main_Bridge tagged=Main_Bridge vlan-ids=10
add bridge=Main_Bridge tagged=Main_Bridge vlan-ids=20
/interface list member
add comment=ISP_Interface_List interface=ether1 list=WAN
add comment=VLAN_List interface=Vlan10 list=VLAN
add interface=Vlan20 list=VLAN
# BaseVlan is a member of both BASE and VLAN, so every rule matching the VLAN
# list (input drop, forward accept) also applies to the base VLAN.
add comment=MGMT_List interface=BaseVlan list=BASE
add interface=BaseVlan list=VLAN
# ether5 is only in LAN, which no rule uses; the input rule matches ether5 by name.
add interface=ether5 list=LAN
/ip address
# Emergency-access address on ether5, currently disabled.
add address=192.168.0.200/24 disabled=yes interface=ether5 network=\
    192.168.0.0
add address=192.168.2.1/24 interface=BaseVlan network=192.168.2.0
add address=10.0.10.1/24 interface=Vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=Vlan20 network=10.0.20.0
/ip cloud
set update-time=no
/ip dhcp-client
# ether1 is the (test) WAN, addressed via DHCP from the main router.
add interface=ether1
/ip dhcp-server network
# All three networks hand out the router's base-VLAN address as resolver; as
# it is a router-owned address those queries are handled by the input chain.
add address=10.0.10.0/24 dns-server=192.168.2.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.2.1 gateway=10.0.20.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
/ip dns
# The router answers DNS for clients. The input-chain "drop all not coming
# from VLAN" rule below is what keeps it from also answering on ether1 (WAN).
set allow-remote-requests=yes
/ip firewall address-list
# Leftover from testing; no filter rule references Base or vlan20.
add address=192.168.2.0/24 list=Base
add address=10.0.20.0/24 list=vlan20
/ip firewall filter
# ---- input (traffic to the router itself) ----
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment=" drop invalid" connection-state=invalid
# ICMP to the router is accepted from ANY interface, WAN included, because this
# rule sits before the !VLAN drop.
add action=accept chain=input comment="accept ICMP" protocol=icmp
# Unconditional management access on the emergency port.
add action=accept chain=input comment="Accept ether5 for backup" \
    in-interface=ether5
# Everything else to the router (incl. WAN) is dropped. All three VLANs are in
# the VLAN list, so each of them reaches every router service (Winbox, DNS, ...).
add action=drop chain=input comment="drop all not coming from VLAN" \
    in-interface-list=!VLAN
# ---- forward (traffic routed between interfaces) ----
# Accepts every NEW connection from any VLAN-list interface to ANY destination:
# Vlan10/Vlan20 -> BaseVlan and -> WAN included. This contradicts the stated
# goal (only base may reach the other VLANs). log=yes logs each new flow.
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
    connection-state=new in-interface-list=VLAN log=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
# Ordering defect: established/related packets are already accepted by the
# rule above, so this fasttrack rule never matches. defconf places fasttrack
# BEFORE the generic accept (the poster's later export fixes this).
add action=fasttrack-connection chain=forward comment=" fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment=" drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# No terminal drop: forward traffic not matched above (e.g. from ether5) is
# passed by RouterOS's default accept policy for the chain.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=Europe/
/system note
set show-at-login=no

The easy way to do this is to modify the concept of the default firewall setup, which is “allow everything, block a few things”, to “block everything and allow only needed traffic”.

Hence this ( and in the right order ) :

(default rules to keep in the right order)
add action=fasttrack-connection chain=forward comment=" fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=" drop invalid" connection-state=invalid

(user rules for allowed traffic)
add action=accept chain=forward comment="internet" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Base Access" in-interface=BaseVlan out-interface-list=VLAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"

What I found confusing is your comment on VLANs not getting internet.
Your config didn’t block any LAN to WAN traffic; it only blocked WAN to LAN traffic not involved in port forwarding.
The config provided allows all VLANs to access the internet, but not ether5, since it is not on the interface list VLAN.
The config provided blocks VLANs from each other, and so the rule allowing base to the other VLANs was added.

Hello anav,

Thanks for the support. Unfortunately it seems that this is also not working. I can ping the gateway of the VLAN, for example 10.0.10.1 is reachable, but the client at 10.0.10.253, let’s say, is giving request timed out. I’ve tried also only with the rules provided by you but the result is still the same. With no FW rules it behaves the same, which is a bit strange.

As for ether5, it is a port that I just left for emergency access if something goes wrong. In the shared config I was not blocking internet access. I’d just drop in the forward chain the traffic from a specific VLAN to the WAN list and it works, but I cannot reach any device from one VLAN to the other.

I’ve tried different modifications; you didn’t mention anything for the input chain, so at the moment it is the same and the forward chain was modified:

/ip firewall filter
# ---- input (unchanged from the first export) ----
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment=" drop invalid" connection-state=invalid
# ICMP to the router is accepted from ANY interface, WAN included, because this
# rule sits before the !VLAN drop.
add action=accept chain=input comment="accept ICMP" protocol=icmp
# Unconditional management access on the emergency/backup port.
add action=accept chain=input comment="Accept ether5 for backup" \
    in-interface=ether5
# Everything else to the router (incl. WAN) is dropped; every VLAN-list
# interface (base included) still reaches all router services by IP.
add action=drop chain=input comment="drop all not coming from VLAN" \
    in-interface-list=!VLAN
# ---- forward: now "drop by default, allow what is listed" ----
# fasttrack is placed BEFORE the generic accept, which is the defconf order.
add action=fasttrack-connection chain=forward comment=" fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=" drop invalid" connection-state=\
    invalid
# The VLAN list includes BaseVlan, so all three VLANs get internet.
add action=accept chain=forward comment=internet in-interface-list=VLAN \
    out-interface-list=WAN
# base -> any VLAN is accepted; replies return via established/related.
# The reverse direction (Vlan10/Vlan20 -> base) has no accept and hits the drop.
add action=accept chain=forward comment="Base Access" in-interface=BaseVlan \
    out-interface-list=VLAN
# Only traffic that already matched a dst-nat rule (a port forward) may enter.
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
# Terminal drop: everything not accepted above, including inter-VLAN traffic
# from Vlan10/Vlan20 and new WAN -> LAN flows that were not dst-natted.
add action=drop chain=forward comment="Drop all else"

I also have a question about the purpose of this one rule:

# Accepts only traffic that already matched a dst-nat rule (a port forward);
# the mirror image of defconf's "drop all from WAN not DSTNATed".
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat

I guess this would just have the opposite effect of the drop-not-dstnat rule in the defconf: “accept only dstnat” instead of “drop everything !dstnat”?

Your firewall rules seem fine and yes, the rule does exactly that.
Remember we modify the default rule into three rules and thus change the concept of
allow everything except wan to lan traffic without dst nat rules
TO
block everything and only allow traffic we specifically state is permitted
aka lan to WAN
aka incoming dstnat traffic ( aka dst nat rules exist for the identified ports in the dstnat rules ).

The problems are elsewhere in your config then,
Please post FULL CONFIG
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc… )

Yes, this is what I thought about from yesterday, as I was not able to reach anything no matter what I did. I even checked the Windows firewall to see if it would cause some problems, but it seems that it’s not the issue.

The configuration hasn’t changed a lot from the first export (it was a full export). I started this from a reset-with-no-config state and am just trying to play some scenarios with the bare minimum before even considering moving the configuration to the main router, as there I have VPN, WAN failover, some scripting, etc.

Here is the current config export that I’m testing with the modified firewall rules. It is using a DHCP client to my main router at the moment, so no public WAN IP:

# model = RB760iGS
# NOTE(review): second full export from the test device with the forward chain
# rewritten as "drop by default". "Europe/XX" is the poster's redaction.

/interface bridge
# admit-only-vlan-tagged was later reverted to the default and found not to
# be the cause of the ping failure (the Windows host firewall was).
add frame-types=admit-only-vlan-tagged name=Main_Bridge protocol-mode=none \
    vlan-filtering=yes
/interface vlan
add interface=Main_Bridge name=BaseVlan vlan-id=99
add interface=Main_Bridge name=Vlan10 vlan-id=10
add interface=Main_Bridge name=Vlan20 vlan-id=20
/interface list
# BASE and BackUp are populated below but no filter rule in this export uses
# them; only WAN and VLAN are referenced.
add name=WAN
add name=VLAN
add name=BASE
add name=BackUp
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool_base ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool_vlan10 ranges=10.0.10.2-10.0.10.254
add name=dhcp_pool_vlan20 ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=dhcp_pool_base interface=BaseVlan name=dhcp_base
add address-pool=dhcp_pool_vlan10 interface=Vlan10 name=dhcp_vlan10
add address-pool=dhcp_pool_vlan20 interface=Vlan20 name=dhcp_vlan20
/port
set 0 name=serial0
/interface bridge port
# Access ports only: untagged ingress goes to the pvid, tagged frames rejected.
add bridge=Main_Bridge comment=Base_Vlan frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=99
add bridge=Main_Bridge comment=Vlan_10 frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=Main_Bridge comment=Vlan_20 frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
/interface bridge vlan
# Only the bridge (CPU side) is listed as tagged; access ports are not listed
# as untagged members here.
add bridge=Main_Bridge tagged=Main_Bridge vlan-ids=99
add bridge=Main_Bridge tagged=Main_Bridge vlan-ids=10
add bridge=Main_Bridge tagged=Main_Bridge vlan-ids=20
/interface list member
add comment=ISP_Interface_List interface=ether1 list=WAN
add comment=VLAN_List interface=Vlan10 list=VLAN
add interface=Vlan20 list=VLAN
# BaseVlan is in both BASE and VLAN, so VLAN-list rules apply to base as well.
add comment=MGMT_List interface=BaseVlan list=BASE
add interface=BaseVlan list=VLAN
# ether5 is in neither VLAN nor WAN; with the terminal forward drop below it
# cannot be routed anywhere (its address is disabled anyway).
add interface=ether5 list=BackUp
/ip address
add address=192.168.0.200/24 disabled=yes interface=ether5 network=\
    192.168.0.0
add address=192.168.2.1/24 interface=BaseVlan network=192.168.2.0
add address=10.0.10.1/24 interface=Vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=Vlan20 network=10.0.20.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
# All networks point clients at the router's base-VLAN address for DNS; as a
# router-owned address it is reached via the input chain, not forward.
add address=10.0.10.0/24 dns-server=192.168.2.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.2.1 gateway=10.0.20.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
/ip dns
# Router resolves for clients; the input "drop all not coming from VLAN" rule
# is what prevents it from answering on ether1 (WAN).
set allow-remote-requests=yes
/ip firewall address-list
# Leftover from testing; unreferenced by any rule.
add address=192.168.2.0/24 list=Base
add address=10.0.20.0/24 list=vlan20
/ip firewall filter
# ---- input ----
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment=" drop invalid" connection-state=invalid
# Accepted from any interface, WAN included (placed before the !VLAN drop).
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept ether5 for backup" \
    in-interface=ether5
# Every VLAN-list interface reaches all router services by IP; WAN is dropped.
add action=drop chain=input comment="drop all not coming from VLAN" \
    in-interface-list=!VLAN
# ---- forward: default-deny with explicit allows ----
# fasttrack before the generic accept (defconf order, fixed vs. first export).
add action=fasttrack-connection chain=forward comment=" fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=" drop invalid" connection-state=\
    invalid
# VLAN list includes BaseVlan: all three VLANs get internet.
add action=accept chain=forward comment=internet in-interface-list=VLAN \
    out-interface-list=WAN
# base -> any VLAN accepted and logged per new flow; Vlan10/Vlan20 -> base has
# no accept and falls through to "Drop all else".
add action=accept chain=forward comment="Base Access" in-interface=BaseVlan \
    log=yes out-interface-list=VLAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
# Terminal drop for everything not accepted above.
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=Europe/XX
/system note
set show-at-login=no

The address list is a leftover from some testing; it isn’t used anywhere at the moment.

/ip firewall address-list
# Leftover from testing; no filter rule references Base or vlan20.
add address=192.168.2.0/24 list=Base
add address=10.0.20.0/24 list=vlan20
  1. Who told you to put only vlan tagged on the bridge settings… mostly you just need to enable vlan filtering only???
    Remove it!!! This is your issue.

/interface bridge
add frame-types=admit-only-vlan-tagged name=Main_Bridge protocol-mode=none
vlan-filtering=yes



2. Personal preference I like to put in the untagged ports in my configs… and easy to cross check with bridge ports
/interface bridge vlan
# Explicit untagged= members mirror the pvid of each access port, so this
# table can be cross-checked line by line against /interface bridge port.
add bridge=Main_Bridge tagged=Main_Bridge untagged=ether2 vlan-ids=99
add bridge=Main_Bridge tagged=Main_Bridge untagged=ether3 vlan-ids=10
add bridge=Main_Bridge tagged=Main_Bridge untagged=ether4 vlan-ids=20

(3) No need to create a firewall address list for subnets especially as you can identify them already in two different ways.
a. dst or source address to the subnet itself example dst or src -address=192.168.2.0/24
b. in-or out-interface=BaseVlan

Ok, this came from the MikroTik documentation, and it was pointed out as a way to deal with the dynamic VLAN 1 that gets created. So I guess I left it in during the initial testing yesterday. However, I’ve just reverted to admit-all and there seems to be no effect. Still getting Request timed out while trying to ping a machine in vlan10 from the base VLAN.

Just checked in the log that indeed when a ping is initiated it logs in and out interface list correctly and points to the right IP addresses, but no response.

Yes admit all is the default.
Other than that missing the issue.
Did you try a reboot of the router after making those changes??

If after a reboot still no joy try adding this rule to the forward chain above the drop all rule.
# Diagnostic accept matched by subnet rather than interface (base -> vlan10);
# it only takes effect if placed above the terminal "Drop all else" rule.
add chain=forward action=accept src-address=192.168.2.0/24 dst-address=10.0.10.0/24

Just tried a reboot, unfortunately no luck there. Adding the rule didn’t help either. The only reply comes from the gateway at 10.0.10.1 and the base one at 192.168.2.1. Maybe it would be a good idea to try a reset again and set up from scratch and see if I’d have any luck. Could it be that there is a change in how the bridge VLANs are handled in the recent versions of RouterOS?

Yes, I am all out of ideas, there is no logical reason I see that its not working.
I would try two things myself personally first, grasping at silly straws…

a. change dns servers such that it looks like
/ip dhcp-server network
# Each VLAN's clients are pointed at their own gateway address for DNS instead
# of the base-VLAN address; all three are router-owned addresses.
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1

and then give it a whirl, and finally if no joy.
b. try changing the dns rule to
/ip dns
# Router keeps resolving for clients and forwards to 1.1.1.1 upstream.
set allow-remote-requests=yes servers=1.1.1.1

QUESTION: Have you actually tried reaching a vlan10 device, instead of just pinging??

Keep in mind that certain OSes (most notably Windows, some Linux distros as well) include firewall with pretty restrictive settings. Those don’t allow any incoming connections (pinging included) from outside own IP subnet … and other VLANs are outside own subnet.

A little update from me. As mkx pointed out, and I had some suspicions about this, it turns out that indeed the Windows firewall was the one to blame. It does block ICMP from a different subnet. By default, the ICMP rule on all public/private network profiles accepts only requests from its own subnet. I only needed to add the remote addresses 10.0.0.0/8 and 192.168.0.0/16 and it worked.

For whoever may stumble upon this topic I’ll post the screenshot of the firewall rule modification. It would be relevant for private/public/domain depending on which one you’re currently using.

Thanks for the support, guys, I’ll continue with the customization and upon transferring the configuration to the main router I’ll post the config. It would be a bit more complicated there (failover, vpn, scripting) I hope everything would go smoothly but it will be great to have someone else also look at the final config.

Using the Bridge “Admit only tagged” seems relevant and does not block the connection in the given configuration. Just tried it.

Hence why I asked if you had actually tried to reach a device, not just pinging… ( in post #10 )

Yup, when you asked I thought about it but couldn’t test it yesterday. I tried SMB but I’m not sure if the case with the firewall isn’t the same there.

All good, now we both know we are not going insane :slight_smile: ( in my case more insane )

So today I tried to transfer the whole config to the main router and had mixed results. I think the majority of the setup is working correctly, but I still have some issues with properly restricting the separate VLANs. I guess the problem is again in the firewall - I tried a bit different approach (modifying the default one and dropping everything else in VLAN). Currently there are 4 VLANs:

  1. Base - Full access to everything and all VLANs
  2. vlan10 - Restricted (no internet and no access to winbox, etc. allow dhcp)
  3. vlan 20 - Internet access only, no access to any of the other VLANs
  4. vlan 30 - Internet access only, no access to any of the other VLANs

Till now I had success with separating the networks with the posted config. However, using /tool mac-server mac-winbox set allowed-interface-list=BaseVLAN does not seem to limit the access to the specified list. I can access from all VLANs. Also all gateways are reachable from all VLANs (I guess this is normal?), i.e. I can reach 10.0.10.1 from 10.0.20.10 even when access to 10.0.10.2 seems not to be there.

# model = RB5009UG+S+
# NOTE(review): main-router export. xxxx / x.x.x.x / XXX / DNS1,DNS2 are the
# poster's redactions. The /tool mac-server settings discussed in the post
# are not part of this export.

/interface bridge
add comment="Main Bridge Interface" name=MainBridge protocol-mode=none \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
/interface wireguard
# listen-port is redacted here, while the input rule further down accepts
# udp/13231 (the RouterOS default); the two must agree.
add listen-port=xxxx mtu=1420 name=wireguard1
/interface vlan
add interface=MainBridge name=BaseVlan vlan-id=99
add interface=MainBridge name=vlan10 vlan-id=10
add interface=MainBridge name=vlan20 vlan-id=20
add interface=MainBridge name=vlan30 vlan-id=30
/interface list
# BaseVLAN (capital L) is an interface LIST; BaseVlan is the VLAN interface.
# Neither BaseVLAN nor "VLAN-Internet Only" is referenced by any filter rule
# in this export.
add comment="WAN List" name=WAN
add comment="Full VLAN List" name=VLAN
add name=BaseVLAN
add comment="Fully Restricted List" name=VLAN-Restricted
add comment="Management Restricted" name="VLAN-Internet Only"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_base ranges=192.168.0.21-192.168.0.60
add name=dhcp_pool_vlan10 ranges=10.0.10.2-10.0.10.254
add name=dhcp_pool_vlan20 ranges=10.0.20.2-10.0.20.254
add name=dhcp_pool_vlan30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=dhcp_pool_base interface=BaseVlan lease-time=10m name=\
    base_dhcp
add address-pool=dhcp_pool_vlan10 interface=vlan10 lease-time=10m name=\
    vlan10_dhcp
add address-pool=dhcp_pool_vlan20 interface=vlan20 name=vlan20_dhcp
add address-pool=dhcp_pool_vlan30 interface=vlan30 name=vlan30_dhcp
/ppp profile
# on-up references a script (update-ppoe-route) that is not in this export.
add change-tcp-mss=yes name=my-ppoe on-up=update-ppoe-route
/interface pppoe-client
add disabled=no interface=ether1-WAN1 name=pppoe-out1 profile=xxx user=\
    xxx
/interface bridge port
# Access ports only (no trunk): untagged ingress -> pvid, tagged frames rejected.
add bridge=MainBridge comment=BaseVLAN frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=99
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=99
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=99
add bridge=MainBridge comment=SurvVLAN frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=10
add bridge=MainBridge comment=WorkVLAN frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 pvid=20
add bridge=MainBridge comment=FloorVLAN frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether8 pvid=30
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=10
/ip neighbor discovery-settings
# Neighbor discovery answers on every VLAN-list interface, including
# wireguard1 and the "restricted" vlan10; narrow this to the management VLAN
# if those networks are not meant to learn about the router.
set discover-interface-list=VLAN
/interface bridge vlan
add bridge=MainBridge tagged=MainBridge vlan-ids=99
add bridge=MainBridge tagged=MainBridge vlan-ids=10
add bridge=MainBridge tagged=MainBridge vlan-ids=20
add bridge=MainBridge tagged=MainBridge vlan-ids=30
/interface list member
add interface=pppoe-out1 list=WAN
add interface=ether2-WAN2 list=WAN
# wireguard1 is a VLAN-list member, so every rule matching in-/out-interface-
# list=VLAN (input access, internet, base full access) treats the tunnel like
# an internal VLAN.
add interface=wireguard1 list=VLAN
add comment="Full VLAN List" interface=BaseVlan list=VLAN
add comment="Full Access List" interface=BaseVlan list=BaseVLAN
add interface=vlan10 list=VLAN
add interface=vlan20 list=VLAN
add interface=vlan30 list=VLAN
add comment="Fully Restricted List" interface=vlan10 list=VLAN-Restricted
add comment="WAN Interfaces" interface=ether1-WAN1 list=WAN
add interface=vlan30 list="VLAN-Internet Only"
add comment="Internet Only List" interface=vlan20 list="VLAN-Internet Only"
/interface wireguard peers
add allowed-address=x.x.x.x/32 interface=wireguard1 public-key=\
    "XXX"
/ip address
add address=192.168.0.1/24 interface=BaseVlan network=192.168.0.0
add address=192.168.1.2/24 interface=ether2-WAN2 network=192.168.1.0
add address=x.x.x.x/24 interface=wireguard1 network=x.x.x.0
# Likely a typo for /24: 10.0.0.0/16 on vlan10 overlaps the vlan20 and vlan30
# subnets below and disagrees with the 10.0.10.0/24 dhcp-server network.
add address=10.0.10.1/16 interface=vlan10 network=10.0.0.0
add address=10.0.20.1/24 interface=vlan20 network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30 network=10.0.30.0
/ip cloud
set update-time=no
/ip dhcp-client
# DHCP client on the same physical port the PPPoE client runs over.
add comment=defconf interface=ether1-WAN1
/ip dhcp-server lease
# Placeholder left by the poster; not valid export syntax as written.
Some predefined Leases
/ip dhcp-server network
# All VLANs use the router's base-VLAN address as resolver (input chain).
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=192.168.0.1 gateway=10.0.30.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=DNS1,DNS2
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
# ---- input ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# VPN endpoint: accepted from any interface (WAN included, as intended).
add action=accept chain=input comment="allow WireGuard" dst-port=13231 log=\
    yes log-prefix=Wireguard protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# The only restriction on router services: every VLAN-list interface (all
# four VLANs and wireguard1) reaches Winbox/SSH/DNS/etc. by IP, which
# presumably explains Winbox being reachable from every VLAN regardless of
# the mac-server interface list.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!VLAN
# ---- forward ----
# Disabled leftover (the poster later confirms it is irrelevant); if kept it
# belongs after the defconf rules rather than first.
add action=drop chain=forward comment=NVR disabled=yes dst-address=\
    !192.168.100.2 log=yes log-prefix=NVR src-address=192.168.0.26
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# fasttrack before the generic accept: correct defconf order.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# vlan10 (VLAN-Restricted) -> WAN is dropped BEFORE the generic VLAN -> WAN accept.
add action=drop chain=forward comment="Restrict Internet Access" \
    in-interface-list=VLAN-Restricted out-interface-list=WAN
# VLAN list includes wireguard1, so tunnel peers also reach the internet here.
add action=accept chain=forward comment="Allow Internet Access" \
    in-interface-list=VLAN out-interface-list=WAN
# base -> every VLAN-list interface (vlan10/20/30 and wireguard1).
add action=accept chain=forward comment="Allow BaseVlan Full Access" \
    in-interface=BaseVlan out-interface-list=VLAN
# Remote WireGuard peers reach EVERY VLAN, the restricted vlan10 included.
add action=accept chain=forward comment="Allow WireGuard " in-interface=\
    wireguard1 out-interface-list=VLAN
# Sits after several accepts; defconf puts drop-invalid directly after the
# established/related accept.
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Catch-all for VLAN-originated traffic: vlan10/20/30 cannot reach each other
# or base (base -> others was already accepted above).
add action=drop chain=forward comment="Drop Everything else in VLAN" \
    in-interface-list=VLAN
# New WAN -> LAN without dst-nat is dropped. There is no terminal drop after
# this, so an interface in neither list would be forwarded by the chain's
# default accept policy.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

I’m pretty sure the main problem is around the firewall rules and I’m trying to set it with minimum intervention to the default config; however, maybe I’d need to jump back to drop all and allow some as you proposed, anav. Access from base to the others seems to be working, no problems there at least from what I’ve tested.

Pinging gateway IPs, is reaching the router as they are local interfaces, does not mean you can actually reach users…
Lets look at the config…

(1) INPUT CHAIN: clearly you want reasonable security, and thus I am assuming you want limited access to those that configure the router.
Hence allowing ALL VLANs full access to the router itself should not be acceptable.
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!VLAN

Much better to have a list of admin IP addresses ( local and by setting dhcp leases to static, aka admin laptop, desktop, ipad/smartphone) and also remote wireguard IPs if any as a SOURCE ADDRESS LIST accepted on the input chain.
THEN for the users, what services do they require typically on DNS.
add action=accept chain=input src-address-list=Admin comment=“Config Access”
add action=accept chain=input comment=“Allow LAN DNS queries-UDP” \ {and NTP *** services if required etc}
dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
dst-port=53 in-interface-list=VLAN protocol=tcp

add action=drop chain=input comment="drop all else" { put this rule in last, or you will lock yourself out }

However thats up to you, otherwise input chain is fine.

(2) Forward chain… out of order and unknown rules…
The NVR rule should be removed if it is not of any relevance; and even if it were relevant it should come after the usual default rules.

add action=drop chain=forward comment=NVR disabled=yes dst-address=
!192.168.100.2 log=yes log-prefix=NVR src-address=192.168.0.26

Now, to handle what is and what is not allowed, put in a last rule that is DROP ALL ELSE.
What this does is allow you to focus and simplify: add ONLY WHAT TRAFFIC IS NEEDED!
Note your default invalid rule has to move up to right after the established,related rule, and the old default dst-nat rule (your current last rule) has to be removed and replaced with a clearer rule and the drop rule.
This leaves the following.

add action=accept chain=forward comment=“Allow Internet Access”
in-interface-list=“VLAN-Internet Only” out-interface-list=WAN
add action=accept chain=forward comment=“Allow BaseVlan Full Access”
in-interface=BaseVlan out-interface-list=VLAN
add action=accept chain=forward comment="Allow WireGuard " in-interface=
wireguard1 out-interface-list=VLAN
add action=drop chain=forward comment=“Drop Everything else in VLAN”
in-interface-list=VLAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { disable if not required }
add action=drop chain=forward comment=“DROP ALL ELSE”

Rule 1 - allows vlan20,30 to internet
Rule 2 - allows base vlan to all vlans
Rule 3 - allows Wireguard to all vlans
Rule 4 - allows port forwarding, if required
Rule 5 - drop all other traffic at L3

Thus automatically, no other vlans can access internet, no vlans can access each other.
Clean, simple, efficient

The NVR rule is not relevant. It is a leftover from an old config and it was disabled.

I’ve modified the firewall in the following manner:

Lists

/interface list
add comment=defconf name=WAN
add comment="Full VLAN List" name=VLAN
add name=BaseVLAN
# VLAN-Restricted is populated below, but NO rule in the posted /ip firewall
# filter references it, so "restricted" has no effect on the forward chain.
add comment="Internet Restricted" name=VLAN-Restricted
add comment="Internet Only List" name="VLAN-Internet Only"
/interface list member
add interface=pppoe-out1 list=WAN
add comment="WAN List" interface=ether2-WAN2 list=WAN
# wireguard1 is also in VLAN, so every in-/out-interface-list=VLAN rule
# treats the tunnel as an internal VLAN.
add interface=wireguard1 list=VLAN
add comment="Full VLAN List" interface=BaseVlan list=VLAN
add comment="Full Access List" interface=BaseVlan list=BaseVLAN
add interface=vlan10 list=VLAN
add interface=vlan20 list=VLAN
add interface=vlan30 list=VLAN
add comment="Internet Restricted List" interface=vlan10 list=VLAN-Restricted
add comment="Internet obly List" interface=vlan20 list="VLAN-Internet Only"
add interface=vlan30 list="VLAN-Internet Only"
# Added to BaseVLAN, yet the filter still matches in-interface=wireguard1 and
# in-interface=BaseVlan directly; the BaseVLAN list itself stays unreferenced.
add interface=wireguard1 list=BaseVLAN

/ip firewall filter
# ---- input: now default-deny ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# "Admin" is an /ip firewall address-list that is not shown in this post; if
# it is empty the rule matches nothing. A source address alone is not bound
# to an interface; pairing it with in-interface-list=VLAN (or !WAN) keeps the
# rule from matching packets arriving on the WAN side.
add action=accept chain=input comment="allow Admin access" src-address-list=\
    Admin
add action=accept chain=input comment="allow WireGuard" dst-port=13231 log=\
    yes log-prefix=Wireguard protocol=udp
# DNS for clients; the VLAN list includes wireguard1 and the restricted vlan10.
add action=accept chain=input comment="allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="allow LAN DNS queries - UDP" dst-port=\
    53 in-interface-list=VLAN protocol=udp
# These three defconf rules sit after the accepts; the reply suggests moving
# them up directly below the established/related rule.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Terminal drop; must stay last. Nothing explicitly accepts DHCP here -
# RouterOS's DHCP server is generally not subject to input filter rules, but
# confirm clients still obtain leases.
add action=drop chain=input comment="drop Everything else"
# ---- forward ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# in-interface-list=VLAN covers ALL VLANs, including vlan10 (VLAN-Restricted)
# and wireguard1, so vlan10 gets internet despite the stated goal; the
# VLAN-Restricted list is never referenced in this chain. connection-type=""
# is an empty matcher (presumably a Winbox export artifact) on this and the
# next three rules.
add action=accept chain=forward comment="allow Internet only" \
    connection-type="" in-interface-list=VLAN out-interface-list=WAN
# base -> every VLAN-list interface (vlan10/20/30 and wireguard1).
add action=accept chain=forward comment="allow BaseVlan full access" \
    connection-type="" in-interface=BaseVlan out-interface-list=VLAN
# Remote WireGuard peers reach every VLAN, vlan10 included.
add action=accept chain=forward comment="allow WireGuard VLAN access" \
    connection-type="" in-interface=wireguard1 out-interface-list=VLAN
# Catch-all for VLAN-originated traffic: vlan10/20/30 cannot reach each other or base.
add action=drop chain=forward comment="drop Everything else in VLAN" \
    connection-type="" in-interface-list=VLAN
add action=accept chain=forward comment="allow Port forwarding" \
    connection-nat-state=dstnat connection-state=new connection-type=""
# Limited to new WAN-originated packets. An interface in neither VLAN nor WAN
# would fall through to the chain's default accept; currently every L3
# interface in the export is in one of the two lists.
add action=drop chain=forward comment="drop Everything else" \
    connection-state=new in-interface-list=WAN

The major problem I saw was with the "drop all" rule: once applied, all VLANs were cut off from the internet. It seems to work with in-interface=WAN added to the rule. Also, in the VLAN topic all rules allowing traffic to the internet or to another VLAN carry connection-state=new — should we use it or not?

Seems okay, you keep screwing up the order of rules though…

(1) /ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked

----> move up, and put the invalid rule, the ICMP rule and the loopback rule here!!

add action=accept chain=input comment="allow Admin access" src-address-list=
Admin

(2) The internet thing is a misunderstanding on your part. The internet list should be used to identify all subnets allowed to the internet, NOT which two subnets are internet-only. It's a nuance, but they are two different requirements! :slight_smile:

This is clearly not what we want…
add action=accept chain=forward comment="allow Internet only"
connection-type="" in-interface-list=VLAN out-interface-list=WAN

The problem stems from your use and naming of the list.
It should be called simply VLAN-Internet and then it will be clear to you that the BASE VLAN is a member!!!
/interface list member
add interface=pppoe-out1 list=WAN
add comment="WAN List" interface=ether2-WAN2 list=WAN
add interface=wireguard1 list=VLAN
add comment="Full VLAN List" interface=BaseVlan list=VLAN
add comment="Full Access List" interface=BaseVlan list=BaseVLAN
add interface=vlan10 list=VLAN
add interface=vlan20 list=VLAN
add interface=vlan30 list=VLAN
add comment="Internet Restricted List" interface=vlan10 list=VLAN-Restricted

add comment="Internet only List" interface=vlan20 list=VLAN-Internet
add interface=vlan30 list=VLAN-Internet
add interface=BaseVlan list=VLAN-Internet
add interface=wireguard1 list=BaseVLAN

And thus the rule should be as I posted…
add action=accept chain=forward comment="allow Internet only"
connection-type="" in-interface-list=VLAN-Internet VLAN out-interface-list=WAN

or simply add the BASE VLAN to the existing list “VLAN-Internet Only” result will be the same.

Yeah, I messed up the order. I moved the one in the forward chain but somehow missed the rules in the input chain. I modified it as you pointed out, but there is still no internet if the last rule is simply "drop all"; it works when the drop-all rule has in-interface=WAN. I guess that was missed in your first comment, or am I missing something? And what about connection-state=new?

/interface list
add name=WAN
add name=VLAN
add name=BaseVLAN
add name=VLAN-Restricted
# NOTE(review): the forward rule "allow Internet access" below references
# "VLAN-Internet Access" (with a space), which does not match this name;
# confirm which spelling the router actually holds.
add name=VLAN-InternetAccess
/interface list member
add interface=pppoe-out1 list=WAN
add interface=ether2-WAN2 list=WAN
# wireguard1 and BaseVlan are members of VLAN as well as of their own lists,
# so every rule matching in-interface-list=VLAN also matches them.
add interface=wireguard1 list=VLAN
add interface=BaseVlan list=VLAN
add interface=BaseVlan list=BaseVLAN
add interface=vlan10 list=VLAN
add interface=vlan20 list=VLAN
add interface=vlan30 list=VLAN
# vlan10 is in VLAN and VLAN-Restricted only; it is intentionally absent
# from VLAN-InternetAccess.
add interface=vlan10 list=VLAN-Restricted
add interface=vlan20 list=VLAN-InternetAccess
add interface=vlan30 list=VLAN-InternetAccess
add interface=wireguard1 list=BaseVLAN
add interface=BaseVlan list=VLAN-InternetAccess
add interface=wireguard1 list=VLAN-InternetAccess

/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
# The defconf rules (established/related, drop invalid, ICMP, loopback) now
# precede the source-specific accepts, so invalid-state packets are dropped
# before any of them can match.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Any source in the "Admin" address list reaches every router service (no
# port or interface qualifier).
add action=accept chain=input comment="allow Admin access" src-address-list=\
    Admin
# log=yes writes a log line (prefix "Wireguard") for every packet this rule
# accepts, not only for new handshakes.
add action=accept chain=input comment="allow WireGuard" dst-port=13231 log=\
    yes log-prefix=Wireguard protocol=udp
# Router-hosted DNS is reachable only from interfaces in the VLAN list.
add action=accept chain=input comment="allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="allow LAN DNS queries - UDP" dst-port=\
    53 in-interface-list=VLAN protocol=udp
# Final input rule: everything not matched above is dropped, regardless of
# the interface it arrived on.
add action=drop chain=input comment="drop Everything else"
# ---- forward chain: traffic routed through the router ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Only established/related connections are fasttracked; new connections
# keep going down the chain and hit the policy rules below.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# NOTE(review): the list is defined above as VLAN-InternetAccess (no space);
# "VLAN-Internet Access" here does not match that name, so this rule may not
# be matching the intended members. connection-type="" has no effect.
add action=accept chain=forward comment="allow Internet access" \
    connection-type="" in-interface-list="VLAN-Internet Access" \
    out-interface-list=WAN
# BaseVlan may open connections to every VLAN-list member; the reverse
# direction is only covered by the established/related accept above.
add action=accept chain=forward comment="allow BaseVlan full access" \
    connection-type="" in-interface=BaseVlan out-interface-list=VLAN
add action=accept chain=forward comment="allow WireGuard VLAN access" \
    connection-type="" in-interface=wireguard1 out-interface-list=VLAN
# Catch-all for the VLAN list: anything from a VLAN-list interface not
# accepted above (including traffic between two VLAN-list members) is
# dropped here. A new connection from vlan10 to WAN should reach this rule.
add action=drop chain=forward comment="drop Everything else in VLAN" \
    connection-type="" in-interface-list=VLAN
# Sits after the VLAN drop, so dst-nat'd connections arriving from a
# VLAN-list interface never reach it; only non-VLAN sources do.
add action=accept chain=forward comment="allow Port forwarding" \
    connection-nat-state=dstnat connection-state=new connection-type=""
# Drops anything arriving on a WAN-list interface that was not accepted
# above; a connection from an interface that is in neither list falls
# through to the chain's implicit default (accept in RouterOS).
add action=drop chain=forward comment="drop Everything else" \
    in-interface-list=WAN

Edit: Just tested, and internet access is available from vlan10, which is not in the allowed list — strange.