Intervlan SMB access. Configuration and security

I cannot access my hAP’s SMB share from another vlan.

Router:
hAP ax3 with SSD connected to USB

Configuration:
main_pool – hAP, single desktop, and wifi
trusted_vlan20 – includes a Pi with SMB, desktop with SMB
IOT_vlan30

Setting:
home

I prefer to use the hAP instead of the Pi for file sharing, but not mandatory. My use is light.

Devices on the main_pool can access the hAP SMB, so the file sharing is working in that regard. I assume it’s a firewall configuration.

Questions:

  1. Is it a best security practice to not allow SMB access to my hAP from other vlans?
  2. How do I configure SMB access to the hAP from my trusted_vlan?
/interface vlan
add comment=IOT interface=bridge name=VLAN_IOT vlan-id=30
add comment=trusted20 interface=bridge name=VLAN_trusted20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=main_pool ranges=10.0.2.50-10.0.2.254
add name="IOT pool" ranges=10.0.30.2-10.0.30.100
add name=trusted20_pool ranges=10.0.20.50-10.0.20.254
/ip dhcp-server
add address-pool=main_pool interface=bridge lease-time=1d name=defconf
add address-pool="IOT pool" comment=IOT interface=VLAN_IOT lease-time=1d \
    name="IOT DHCP"
add address-pool=trusted20_pool interface=VLAN_trusted20 name=\
    "trusted20 DHCP"
/ip smb users
set [ find default=yes ] disabled=yes
add name=me
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_switch
add bridge=bridge comment=defconf interface=ether3_Mac
add bridge=bridge comment=defconf interface=ether4_asus pvid=20
add bridge=bridge comment=defconf interface=" wifi for IOT" pvid=30
add bridge=containers interface=veth1-nginx
add bridge=bridge interface=hap5
add bridge=bridge interface=ether5_pvid1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=IOT tagged=bridge untagged=\
    " wifi for IOT,ether2_switch" vlan-ids=30
add bridge=bridge comment=trusted20 tagged=bridge untagged=\
    ether4_asus,ether2_switch,ether3_Mac vlan-ids=20
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN

/ip address
add address=10.0.2.1/24 interface=bridge network=10.0.2.0
add address=10.0.5.1/24 comment=containers interface=containers network=\
    10.0.5.0
add address=10.0.30.1/24 comment=IOT interface=VLAN_IOT network=10.0.30.0
add address=10.0.20.1/24 comment=trusted interface=VLAN_trusted20 network=\
    10.0.20.0
/ip dhcp-client
add comment=defconf interface=ether1_WAN use-peer-dns=no

/ip dhcp-server network
add address=10.0.2.0/24 comment=main dns-server=10.0.2.1 gateway=10.0.2.1
add address=10.0.20.0/24 comment=vlan_trusted dns-server=10.0.2.1 gateway=\
    10.0.20.1
add address=10.0.30.0/24 comment=IOT_vlan dns-server=10.0.2.1 gateway=\
    10.0.30.1
/ip dns
set allow-remote-requests=yes cache-size=25600KiB servers=\
    9.9.9.9,149.112.112.112

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="me: Adlist - allow DNS queries" \
    dst-port=53 in-interface=all-vlan protocol=udp
add action=accept chain=input comment="me: Adlist - allow DNS queries" \
    dst-port=53 in-interface=all-vlan protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="me: #1a - bridge  to vlans" \
    in-interface=bridge out-interface=all-vlan
add action=accept chain=forward comment="SMB access to hAP" dst-address=\
    10.0.2.0/24 dst-port=445,139 protocol=tcp src-address=10.0.20.0/24
add action=accept chain=forward comment="SMB access to hAP" dst-address=\
    10.0.2.0/24 dst-port=137,138 protocol=udp src-address=10.0.20.0/24
add action=drop chain=forward comment="me: IOT - vlans to bridge" \
    in-interface=all-vlan out-interface=bridge
add action=drop chain=forward comment="me: IOT" dst-address=10.0.20.0/24 \
    src-address=10.0.30.0/24
add action=drop chain=forward comment="me: IOT - outbound drop" \
    out-interface=all-vlan src-address=10.0.30.0/24
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=containers src-address=10.0.5.0/24
add action=redirect chain=dstnat comment="Adlist - allow DNS queries" \
    dst-port=53 in-interface=all-vlan protocol=udp
add action=redirect chain=dstnat comment="Adlist - allow DNS queries" \
    dst-port=53 in-interface=all-vlan protocol=tcp
add action=dst-nat chain=dstnat comment="Forwards main2 to routeros" \
    disabled=yes dst-address=10.0.2.1 dst-port=80 protocol=tcp to-addresses=\
    10.0.1.1 to-ports=80
/ip firewall service-port
set ftp disabled=yes
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www-ssl disabled=no
/ip smb shares
add directory=usb1 name=usb1 valid-users=me
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN

I read that ports 137, 138, and 139 are not needed in the current implementation of SMB. Only port 445 is needed.

Removing 137-139 and adding a firewall rule for 445 allowed me to connect to a Mac on the main 10.0.2.0 subnet from a Debian Linux machine and another Mac. Still cannot connect from another vlan to the smb share on the hAP.

Add the VLAN 20 interface to the LAN interface list. If that doesn’t work either, check on which interfaces the SMB service runs and adjust accordingly if needed.

Firewall rules always kick my butt. I was using forward instead of input.

This allows access from vlan20 to my router’s file share.

chain=input action=accept protocol=tcp in-interface=VLAN_trusted20 dst-port=445

What I don’t understand is that without this rule I could still connect to an SMB share on another computer on the same subnet.

All your firewall problems can be traced back to the incorrect selection of interfaces. This is not only with regard to your smb config, but it is all over your config.

When ports are bridged, the interfaces that are incorporated into the bridge are said to be enslaved, that is, they will not be regarded as the ingress/egress interfaces by the IP networking part of your system (of which the firewall is one important element.) That’s why in the default configuration the bridge is incorporated into the LAN interface list, because from the POV of the firewall, that is where the packets will come from.

When you configure your bridge with vlans, you go another step further. Now, the vlan interfaces are the appropriate IP interfaces into those domains. (With the exception being if the bridge itself is specified in a vlan as an untagged member, only for that vlan the bridge will still be the appropriate interface. This is a configuration I do not encourage.)

So what you should do is

  • remove the “bridge” interface from the LAN interface list, add instead VLAN_trusted20 - this will immediately solve your smb problems without the additional rule
  • add a new interface list like LAN_UNTRUSTED, and add your guest vlan to it
  • remove your NAT redirect rules (DNS will work normally on your trusted network, because it is now part of the LAN list)
  • add appropriate “accept” rules in your firewall/filter for your new LAN_UNTRUSTED interface list and include DNS in them (and whatever else you will want to later on) - just remember that DNS needs both UDP and TCP port 53 to function correctly (for DNS, use the input chain)
  • remove (or disable) all configuration that references the “bridge” interface in an ingress/egress interface sense: it shouldn’t have an IP address, it shouldn’t have a DHCP server, etc.
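The two points made in the thread (router-destined traffic hits the input chain, not forward; and on a VLAN-filtering bridge the firewall sees the VLAN interface, not the bridge, as ingress) can be walked through with a small model. The following is an added illustration written for this thread, not MikroTik code and not a faithful RouterOS implementation: rule comments, interface names and subnets are copied from the posted export, the `ALL_VLAN` set stands in for the `all-vlan` matcher, the "same L2 domain is switched, not filtered" shortcut assumes the default `use-ip-firewall=no`, and everything else is a simplification.

```python
# Added illustration (not MikroTik's code): a simplified model of which firewall
# chain a packet hits on a RouterOS VLAN-filtering bridge and which IP-level
# ingress interface the firewall sees.  Names come from the posted export;
# the packet-flow logic itself is a deliberate simplification.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str   # IP-level ingress interface: the VLAN interface, not the enslaved port


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    in_iface_list: Optional[str] = None   # "LAN" or "!LAN"
    src_net: Optional[str] = None
    dst_net: Optional[str] = None


# Subnets and router addresses from the posted /ip address section.
NETS = {"10.0.2.0/24": "bridge", "10.0.20.0/24": "VLAN_trusted20", "10.0.30.0/24": "VLAN_IOT"}
ROUTER_ADDRS = {"10.0.2.1", "10.0.20.1", "10.0.30.1"}
ALL_VLAN = {"VLAN_trusted20", "VLAN_IOT"}   # assumption: what in-interface=all-vlan expands to


def iface_for(addr: str) -> Optional[str]:
    """IP interface that owns the subnet containing addr (None if unknown)."""
    for net, iface in NETS.items():
        if ip_address(addr) in ip_network(net):
            return iface
    return None


def _iface_set(name: str) -> set:
    return ALL_VLAN if name == "all-vlan" else {name}


def select_chain(pkt: Packet) -> str:
    """'input' for the router's own addresses, 'forward' when routed between
    L3 domains, 'none' when both hosts share an L2 domain (the bridge switches
    it and, with use-ip-firewall=no, the IP firewall never sees it)."""
    if pkt.dst in ROUTER_ADDRS:
        return "input"
    if iface_for(pkt.src) is not None and iface_for(pkt.src) == iface_for(pkt.dst):
        return "none"
    return "forward"


def matches(rule: Rule, pkt: Packet, lists: dict) -> bool:
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.in_iface and pkt.in_iface not in _iface_set(rule.in_iface):
        return False
    if rule.out_iface and iface_for(pkt.dst) not in _iface_set(rule.out_iface):
        return False
    if rule.in_iface_list:   # "!LAN" means: match when NOT a member
        negate = rule.in_iface_list.startswith("!")
        member = pkt.in_iface in lists[rule.in_iface_list.lstrip("!")]
        if member == negate:
            return False
    if rule.src_net and ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    if rule.dst_net and ip_address(pkt.dst) not in ip_network(rule.dst_net):
        return False
    return True


def evaluate(pkt: Packet, rules: list, lists: dict) -> tuple:
    """First matching rule in the selected chain wins; an empty chain accepts."""
    chain = select_chain(pkt)
    if chain == "none":
        return (chain, "switched inside the bridge, no IP firewall")
    for r in rules:
        if r.chain == chain and matches(r, pkt, lists):
            return (chain, f"{r.action}: {r.comment}")
    return (chain, "accept: end of chain")


# Subset of the originally posted filter (new connections only, so the
# established/related rules are omitted), in the posted order.
OP_RULES = [
    Rule("input", "accept", "defconf: accept ICMP", proto="icmp"),
    Rule("input", "accept", "me: Adlist - allow DNS queries", proto="udp", dport=53, in_iface="all-vlan"),
    Rule("input", "drop", "defconf: drop all not coming from LAN", in_iface_list="!LAN"),
    Rule("forward", "accept", "me: #1a - bridge to vlans", in_iface="bridge", out_iface="all-vlan"),
    Rule("forward", "accept", "SMB access to hAP", proto="tcp", dport=445,
         src_net="10.0.20.0/24", dst_net="10.0.2.0/24"),
    Rule("forward", "drop", "me: IOT - vlans to bridge", in_iface="all-vlan", out_iface="bridge"),
]
# The rule the poster later added to the input chain, placed before the !LAN drop.
OP_RULES_PLUS_INPUT = OP_RULES[:2] + [
    Rule("input", "accept", "me: SMB to hAP", proto="tcp", dport=445, in_iface="VLAN_trusted20")] + OP_RULES[2:]
DEFAULT_LISTS = {"LAN": {"bridge"}}            # as in the posted export
FIXED_LISTS = {"LAN": {"VLAN_trusted20"}}      # the reply's suggested change

# Constructed sample packets (hosts chosen from the posted DHCP ranges).
SMB_TO_ROUTER = Packet("10.0.20.60", "10.0.2.1", "tcp", 445, "VLAN_trusted20")
SMB_TO_HOST = Packet("10.0.20.60", "10.0.2.60", "tcp", 445, "VLAN_trusted20")
SMB_SAME_SUBNET = Packet("10.0.2.50", "10.0.2.60", "tcp", 445, "bridge")

if __name__ == "__main__":
    for name, pkt, rules, lists in [
            ("router share, LAN={bridge}", SMB_TO_ROUTER, OP_RULES, DEFAULT_LISTS),
            ("router share, extra input rule", SMB_TO_ROUTER, OP_RULES_PLUS_INPUT, DEFAULT_LISTS),
            ("router share, LAN={VLAN_trusted20}", SMB_TO_ROUTER, OP_RULES, FIXED_LISTS),
            ("host on main subnet", SMB_TO_HOST, OP_RULES, DEFAULT_LISTS),
            ("same subnet", SMB_SAME_SUBNET, OP_RULES, DEFAULT_LISTS)]:
        print(f"{name:36} -> {evaluate(pkt, rules, lists)}")
```

Running it shows why the forward-chain "SMB access to hAP" rule never helped for the router's own share (it is evaluated in the input chain, where only the `!LAN` drop matches), why the same rule does let a trusted-VLAN host reach a Mac on the main subnet, why same-subnet SMB needs no rule at all (it never leaves the bridge), and that swapping `bridge` for `VLAN_trusted20` in the LAN list makes the extra input rule unnecessary.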

I made some changes. Does this look better? Should I remove ‘bridge’ entirely from the Interface List?

Next is to allow connecting to router (10.0.2.1) from vlan_trusted20.

# 2025-07-24 00:46:49 by RouterOS 7.19.3
# model = C53UiG+5HPaxD2HPaxD

/container mounts
add dst=/usr/share/nginx/html name=website src=/usb1/website

/interface bridge
add admin-mac=78:9A:18:10:34:B0 auto-mac=no comment=defconf igmp-snooping=yes \
    multicast-querier=yes name=bridge vlan-filtering=yes
add name=containers

/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_switch
set [ find default-name=ether3 ] name=ether3_Mac
set [ find default-name=ether4 ] name=ether4_asus
set [ find default-name=ether5 ] name=ether5_pvid1

...
    
/interface veth
add address=10.0.5.2/24 gateway=10.0.5.1 gateway6="" name=veth1-nginx

/interface wireguard
...

/interface vlan
add comment=IOT interface=bridge name=VLAN_IOT vlan-id=30
add comment=trusted20 interface=bridge name=VLAN_trusted20 vlan-id=20

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=vlan_UNTRUSTED
add name=vlan_trusted

/ip pool
add name=main_pool ranges=10.0.2.50-10.0.2.254
add name="IOT pool" ranges=10.0.30.2-10.0.30.100
add name=trusted20_pool ranges=10.0.20.50-10.0.20.254

/ip dhcp-server
add address-pool=main_pool interface=bridge lease-time=1d name=defconf
add address-pool="IOT pool" comment=IOT interface=VLAN_IOT lease-time=1d \
    name="IOT DHCP"
add address-pool=trusted20_pool interface=VLAN_trusted20 name=\
    "trusted20 DHCP"
    
/ip smb users
set [ find default=yes ] disabled=yes
add name=xxx

...

/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes

/ip smb
set enabled=yes

/interface bridge port
add bridge=bridge comment=defconf interface=ether2_switch
add bridge=bridge comment=defconf interface=ether3_Mac
add bridge=bridge comment=defconf interface=ether4_asus pvid=20
add bridge=bridge comment=defconf interface=" wifi for IOT" pvid=30
add bridge=containers interface=veth1-nginx
add bridge=bridge interface=hap5
add bridge=bridge interface=ether5_pvid1

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface bridge vlan
add bridge=bridge comment=IOT tagged=bridge untagged=\
    " wifi for IOT,ether2_switch" vlan-ids=30
add bridge=bridge comment=trusted20 tagged=bridge untagged=\
    ether4_asus,ether2_switch,ether3_Mac vlan-ids=20
    
/interface detect-internet
set detect-interface-list=all

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add interface=VLAN_trusted20 list=vlan_trusted
add interface=VLAN_IOT list=vlan_UNTRUSTED

/interface wireguard peers
...

/ip address
add address=10.0.2.1/24 interface=bridge network=10.0.2.0
add address=10.0.17.1/24 comment=wireguard interface=wireguard1 network=\
    10.0.17.0
add address=10.0.5.1/24 comment=containers interface=containers network=\
    10.0.5.0
add address=10.0.30.1/24 comment=IOT interface=VLAN_IOT network=10.0.30.0
add address=10.0.20.1/24 comment=trusted interface=VLAN_trusted20 network=\
    10.0.20.0
    
/ip dhcp-client
add comment=defconf interface=ether1_WAN use-peer-dns=no

/ip dhcp-server lease
...

/ip dns
set allow-remote-requests=yes cache-size=25600KiB servers=\
    9.9.9.9,149.112.112.112
    
/ip dns adlist
add url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
add file="usb1/adlist mine/myblacklist.txt" ssl-verify=no


/ip firewall address-list
add address=10.0.20.0/24 list=LAN_1  # vlan_trusted20
add address=10.0.2.0/24 list=LAN_1    # bridge

/ip firewall filter
add action=accept chain=input comment="me: allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="me: WG" src-address=10.0.17.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="me: Adlist - allow DNS queries" \
    dst-port=53 in-interface=all-vlan protocol=udp
add action=accept chain=input comment="me: Adlist - allow DNS queries" \
    dst-port=53 in-interface=all-vlan protocol=tcp
add action=accept chain=input comment="me: SMB to hAP" dst-port=445 \
    in-interface=all-vlan protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="me: bridge and trusted to all vlans" \
    out-interface=all-vlan src-address-list=LAN_1
add action=drop chain=forward comment="me: IOT - outbound drop" \
    dst-address-list=LAN_1 in-interface=VLAN_IOT
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=containers src-address=10.0.5.0/24

/ip firewall service-port
set ftp disabled=yes

/ip service
set ftp disabled=yes
set telnet disabled=yes
set www-ssl disabled=no

/ip smb shares
add directory=usb1 name=usb1 valid-users=xxx

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
Partly.

I think you shouldn’t have a LAN and a vlan_trusted interface list. You can of course name it whatever you want, but essentially your trusted vlan takes over the place of LAN in the default configuration. I wouldn’t name the interface lists around “vlans” specifically - from a firewall and interface usage perspective it really doesn’t matter whether these connections are delivered directly in interfaces, over vlans, bridged, etc. - it’s their roles that matter.

Interface lists can be used for many things, but if you only use them for firewalling, then yes, there’s no reason for the “bridge” interface to be in any of them.