L2, L3 Firewall with different VLANs - bridge two vlans (intern, extern)

Hello

My current setup looks like the following:
Interface 1 extern
Interface 2 intern

Bridge with Int1 and Int2

Both are without VLANs and I use (L2) L3 Firewall to filter the traffic (stateful).
For example, traffic from intern to extern is allowed, extern to intern only related and established and a few ports.

Now I want to use VLANs for my purpose and only one 10G interface. Which should look like this:
Interface 1 (only tagged), vlan10 (extern) and vlan11 (intern).

How can I bridge those two VLANs together and use the firewall for filtering the traffic?

Thank you for your help

Diagrams may help but why are you bridging the external interface?? Bridging is typically for behind the router (the lans or vlans)
Are you saying that your wan, internet connection comes in on a vlan from the provider?

No, it does not come tagged in a VLAN. But, if I only have one cable to the firewall (e.g. RB4011iGS+RM with only one 10G interface), I do want to change it to the following configuration:
firewall.PNG

Let’s say you’ll use ether1. You should use the interface in stand-alone mode (i.e. not enslaved to a bridge) and create appropriate VLAN interfaces off it. Then bridge those interfaces and use bridge filters in a similar manner as currently:

/interface vlan
add interface=ether1 name=extern vlan-id=10
add interface=ether1 name=intern vlan-id=11
/interface bridge
add name=transparent
/interface bridge port
add bridge=transparent interface=intern
add bridge=transparent interface=extern
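
A sketch of the filtering side for the bridge above, as an added example that is not part of the original thread. It assumes the existing stateful rules live in `/ip firewall filter`, that bridged traffic is handed to the IP firewall with `use-ip-firewall`, and that frames reach the bridge untagged because the VLAN interfaces remove the tag; the ports in the allow rule are constructed placeholders for the "few ports" mentioned in the question.

```routeros
# Added example, not from the thread. Interface and bridge names follow the
# config above (intern, extern, transparent); allowed ports are constructed.

# Pass bridged IP traffic through /ip firewall so connection tracking applies.
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
# Return traffic for connections that were already allowed.
add chain=forward connection-state=established,related action=accept \
    comment="stateful: established/related"
# Packets that match no tracked connection state.
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid"
# intern -> extern: allowed.
add chain=forward in-bridge-port=intern out-bridge-port=extern action=accept \
    comment="intern to extern"
# extern -> intern: only selected services (constructed example ports).
add chain=forward in-bridge-port=extern out-bridge-port=intern \
    protocol=tcp dst-port=22,443 connection-state=new action=accept \
    comment="extern to intern: allowed services"
# extern -> intern: everything else is dropped.
add chain=forward in-bridge-port=extern out-bridge-port=intern action=drop \
    comment="extern to intern: default drop"

# Non-IP frames (e.g. ARP) never reach /ip firewall; they are handled in
# /interface bridge filter. Allow ARP so hosts on both sides can resolve
# each other, then drop other non-IP ethertypes crossing the bridge.
/interface bridge filter
add chain=forward mac-protocol=arp action=accept comment="allow ARP"
add chain=forward mac-protocol=ip action=accept comment="IP is filtered in /ip firewall"
add chain=forward action=drop comment="drop other ethertypes"
```

Rule order matters in both tables: the accept rules have to sit above the final drop, and the per-rule counters show whether traffic is actually traversing the bridge rather than bypassing it on the switch.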

mkx, is the basic idea that one wants to have an access trunk from switch to modem, let's say on switch port ether5.
All packets coming in on this port are tagged with vlan10, all packets leaving this port back to the modem have their tags stripped.

Then on ether4 on the switch one has a trunk port carrying vlan11 and vlan10, eth4 goes to ether1 on the router.

I don't follow how to use this single port NOT on a bridge for the WAN interface part but on a bridge for the internal LAN interface.
Are you saying you can put both on the bridge no issues??

The basic idea of @BrainPain is to use RB4011 as router-on-a-stick … both WAN and LAN tagged with tagging of both being done by a switch (so don’t worry about it).
Only that he doesn’t want RB4011 to do any routing, just transparent firewalling. So he needs a bridge between WAN and LAN to make it transparent and he needs bridge rules to enforce firewall rules. For the obvious reasons (forcing traffic to pass through firewall) he needs to use different VLANs, if he used same VLAN traffic might bypass RB4011 altogether.

Sorry no capiche. You would need to give me a zoom lesson to understand unfortunately.
I will have another think about it tomorrow.

Looks easier than I expected. Just create 2 VLAN-Interfaces and bridge them together?

I was thinking about VLAN-translation and something else. But your solution looks like an easy fix for this problem. Thank you for your help!