Make RouterOS inaccessible on VLAN [Fixed]

Dear all,

First I would like to wish you a happy new year 2023.

I am using several RouterOS switches with separate VLANs.

Each RouterOS switch obtains an IP address on each VLAN.
This makes all switches accessible on each VLAN, which might cause security issues.
I don’t understand why each switch has an IP on each VLAN, as this is a layer 2 VLAN.
Should I use /32 IPs for each VLAN?

How to make the switches accessible on a single VLAN only (the admin VLAN)?

Also I would like to manage all ARPs on my main router with static entries.

Kind regards,
Ffries

Each RouterOS switch obtains an IP address on each VLAN

Why??? When you do not want that, do not configure it that way!
You probably have DHCP clients configured on each VLAN. Remove that.

Hello,

No, these are static IPs with a /24 netmask on each VLAN.
I modified the setting to a static /32 netmask, which makes the switches inaccessible.
So this issue is fixed.

However, a problem remains: from any VLAN I can ping the main router on each of the router's IPs.
I think this is because the router fetches the IPs from its ARP table.

Example:

If my router has two IPs, a.b.c.254 and d.e.f.254, I can ping both from any VLAN.
How can I restrict ping to the IP belonging to the working VLAN?
From the a.b.c.0/24 network I would like to ping only a.b.c.254 and not d.e.f.254.

Any idea how I can do that?

No these are static IPs on /24 netmask on each VLAN.

Remove them! There is no need to have an IP on a layer 2 VLAN. You added those, but you do not want them.

Well, the switches will do the ARP based on the router being part of their /24. So while on a /32, the router is still responding to the switch’s ARP.

So with pe1chl, it doesn’t need an IP in the first place.

OK, I will remove them. Thanks.
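Putting the advice from this thread into a RouterOS configuration, as an added example that is not from any of the posters: the switches keep one address on the admin VLAN only, neighbor discovery and MAC-server access are limited to that VLAN, and on the main router an input-chain rule per VLAN makes only that VLAN's own gateway address reachable (so hosts in a.b.c.0/24 can reach a.b.c.254 but not d.e.f.254). The interface names vlan10, vlan20 and vlan99, the 192.168.x.0/24 networks standing in for a.b.c.0/24 and d.e.f.0/24, the switch address 192.168.99.11 and the MAC address are all constructed placeholders; the static ARP part addresses the wish to manage ARP on the main router with static entries.

```routeros
# Added example, not from the thread. Assumed names: vlan10/vlan20 are user VLANs,
# vlan99 is the admin VLAN; addresses and the MAC below are constructed placeholders.

# --- On each managed switch: one management address on the admin VLAN only ---
/ip address remove [find interface=vlan10]
/ip address remove [find interface=vlan20]
/ip address add address=192.168.99.11/24 interface=vlan99 comment="management only"

# Restrict neighbor discovery (MNDP/CDP/LLDP) and MAC-telnet/MAC-WinBox to the admin VLAN
/interface list add name=management
/interface list member add list=management interface=vlan99
/ip neighbor discovery-settings set discover-interface-list=management
/tool mac-server set allowed-interface-list=management
/tool mac-server mac-winbox set allowed-interface-list=management

# --- On the main router: one gateway address per VLAN ---
/ip address add address=192.168.10.254/24 interface=vlan10
/ip address add address=192.168.20.254/24 interface=vlan20
/ip address add address=192.168.99.254/24 interface=vlan99

/ip firewall filter
# Packets of sessions already accepted (or opened by the router itself)
add chain=input connection-state=established,related action=accept comment="already accepted sessions"
# From vlan10 only 192.168.10.254 may be reached; dst-address-type=local restricts the
# match to the router's own addresses, so DHCP/ARP broadcasts on the VLAN are unaffected.
add chain=input in-interface=vlan10 dst-address-type=local dst-address=!192.168.10.254 action=drop comment="vlan10: only this VLAN's gateway address"
add chain=input in-interface=vlan20 dst-address-type=local dst-address=!192.168.20.254 action=drop comment="vlan20: only this VLAN's gateway address"
# Management services (SSH, WinBox, API, API-SSL, web) only from the admin VLAN
add chain=input in-interface-list=!management protocol=tcp dst-port=22,8291,8728,8729,80,443 action=drop comment="management plane only from admin VLAN"

# --- Static ARP on the main router: answer and use only configured entries ---
/ip arp add address=192.168.10.11 mac-address=00:11:22:33:44:55 interface=vlan10 comment="switch-1 (placeholder MAC)"
/interface vlan set vlan10 arp=reply-only
```

With arp=reply-only the router stops learning ARP entries dynamically on that VLAN, so every host the router must talk to on it needs a static /ip arp entry before the change, or traffic to it silently stops; verify with /ip arp print before enabling it on a VLAN you manage the router through. The per-VLAN drop rules sit in the input chain, so they only govern traffic to the router itself; traffic between VLANs is decided in the forward chain and is unaffected by them.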