Port Isolation?

RouterOS General
1

Ok so I have a RB450G 3.21 This is my first Tik

eth1 is connected to the isp and the remaining ports are

eth2 10.0.10.0/26
eth3 12.0.12.0/24
eth4 20.0.20.0/24
eth5 192.168.10.0/24

ports 2 thru 5 are masqueraded.

My problem is that the network connected to eth 3 can reach the network connected to eth5. this applies to eth2 thru eth5, they all can see each other.

My goal: to have eth2 thru eth5 isolated from each other but still connect to the internet via eth1

What do I need to do to accomplish this?

Thanks,

2

Add firewall rules in the forward chain that block traffic between those networks.

One easy way to do that is to build an address-list of the local networks that contains 10.0.10.0/26, 12.0.12.0/24, 20.0.20.0/24, 192.168.10.0/24:

/ip firewall address-list add list=local_networks address=10.0.10.0/26
/ip firewall address-list add list=local_networks address=12.0.12.0/24
/ip firewall address-list add list=local_networks address=20.0.20.0/24
/ip firewall address-list add list=local_networks address=192.168.10.0/24

Then add a filter rule that drops all traffic sourced from those networks going out any interface that isn’t the WAN:

/ip firewall filter add chain=forward src-address-list=local_networks out-interface=!ether1 action=drop

Another way is a forward chain that accepts established and related traffic, accepts traffic going out the WAN interface and drops everything else.

By the way, why are you masquerading the two public IP blocks?

3

Isn’t VLAN is supposed to do that ?

Tagged different VLANs to all ports. They will be isolated if theres no routing. Layer 2 isolation.

Firewall rules which is similar to ACL in Cisco is the more complex but more complete way since it deals with traffic at layer 3.

4

VLANs don’t introduce anything different to the situation. The RouterOS device will by default route traffic between all connected networks, be they physical or virtual, unless you block that traffic via the firewall.

5

Thanks fewi. That firewall rule is exactly what I was looking for. And you are right about the VLAN as well.

Thank You,
Josh

6

Thanks I learn something new today. Mikrotik is not exactly full VLAN support if what fewi said is true

The RouterOS device will by default route traffic between all connected networks, be they physical or virtual, unless you block that traffic via the firewall.

RouterOS only support transparent VLAN since its a Router and will not bother to look deeper into VLAN tag. Am i right ?

7

RouterOS fully implements 802.1q.

The RouterOS device will by default route traffic between all connected networks, be they physical or virtual, unless you block that traffic via the firewall.

RouterOS only support transparent VLAN since its a Router and will not bother to look deeper into VLAN tag. Am i right ?

No. VLANs are only separated from each other if they’re layer 2. What you said is true for, say, a router that has 5 fast ethernet interfaces (or one interface with 5 dot1q sub-interfaces), but the router doesn’t have any IP addresses on the interfaces. In that case the networks are completely isolated from each other. The moment you take a Cisco 7200 and slap 5 interfaces on it (physical or VLAN) and put IP addresses on the router on each interface - making the networks layer 3 from the viewpoint of the router - it will by default route all traffic between all interfaces. To block the traffic, you’d implement an ACL.
The same is true for a Mikrotik RouterOS device.

8

Yes you are right. I think I misunderstand jspool question.
What he/she states are all network addresses on ether2 to ether5.
eth2 10.0.10.0/26
eth3 12.0.12.0/24
eth4 20.0.20.0/24
eth5 192.168.10.0/24
So i logically presume he/she has a router elsewhere and not assigning ip addresses to ether2 to ether5.
Thats why if VLAN tagged, the traffic will be logically segmented into different broadcast domains.

Anyway, its clearer now. Thanks.

9

Gotcha! I see how that could be confusing.

10

Fewi, so to separate VLANs you would create a couple of Routing Rules to drop the packets assuming the VLANs are now configured on the Router on a single ethernet port?

But if I wanted a single IP in VLAN2 to access another IP in VLAN3, I would have to create a ‘lookup’ rule for this and then a drop rule for the entire IP range?

11

exactly, you would add exception rule that will accept packets that come from one address and goes to other one in other network. And place that rule just before drop rule.

also note than 12.0.0.0/8 and 20.0.0.0/8 are public ip addresses, and if you use those and they are not assigned as your address range, your customers might not access these hosts with addresses in these ranges.

here is the list of addresses for private use:
http://en.wikipedia.org/wiki/Private_network#Reserved_private_IPv4_address_space
using these you wont risk to block some host coincidently.

12

Thank you, this worked like a charm. I ignored the interface option and just dropped from one IP range to another.

If I wanted to make sure that someone doesn’t bypass this rule by changing their IP, could I simply create a rule to drop everything from say vlan20 to vlan30? I don’t see how to do this in the routing rules but perhaps in the firewall filter?

A combination of the two? Drop entire vlans via the firewall filter and then allow specific IPs via the routing rule?

13

I wouldn’t do this with routing rules at all, but then again I’m a firewall guy. Routing rules would work, I suppose. Below the relevant configuration parts for two physical interfaces (inside and outside), and 4 VLAN interfaces stacked on the inside interface (Wired, Wireless, DMZ and Admin):

/interface ethernet
set 0 disabled=no name=outside
set 1 disabled=no name=inside 
set 2 disabled=yes name=ether3
set 3 disabled=yes name=ether4 

/interface vlan
add disabled=no interface=inside name=Wired vlan-id=2
add disabled=no interface=inside name=Wireless vlan-id=3
add disabled=no interface=inside name=DMZ vlan-id=4
add disabled=no interface=inside name=Admin vlan-id=5

/ip address
add address=1.1.1.144/26 interface=outside
add address=10.2.0.1/23 interface=Wired
add address=10.3.0.1/23 interface=Wireless
add address=10.4.0.1/24 interface=DMZ
add address=10.5.0.1/24 interface=Admin

By default all those networks could pass traffic to one another.

And the firewall section to prevent that. Only the relevant parts of forward chain are shown:

add action=accept chain=forward comment="forward established traffic" connection-state=established disabled=no
add action=accept chain=forward comment="forward related traffic" connection-state=related disabled=no
add action=accept chain=forward comment="forward traffic from local interfaces to WAN" disabled=no out-interface=outside
add action=accept chain=forward comment="allow Wired to initiate traffic to DMZ, reverse is not true" in-interface=Wired out-interface=DMZ
add action=accept chain=forward comment="allow bi-directional traffic initiation between Wired and Admin, Part I" in-interface=Wired out-interface=Admin
add action=accept chain=forward comment="allow bi-directional traffic initiation between Wired and Admin, Part II" in-interface=Admin out-interface=Wired
add action=drop chain=forward comment="drop everything else" disabled=no

Every network can now pass traffic to ‘outside’, ‘Wired’ can initiate connections to ‘DMZ’ (and since related/established is allowed, DMZ can pass back traffic for those connections. ‘Wired’ and ‘Admin’ can initiate connections bi-directionally.

Hope that helps.

14

Thanks very very much Fewi. Greatly appreciated.