I have the following config:
[user@rt2] > /export hide-sensitive
# aug/20/2020 21:08:01 by RouterOS 6.47.2
# software id = A1GI-TFVF
#
# model = 960PGS
# serial number = 89F90861A06A
# Exported with "hide-sensitive", which redacts passwords/keys; the software
# id and serial number in the header above are still printed, so scrub them
# before sharing further.
# br0 does the VLAN switching: vlan-filtering=yes enables the bridge VLAN
# table (see /interface bridge vlan), ingress-filtering=yes drops tagged
# frames on VLANs a port is not a member of, and dhcp-snooping=yes is meant
# to confine DHCP server replies to ports marked trusted=yes. pvid=10 is the
# bridge's own untagged VLAN, so the lease /ip dhcp-client obtains on br0
# presumably lands in VLAN 10 together with all untagged traffic.
/interface bridge
add admin-mac=CC:2D:E0:81:0A:BE auto-mac=no dhcp-snooping=yes ingress-filtering=yes name=br0 protocol-mode=mstp pvid=10 vlan-filtering=yes
# PoE forced on for the four Pi ports (ether2-5); sfp1 is unused and kept
# administratively disabled.
/interface ethernet
set [ find default-name=ether2 ] poe-out=forced-on
set [ find default-name=ether3 ] poe-out=forced-on
set [ find default-name=ether4 ] poe-out=forced-on
set [ find default-name=ether5 ] poe-out=forced-on
set [ find default-name=sfp1 ] disabled=yes
# The only L3 VLAN interface on the router: VLAN 11 (management) on top of
# br0. VLANs 12 and 13 have no interface and no /ip address here, so the
# router only bridges them; it never routes between them.
/interface vlan
add interface=br0 name=management vlan-id=11
/interface ethernet switch
set 0 name=sw1
# Lists used by the in/out-bridge-port-list matchers in /ip firewall filter:
# external = the uplink to rt1, internal = the Pi ports (membership is set in
# /interface list member).
/interface list
add name=external
add name=internal
# Factory-default pool; no /ip dhcp-server section appears in this export,
# so it looks unused - NOTE(review): confirm before relying on it.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# Default SNMP community disabled on the router itself (the "management"
# filter chain still admits 161/162 towards the Pis).
/snmp community
set [ find default=yes ] disabled=yes
# Every port has pvid=10, so untagged frames from any port - the Pi ports
# included - are placed in VLAN 10 ("native"). ether2-5 set no frame-types,
# so the RouterOS default applies and the Pis may send both untagged and
# tagged (11/12/13) frames. ether1 (uplink to rt1, which is not VLAN aware)
# admits untagged/priority-tagged only and is trusted=yes for dhcp-snooping,
# i.e. rt1 is the expected DHCP server side.
# bpdu-guard=yes with edge=yes-discover on the Pi ports disables a port that
# starts emitting BPDUs. hw=no keeps the ports on the CPU bridge instead of
# the switch chip, presumably so that the IP firewall sees all bridged
# traffic.
/interface bridge port
add bpdu-guard=yes bridge=br0 comment=rp1 edge=yes-discover hw=no ingress-filtering=yes interface=ether2 pvid=10
add bpdu-guard=yes bridge=br0 comment=rp2 edge=yes-discover hw=no ingress-filtering=yes interface=ether3 pvid=10
add bpdu-guard=yes bridge=br0 comment=rp3 edge=yes-discover hw=no ingress-filtering=yes interface=ether4 pvid=10
add bridge=br0 comment=rt1 frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether1 pvid=10 trusted=yes
add bpdu-guard=yes bridge=br0 comment=rp4 edge=yes-discover hw=no ingress-filtering=yes interface=ether5 pvid=10
# Bridged traffic, VLAN-tagged included (use-ip-firewall-for-vlan), is
# evaluated by /ip firewall filter. The forward chain is therefore what
# separates the Pi ports from each other and from ether1 at L3; the bridge
# VLAN table alone does not, because all ports share VLAN 10.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
# No neighbor-discovery advertisements on any interface.
/ip neighbor discovery-settings
set discover-interface-list=none
# Bridge VLAN table. VLAN 10 is untagged on all five ports, ether1 included,
# so every untagged frame from a Pi is switched straight to rt1's LAN and
# vice versa. VLANs 11-13 are tagged only on ether2-5; ether1 is not a
# member, so tagged 11/12/13 frames never reach rt1 through the bridge.
# Whether a Pi addressed 172.27.13.x is really "in VLAN 13" depends on the
# Pi tagging its frames with 13; if it sends untagged, it is simply a VLAN 10
# host with a 172.27.13.x address - NOTE(review): check the Pi side.
/interface bridge vlan
add bridge=br0 comment=native untagged=ether1,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=br0 comment=management tagged=ether2,ether3,ether4,ether5 vlan-ids=11
add bridge=br0 comment=replication tagged=ether2,ether3,ether4,ether5 vlan-ids=12
add bridge=br0 comment=public tagged=ether2,ether3,ether4,ether5 vlan-ids=13
# external = ether1 (towards rt1), internal = ether2-5 (the Pis).
/interface list member
add interface=ether1 list=external
add interface=ether2 list=internal
add interface=ether3 list=internal
add interface=ether4 list=internal
add interface=ether5 list=internal
# The router's only static address is on the management VLAN interface; br0
# itself takes a DHCP lease (presumably from rt1 over VLAN 10).
/ip address
add address=172.27.11.1/24 interface=management network=172.27.11.0
/ip dhcp-client
add disabled=no interface=br0
# "bogon" is used as dst-address-list=!bogon on the internal->external rule.
# 172.16.0.0/12 is disabled, presumably because the 172.27.x networks below
# fall inside it; 169.254.0.0/16 is disabled as well.
/ip firewall address-list
add address=0.0.0.0/8 comment="self-identification [rfc 3330]" list=bogon
add address=10.0.0.0/8 comment="private class a [rfc 1918]" list=bogon
add address=127.0.0.0/8 comment="loopback [rfc 3330]" list=bogon
add address=172.16.0.0/12 comment="private class b [rfc 1918]" disabled=yes list=bogon
add address=169.254.0.0/16 comment="link-local [rfc 3330]" disabled=yes list=bogon
add address=192.168.0.0/16 comment="private class c [rfc 1918]" list=bogon
add address=192.0.2.0/24 comment="test-net 1 [rfc 5737]" list=bogon
add address=192.88.99.0/24 comment="6to4 relay anycast [rfc 3068]" list=bogon
add address=198.18.0.0/15 comment="bmwg testing [rfc 6815]" list=bogon
add address=198.51.100.0/24 comment="test-net 2 [rfc 5737]" list=bogon
add address=203.0.113.0/24 comment="test-net 3 [rfc 5737]" list=bogon
add address=224.0.0.0/4 comment="private class d (multicast) [rfc 1112]" list=bogon
# Per-VLAN address lists. The src/dst-address-list matchers in the filter
# key on these, so the "which VLAN" decisions below are made on IP addresses,
# not on the VLAN tag a frame actually carried.
add address=172.27.10.0/24 list=native
add address=172.27.11.0/24 list=management
add address=172.27.12.0/24 list=replication
add address=172.27.13.0/24 list=public
# First match wins within a chain; bridged traffic is evaluated here because
# of use-ip-firewall=yes in /interface bridge settings.
/ip firewall filter
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="accept established, related, untracked (external --> internal)" connection-state=established,related,untracked
# Internet-bound traffic from the Pis. !bogon keeps it off the listed ranges;
# 172.16.0.0/12 is disabled in that list, so 172.27.x destinations pass.
add action=accept chain=forward comment="accept new (internal --> external)" connection-state=new dst-address-list=!bogon in-bridge-port-list=internal out-bridge-port-list=external
# Temporary rules marked "(remove later)": this one and the next five, plus
# the two chain=native ssh/pacemaker rules further down. Three of them are
# enabled: ssh on 22/900/4443 to native addresses from br0, from the
# management VLAN, and from ether1. The ether1 rule only checks that the
# source IP is in 172.27.10.0/24.
add action=accept chain=input comment="accept http (native) (remove later)" connection-state=new disabled=yes dst-address-list=native dst-port=80 in-interface=br0 protocol=tcp
add action=accept chain=forward connection-state=new disabled=yes dst-address-list=native dst-port=22,4443 protocol=tcp
add action=accept chain=input comment="accept ssh (native) (remove later)" connection-state=new dst-address-list=native dst-port=22,900,4443 in-interface=br0 protocol=tcp
add action=accept chain=input comment="accept ssh (management) (remove later)" connection-state=new dst-address-list=management dst-port=22,900,4443 in-interface=management protocol=tcp
add action=jump chain=forward comment="allow from external (remove later)" connection-state=new dst-address-list=native dst-port=22,900,4443 in-bridge-port-list=external jump-target=native out-bridge-port-list=internal protocol=tcp src-address-list=native
add action=jump chain=forward comment="allow from external (remove later)" connection-state=new disabled=yes dst-address-list=native in-bridge-port-list=external jump-target=native out-bridge-port-list=internal src-address-list=native
# Inter-VLAN dispatch keys on address lists, not on VLAN membership: a host
# on any internal port that uses a 172.27.12.x source and destination is
# treated as "replication" regardless of the tag on its frames. "public" is
# reached from ether1 (rt1's side) only.
add action=jump chain=forward comment="jump to native rules" connection-state=new dst-address-list=native in-bridge-port-list=internal jump-target=native out-bridge-port-list=internal src-address-list=native
add action=jump chain=forward comment="jump to management rules" connection-state=new dst-address-list=management in-bridge-port-list=internal jump-target=management out-bridge-port-list=internal src-address-list=management
add action=jump chain=forward comment="jump to replication rules" connection-state=new dst-address-list=replication in-bridge-port-list=internal jump-target=replication out-bridge-port-list=internal src-address-list=replication
add action=jump chain=forward comment="jump to public rules" connection-state=new dst-address-list=public in-bridge-port-list=external jump-target=public out-bridge-port-list=internal
# Accepts any unsolicited UDP datagram arriving on ether1 with source port 53
# towards ports 1024-65535 on the Pis (connection-state=new, no source
# address restriction). Replies to the Pis' own DNS queries already match the
# established/related rule above, so this rule only adds exposure. The DHCP
# rule below has the same shape; offers may not match a tracked connection,
# which is presumably why it exists.
add action=accept chain=forward comment="accept dns (external --> internal)" connection-state=new dst-port=1024-65535 in-bridge-port-list=external out-bridge-port-list=internal protocol=udp src-port=53
add action=accept chain=forward comment="accept dhcp (external --> internal)" connection-state=new dst-port=68 in-bridge-port-list=external out-bridge-port-list=internal protocol=udp src-port=67
# Per-list chains: accept by destination port only. A packet that matches
# nothing returns to the forward chain and ends at the reject below.
add action=accept chain=native comment="accept ssh (remove later)" dst-port=22,900,4443 protocol=tcp
add action=accept chain=native comment="accept pacemaker (remove later)" dst-port=2224 protocol=tcp
add action=accept chain=native comment="accept mail relay, submission, imaps" dst-port=25,587,993 protocol=tcp
add action=accept chain=native comment="accept dns" dst-port=53 protocol=tcp
add action=accept chain=native comment="accept dns" dst-port=53 protocol=udp
add action=accept chain=native comment="accept http, https" dst-port=80,443 protocol=tcp
add action=accept chain=management comment="accept ssh" dst-port=22,900,4443 protocol=tcp
add action=accept chain=management comment="accept http, https" dst-port=80,443 protocol=tcp
add action=accept chain=management comment="accept snmp, snmp trap" dst-port=161,162 protocol=udp
add action=accept chain=management comment="accept pacemaker" dst-port=2224 protocol=tcp
add action=accept chain=replication comment="accept lmtp" dst-port=24 protocol=tcp
add action=accept chain=replication comment="accept sasl" dst-port=2222 protocol=tcp
add action=accept chain=replication comment="accept mysql" dst-port=3308 protocol=tcp
add action=accept chain=replication comment="accept gluster" dst-port=24007-24008,49152-49155 protocol=tcp
add action=accept chain=public comment="accept mail relay, submission, imaps" dst-port=25,587,993 protocol=tcp
add action=accept chain=public comment="accept dns" dst-port=53 protocol=tcp
add action=accept chain=public comment="accept dns" dst-port=53 protocol=udp
add action=accept chain=public comment="accept http, https" dst-port=80,443 protocol=tcp
add action=accept chain=public comment="accept vpn" dst-port=1194 protocol=tcp
add action=accept chain=public comment="accept vpn" dst-port=1194 protocol=udp
# Unrestricted: no in/out-bridge-port-list or address matcher, so ICMP,
# broadcast and multicast are forwarded between any two bridge ports
# regardless of VLAN or address list. This forward rule, rather than the
# input-chain one below (which only sees traffic addressed to the router
# itself), is presumably what passes bridged pings between the Pis and rt1's
# LAN.
add action=accept chain=forward comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment="accept broadcast" dst-address-type=broadcast
add action=accept chain=forward comment="accept multicast" dst-address-type=multicast
# Input chain (traffic to the router). No capsman section appears in this
# export, so the 127.0.0.1 rule looks like a leftover - NOTE(review): confirm.
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept to local loopback (for capsman)" dst-address=127.0.0.1
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept broadcast" dst-address-type=broadcast
add action=accept chain=input comment="accept multicast" dst-address-type=multicast
# Default-deny for input and forward, logged. reject (vs drop) tells the
# sender that a filter is in place.
add action=reject chain=input log=yes reject-with=icmp-admin-prohibited
add action=reject chain=forward log=yes reject-with=icmp-admin-prohibited
# Output chain: drop invalid, accept everything else.
add action=drop chain=output connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=output
# Management-plane hardening: telnet, ftp, www, api, winbox and api-ssl are
# off; ssh moved to 900. www-ssl is not mentioned, so it keeps its default -
# NOTE(review): confirm. The input chain only admits 22/900/4443 from br0
# (native) and the management VLAN, so 900 is reachable from those only; 22
# and 4443 in those rules are presumably for the Pis, not the router.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=900
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
# Restricts ssh to the stronger cipher/MAC/kex set.
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=rt2
# Login banner.
/system note
set note="UNAUTHORIZED ACCESS TO THIS NETWORK IS PROHIBITED"
# Layer-2 management services disabled on all interfaces (btest, MAC telnet,
# MAC winbox, MAC ping).
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
I have 4 Raspberry Pis connected to this 5-port Mikrotik hEX PoE (ether2-ether5), which is called rt2. ether1 connects to my router, which is the internet gateway (rt1).
The setup I have in mind is to block access to VLAN 11 and 12 from any other connection. I thought that by isolating them the way I have, I would accomplish this, but as I'll show in this post, this is not the case. VLAN 13 acts as the public VLAN, where services are offered via NAT to the internet or directly via IPv6 (to be set up later).
Because VLAN 13 needs to be accessible from hosts attached to my internet gateway router (rt1), and thus from all locally connected devices on rt1, I created a static route: 172.27.13.0/24 → 172.27.10.254, where the first subnet is the network assigned to the Raspberry Pis and the next hop is the IP of rt1 (the internet gateway router).
This route was already sufficient to allow hosts attached to rt1 (in this case host ws1) to ping the Raspberry Pis attached to rt2 (the Mikrotik).
[user@ws1]$ ping 172.27.13.2 -c 3
PING 172.27.13.2 (172.27.13.2) 56(84) bytes of data.
From 172.27.10.254 icmp_seq=1 Redirect Host(New nexthop: 2.13.27.172)
64 bytes from 172.27.13.2: icmp_seq=1 ttl=64 time=1.00 ms
64 bytes from 172.27.13.2: icmp_seq=2 ttl=64 time=0.577 ms
--- 172.27.13.2 ping statistics ---
2 packets transmitted, 2 received, +1 errors, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.577/0.788/1.000/0.211 ms
IP route table of ws1 (host attached to rt1)
$ ip route
default via 172.27.10.254 dev enp59s0u1u4u3 proto dhcp metric 100
default via 172.27.10.254 dev wlp2s0 proto dhcp metric 600
172.27.10.0/24 dev enp59s0u1u4u3 proto kernel scope link src 172.27.10.178 metric 100
172.27.10.0/24 dev wlp2s0 proto kernel scope link src 172.27.10.109 metric 600
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
I thought I had set up my VLANs correctly, but clearly I didn't, because I was expecting to have to do more, e.g. add ether1 as an untagged interface, or something like that. But ether1 (which attaches VLAN 13 to rt1) is not included yet.
My guess is that this is due to PVID 10, which is set on all interfaces, and VLAN 10 being used on all interfaces for the VLAN called "native", so that forwarding interconnects the VLANs anyway. When I disable the following firewall rule:
action=accept chain=input comment="accept ICMP" protocol=icmp
the pings are filtered. So in other words, the VLANs are not separated as I planned. It might also be the way I set up ether1, i.e.
add bridge=br0 comment=rt1 frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether1 pvid=10 trusted=yes
Is there a way to isolate VLAN 12 and 13 from VLAN 10 and 13 at the VLAN level, i.e. without L3 solutions such as static routes or firewalls? The Raspberry Pis don't have multiple interfaces. I also don't have extra ports free on the Mikrotik. My rt1 (internet gateway router) is not VLAN aware.