RB3011 // Multiple VLANS - Firewall not working...

Dear all, I have had a small MikroTik router for two years; now I have switched to an RB 3011 because I need a stronger router (IPsec).
I want to implement multiple VLANS, one TRUNK Port, one WAN (Another Wan will come when basics work).
I did my preparations (VLAN,DHCP,Bridging), all ok, i get the ips for each net on the ports.

BUT

When i put a firewall rule Forward accept (on top of rules) everything is ok.

# NOTE(review): diagnostic rule only. It accepts new, established and related
# connections on the forward chain with no interface or address matcher, so
# nearly all routed traffic is allowed; only packets in other connection
# states (e.g. invalid) fall through. Placed on top, it means drop rules
# below it are never reached for that traffic, including any that would
# separate the guest VLAN (60) from the admin VLAN (50).
/ip firewall filter
add action=accept chain=forward connection-state=established,related,new

But when I define an incoming interface (e.g. VLAN 50) or an outgoing interface (WAN) in the rule, the firewall is blocking/not working.
I have heard 3011 is unique regarding this topic?

 RouterOS 6.47
# model = RB3011UiAS

# Single bridge with VLAN filtering enabled; the ports added under
# /interface bridge port are its members.
/interface bridge
add admin-mac=C4:AD:34:E5:A3:DA auto-mac=no comment=BRIDGE_MAIN name=\
    BRIDGE_MAIN vlan-filtering=yes
# Rename the physical ports.
# NOTE(review): 9_UPLINK-SWITCH and 10_ACCESS are used further down but are
# not renamed here, so the paste looks incomplete.
/interface ethernet
set [ find default-name=ether1 ] name=1_WAN
set [ find default-name=ether2 ] name=2_OFFICE
set [ find default-name=ether3 ] name=3_LAN3
set [ find default-name=ether4 ] name=4_LAN4
set [ find default-name=ether5 ] name=5_ADMIN
set [ find default-name=ether6 ] name=6_GUEST
# VLAN interfaces. VLAN10 and VLAN50 sit on the bridge; VLAN20, VLAN30,
# VLAN40 and VLAN60 are attached to physical ports instead.
# NOTE(review): 3_LAN3, 4_LAN4 and 6_GUEST are also bridge ports, and
# 9_UPLINK-SWITCH is listed as a tagged member in /interface bridge vlan.
# A VLAN interface on a port that is itself a bridge member presumably does
# not see that port's traffic; this is likely the "conflict" the reply
# refers to. Confirm against the linked VLAN guide.
/interface vlan
add comment=VLAN10 interface=BRIDGE_MAIN name=VLAN10 vlan-id=10
add comment=VLAN20 interface=4_LAN4 name=VLAN20 vlan-id=20
add comment=VLAN30 interface=3_LAN3 name=VLAN30 vlan-id=30
add comment=VLAN40 interface=9_UPLINK-SWITCH name=VLAN40 vlan-id=40
add comment=VLAN50 interface=BRIDGE_MAIN name=VLAN50 vlan-id=50
add comment=VLAN60 interface=6_GUEST name=VLAN60 vlan-id=60
# Interface lists WAN and LAN; membership is assigned under
# /interface list member.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Address pools, one per subnet. dhcp_pool2, dhcp_pool3 and dhcp_pool4 hold a
# single address each.
/ip pool
add name=DHCP_MAIN ranges=192.168.1.10-192.168.1.20
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.10
add name=dhcp_pool2 ranges=192.168.20.2
add name=dhcp_pool3 ranges=192.168.30.2
add name=dhcp_pool4 ranges=192.168.40.2
add name=dhcp_pool5 ranges=192.168.50.2-192.168.50.5
add name=dhcp_pool6 ranges=192.168.60.2-192.168.60.10
# One DHCP server per VLAN interface, plus DHCP_MAIN bound to the bridge
# itself (the reply in this thread advises against serving DHCP on the bridge).
/ip dhcp-server
add address-pool=DHCP_MAIN disabled=no interface=BRIDGE_MAIN lease-time=23h \
    name=DHCP_MAIN
add address-pool=dhcp_pool1 disabled=no interface=VLAN10 lease-time=23h name=\
    DHCP_VLAN10
add address-pool=dhcp_pool2 disabled=no interface=VLAN20 lease-time=23h name=\
    DHCP_VLAN20
add address-pool=dhcp_pool3 disabled=no interface=VLAN30 lease-time=23h name=\
    DHCP_VLAN30
add address-pool=dhcp_pool4 disabled=no interface=VLAN40 lease-time=23h name=\
    DHCP_VLAN40
add address-pool=dhcp_pool5 disabled=no interface=VLAN50 lease-time=23h name=\
    DHCP_VLAN50
add address-pool=dhcp_pool6 disabled=no interface=VLAN60 lease-time=23h name=\
    DHCP_VLAN60
# Access ports: only untagged/priority-tagged frames are admitted and each
# port is given the VLAN named by its pvid.
/interface bridge port
add bridge=BRIDGE_MAIN comment=2_OFFICE frame-types=\
    admit-only-untagged-and-priority-tagged interface=2_OFFICE pvid=10
add bridge=BRIDGE_MAIN comment=3_LAN3 frame-types=\
    admit-only-untagged-and-priority-tagged interface=3_LAN3 pvid=30
add bridge=BRIDGE_MAIN comment=4_LAN4 frame-types=\
    admit-only-untagged-and-priority-tagged interface=4_LAN4 pvid=20
add bridge=BRIDGE_MAIN comment=5_ADMIN frame-types=\
    admit-only-untagged-and-priority-tagged interface=5_ADMIN pvid=50
add bridge=BRIDGE_MAIN comment=6_GUEST frame-types=\
    admit-only-untagged-and-priority-tagged interface=6_GUEST pvid=60
# NOTE(review): the next line is a stray fragment; the start of the
# 9_UPLINK-SWITCH bridge-port entry appears to be missing from the paste, so
# the trunk port's frame-types/pvid settings cannot be checked here.
    9_UPLINK-SWITCH
# NOTE(review): 10_ACCESS sets neither pvid nor frame-types, so it runs on the
# defaults (presumably pvid=1, which has no entry in /interface bridge vlan).
# Confirm which VLAN this port is meant to reach.
add bridge=BRIDGE_MAIN comment=defconf interface=10_ACCESS
add bridge=BRIDGE_MAIN comment=defconf disabled=yes interface=sfp1
# use-ip-firewall passes bridged traffic through the IP firewall as well.
# NOTE(review): with this enabled, rules matching on an in/out interface may
# see bridged frames with a different interface than the VLAN interface the
# rule names. Verify whether it is needed; traffic routed between VLAN
# interfaces is presumably filtered by the forward chain without it.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
# Bridge VLAN table. BRIDGE_MAIN is tagged in every VLAN; 9_UPLINK-SWITCH
# carries VLANs 40, 50 and 60 tagged; VLANs 10, 20 and 30 are not on the trunk.
/interface bridge vlan
add bridge=BRIDGE_MAIN tagged=BRIDGE_MAIN untagged=2_OFFICE vlan-ids=10
add bridge=BRIDGE_MAIN tagged=BRIDGE_MAIN untagged=4_LAN4 vlan-ids=20
add bridge=BRIDGE_MAIN tagged=BRIDGE_MAIN untagged=3_LAN3 vlan-ids=30
add bridge=BRIDGE_MAIN tagged=9_UPLINK-SWITCH,BRIDGE_MAIN vlan-ids=40
add bridge=BRIDGE_MAIN tagged=9_UPLINK-SWITCH,BRIDGE_MAIN untagged=5_ADMIN \
    vlan-ids=50
add bridge=BRIDGE_MAIN tagged=9_UPLINK-SWITCH,BRIDGE_MAIN untagged=6_GUEST \
    vlan-ids=60
# NOTE(review): switch-chip VLAN entry for VLAN 50 on 5_ADMIN, in addition to
# the bridge VLAN filtering above. That is two VLAN mechanisms configured for
# the same port; confirm this is intended.
/interface ethernet switch vlan
add independent-learning=no ports=5_ADMIN switch=switch1 vlan-id=50
# NOTE(review): only BRIDGE_MAIN is a member of LAN; none of the VLAN
# interfaces are. A firewall rule matching in-interface-list=LAN would not
# match traffic arriving on VLAN10-VLAN60. Check this against the filter
# rules, which are not part of the paste.
/interface list member
add comment=defconf interface=BRIDGE_MAIN list=LAN
add comment=defconf interface=1_WAN list=WAN
# Router (gateway) address for each subnet; 192.168.1.1/24 is assigned
# directly to the bridge, the others to the VLAN interfaces.
/ip address
add address=192.168.1.1/24 comment=defconf interface=BRIDGE_MAIN network=\
    192.168.1.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
add address=192.168.50.1/24 interface=VLAN50 network=192.168.50.0
add address=192.168.60.1/24 interface=VLAN60 network=192.168.60.0
# Gateway handed out to DHCP clients of each subnet.
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.60.0/24 gateway=192.168.60.1

Any idea..? thank you..

Your config is confused such that you have conflicts…

What you need to do is read over this ref and then adjust your config accordingly.
Use one bridge, put all your subnets on VLANs, and don't use the bridge itself for DHCP services…

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

All worked out now. Thank you for the post of viewtopic.php?f=13&t=143620. this makes all clear now :wink:

regards mikron00b