Required gateways isolation in bridge VLAN

Dear Support,
I have configured different gateways on different VLANs, which are tagged through the bridge. When I untag any of the VLANs, all gateways are reachable from the endpoint PC.

I tried to isolate the gateways from each other but was not able to. The configuration is below; please review it and provide a solution.

Configuration Details

/interface bridge
add name=Bridge-LAN protocol-mode=none vlan-filtering=yes

/interface ethernet
set [ find default-name=ether7 ] name=ether7-out_test_bablu
set [ find default-name=ether8 ] name=ether8-test_bablu

/interface vlan
add interface=Bridge-LAN name=1833-test vlan-id=1833
add interface=Bridge-LAN name="3375 TEST" vlan-id=3375
add interface=Bridge-LAN name="3376 TEST1" vlan-id=3376

/ip address
add address=192.168.148.1/24 interface=1833-test network=192.168.148.0
add address=10.12.158.1/24 interface="3375 TEST" network=10.12.158.0
add address=10.12.159.1/24 interface="3376 TEST1" network=10.12.159.0

/interface bridge port
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether7-out_test_bablu pvid=3375
add bridge=Bridge-LAN frame-types=admit-only-vlan-tagged interface=ether8-test_bablu

/interface bridge vlan
add bridge=Bridge-LAN tagged=Bridge-LAN,ether8-test_bablu untagged=ether7-out_test_bablu vlan-ids=1833,3375,3376

This forum is not vendor support in the traditional sense. Some more (or even less) experienced users volunteer to help others by giving their advice.


The purpose of VLANs is to isolate the traffic at L2 (MAC address) level: two hosts connected to access ports of different VLANs are unable to talk directly to each other using their MAC addresses. But if a device (like your router) has access interfaces to both those VLANs and has an IP address attached to each of those interfaces, in the same subnet as the other hosts in the respective VLAN, it will accept traffic whose destination is any of those IP addresses. And if such a multi-subnet device is a router, it will also be able to forward traffic among all the subnets it has its own addresses in. To prevent this, you have to use firewall rules to filter the traffic depending on some criteria.

The fact that the router itself responds to a given host from IP addresses outside the subnet of that host causes no issue; the fact that said host can reach other hosts is the actual issue you might want to resolve.

So what are the actual requirements regarding where the hosts in various subnets and VLANs should be able to get and where they shouldn’t?

/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, etc.)

The MT config is interrelated; just showing one part is not going to cut it.
The requirements for user traffic requested by Sindy are also critical.
I would add:
Any external users? Either going to servers on the LAN, or the admin reaching the router for config purposes.
How many WANs?
Which device?

You really need to read this → http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

You cannot have more than one untagged pvid assigned to any port and thus this fails
/interface bridge vlan
add bridge=Bridge-LAN tagged=Bridge-LAN,ether8-test_bablu untagged=ether7-out_test_bablu vlan-ids=1833,3375,3376

should be for example:

/interface bridge vlan
add bridge=Bridge-LAN tagged=Bridge-LAN,ether8-test_bablu untagged=ether7-out_test_bablu vlan-ids=3375
add bridge=Bridge-LAN tagged=Bridge-LAN,ether8-test_bablu vlan-ids=1833,3376
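Putting the two points of this thread together (one untagged VLAN per access port in the bridge VLAN table, and firewall rules to stop the router forwarding between the subnets it owns, as Sindy described above), here is a complete, consistent layout for the three VLANs from the original export. This is an added example, not configuration posted by anyone in the thread; it assumes ether7 is the access port for VLAN 3375, ether8 is the trunk, the bridge itself carries all three VLANs tagged so the router can route them, and the policy is "no new connections from any VLAN into any other VLAN". The interface list name VLANS and the log prefix are my own choices.

```routeros
# Added example: consistent bridge VLAN layout plus inter-VLAN filtering.
# Assumptions (not from the thread): ether7 = access port for 3375,
# ether8 = trunk, bridge routes all three VLANs, all new inter-VLAN
# flows are dropped. Rename interfaces and subnets to match your export.

/interface bridge
add name=Bridge-LAN protocol-mode=none vlan-filtering=yes

/interface bridge port
# access port: exactly one PVID, untagged frames only
add bridge=Bridge-LAN interface=ether7-out_test_bablu pvid=3375 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# trunk port: tagged frames only
add bridge=Bridge-LAN interface=ether8-test_bablu \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
# ether7 is an untagged member of one VLAN only; the other VLANs omit it
add bridge=Bridge-LAN vlan-ids=3375 tagged=Bridge-LAN,ether8-test_bablu \
    untagged=ether7-out_test_bablu
add bridge=Bridge-LAN vlan-ids=1833,3376 tagged=Bridge-LAN,ether8-test_bablu

/interface vlan
add interface=Bridge-LAN name=1833-test vlan-id=1833
add interface=Bridge-LAN name="3375 TEST" vlan-id=3375
add interface=Bridge-LAN name="3376 TEST1" vlan-id=3376

/ip address
add address=192.168.148.1/24 interface=1833-test
add address=10.12.158.1/24 interface="3375 TEST"
add address=10.12.159.1/24 interface="3376 TEST1"

# Group the VLAN interfaces so a single rule covers every pair of them
/interface list
add name=VLANS
/interface list member
add list=VLANS interface=1833-test
add list=VLANS interface="3375 TEST"
add list=VLANS interface="3376 TEST1"

/ip firewall filter
# replies to connections that were already allowed may pass
add chain=forward action=accept connection-state=established,related \
    comment="allow replies"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# any new flow that enters on one VLAN interface and would leave on a
# VLAN interface (the same or another one) is dropped and logged
add chain=forward action=drop in-interface-list=VLANS out-interface-list=VLANS \
    log=yes log-prefix="inter-vlan-drop" comment="isolate VLANs from each other"
# VLAN -> WAN traffic is not matched above; add accept/drop rules for it
# according to your own policy

# Checks: one untagged port per VLAN, learned hosts land in the expected
# VLAN, and the drop rule's counters increase when a cross-VLAN ping is tried
/interface bridge vlan print
/interface bridge host print
/ip firewall filter print stats
```

Note that a host pinging the router's own address in a different VLAN is handled by the input chain, not forward, so the rule above does not stop it; as Sindy pointed out, that reachability is not the problem, host-to-host forwarding is. If the admin needs to reach the router from one VLAN only, add matching input-chain rules for that as well.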