ROS7 VLAN problem

Hello,
I would like to configure VLANs on a Mikrotik ax3 router under ROS7, but I have a small problem that I would like your help with, because I am still new to ROS7.

I want to create three VLANs, one for local network traffic (BASE), one for the server’s public internet port (SRV) and one for the guest network (GUEST). I haven’t set up WiFi yet and I’ve connected the ether1 port of the ax3 to the local working network (fixed IP).

I created the VLANs and they work: DHCP is handed out to the PCs on each port and each VLAN has access to the internet. Overall it seems good, but the problem is that I can’t separate the VLANs from each other with a firewall filter.

I’m trying to solve it with these firewall filters, but without success:

/ip firewall filter
# Pairwise drops between the three VLAN interfaces, both directions.
# NOTE(review): these rules match on in-interface/out-interface only, so they
# can only take effect for a packet that no earlier forward rule has already
# accepted. In the config further down, the rule commented "VLAN inter-VLAN
# routing" accepts every new connection from the VLAN list before any drop is
# reached, so placement of these six rules relative to it is what matters.
add action=drop chain=forward in-interface=GUEST_VLAN out-interface=BASE_VLAN
add action=drop chain=forward in-interface=BASE_VLAN out-interface=GUEST_VLAN
add action=drop chain=forward in-interface=GUEST_VLAN out-interface=SRV_VLAN
add action=drop chain=forward in-interface=SRV_VLAN out-interface=GUEST_VLAN
add action=drop chain=forward in-interface=SRV_VLAN out-interface=BASE_VLAN
add action=drop chain=forward in-interface=BASE_VLAN out-interface=SRV_VLAN

These worked on ROS6, but now I’m messing something up and I can’t see what I’m doing wrong. If someone could take a fresh look at it and suggest a solution, it would be a great help.

The config is as follows:

# Single bridge with VLAN filtering; the three VLAN interfaces below are
# created on bridge1 and carry the router's IP addresses for each VLAN.
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
# NOTE(review): proxy-arp is enabled only on BASE_VLAN and nothing else in this
# export depends on it -- confirm it is intended.
add arp=proxy-arp interface=bridge1 name=BASE_VLAN vlan-id=10
add interface=bridge1 name=SRV_VLAN vlan-id=20
add interface=bridge1 name=GUEST_VLAN vlan-id=99
/interface list
add name=LAN
add name=WAN
add name=VLAN
add name=BASE
add name=GUEST
/ip pool
add name=BASE_POOL ranges=192.168.2.201-192.168.2.240
add name=GUEST_POOL ranges=192.168.6.201-192.168.6.240
add name=SRV_POOL ranges=10.0.10.201-10.0.10.240
/ip dhcp-server
add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
add address-pool=SRV_POOL interface=SRV_VLAN name=SRV_DHCP
# Access ports: ether2/ether3 -> VLAN 10, ether5 -> VLAN 20, ether4 -> VLAN 99.
# (The line breaks inside the "add" commands below appear to come from the
# forum paste; each "add ... pvid=N" pair is one command.)
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged
interface=ether2 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged
interface=ether3 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged
interface=ether5 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged
interface=ether4 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ipv6 settings
set disable-ipv6=yes
# NOTE(review): ether4 is listed as untagged for vlan-ids=20 here although its
# pvid above is 99, and there is no entry for vlan-ids=99 at all in this
# export. The bridge may still derive a dynamic VLAN 99 entry from the pvid,
# but the static table does not match the port assignment -- compare with
# "/interface bridge vlan print".
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether5,ether4 vlan-ids=20
# Interface lists used by the firewall: WAN = ether1, VLAN = all three VLAN
# interfaces; LAN is defined above but has no members.
/interface list member
add interface=ether1 list=WAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=VLAN
add interface=SRV_VLAN list=VLAN
add interface=GUEST_VLAN list=GUEST
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.2.254/24 interface=BASE_VLAN network=192.168.2.0
# NOTE(review): no prefix length on the ether1 address (network=192.168.1.0 is
# given but no /24); confirm the intended mask -- the /24 is otherwise only
# referenced by the static route at the end of this export.
add address=192.168.1.225 interface=ether1 network=192.168.1.0
add address=192.168.6.254/24 interface=GUEST_VLAN network=192.168.6.0
add address=10.0.10.254/24 interface=SRV_VLAN network=10.0.10.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
# NOTE(review): the SRV entry has a space after the comma in dns-server, unlike
# the other two -- probably a paste artifact, but verify the live export.
add address=10.0.10.0/24 dns-server=10.0.10.254, 8.8.8.8 gateway=
10.0.10.254
add address=192.168.2.0/24 dns-server=192.168.2.254,8.8.8.8 gateway=
192.168.2.254 netmask=24
add address=192.168.6.0/24 dns-server=192.168.6.254,8.8.8.8 gateway=
192.168.6.254
/ip dns
set servers=8.8.8.8,8.8.4.4
# Rules in a chain are evaluated top to bottom; the first match ends processing.
# (The curly quotes around the comment= values are most likely a forum
# rendering artifact; RouterOS expects straight double quotes.)
/ip firewall filter
add action=accept chain=input comment=“Allow Estab & Related & Untracked”
connection-state=established,related,untracked
add action=accept chain=input comment=“Allow VLAN” in-interface-list=VLAN
# NOTE(review): this is the only drop in the input chain and it is disabled,
# so the chain ends without a drop. Anything not matched by the two accepts
# above -- including new connections arriving on ether1 (WAN) -- reaches the
# router's own services.
add action=drop chain=input comment=Drop disabled=yes
# NOTE(review): the IP addresses sit on the VLAN interfaces, so routed traffic
# from the VLANs is most likely seen with in-interface=BASE_VLAN/SRV_VLAN/
# GUEST_VLAN rather than bridge1, and this rule would never match; the
# "VLAN Internet Access only" rule below already covers VLAN -> WAN.
add action=accept chain=forward connection-state=new in-interface=bridge1
out-interface=ether1
# Accepts EVERY new connection from any VLAN-list interface to ANY destination
# (there is no out-interface restriction). Every inter-VLAN drop placed below
# this rule is unreachable for new connections.
add action=accept chain=forward comment=“VLAN inter-VLAN routing”
connection-state=new in-interface-list=VLAN
# Comment says "Untracked" but the matcher lists only established,related.
add action=accept chain=forward comment=“Allow Estab & Related & Untracked”
connection-state=established,related
add action=accept chain=forward comment=“VLAN Internet Access only”
connection-state=new in-interface-list=VLAN out-interface-list=WAN
# Intended inter-VLAN block; unreachable for new connections while the
# "VLAN inter-VLAN routing" accept sits above it.
add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan
add action=drop chain=forward comment=“Drop all from WAN not DSTNATed”
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=
192.168.2.0/24
# NOTE(review): masquerade is disabled, so packets from the VLAN subnets leave
# ether1 with their private source addresses; internet access then depends on
# the upstream network having routes back to 192.168.2.0/24, 192.168.6.0/24
# and 10.0.10.0/24 -- confirm.
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
/ip route
# Default route via the ether1 interface itself rather than a next-hop address.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ether1
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.1.0/24 gateway=192.168.1.254
routing-table=main suppress-hw-offload=no

Thank you for your help.

You have this rule near the top of the filter chain:


# The rule as it stands in the posted config: accepts any new connection coming
# from a VLAN-list interface, with no restriction on the outgoing interface.
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
    connection-state=new in-interface-list=VLAN

It nullifies any “drop between VLANs” rule that you put below it. Within the same chain (forward in this case) rules are checked from top to bottom; processing stops as soon as all conditions of that accept rule match, the packet is accepted, and the drop rules further down are never evaluated.

This means the first packet of a new connection between the VLANs is always accepted. The following packets of the same connection have the state established, so they match the 3rd rule of the forward chain:


# Packets belonging to an already-tracked connection are accepted here
# regardless of interface, so an inter-VLAN drop only ever acts on the first
# (new) packet of a connection.
add action=accept chain=forward comment="Allow Estab & Related & Untracked" \
    connection-state=established,related

and are also accepted, skipping all the rules after it. If you want to block forwarding between the 3 VLANs, move that 2nd rule (comment “VLAN inter-VLAN routing”) below the “Allow Estab & Related & Untracked” rule, change action=accept to action=drop, and add out-interface-list=VLAN:


# Proposed replacement: drop new connections that both enter and leave via a
# VLAN-list interface. It must sit below the established/related accept and
# above any rule that accepts new connections from the VLAN list; it has no
# effect on connections that are already in the tracking table.
add action=drop chain=forward comment="drop VLAN inter-VLAN routing" \
    connection-state=new in-interface-list=VLAN out-interface-list=VLAN

Thank you for your reply. I changed the order of the rules, swapping the two rules.
I changed the VLAN inter-VLAN routing rule to drop and added the out-interface-list=VLAN parameter.

I did not add the direct drop rules that I tried earlier.

Unfortunately, nothing seems to have changed, I can still ping devices in the other VLANs.

Do you have any other ideas?

Is there still a connection active? A ping that was already running has an entry in the connection tracking table, so its packets keep matching the established/related accept rule before the new drop rule is reached; stop the ping and start a fresh one before testing.

May I suggest starting from the default firewall rules and continuing from there?
I see some changes that shouldn’t be there (a disabled drop rule at the end of the input chain, the rule order, a comment that no longer matches its rule).

Also consider dropping everything on both chains and only accept what is allowed explicitly.
This will improve readability, but take care not to lock yourself out of the router…

You should start by correcting the firewall rules, because rule order matters and rules are evaluated from top to bottom. There is no proper final rule at the end of the input and forward chains; I would recommend ending each chain with a drop-all rule. This also affects security; what you have is a bit of a mix.
Use address lists, as they let you specify the direction of each subnet flow more clearly. If you want to prohibit ping from one VLAN to another, one option is to create rules in the “Routing-Rules” section and specify action=drop there (or whichever action you prefer). Another option is to block ICMP with a drop rule in the forward chain.

# Example from the reply. The subnets and list names (192.168.10/20/30) are the
# replier's own and do not match the asker's 192.168.2.0/24, 192.168.6.0/24 and
# 10.0.10.0/24 -- adapt before use. Note that here bridge1 itself is put in
# the LAN list, whereas the longer example below lists the VLAN interfaces.
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip firewall address-list
add address=192.168.10.0/24 list=VLAN10
add address=192.168.20.0/24 list=VLAN20
add address=192.168.30.0/24 list=VLAN30
# Same subnet as VLAN10; used by the input chain of the example below to
# restrict access to the router itself.
add address=192.168.10.0/24 list=AUTHORIZED

/interface list
add comment=defconf name=WAN
add name=LAN
add name=TRUSTED
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
# vlan10/vlan20/vlan30 are the replier's interface names; the asker's are
# BASE_VLAN, SRV_VLAN and GUEST_VLAN. vlan20 is deliberately left out of
# TRUSTED, so neighbor discovery is not offered there.
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
add interface=vlan10 list=TRUSTED
add interface=vlan30 list=TRUSTED

/ip firewall filter
add action=accept chain=input comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid
# NOTE(review): as posted this rule has no matcher at all (no protocol=icmp;
# possibly lost in the paste), so it accepts every input packet from every
# interface, WAN included, and the "Drop all else" rule below never fires.
# It needs `protocol=icmp` to do what its comment says.
add action=accept chain=input comment="ICMP" 
# Access to the router itself only from the AUTHORIZED address list and only
# when arriving via a LAN-list interface.
add action=accept chain=input in-interface-list=LAN \
    src-address-list=AUTHORIZED
add action=drop chain=input comment="Drop all else"
# Comment reads "Fatsttrack" (typo for FastTrack); cosmetic only.
add action=fasttrack-connection chain=forward comment=Fatsttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid Connections" \
    connection-state=invalid
add action=accept chain=forward comment="Access Internet From LAN" \
    in-interface-list=LAN out-interface-list=WAN
# Inter-VLAN policy by address list, one direction per rule for new
# connections (replies are covered by the established/related accept above):
# VLAN20 -> VLAN10, VLAN30 -> VLAN10 and VLAN10 -> VLAN30 are allowed;
# VLAN10 -> VLAN20 and VLAN20 <-> VLAN30 are not listed and fall through to
# the final drop. (The leading tab on two of these lines is a paste artifact.)
	add action=accept chain=forward comment=LAN-Access dst-address-list=VLAN10 \
    src-address-list=VLAN20
add action=accept chain=forward comment=LAN-Access dst-address-list=VLAN10 \
    src-address-list=VLAN30
	add action=accept chain=forward comment=LAN-Access dst-address-list=VLAN30 \
    src-address-list=VLAN10
# Lets dst-nat'ed (port-forwarded) connections through the forward chain.
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop everything else"

# One masquerade rule per VLAN subnet towards the WAN list.
/ip firewall nat
add action=masquerade chain=srcnat comment=VLAN10 out-interface-list=WAN \
    src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment=VLAN20 out-interface-list=WAN \
    src-address=192.168.20.0/24
add action=masquerade chain=srcnat comment=VLAN30 out-interface-list=WAN src-address=\
    192.168.30.0/24