RouterOS Firewall configuration when using a bridge with multiple VLANs

I’m attempting to migrate my existing router configuration from using multiple bridges (one per VLAN), to a single bridge, as described in https://help.mikrotik.com/docs/display/ROS/Bridge+VLAN+Table.
While this is working well for our switches, I am running into issues when attempting to do it on our router.
Should I be using this single bridge configuration option on our routers as well as our switches?

The core issue is related to our existing firewall rules, which currently look like:

/ip firewall filter
# [...]
add action=accept chain=forward comment="Allow staff to ssh into devices on guest wifi" dst-port=22 in-interface-list=STAFF out-interface-list=GUESTWIFI protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from STAFF" in-interface-list=!STAFF log-prefix="DROP NOT STAFF"
add action=drop chain=forward comment="Drop all from DMZ not destined for WAN" in-interface-list=DMZ out-interface-list=!WAN

/interface list member
# [...]
add interface=bridge-vlan20 list=DMZ
add interface=bridge-vlan30 list=STAFFWIFI

Those are just a few excerpts.

When moving to a single bridge instead, I’m not sure how I would rewrite those rules. If I rewrote them using IP addresses, someone could set an IP to another VLAN and access a service they shouldn’t, bypassing the firewall.
What is the recommended approach in this case?

IP firewall rules are always at the L3 interface level. Using firewall rules on a VLAN-aware L2 bridge (without an IP) will have no effect.

To protect people from “jumping between VLANs”, enable vlan-filtering and frame-types=admit-only-untagged-and-priority-tagged on all client ports.

I’m using a VLAN-aware bridge with sub-interfaces.

/interface vlan
add interface=bridge1 name=bridge1.55 vlan-id=55
add interface=bridge1 name=bridge1.57 vlan-id=57
add interface=bridge1 name=bridge1.58 vlan-id=58

/interface list
add name=WAN
add name=LAN
add name=DMZ

/interface list member
add interface=bridge1.55 list=LAN
add interface=bridge1.57 list=DMZ
add interface=bridge1.58 list=WAN

As @mada3k already mentioned: populate your interface lists with the appropriate VLAN interface names and you’re all set; there is no need to rewrite firewall rules as long as they refer to interface lists …

E.g. if you previously had

/interface vlan
add interface=ether1 name=ether1_vlan20 vlan-id=20
add interface=ether1 name=ether1_vlan30 vlan-id=30
/interface bridge
add name=bridge-vlan20
add name=bridge-vlan30
/interface bridge port
add bridge=bridge-vlan20 interface=ether1_vlan20
add bridge=bridge-vlan30 interface=ether1_vlan30
/interface list member
add interface=bridge-vlan20 list=DMZ
add interface=bridge-vlan30 list=STAFFWIFI

then you would now have something like

/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1
/interface bridge vlan
# the following two lines could be merged into one, but let's keep them separate for better reflection of old config
add bridge=bridge tagged=bridge,ether1 vlan-ids=20
add bridge=bridge tagged=bridge,ether1 vlan-ids=30
/interface vlan
add name=bridge-vlan20 interface=bridge vlan-id=20
add name=bridge-vlan30 interface=bridge vlan-id=30
# note that previously same names were used for bridges, now they are used for VLAN interfaces
/interface list member
add interface=bridge-vlan20 list=DMZ
add interface=bridge-vlan30 list=STAFFWIFI

You could use different names for vlan interfaces and if you set interface list members accordingly, the firewall rules would still remain intact.
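As an added example (not from the thread, nor MikroTik's own tooling), a small Python linter that checks a RouterOS export for the three points raised above: interface-list members should be the VLAN sub-interfaces rather than the bare bridge, the bridge must have vlan-filtering=yes, and access ports (assumed here to be any bridge port with an explicit pvid) need frame-types=admit-only-untagged-and-priority-tagged. The export text, interface names and list names are constructed for the example.

```python
import re
# Constructed RouterOS export excerpt (not from the thread): a VLAN-aware bridge,
# a trunk to ether1, an access port on ether2, and the L3 VLAN sub-interfaces.
EXPORT = """
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2 pvid=30
/interface vlan
add name=bridge-vlan20 interface=bridge vlan-id=20
add name=bridge-vlan30 interface=bridge vlan-id=30
/interface list member
add interface=bridge-vlan20 list=DMZ
add interface=bridge list=STAFFWIFI
"""
ACCESS_FRAME_TYPES = "admit-only-untagged-and-priority-tagged"

def parse_export(text):
    """Map each '/section' header to a list of {key: value} dicts, one per 'add' line."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line)))
    return sections

def lint(text):
    """Return human-readable findings; an empty list means the export passes all checks."""
    cfg = parse_export(text)
    bridges = {b["name"]: b for b in cfg.get("/interface bridge", [])}
    findings = []
    # 1. Interface-list matching is per L3 interface: members must be VLAN sub-interfaces, not the bare bridge.
    for m in cfg.get("/interface list member", []):
        if m["interface"] in bridges:
            findings.append(f"list {m['list']}: member {m['interface']} is the L2 bridge, use a VLAN interface")
    # 2. VLAN sub-interfaces on a bridge only separate traffic when vlan-filtering is on.
    for v in cfg.get("/interface vlan", []):
        b = bridges.get(v["interface"])
        if b is not None and b.get("vlan-filtering") != "yes":
            findings.append(f"bridge {v['interface']}: carries {v['name']} but vlan-filtering is not yes")
    # 3. Access ports (assumed: any port with an explicit pvid) must reject tagged frames, blocking VLAN hopping.
    for p in cfg.get("/interface bridge port", []):
        if "pvid" in p and p.get("frame-types") != ACCESS_FRAME_TYPES:
            findings.append(f"port {p['interface']}: pvid={p['pvid']} without frame-types={ACCESS_FRAME_TYPES}")
    return findings
```

Run `lint(EXPORT)` against the constructed export and it reports the STAFFWIFI member pointing at the bare bridge and the ether2 access port missing the frame-types restriction; feed it `/export` output from a real router to check a migrated configuration.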