Switch rule to block wan traffic for a vlan

Hello,

I want vlan 10 to access vlan 20, but not be able to access the internet (wan)?

I couldn’t find any negate filters on switch rules. So I am not sure how I can detect a device trying to access wan with switch rules and drop the packet.

I know I can do all of this in the firewall, but I am curious to do it with the hardware.

Post config
/export file=anynameyouwish ( minus serial number and any public WANIP information)

Hello

This is a hypothetical question. I don't have a setup that doesn't work. So there is not much to export.

I am asking if there is a way to drop wan packets with switch rules.

Switch rules are switch-chip specific, so this question can not be answered entirely hypothetically :wink:

What you probably can do is a series of switch rules … first allow traffic you want to pass (e.g. vlan10 to vlan10, vlan10 to vlan20) and then block everything else. I’ve never played with switch rules (I only have the low end MT devices), so I don’t know if you can use VIDs in switch rules. If you can’t use VIDs, then use IP subnets. You can always use the router’s MAC address as an additional match criterion (all traffic between one IP subnet and everything else will target the router’s MAC address regardless of the target IP address).

You are right :grinning_face:. I have a rb5009

and

If you are asking about https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-RuleTable that is one of the least/poorest documented features that I have tried to find any info on.

There are no examples in either the ROS or SwOS manuals.

The only thing I see as a way to drop a packet is by matching a compound condition with the specified action new-dst-ports = Null. The docs say this will “drop the packet”.

If it is possible to have multiple conditions to match, and you want vlan 10 to only be able to be forwarded to vlan 20, and all packets will be ipv4, and there is a single ip subnet associated with vlan 20, then matching on src-address == vlan 10 subnet && dst-address == vlan 20 address with no action specified is supposed to accept the packet and stop scanning rules. This would be followed by a rule that matches src-address == vlan 10 subnet && dst-address == 0.0.0.0/0 (any ip address) with action new-dst-ports = Null (drop packet).

Again this is only a guess… and your guess is as good as mine as to how to form the multiple condition rule.

Let us know what you discover when you try. :sunglasses:
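The two-step approach described above (allow vlan10 to vlan20, then drop everything else from vlan10) written out as RouterOS switch rules. This is an added example, not configuration posted in the thread or taken from the MikroTik docs; the switch name `switch1`, the ingress port `ether2`, the subnets `192.168.10.0/24` (vlan 10) and `192.168.20.0/24` (vlan 20) are constructed values, and it assumes the switch chip supports the rule table at all.

```routeros
# Added example, not from the thread. Constructed assumptions:
#   switch1  = the switch chip, ether2 = the port where vlan 10 hosts enter,
#   192.168.10.0/24 = vlan 10 subnet, 192.168.20.0/24 = vlan 20 subnet.
# Switch rules are evaluated top to bottom; the first match wins.
/interface ethernet switch rule

# 1. vlan 10 -> vlan 20: no action parameters, so the packet is accepted
#    and rule processing stops.
add switch=switch1 ports=ether2 mac-protocol=ip \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    comment="vlan10 -> vlan20: accept"

# 2. vlan 10 -> vlan 10: keep intra-vlan traffic working.
add switch=switch1 ports=ether2 mac-protocol=ip \
    src-address=192.168.10.0/24 dst-address=192.168.10.0/24 \
    comment="vlan10 -> vlan10: accept"

# 3. Everything else from vlan 10 (the WAN included): an empty
#    new-dst-ports drops the packet. No dst-address means any destination.
add switch=switch1 ports=ether2 mac-protocol=ip \
    src-address=192.168.10.0/24 new-dst-ports="" \
    comment="vlan10 -> anything else: drop"
```

Two things to check on a real box: rule 3 only matches IPv4 (`mac-protocol=ip`), so ARP still passes (which hosts need to reach their gateway) but IPv6 is not covered, and if the vlan 10 hosts get DHCP or DNS from the router's own address on vlan 10 that address is inside rule 2; if the router serves them from another subnet, add an accept rule for that address above rule 3. If the chip lets you match `vlan-id` on tagged frames, that can replace the src-address matcher on a trunk port.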

This was my theory as well. I will give it a try

https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-RuleTable

A rule without any action parameters is a rule to accept the packet.

new-dst-ports (name; Default: none)

Changes the destination port as specified, multiple ports allowed, including a switch CPU port. An empty setting will drop the packet. When the parameter is not used, the packet will be accepted