Test VLAN isolation using InterVLAN Routing by Bridge

Hello, new to MikroTik and networking! What a discovery <3

So, I’m setting up some VLANs in my network and followed the example on docs for VLAN Example - InterVLAN Routing by Bridge. Instead of ethernet I’m using wireless.

So I have:

  • VLAN1 (the default with my LAN devices)
  • VLAN10 (guest devices)
  • VLAN20 (IoT devices)

Is there a way to check if the VLANs are fully isolated? I have no firewall rules at the moment for VLANs.
I have tested pinging devices between VLANs but they don’t respond to each other. I need to be sure that the VLANs are fully isolated from each other; I don’t want my IoT or guest devices to see the ones on the LAN (for security reasons).

I know I can set some firewall rules but wanted to be sure if my actual config is enough without rules.

Thank you.

/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf name=LAN-bridge \
    vlan-filtering=yes
    
/interface ethernet
set [ find default-name=ether1 ] name="ether1[internet]"

/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=M6L2 \
    disabled=no name=wifi2_lan security.authentication-types=\
    wpa2-psk,wpa3-psk
add channel.band=2ghz-ax .width=20/40mhz comment="Guest WiFi" \
    configuration.mode=ap .ssid=M6G2 disabled=no mac-address=\
    xxx master-interface=wifi2_lan name=wifi3_guest \
    security.authentication-types=wpa2-psk,wpa3-psk
add channel.band=2ghz-ax .width=20/40mhz comment="IoT devices WiFi" \
    configuration.mode=ap .ssid=M6D2 mac-address=xxx \
    master-interface=wifi2_lan name=wifi4_devices \
    security.authentication-types=wpa2-psk,wpa3-psk
    
/interface vlan
add interface=LAN-bridge name=VLAN_Devices_20 vlan-id=20
add interface=LAN-bridge name=VLAN_Guest_10 vlan-id=10

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp_lan_pool ranges=192.168.88.10-192.168.88.254
add name=dhcp_vlan_10 ranges=10.0.0.10-10.0.0.254
add name=dhcp_vlan_20 ranges=20.0.0.10-20.0.0.254

/ip dhcp-server
add address-pool=dhcp_lan_pool interface=LAN-bridge lease-time=8h name=dhcp1
add address-pool=dhcp_vlan_10 interface=VLAN_Guest_10 lease-time=8h name=\
    dhcp2
add address-pool=dhcp_vlan_20 interface=VLAN_Devices_20 lease-time=8h name=\
    dhcp3
    
/interface bridge port
add bridge=LAN-bridge comment=defconf interface=ether2
add bridge=LAN-bridge comment=defconf interface=ether3
add bridge=LAN-bridge comment=defconf interface=ether4
add bridge=LAN-bridge comment=defconf interface=ether5
add bridge=LAN-bridge comment=defconf interface=wifi2_lan
add bridge=LAN-bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=wifi3_guest pvid=10
add bridge=LAN-bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=wifi4_devices pvid=20
    
/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface bridge vlan
add bridge=LAN-bridge tagged=LAN-bridge vlan-ids=10
add bridge=LAN-bridge tagged=LAN-bridge vlan-ids=20

/interface list member
add comment=defconf interface=LAN-bridge list=LAN
add comment=defconf interface="ether1[internet]" list=WAN

/ip address
add address=192.168.88.1/24 comment=defconf interface=LAN-bridge network=\
    192.168.88.0
add address=10.0.0.1/24 interface=VLAN_Guest_10 network=10.0.0.0
add address=20.0.0.1/24 interface=VLAN_Devices_20 network=20.0.0.0

/ip dhcp-client
add comment=defconf interface="ether1[internet]"

/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=20.0.0.0/24 gateway=20.0.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
    
/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Firstly, a better and original source for that documentation is found here… http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
There you will find that it’s best not to use VLAN 1 for data VLANs.
Also, when you change to using VLANs on the bridge, it’s wiser to go all VLANs and have the bridge just do bridging and NO DHCP.
Note: your wireless LANs didn’t line up with what you named them in the wireless settings, so other adjustments were made.
Hence:

/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf name=LAN-bridge \
    vlan-filtering=yes
    
/interface ethernet
set [ find default-name=ether1 ] name="ether1[internet]"

/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=M6L2 \
    disabled=no name=wifi2_lan security.authentication-types=\
    wpa2-psk,wpa3-psk
add channel.band=2ghz-ax .width=20/40mhz comment="Guest WiFi" \
    configuration.mode=ap .ssid=M6G2 disabled=no mac-address=\
    xxx master-interface=wifi2_lan name=wifi3_guest \
    security.authentication-types=wpa2-psk,wpa3-psk
add channel.band=2ghz-ax .width=20/40mhz comment="IoT devices WiFi" \
    configuration.mode=ap .ssid=M6D2 mac-address=xxx \
    master-interface=wifi2_lan name=wifi4_devices \
    security.authentication-types=wpa2-psk,wpa3-psk
    
/interface vlan
add interface=LAN-bridge name=VLAN_Devices_20 vlan-id=20
add interface=LAN-bridge name=VLAN_Guest_10 vlan-id=10
add interface=LAN-bridge name=VLAN_Home_5  vlan-id=5

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED

/ip pool
add name=dhcp_lan_pool ranges=192.168.88.10-192.168.88.254
add name=dhcp_vlan_10 ranges=10.0.0.10-10.0.0.254
add name=dhcp_vlan_20 ranges=20.0.0.10-20.0.0.254

/ip dhcp-server
add address-pool=dhcp_lan_pool interface=VLAN_Home_5  lease-time=8h name=dhcp1
add address-pool=dhcp_vlan_10 interface=VLAN_Guest_10 lease-time=8h name=\
    dhcp2
add address-pool=dhcp_vlan_20 interface=VLAN_Devices_20 lease-time=8h name=\
    dhcp3
    
/interface bridge port
add bridge=LAN-bridge  ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=5
add bridge=LAN-bridge  ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=5
add bridge=LAN-bridge  ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5
add bridge=LAN-bridge  ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=5
add bridge=LAN-bridge  ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi2_lan pvid=5
add bridge=LAN-bridge  ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi3_guest pvid=10
add bridge=LAN-bridge  ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi4_devices pvid=20

/ip neighbor discovery-settings
set discover-interface-list=TRUSTED

/interface bridge vlan
add bridge=LAN-bridge tagged=LAN-bridge  untagged=ether2,ether3,ether4,ether5,wifi2_lan vlan-ids=5
add bridge=LAN-bridge tagged=LAN-bridge  untagged=wifi3_guest  vlan-ids=10
add bridge=LAN-bridge tagged=LAN-bridge  untagged=wifi4_devices  vlan-ids=20

/interface list member
add comment=defconf interface="ether1[internet]" list=WAN
add interface=VLAN_Home_5  list=LAN
add interface=VLAN_Guest_10 list=LAN
add interface=VLAN_Devices_20 list=LAN
add interface=VLAN_Home_5 list=TRUSTED

/ip address
add address=192.168.88.1/24 interface=VLAN_Home_5 network=192.168.88.0
add address=10.0.0.1/24 interface=VLAN_Guest_10 network=10.0.0.0
add address=20.0.0.1/24 interface=VLAN_Devices_20 network=20.0.0.0

/ip dhcp-client
add comment=defconf interface="ether1[internet]"

/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=20.0.0.0/24 gateway=20.0.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
    
/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
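Added example, not part of either post: RouterOS commands to confirm that the bridge actually enforces the membership declared in the configuration above, and to watch the guest side for frames that cross the VLAN boundary at layer 2. It assumes the interface names and the 192.168.88.0/24 home subnet from that configuration and RouterOS 7; the 60 second capture windows and the placeholder client MAC are assumptions to replace with your own values.

```routeros
# Added example (not from the thread): check bridge VLAN enforcement on RouterOS 7.
# Assumes the names from the configuration above: LAN-bridge, wifi3_guest,
# VLAN_Home_5, home subnet 192.168.88.0/24. Run from a terminal on the router.

# 1. vlan-filtering must be "yes" on the bridge itself. The per-port pvid,
#    frame-types and ingress-filtering settings are ignored without it.
/interface bridge print where name=LAN-bridge

# 2. The VLAN table, including the dynamic (D) entries RouterOS derives from
#    each port's pvid. Every vlan-id should list exactly the ports you intend;
#    a port listed under a VLAN it does not belong to is a leak path.
/interface bridge vlan print

# 3. The MAC table records the VLAN each client MAC was learned in. A home
#    client's MAC learned with vid 10 means one of its frames entered VLAN 10.
/interface bridge host print

# 4. ARP is never routed, so an ARP frame on wifi3_guest that mentions a
#    192.168.88.x address can only have been bridged across the VLAN boundary.
#    While this runs, make a home client send ARP (e.g. ping 192.168.88.1 from
#    it after clearing its ARP cache). Expected: only 10.0.0.x addresses.
/tool sniffer quick interface=wifi3_guest mac-protocol=arp duration=60

# 5. IP packets from 192.168.88.x can legitimately show up on wifi3_guest,
#    because the router routes them at layer 3 as long as nothing in the
#    firewall stops it. Tell routing and leakage apart by source MAC: a routed
#    packet carries the router's MAC, a bridged leak carries the home client's
#    own MAC. AA:BB:CC:DD:EE:FF is a placeholder for that client's MAC.
#    Expected: no frames at all, even while that client pings 10.0.0.x.
/tool sniffer quick interface=wifi3_guest mac-address=AA:BB:CC:DD:EE:FF duration=60
```

Step 4 is the decisive one: a ping from a correctly configured home client never produces an ARP for 10.0.0.x on the guest side, it produces an ARP for its gateway on the home side, so any 192.168.88.x ARP captured on wifi3_guest is a bridging fault and not normal routing. Step 5 catches the same thing for non-ARP traffic without being fooled by the router's own layer-3 forwarding.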

The best way to test whether VLAN isolation at L2 (Ethernet layer) works is to send some packets from one VLAN towards the other and sniff on the other VLAN for any signs of packets leaking into it. But it’s not easy to see the leaking if devices are properly configured for their own subnet (i.e. the IP setup corresponds to the VLAN), because properly behaving devices will use their gateway to reach devices in a different IP subnet. So one has to know what to look for (and how to craft the device IP setup to test more thoroughly) when verifying VLAN isolation.

When doing it, you have to be aware that there are two layers where packets might cross the boundary:

  1. Ethernet layer (switches, bridges) where VLANs do the isolation. All of the switches (and VLAN-aware devices) in your physical network have to be appropriately configured.
  2. IP layer. As soon as a MikroTik device has an IP address in a certain IP network, it can interact with it. If the MT device has IP addresses in multiple IP networks, it will pass packets between these networks. And your device does qualify. If you want to prevent certain traffic from passing in a certain direction, you can use the firewall to control it. Your device doesn’t have any (if the config you posted is complete).

And then many devices (Windows devices, possibly Android to a certain extent, some Linux distros as well) run their own firewall which blocks certain connectivity. Based on the config you posted, I fear that the devices’ firewalls blocked the inter-VLAN traffic, not your switch/router.
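The IP-layer crossing described in point 2 is closed with forward-chain firewall rules on the router. The following is an added example, not from any of the posts. It assumes the interface lists from the earlier reply (WAN, LAN containing all three VLAN interfaces, TRUSTED containing VLAN_Home_5), the 10.0.0.0/24 and 20.0.0.0/24 guest and IoT subnets, and RouterOS 7 syntax. It ends with a check that does not depend on the client devices’ own firewalls, which is the trap the reply above warns about.

```routeros
# Added example (not from the thread): stop the router routing between VLANs.
# Assumes the interface lists WAN, LAN (all three VLAN interfaces) and
# TRUSTED (VLAN_Home_5) from the configuration earlier in the thread.
# Apply from Safe Mode (Ctrl-X in the terminal) so a mistake in the final
# input rule cannot lock you out of the router.

/ip firewall filter
# forward chain: traffic the router routes from one interface to another
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=TRUSTED \
    comment="home VLAN may reach everything, including guest and IoT"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="guest and IoT may reach the internet only"
add chain=forward action=drop \
    comment="everything else: guest/IoT -> home and guest <-> IoT are dropped here"

# input chain: traffic addressed to the router itself. Each VLAN's gateway IP
# is a router address, so without this a guest client can still reach
# 192.168.88.1 and every service on it (DNS, winbox, ssh, ...).
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=TRUSTED
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,67 \
    comment="guest/IoT only need DHCP and DNS from the router"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=LAN protocol=icmp
add chain=input action=drop comment="everything else, including all of WAN"
# The three LAN accepts above also admit guest/IoT to 192.168.88.1 on those
# ports. If that matters, split them per VLAN and add dst-address=10.0.0.1
# (VLAN_Guest_10) and dst-address=20.0.0.1 (VLAN_Devices_20).

# Check that does not rely on any client's own firewall: from a guest client
# start a ping to a home client (or open winbox to 192.168.88.1:8291), then
# watch the counters. The forward "everything else" counter climbs for every
# packet even if the target host would never have answered, which is what
# proves the router, not the client, is doing the blocking.
/ip firewall filter print stats where chain=forward
/ip firewall filter print stats where chain=input
```

Before these rules exist, pinging 192.168.88.1 from a guest client answers regardless of how any client is configured, because the address belongs to the router and nothing stops the router from answering across VLANs; that is the quickest demonstration that the bridge alone does not isolate the subnets. Rule order matters: the established/related accept must stay first so return traffic of flows the home VLAN opened towards guest or IoT is not caught by the final forward drop.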