Trying to get communication between vLAN Interfaces

Good morning,

I am having a bit of a problem figuring out how to get started with the firewall. My setup is that all VLANs come in on one physical interface. It is my understanding that since I am only using one physical interface, I don't need a bridge? You can see in the config below that there is a bridge set up; I have tried to add the VLAN interfaces to the bridge, but I am having the same issue.

My target setup is that the router will serve DHCP to all VLANs, and all VLANs will be blocked/isolated from each other, with the exception that certain ports from certain IPs can make it through. It'll pretty much be two TCP ports at most that need to make it through.

Through my reading on the forums, the router by default should let traffic through, and that seemed to be the case. When I nuked the config and set it up again, my computer on 10.201.2.xxx could ping a computer on 10.201.131.xxx. As a test, I added a firewall rule to chain forward, action drop, from all VLAN to all VLAN interfaces, and with that the pings between VLANs stopped. When I disabled or deleted the rule, the pings still didn't start back up, even after a router reboot. I even tried to make the same rule but with an accept action.

Thank you for any help or insight! This is an isolated system as a test bench before we go live, so I can try any suggestions. I have my Windows workstation and an iMac on VLANs 2 & 301, and I have a laptop on VLAN 1 for admin purposes. All three machines can access & ping the router's address in their respective subnet. There isn't, and never will be, internet access to this router.

# jan/02/1970 17:08:17 by RouterOS 7.8
# software id = QL38-T7L7
#
# model = CCR2004-1G-12S+2XS
# serial number = dhrjene
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=ProductionNetwork
/interface vlan
add interface=bridge1 name=vlan2-TheMiddle vlan-id=2
add interface=bridge1 name=vlan301-AJPT_QLAN vlan-id=301
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=TheMiddle ranges=10.201.2.201-10.201.2.254
add name=AJPTQLAN ranges=10.201.101.254-10.201.131.201
/ip dhcp-server
add address-pool=TheMiddle interface=vlan2-TheMiddle name=TheMiddle_DHCP
add address-pool=AJPTQLAN interface=vlan301-AJPT_QLAN name=AJPTQLAN
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=ProductionNetwork
/interface list member
add interface=ProductionNetwork list=WAN
add list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=10.201.1.1/24 interface=ProductionNetwork network=10.201.1.0
add address=10.201.2.1/24 interface=vlan2-TheMiddle network=10.201.2.0
add address=10.201.131.0/24 interface=vlan301-AJPT_QLAN network=10.201.131.0
/ip dhcp-server network
add address=10.201.2.0/24 dns-none=yes gateway=10.201.2.1 netmask=24
add address=10.201.131.0/24 dns-none=yes gateway=10.201.131.1
/system routerboard settings
set enter-setup-on=delete-key

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Anav, I appreciate the input. I have read that thread a few times now over the last couple of days, and maybe I'm missing something. Here is the updated config as it stands now, after following the tutorial to the best of my abilities with my setup.

# jan/02/1970 20:40:02 by RouterOS 7.8
# software id = **ELIDED**
#
# model = CCR2004-1G-12S+2XS
# serial number = **ELIDED**
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=ProductionNetwork
/interface vlan
add interface=bridge1 name=vlan2-TheMiddle vlan-id=2
add interface=bridge1 name=vlan301-AJPT_QLAN vlan-id=301
/interface list
add name=WAN
add name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=TheMiddle ranges=10.201.2.201-10.201.2.254
add name=AJPTQLAN ranges=10.201.101.254-10.201.131.201
/ip dhcp-server
add address-pool=TheMiddle interface=vlan2-TheMiddle name=TheMiddle_DHCP
add address-pool=AJPTQLAN interface=vlan301-AJPT_QLAN name=AJPTQLAN
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ProductionNetwork
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ProductionNetwork vlan-ids=2
add bridge=bridge1 tagged=bridge1,ProductionNetwork vlan-ids=301
add bridge=bridge1 untagged=bridge1,ProductionNetwork vlan-ids=1
/interface list member
add interface=ProductionNetwork list=WAN
add list=LAN
add interface=vlan2-TheMiddle list=VLAN
add interface=vlan301-AJPT_QLAN list=VLAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=10.201.1.1/24 interface=ProductionNetwork network=10.201.1.0
add address=10.201.2.1/24 interface=vlan2-TheMiddle network=10.201.2.0
add address=10.201.131.0/24 interface=vlan301-AJPT_QLAN network=10.201.131.0
/ip dhcp-server network
add address=10.201.2.0/24 dns-none=yes gateway=10.201.2.1 netmask=24
add address=10.201.131.0/24 dns-none=yes gateway=10.201.131.1
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base full access" in-interface=bridge1
add action=drop chain=input comment=drop
add action=accept chain=forward comment="Allow Established & Related" connection-state=established,related
add action=drop chain=forward comment=Drop
/system routerboard settings
set enter-setup-on=delete-key

Please show me, in any of the configs from the link, this line. I think you made it up; eating magic mushrooms???

add bridge=bridge1 untagged=bridge1,ProductionNetwork vlan-ids=1

Thus it should look like this, and it can be shortened too.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ProductionNetwork vlan-ids=2,301



You have an empty list member entry and should remove it…
/interface list member
add interface=ProductionNetwork list=WAN
add list=LAN
add interface=vlan2-TheMiddle list=VLAN
add interface=vlan301-AJPT_QLAN list=VLAN

Do not understand??
You have two VLANs, WTF is this…
add address=10.201.1.1/24 interface=ProductionNetwork network=10.201.1.0
add address=10.201.2.1/24 interface=vlan2-TheMiddle network=10.201.2.0
add address=10.201.131.0/24 interface=vlan301-AJPT_QLAN network=10.201.131.0

You have no DHCP server for this ghost production network, nor any pool identified!!!

Am I to assume you have a private IP and this router is behind another router (double NAT)?
I ask because the firewall is very minimal, but it covers the bases I suppose.
You should put most of the defaults back in though. :)
One comment: can you explain to me what the practical difference is between these two rules!!

add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base full access" in-interface=bridge1



Would look like…

/ip firewall filter
{Input chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

(admin rules)
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="drop all else"

{Forward chain}
(default rules to keep)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(user rules)
**********************************
add action=drop chain=forward comment="drop all else"

Note that if you want to allow any traffic from vlanX to vlanY it would go here on the above config **********************************

For example:
/ip firewall address-list
# using static DHCP leases!!
add address=user1-IP-address list=PERMITTED comment="user1 to vlan301"
add address=user2-IP-address list=PERMITTED comment="user2 to vlan301"
add address=user3-IP-address list=PERMITTED comment="user3 to vlan301"
etc.

/ip firewall filter
# forward chain entries (go where the asterisks are above, before the final drop)
add action=accept chain=forward src-address-list=PERMITTED out-interface=vlan2 dst-port=X,Y protocol=udp
add action=accept chain=forward src-address-list=PERMITTED out-interface=vlan2 dst-port=A,B protocol=tcp
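To tie the two halves of the thread together (the single-trunk bridge VLAN table from the second config, and the default-deny firewall with a narrow inter-VLAN exception sketched in the reply above), here is a complete RouterOS 7 script for the CCR2004 as described. This is an added example written for this page, not a config posted by anyone in the thread and not MikroTik's own example. Assumptions that are not in the original posts: the trunk carries only tagged frames for VLANs 2 and 301 (no untagged VLAN 1 entry, as the reply recommends); admin access is over ether1 at 192.168.88.1; the two permitted hosts 10.201.2.10 and 10.201.2.11, the VLAN 301 target 10.201.131.50, the MAC addresses, and the TCP ports 3389 and 5900 are all constructed placeholders; the vlan301 gateway is 10.201.131.1 (the value the posted DHCP network uses) rather than the network address the posted `/ip address` line assigns, and the vlan301 pool is corrected to a low-to-high range inside the /24. The input chain is tighter than the "Allow VLAN" rule in the reply: VLAN clients get ICMP and DHCP only, and everything else to the router is dropped.

```routeros
# Added example (not from the thread): single trunk on bridge1 with VLAN
# filtering, two routed VLANs, DHCP on each, default-deny forwarding, and a
# narrow TCP exception for two hosts selected via an address-list that is
# fed by static DHCP leases. All hosts, MACs and ports below are constructed.

/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=no   # enable filtering last

/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=ProductionNetwork

/interface bridge port
# trunk: accept only tagged frames; ingress-filtering drops VLANs not in the table
add bridge=bridge1 interface=ProductionNetwork frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
# bridge1 must be tagged so the router's own /interface vlan children can use it
add bridge=bridge1 tagged=bridge1,ProductionNetwork vlan-ids=2,301

/interface vlan
add interface=bridge1 name=vlan2-TheMiddle vlan-id=2
add interface=bridge1 name=vlan301-AJPT_QLAN vlan-id=301

/interface list
add name=VLAN
add name=MGMT
/interface list member
add interface=vlan2-TheMiddle list=VLAN
add interface=vlan301-AJPT_QLAN list=VLAN
add interface=ether1 list=MGMT            # assumption: admin laptop on ether1

/ip address
add address=192.168.88.1/24 interface=ether1
add address=10.201.2.1/24 interface=vlan2-TheMiddle
add address=10.201.131.1/24 interface=vlan301-AJPT_QLAN   # host address, not .0

/ip pool
add name=TheMiddle ranges=10.201.2.201-10.201.2.254
add name=AJPTQLAN ranges=10.201.131.201-10.201.131.254    # low-high, inside the /24

/ip dhcp-server
add address-pool=TheMiddle interface=vlan2-TheMiddle name=TheMiddle_DHCP
add address-pool=AJPTQLAN interface=vlan301-AJPT_QLAN name=AJPTQLAN
/ip dhcp-server network
add address=10.201.2.0/24 gateway=10.201.2.1 dns-none=yes
add address=10.201.131.0/24 gateway=10.201.131.1 dns-none=yes

# static leases: the exception below keys on an IP, so pin that IP to a MAC
# (constructed MACs)
/ip dhcp-server lease
add address=10.201.2.10 mac-address=00:11:22:33:44:55 server=TheMiddle_DHCP comment="user1"
add address=10.201.2.11 mac-address=00:11:22:33:44:66 server=TheMiddle_DHCP comment="user2"

/ip firewall address-list
add list=PERMITTED address=10.201.2.10 comment="user1 to vlan301"
add list=PERMITTED address=10.201.2.11 comment="user2 to vlan301"

/ip firewall filter
# --- input: traffic to the router itself ---
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept in-interface-list=MGMT comment="admin access from ether1 only"
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=67 comment="DHCP requests from VLAN clients"
add chain=input action=drop comment="drop all else"
# --- forward: traffic between VLANs ---
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# the one exception: listed vlan2 hosts -> one vlan301 host, two TCP ports (constructed)
add chain=forward action=accept src-address-list=PERMITTED in-interface=vlan2-TheMiddle \
    out-interface=vlan301-AJPT_QLAN dst-address=10.201.131.50 protocol=tcp dst-port=3389,5900 \
    comment="permitted users to vlan301 service"
add chain=forward action=drop comment="drop all else (isolates every VLAN from every other)"

# last step: only now turn on filtering, so a mistake in the VLAN table above
# cannot lock you out of the trunk before the rest of the config is in place
/interface bridge
set bridge1 vlan-filtering=yes
```

Two checks worth running after applying this on the test bench: `/interface bridge vlan print` should show VLANs 2 and 301 with both `bridge1` and `ProductionNetwork` under `current-tagged`, and `/ip firewall filter print stats` lets you watch the counter on the "permitted users" rule climb while a listed host connects and the final forward drop climb for anything else, which is the direct way to confirm the rule order rather than relying on ping alone. Because fasttrack accepts established connections before the user rules, an existing flow is not cut off by adding a drop later; clear it with `/ip firewall connection remove [find]` on the bench if you need to re-test from a clean state.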