I’m using RouterOS 6.46.3 (added this info to the original post also).
I’m sorry if I wasn’t clear enough. The RouterOS configuration I’m using is the same as in the post http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1, as I stated in my original post http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1. I’ve changed some interface names and IP ranges, but essentially it’s the same configuration.
“all-vlan” is a built-in interface in RouterOS. I didn’t create it.
If one goes to the RouterOS command line, types the command below and hits “tab” to see the available interfaces, one should see something like the output below.
/ip firewall filter add in-interface=
Output should be like this:
BASE_VLAN GREEN_VLAN ether4-trunk
BLUE_VLAN all-vlan ether5-trunk
BR1 ether1-gw !
all-ethernet ether2
all-ppp ether3
One can also check the existence of the “all-vlan” interface by logging into RouterOS with WinBox or HTTPS, then going to IP → Firewall → Filter Rules → Add rule, and checking the In. Interface drop-down menu for the existence of “all-vlan”.
I’ll ask again, please clarify why it’s better to use a self-managed “my all VLANs” list than to use the built-in feature of RouterOS?
Mikrotik’s own wiki page on securing the router doesn’t include a “drop everything else” rule in the forward chain. I think there would be a need for another topic to discuss whether “drop everything else” or “drop invalid” is better in the forward chain. Another reason why I didn’t include “drop everything else” in the forward chain was that I wasn’t sure whether “untracked” was needed or not. But as stated in the explanation below, with the untracked addition to the forward chain, “drop everything else” could be added to the rule set.
Based on the post below (by Mikrotik support) if one is using IPsec and “drop everything else” rule, one should add “untracked” to be accepted in input and forward chain.
- “New” default firewall config in ROS - why ipsec is default allowed?
http://forum.mikrotik.com/t/new-default-firewall-config-in-ros-why-ipsec-is-default-allowed/114343/1
Why at least dropping invalid packets is required:
The drop invalid rule is necessary if you use NAT on your router. It is possible that for different reasons a packet can leave the router with a wrong (LAN) IP address. This firewall rule will drop such packets.
From Mikrotik support post:
- Is missing connection-state=invalid hugely bad?
http://forum.mikrotik.com/t/is-missing-connection-state-invalid-hugely-bad/111787/1
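As an added illustration (this is not the poster’s configuration nor from the linked threads), here is a minimal RouterOS 6.x filter set that puts the three points above together: accept established/related plus “untracked” so IPsec traffic survives a final drop rule, drop invalid before anything else is accepted, and finish each chain with “drop everything else”. The interface names ether1-gw, BASE_VLAN and the built-in all-vlan are taken from the post’s tab-completion output; everything else (the rule order, the management-from-BASE_VLAN assumption) is mine.

```routeros
# Added example, not from the forum post. Assumes ether1-gw is the WAN,
# BASE_VLAN is the management VLAN and the VLAN interfaces are matched by the
# built-in all-vlan interface, as in the post's tab-completion output.
/ip firewall filter

# --- input chain (traffic to the router itself) ---
# "untracked" is what the Mikrotik support post asks for when IPsec is in use
# and a final "drop everything else" rule exists; without it, decrypted IPsec
# packets that bypass conntrack would hit the drop rule.
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ping/ICMP"
add chain=input action=accept in-interface=BASE_VLAN \
    comment="management access only from BASE_VLAN (assumption)"
add chain=input action=drop comment="drop everything else (input)"

# --- forward chain (traffic through the router) ---
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid: catches NAT leaks with a LAN source address"
add chain=forward action=accept in-interface=all-vlan out-interface=ether1-gw \
    comment="VLANs to internet (built-in all-vlan, no manual interface list)"
add chain=forward action=drop comment="drop everything else (forward)"
```

After pasting this into the terminal, /ip firewall filter print shows the rules in order; the two “drop everything else” rules only make sense as the last rule of their chain, and the untracked entries can be removed again if no IPsec or raw-table notrack rules exist on the router.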