So I have two VLANs set up on a bridge. I would like VLAN 10 to have management access and client-to-client with the ethernet ports on the bridge, and I would like VLAN 20 to only have internet access. I can’t access the MT GUI from the management wireless VLAN 10. Could someone review this and see what they think?
Any other security concerns or tightening-the-ship recommendations would be welcome as well… MTBSCR.rsc (13.1 KB)
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
Together with this rule, anything has access to your router:
/interface list member
add comment=defconf interface=CapDataPath list=LAN
I would sort the firewall rules, start with input and then forward.
I prefer both chains to end with “drop everything else” (this way, you only have to write allow rules).
You might want to enable VLAN filtering on your bridge.
There might be more possible improvements; still early here.
You need to add the bridge to the list of interfaces that are tagged under /interface bridge vlan,
and get rid of all those untagged entries and let them be determined dynamically by the pvid setting.
Did you actually turn on the bridge vlan filtering?
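The layout the replies above describe, pulled together as one added example (this is not the thread’s own config or the attached MTBSCR.rsc): the bridge itself is tagged under /interface bridge vlan, access ports get their VLAN from pvid, only the management VLAN interface sits in the interface list the input chain trusts (the point made about the defconf drop rule and the LAN list membership), and both chains end with an explicit drop. Bridge name, port roles (ether1 = WAN, ether2/3 = access ports, ether5 = tagged trunk to an AP), VLAN IDs, addresses and the “MGMT” list name are all assumptions.

```routeros
# Assumed names: bridge1, ether1 (WAN, not a bridge port), ether2 (VLAN 10 access),
# ether3 (VLAN 20 access), ether5 (trunk carrying both VLANs tagged to an AP).
# Created with vlan-filtering=no; it is switched on as the very last step.
/interface bridge
add name=bridge1 vlan-filtering=no

# Access ports: pvid assigns the untagged VLAN, so no untagged= entries are
# needed under /interface bridge vlan. ingress-filtering and frame-types keep
# clients on access ports from injecting their own 802.1Q tags.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

# The bridge must be tagged for every VLAN the router itself needs an IP on,
# otherwise the /interface vlan below never sees traffic (the L12 point).
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20

# Router-side L3 interfaces on top of the bridge.
/interface vlan
add name=vlan10-mgmt interface=bridge1 vlan-id=10
add name=vlan20-guest interface=bridge1 vlan-id=20

/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-guest

# Interface lists: LAN = everything inside, MGMT = only the management VLAN.
# Putting the guest VLAN (or a CAP data path) into LAN while the input chain
# trusts LAN is exactly what gives every client access to the router.
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan10-mgmt
add list=LAN interface=vlan20-guest
add list=MGMT interface=vlan10-mgmt

# Input chain: allow rules only, then drop everything else.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="input: keep existing sessions"
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=MGMT \
    comment="input: management (WebFig/Winbox/SSH) from VLAN 10 only"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="input: DNS caching resolver for both VLANs"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 \
    comment="input: DHCP for both VLANs"
add chain=input action=drop comment="input: drop everything else"

# Forward chain: VLAN 10 anywhere, VLAN 20 to the internet only, then drop.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=MGMT \
    comment="forward: management VLAN may reach WAN and other subnets"
add chain=forward action=accept in-interface=vlan20-guest out-interface-list=WAN \
    comment="forward: guest VLAN to internet only"
add chain=forward action=drop \
    comment="forward: drop everything else (blocks vlan20 -> vlan10, including ping)"

# Caching resolver for both subnets; the input rule on udp/53 above exposes it
# to LAN only, never to WAN.
/ip dns set allow-remote-requests=yes

# Last step: enforce the bridge VLAN table configured above.
/interface bridge set bridge1 vlan-filtering=yes
```

Apply this from a session on VLAN 10 with Safe Mode enabled: turning vlan-filtering on with a missing tagged entry is what silently cuts off a whole VLAN, and a wrong input rule ordering is what produces “WebFig loads but the login times out”. Any wireless or CAP interface carrying VLAN 10 would be added as a further bridge port (pvid=10 if it delivers untagged frames, or listed under tagged= for VLAN 10 if it delivers tagged ones), not as a separate member of the MGMT list.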
So when I enable VLAN filtering, it kills VLAN 20; it won’t connect or issue IP addresses. And I sorted the rules, but had to add drop rules to stop management access from VLAN 20, and it can still ping the other subnets. I can access WebFig from VLAN 10, but when I log in it times out.
Got rid of the VLANs and tried to clean it up; seems to work well. Left a copy of the script if anyone wants to look. Still want to set up my guest radios to turn off and on with a scheduler, if someone could help? Also would like to make sure I am using DNS caching that both subnets are utilizing, and just want Google as secondaries… Thanks everyone! MTBSCR.rsc (13 KB)