VLAN ACL Question

If I have 3 VLANs on a MikroTik and I want to prohibit traffic from one talking to another, what’s the best way to do that?

Obviously I can set up firewall rules, but before I do this I wanted to see if there was a simpler way, or a simple set of firewall rules that might do it?

Seriously? Not even a hint of a link somewhere?

Nope the firewall is the simplest way.

OK. I tried the firewall and it seemed to block more than it should have (e.g. no Internet access).

The network is set up as such:

Router:
10.200.91.1 - VLAN1
10.200.92.1 - VLAN2
10.200.93.1 - VLAN3

Is there an easier way than making a rule on each VLAN specifically blocking access to the other VLANs?

For example a rule like (if dst-address!=10.200.93.1 then block). Problem with this rule is it blocks Internet access as well. I guess I could create an ip-list and then include that but I feel like I’m duplicating things over and over.

You need something more like this assuming you are using /24.

/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.92.0/23 src-address=10.200.91.0/24
# 10.200.91.0/23 is not on a /23 boundary (it would match 10.200.90.0-10.200.91.255, not VLAN2), so VLAN3 gets two /24 rules
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.91.0/24 src-address=10.200.93.0/24
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.92.0/24 src-address=10.200.93.0/24
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.91.0/24 src-address=10.200.92.0/24
/ip firewall filter add action=drop chain=forward disabled=no dst-address=10.200.93.0/24 src-address=10.200.92.0/24

Yeah I guess that’s where I’ll end up going. That just seemed like it was a lot of duplication. What exactly is putting the /23 in there going to do? That doesn’t seem like it would work out properly.

Why not?

A /24 is the entire 255.255.255.0 subnet.

Oh I guess it will sort of work. I was thinking a /23 was invalid since everything was /24, but I guess it does encompass two subnets in one rule.

Exactly. Good luck!
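A small simulation, added here and not part of the thread, that models the per-pair drop rules above against the single address-list rule the original poster wondered about (the list name `vlans` is hypothetical), and shows why a /23 only pairs up the two intended /24s when it starts on an even third octet. It assumes the firewall masks the rule address the way netfilter does, and uses constructed host and public addresses.

```python
import ipaddress

# Constructed from the thread: the three VLAN subnets, each assumed to be a /24.
VLANS = {
    "VLAN1": ipaddress.ip_network("10.200.91.0/24"),
    "VLAN2": ipaddress.ip_network("10.200.92.0/24"),
    "VLAN3": ipaddress.ip_network("10.200.93.0/24"),
}

def rule_net(spec):
    """Assumption: like netfilter, the firewall masks the rule address as well, so a
    non-aligned prefix such as 10.200.91.0/23 really matches 10.200.90.0/23."""
    return ipaddress.ip_network(spec, strict=False)

def subnets_matched(spec):
    """The /24s a rule prefix actually matches, e.g. 10.200.92.0/23 -> 92 and 93."""
    return [str(s) for s in rule_net(spec).subnets(new_prefix=24)]

# Per-pair drop rules in chain=forward, as (src-address, dst-address).
PAIR_RULES = [
    ("10.200.91.0/24", "10.200.92.0/23"),  # aligned /23: covers VLAN2 and VLAN3
    ("10.200.93.0/24", "10.200.91.0/24"),
    ("10.200.93.0/24", "10.200.92.0/24"),
    ("10.200.92.0/24", "10.200.91.0/24"),
    ("10.200.92.0/24", "10.200.93.0/24"),
]

def dropped_by_pair_rules(src_ip, dst_ip, rules=PAIR_RULES):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in rule_net(a) and d in rule_net(b) for a, b in rules)

def dropped_by_address_list(src_ip, dst_ip):
    """Single-rule alternative, with a hypothetical list name 'vlans':
    /ip firewall address-list add list=vlans address=10.200.91.0/24  (same for 92 and 93)
    /ip firewall filter add chain=forward src-address-list=vlans dst-address-list=vlans action=drop
    Only packets whose source AND destination are both VLAN subnets are dropped, so
    Internet-bound traffic passes without any extra rule."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    listed = lambda ip: any(ip in n for n in VLANS.values())
    return listed(s) and listed(d)

def isolation_check(policy, internet_ip="198.51.100.7"):
    """Return ({(src_vlan, dst_vlan): dropped}, internet_ok) for a policy function.
    Host .10 of each VLAN and the public test address are constructed values."""
    hosts = {name: str(n[10]) for name, n in VLANS.items()}
    matrix = {(a, b): policy(hosts[a], hosts[b]) for a in hosts for b in hosts if a != b}
    internet_ok = not any(policy(h, internet_ip) for h in hosts.values())
    return matrix, internet_ok
```

Call `isolation_check(dropped_by_pair_rules)` and `isolation_check(dropped_by_address_list)`: both block every VLAN pair and leave the public address reachable, while `subnets_matched("10.200.91.0/23")` shows that prefix lands on 10.200.90.0 and 10.200.91.0 rather than 91 and 92.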