Vlan blocking and communication between vlanes

fraksipon · November 4, 2021, 9:01am

When I run rule 11, vlans do not ping each other.

11 X  chain=forward action=drop in-interface=all-vlan log=no log-prefix=""

If i add rule

09 X chain=forward action=accept in-interface=vlan-200 out-interface=vlan-100 log=no log-prefix=""
10 X chain=forward action=accept in-interface=vlan-100 out-interface=vlan-200 log=no log-prefix=""

INTERFACE:
-----eth1->
----------vlan-100
-----eth2->
----------vlan-200
-----eth3->
---------- vlan-300
-----eth4->
---------- vlan-400

I am asking for support how to block communication between all vlan, but enable communication between vlan100 and vlan200

anav · November 4, 2021, 1:08pm

Please post your complete config to assess properly…

/export hide-sensitive file=anynameyouwish

k6ccc · November 4, 2021, 8:23pm

Without seeing your full config, you are essentially correct. Allow what you specifically want, then drop everything. You can even be more selective. For example, only certain devices on one VLAN can access another VLAN. I have a bunch of that on mine.
But the devil is in the details. As Anav requested, post a complete comfig:
To export and paste your configuration (and I’m assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) “/export hide-sensitive file=any-filename-you-wish”. Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.

fraksipon · November 5, 2021, 1:28pm

it’s only part of the code. I would like to allow ether2_trunk_110 to communicate with ether2_trunk_120

/interface bridge
add admin-mac=4C:5E:0C:3F:31:35 auto-mac=no name=BRIDGE_lokacja \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1_wan
set [ find default-name=ether2 ] name=ether2_TRUNK_110
set [ find default-name=ether3 ] name=ether3_TRUNK_120

/interface vlan
add interface=ether2_TRUNK_110 name=TEACH_LAN_110 vlan-id=110
add interface=ether3_TRUNK_120 name=TEACH_WIFI_120 vlan-id=120
add interface=ether1_wan name=BRIDGE_lokacja vlan-id=500

/ip dhcp-server
add add-arp=yes address-pool=TEACH_WIFI disabled=no interface=TEACH_WIFI_120 name=TEACH_WIFI
add add-arp=yes address-pool=TEACH_LAN disabled=no interface=BRIDGE_lokacja name=TEACH_LAN

/interface bridge port
add bridge=BRIDGE_lokacja interface=BRIDGE_lokacja
add bridge=BRIDGE_lokacja interface=TEACH_LAN_110

/ip address
add address=10.0.4.1/24 comment=TEACH_LAN interface=BRIDGE_lokacja network=10.0.4.0
add address=10.0.6.1/24 comment=TEACH_WIFI interface=TEACH_WIFI_120 network=10.0.6.0

/ip dhcp-server network
add address=10.0.4.0/24 comment=TEACH_LAN dns-server=10.0.4.4,10.0.4.1 gateway=10.0.4.1 netmask=24
add address=10.0.6.0/24 comment=TEACH_WIFI dns-server=10.0.6.1 gateway=10.0.6.1 netmask=24


/ip firewall filter
add action=accept chain=forward disabled=yes in-interface=ether3_TRUNK_120 out-interface=BRIDGE_lokacja
add action=accept chain=forward disabled=yes in-interface=BRIDGE_lokacja out-interface=ether3_TRUNK_120
add action=drop chain=forward disabled=yes in-interface=all-vlan

anav · November 5, 2021, 4:29pm

Your configuration is very confusing and probably all wrong.
Why not use one bridge.
Assign all ports to it (except for the wan port of course)
Assign vlans to the bridge
and follow this guide…

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1