VLAN intercommunication even without rules

Hi dear,

I'm not a guru and I'm playing for fun.

I’ve set up my hEX S with 2 VLANs, one TRUST and one DMZ. Everything is working: they have separate IP networks, DHCP servers, etc. After the configuration I added two rules to drop the traffic between them:

8    ;;; Drop TRUST -> DMZ
chain=forward action=drop in-interface=TRUST out-interface=DMZ log=no log-prefix=""

9    ;;; Drop DMZ -> TRUST
chain=forward action=drop in-interface=DMZ out-interface=TRUST log=no log-prefix=""

and everything is dropped.

Today I tried removing these two rules in order to allow traffic between them, but I haven’t been able to get two clients, one on each side, to communicate, and I wasn’t able to track down the problem. Can you help me?

# NOTE(review): RouterOS export as quoted in the post. Both VLAN gateways live on this
# router (see /ip address below), so TRUST<->DMZ traffic is routed here and is subject
# to the /ip firewall filter forward chain.
/interface bridge
add admin-mac= auto-mac=no name=bridge vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] comment="WAN - LTE"
set [ find default-name=ether2 ] comment=MGMT
set [ find default-name=ether3 ] comment=trust
set [ find default-name=ether4 ] comment=dmz
set [ find default-name=ether5 ] comment="trust + dmz"

/interface vlan
# L3 interfaces for the two VLANs, bound to the VLAN-filtering bridge above.
add interface=bridge name=DMZ vlan-id=21
add interface=bridge name=TRUST vlan-id=20

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Home WireGuard tunnel" name=HWG
add name=MGMT

/ip pool
add comment=TRUST name=dhcp-trust ranges=172.16.20.10-172.16.20.30
add comment=DMZ name=dhcp-dmz ranges=172.16.21.2-172.16.21.14

/ip dhcp-server
add address-pool=dhcp-trust comment=TRUST interface=TRUST name=dhcp-trust
add address-pool=dhcp-dmz comment=DMZ interface=DMZ name=dhcp-dmz

/interface bridge port
# Access ports: ether3 untagged in VLAN 20, ether4 untagged in VLAN 21.
# sfp1 and ether5 carry no pvid here; ether5 is the tagged trunk for both VLANs
# (see /interface bridge vlan below).
add bridge=bridge interface=ether3 pvid=20
add bridge=bridge interface=ether4 pvid=21
add bridge=bridge interface=sfp1
add bridge=bridge interface=ether5

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface bridge vlan
add bridge=bridge comment=VLAN20-TRUST tagged=ether5,bridge untagged=ether3 \
    vlan-ids=20
add bridge=bridge comment=VLAN21-DMZ tagged=ether5,bridge untagged=ether4 \
    vlan-ids=21

/interface detect-internet
set detect-interface-list=all

/interface list member
# DMZ is in neither LAN nor MGMT, so the "drop all not coming from LAN" input rule
# below applies to DMZ hosts (e.g. they cannot use this router as their DNS resolver;
# the DMZ DHCP network hands out 1.1.1.1/1.0.0.1 instead). TRUST is in LAN and MGMT.
add interface=TRUST list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wg-fireloop list=HWG
add interface=wg-fireloop list=MGMT
add interface=TRUST list=MGMT
add interface=ether2 list=MGMT
add interface=ether2 list=LAN

/ip address
add address=172.16.20.1/27 comment=TRUST interface=TRUST network=172.16.20.0
add address=172.16.21.1/28 comment=DMZ interface=DMZ network=172.16.21.0
add address=172.16.99.1/30 comment=MGMT interface=ether2 network=172.16.99.0

/ip dhcp-client
add comment=defconf interface=ether1

/ip dhcp-server network
add address=172.16.20.0/27 comment=TRUST dns-server=\
    172.16.20.2,172.16.10.2,172.16.0.2 domain=fortlan gateway=172.16.20.1 \
    netmask=27
# NOTE(review): the DMZ network is 172.16.21.0/28 (matching /ip address above) but
# clients are handed netmask=27 — looks like a typo for 28. It does not by itself
# explain DMZ<->TRUST failing (172.16.20.x is outside either mask), but should be fixed.
add address=172.16.21.0/28 comment=DMZ dns-server=1.1.1.1,1.0.0.1 domain=\
    fortdmz gateway=172.16.21.1 netmask=27

/ip dns
# Remote requests are allowed, but the input chain limits who can reach the router:
# only LAN-list interfaces (drop !LAN rule) plus DNS over the WireGuard list.
set allow-remote-requests=yes cache-size=35000KiB servers=1.1.1.1,1.0.0.1

/ip firewall filter
# Input chain: stateful accept first, drop invalid, ICMP, WG-only management/DNS,
# then (further down) drop everything not arriving from the LAN list.
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow WG Fireloop + Door" disabled=yes \
    dst-port=51820,51821 protocol=udp
add action=accept chain=input comment="Allow WinBox + SSH over WG " dst-port=\
    8291,22 in-interface-list=HWG protocol=tcp
add action=accept chain=input comment="Allow DNS over WG" dst-port=53 \
    in-interface-list=HWG protocol=udp
add action=accept chain=forward comment="Allow intercomm WG" \
    in-interface-list=HWG out-interface-list=LAN

# NOTE(review): the comments still say "Drop" but action=accept — presumably the state
# after the author switched the original drop rules to accept. Positioned here, before
# fasttrack, they explicitly permit new TRUST<->DMZ connections in both directions.
add action=accept chain=forward comment="Drop TRUST -> DMZ" in-interface=TRUST \
    out-interface=DMZ

add action=accept chain=forward comment="Drop DMZ -> TRUST" in-interface=DMZ \
    out-interface=TRUST

add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttracked established/related flows bypass the remaining filter rules, so any
# inter-VLAN drop rules must stay above this point (as the two above do).
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# NOTE(review): this is the only catch-all drop in the forward chain and it matches
# WAN ingress only. There is no final "drop everything else", so with the two
# TRUST/DMZ rules removed, inter-VLAN forwarding is still allowed by this firewall;
# if clients still cannot talk, the cause is likely outside these rules (e.g. host
# firewalls rejecting off-subnet sources) — confirm with log=yes on a matching forward
# rule. Defensively, an explicit final drop in the forward chain is the safer default.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

I've removed some parts of the config that I think are not relevant, like WireGuard, IPsec, etc.

I've already tried adding the rules as in the current config, and also removing them, without success.

You probably need an accept rule for established, related.

Your situation seems very similar to this one:


Thanks, I've understood the problem!

OK, I'll look into some improvements.