Hello there! I am new to routerboard, but learning quickly. I’ve got a RB750, generally configured the way I want. In general it’s working but there’s an oddity I’d like to explore.
Ether1 is a WAN interface, getting an address via DHCP and appears to be working as expected.
Ether2 is a master, with three tagged VLANs going through it, and is serving separate DHCP for each VLAN.
Ether3 is a master with one VLAN.
In general, this all works. I can connect a device configured for the appropriate VLAN, get a local address and get internet by way of NAT. What is odd though, is my ping results. From any VLAN, I can ping the gateway/dhcp server for any other VLAN. I can’t ping any devices on the other VLANs, but it’s just odd that I can get at the gateway. Considering I’ve done no firewall or other configuration, is this normal? Should I fix it?
In more detail, this is what I’m after:
ISP
  Routerboard
    Wireless AP1
      Client1
      Client2
      Client3
    Wireless AP2
      Client4
I have each client on its own VLAN for traffic shaping and filtering purposes. In addition, I’ll be implementing a VOIP network on another VLAN in the future. I want the Routerboard handing out the DHCP for these networks for management purposes, and I am not concerned about someone plugging in a rogue DHCP server.
Anyone mind helping me figure out why I can ping gateways for foreign VLANs? Secondarily, would you care to suggest alternate configurations or things I might have overlooked based on the short description of my goals?
**edit
Perusing other posts, I’m learning as I go. Current config as follows:
interface print
 #    NAME                 TYPE   MTU   L2MTU  MAX-L2MTU
 0 R  ether1-gateway       ether  1500  1600
 1 R  ether2-master-local  ether  1500  1598   2030
 2 R  ether3-master-local  ether  1500  1598   2030
 3    ether4-slave-local   ether  1500  1598   2030
 4    ether5-slave-local   ether  1500  1598   2030
 5 R  23900VLAN            vlan   1500  1594
 6 R  213VLAN              vlan   1500  1594
 7 R  12878VLAN            vlan   1500  1594
 8 R  21757VLAN            vlan   1500  1594
ip address print
 #    ADDRESS            NETWORK       INTERFACE
 0    ;;; default configuration
      192.168.88.1/24    192.168.88.0  ether2-master-local
 1    192.168.10.1/24    192.168.10.0  23900VLAN
 2    192.168.20.1/24    192.168.20.0  12878VLAN
 3    192.168.30.1/24    192.168.30.0  213VLAN
 4    192.168.40.1/24    192.168.40.0  21757VLAN
 5 D  192.168.2.111/24   192.168.2.0   ether1-gateway
 6 X  72.11.15.3/29      72.11.15.0    ether1-gateway
ip route print
 #      DST-ADDRESS      PREF-SRC       GATEWAY           DISTANCE
 0 ADS  0.0.0.0/0                       192.168.2.1       1
 1 ADC  192.168.2.0/24   192.168.2.111  ether1-gateway    0
 2 ADC  192.168.10.0/24  192.168.10.1   23900VLAN         0
 3 ADC  192.168.20.0/24  192.168.20.1   12878VLAN         0
 4 ADC  192.168.30.0/24  192.168.30.1   213VLAN           0
 5 ADC  192.168.40.0/24  192.168.40.1   21757VLAN         0
 6 ADC  192.168.88.0/24  192.168.88.1   ether2-master-l…  0
ip firewall nat print
 0    chain=srcnat action=masquerade out-interface=ether1-gateway
Based on other posts, it looks like it would be normal to have access to other VLANs through the RB. Sooo, in order to isolate them, I need some firewall rules. I've seen a few related examples intended to be copied and pasted in the CLI. First, can I do it through Winbox? Second, is there a more straightforward or complete way than punching in the subnets for each VLAN over and over? I see in Winbox at the firewall rule config screen there's a checkbox in front of some of the options (e.g. Dst. Address). Clicking the box shows what looks like an exclamation point, sometimes known as NOT. Can I use this to say "drop all packets headed TO this interface NOT from the WAN" or some such?
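An added configuration example (editor's addition, not from the original post or any reply) showing one way to get the isolation asked for above. Two points it relies on: a ping to 192.168.20.1 sent from the 192.168.10.0/24 VLAN is addressed to the router itself, so it is handled by the firewall's input chain, not the forward chain, and an empty filter accepts everything, which is why the foreign gateways answer; and the exclamation-point checkbox in Winbox is the same as writing `!` before a value in the CLI, so one negated rule can cover all the LAN-side interfaces without listing each subnet. The interface names and subnets are the ones printed in the post; 192.168.88.0/24 on ether2-master-local is treated as a fifth LAN. The RouterOS 6 syntax is assumed to match the version on the RB750 (the ether2-master-local naming suggests a pre-6.41 release).

```routeros
# Added example, not the poster's configuration. Paste into the terminal
# (or create the same rules one by one under IP > Firewall in Winbox).
# Rule order matters: accepts must come before the final drops.

/ip firewall address-list
# Optional: a named list of the LAN subnets, handy for later rules that
# need "from any LAN" / "to any LAN" (src-address-list=lan, or !lan).
add list=lan address=192.168.10.0/24 comment=23900VLAN
add list=lan address=192.168.20.0/24 comment=12878VLAN
add list=lan address=192.168.30.0/24 comment=213VLAN
add list=lan address=192.168.40.0/24 comment=21757VLAN
add list=lan address=192.168.88.0/24 comment=ether2-master-local

/ip firewall filter
# --- forward chain: packets routed from one interface to another ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# "!" is the NOT checkbox from Winbox. Neither in nor out interface is the
# WAN port, so this is LAN-to-LAN (VLAN-to-VLAN) routing: drop it.
add chain=forward in-interface=!ether1-gateway out-interface=!ether1-gateway \
    action=drop comment="no routing between VLANs"
# Anything from a LAN-side interface towards the WAN is allowed (and then
# masqueraded by the existing srcnat rule).
add chain=forward in-interface=!ether1-gateway out-interface=ether1-gateway \
    action=accept comment="LAN to internet"
# Whatever is left is unsolicited traffic from the WAN side.
add chain=forward action=drop comment="drop everything else"

# --- input chain: packets addressed to the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# DHCP requests arrive with src 0.0.0.0 / dst 255.255.255.255, so they would
# not match the per-gateway rules below; accept them from any LAN port.
add chain=input in-interface=!ether1-gateway protocol=udp dst-port=67 \
    action=accept comment="DHCP from any LAN"
# Each VLAN may talk only to its own gateway address (ping, DNS, Winbox...).
add chain=input in-interface=23900VLAN dst-address=192.168.10.1 action=accept
add chain=input in-interface=12878VLAN dst-address=192.168.20.1 action=accept
add chain=input in-interface=213VLAN dst-address=192.168.30.1 action=accept
add chain=input in-interface=21757VLAN dst-address=192.168.40.1 action=accept
add chain=input in-interface=ether2-master-local dst-address=192.168.88.1 \
    action=accept
# This is the rule that stops the ping to a foreign VLAN's gateway, and it
# also closes the router to the WAN side.
add chain=input action=drop comment="drop everything else"
```

Apply this from a session on a subnet whose gateway is accepted above (for example 192.168.88.1 from ether2-master-local) and use Safe Mode (Ctrl-X in the terminal, the Safe Mode button in Winbox) so a mistake rolls back when the session drops. After applying, a ping from a 192.168.10.x host to 192.168.20.1 should time out while a ping to 192.168.10.1 and internet access keep working; `/ip firewall filter print stats` shows which rule each packet hit. If the WAN DHCP lease on ether1-gateway stops renewing after the input drop is in place, add an accept for `in-interface=ether1-gateway protocol=udp dst-port=68` above it.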