VLAN isolation configuration issue

Hello, I have configured my router and AP to have VLAN-tagged subnetworks, but I have an issue with the firewall configuration that isolates all devices on the VLAN subnetwork (they should not see each other).
The VLAN I have an issue with is VLAN 20 - subnetwork 192.168.20.0/24. I have tried dropping all packets on the forward and input chains with source=192.168.20.0/24 and destination=192.168.0.0/16, but this didn't help. A Wi-Fi scanner on my phone connected to VLAN 20 could still see all devices connected to the VLAN 20 subnetwork, including my TV.

The most important structure of my network looks like this:

   Router
  |------|
  | eth1 | -----> Internet
  |------|
  |      |
  |------|
  | eth4 | -----> TV (VLAN 20)
  |------|           |-------------|
  | eth5 | -----> AP | eth1        |
  |------|           |-------------|
                     |guest_wlan_2g|
                     |   VLAN 20   |
                     |-------------|
                     |guest_wlan_5g|
                     |   VLAN 20   |
                     |-------------|

What rule should I add or remove to achieve desired result? The configurations I have attached are without the drop rules for 192.168.20.0/24 to 192.168.0.0/16.

Thanks!
router_v4.txt (5.17 KB)
ap_v4.txt (4.1 KB)

This rule in the router is wrong:

add action=drop chain=input comment="Block isolated VLANs from main network" dst-address=192.168.0.0/24 in-interface-list=ISOLATED_VLAN

The highlighted part, chain=input, should be chain=forward.

There are a few things in the router config that seem slightly off to me:

  • no need to have these settings:

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

These are only needed if you want firewall filter rules to apply to traffic passing through the router but contained within the same VLAN / IP subnet.

  • in firewall filter rules where chain=input, it is not necessary to set dst-address … these rules are applied to any packets targeting any of the router's IP addresses, and setting dst-address might even make the filter too selective. I.e. if dst-address=192.168.20.1, then a guest_vlan client might get past the drop filter by connecting to any other of the router's addresses.
  • in general the firewall filter rules are a bit of a mess … e.g. you have specific rules to drop connections to management services … while at the end you have a general drop rule which should do the trick anyway. I advise you to revert to the default firewall filter rules (you can see what they are by executing /system default-configuration print and scrolling down to the correct section) and very carefully add only what is really needed (it could be you won't need to change anything).

This discusses the ROUTER only!
/interface bridge port
add bridge=bridge_r comment=defconf interface=ether2
add bridge=bridge_r comment=defconf interface=ether3
add bridge=bridge_r comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20 (access port to tv)
add bridge=bridge_r comment=defconf interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged (trunk port to access point)
add bridge=bridge_r comment=defconf interface=sfp1

/interface bridge settings (remove this entirely)
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

Firewall rules are a mess…
(1) It is common to put input rules first and then forward rules and the order within a rule set matters greatly!!
(2) I will assume you simply want the vlans to access the internet only.
(3) Also if you want to be able to access the vlans from your PC for example then you would add a forward rule
add chain=forward action=accept in-interface-list=LAN src-address=youradminpcIP out-interface-list=ISOLATED_VLAN
(4) You could actually use in-interface=bridge-r for all the LAN rules but not sure which is better, the ones you have are safe/fine in that regard.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Accept all from LAN to router" in-interface-list=LAN
add action=accept chain=input comment="Allow VLAN DNS TCP access" dst-port=53 in-interface-list=ISOLATED_VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN DNS UDP access" dst-port=53 in-interface-list=ISOLATED_VLAN protocol=udp
add action=drop chain=input comment="Drop all else!"

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow LAN to Internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow from VLAN to the Internet" in-interface-list=ISOLATED_VLAN out-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop everything else by default"

Note the above reflects these changes….

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=ISOLATED_VLAN

/interface list member
add comment=defconf interface=bridge_r list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=guest_vlan list=ISOLATED_VLAN
add interface=iot_vlan list=ISOLATED_VLAN
add interface=ether4 list=ISOLATED_VLAN

For the AP: you didn't really describe what is going on here, but I figured it out.
WLAN1 - regular home Wi-Fi on 2G
WLAN2 - regular home Wi-Fi on 5G
Virtual WLAN 5G for guest devices (VLAN 20)
Virtual WLAN 2G for guest devices (VLAN 20)
Virtual WLAN 2G for IoT devices (VLAN 30)

/interface bridge port
add bridge=bridge_ap ingress-filtering=yes interface=ether1 (trunk port)
add bridge=bridge_ap comment=defconf interface=ether2
add bridge=bridge_ap frame-types=admit-only-untagged-and-priority-tagged interface=wlan_2g (assumed pvid=1)
add bridge=bridge_ap frame-types=admit-only-untagged-and-priority-tagged interface=wlan_5g (assumed pvid=1)
add bridge=bridge_ap frame-types=admit-only-untagged-and-priority-tagged interface=guest_wlan_5g pvid=20
add bridge=bridge_ap frame-types=admit-only-untagged-and-priority-tagged interface=guest_wlan_2g pvid=20
add bridge=bridge_ap frame-types=admit-only-untagged-and-priority-tagged interface=iot_wlan_2g pvid=30

/interface bridge settings (get rid of this)
set use-ip-firewall-for-vlan=yes

Thank you for taking time to look at my config and fixing it. I have implemented your changes except for the:
/interface bridge port
add bridge=bridge_r comment=defconf interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged (trunk port to access point)

I have to accept all frame types, otherwise my home network laptop would not obtain any IP using wifi.

I have also tried dropping input/forwarded packets having destination 192.168.20.0/24, but my phone was always able to scan the subnetwork and see all devices. I do not understand why this rule does not work, even as the first one in the firewall. Do you have any ideas? Are there any "hacks" scanners use to scan devices? I am using WiFiman from Ubiquiti.
router_v5.txt (4.17 KB)
ap_v5.txt (4.12 KB)

I disagree. ether5, if it is a trunk port, is correct the way I have stated it. Remember the home Wi-Fi is NOT coming from ether5, it's coming from the WLAN interface, which we would have properly configured as frame-types=admit-only-untagged-and-priority-tagged. Thus your laptop should get an IP.

Also, as for the blocking… please state the requirement more clearly, as it appears to be a new one. I don't remember a firewall rule to block something specific…???

Router review… this is incorrect. You should use one line per VLAN id.
from
/interface bridge vlan
add bridge=bridge_r tagged=ether5,bridge_r vlan-ids=20,30
To
/interface bridge vlan
add bridge=bridge_r tagged=ether5,bridge_r untagged=ether4 vlan-ids=20
add bridge=bridge_r tagged=ether5,bridge_r vlan-ids=30

/ip firewall filter (okay, just remove the part in red, the dst-address=192.168.0.1 matcher)
add action=accept chain=input comment="Allow VLAN DNS TCP access" dst-address=192.168.0.1 dst-port=53 in-interface-list=ISOLATED_VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN DNS UDP access" dst-address=192.168.0.1 dst-port=53 in-interface-list=ISOLATED_VLAN protocol=udp

Access Point review…
The main problem for your AP setup is the missing items…
/interface vlan
add interface=bridge_ap name=guest_vlan vlan-id=20
add interface=bridge_ap name=iot_vlan vlan-id=30

I have modified the config further, but it did not help. Do you think a proper configuration is possible if the "home network" does not have its own VLAN? I am aware there is PVID=1 across the settings, but on the AP ether1 is not marked as tagged in the bridge VLAN menu. When I add it manually, the connection crashes. Probably because the router has no settings with VLAN tag=1.

Do I need to add the third tag and vlan interfaces?

Hi Lasik, yes, in my own setup I have a separate VLAN for my home LAN; I don't use the bridge for any DHCP etc…

Hi Anav, Regarding isolation for each client of guest_vlan, what is in your opinion the best approach here?

After some more research and videos, I figured out if packets pass only through bridge, I can add on router the following:
/interface bridge filter
add action=drop chain=forward out-interface-list=ISOLATED_VLAN

On AP, similarly, I have added this:
/interface list member
add interface=guest_wlan_2g list=GUEST_VLAN
add interface=guest_wlan_5g list=GUEST_VLAN
/interface bridge filter
add action=drop chain=forward in-interface-list=GUEST_VLAN out-interface-list=GUEST_VLAN

This way I am not turning on the bridge's IP filtering, so performance shouldn't be much lower.
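The point the thread keeps circling (an IP firewall drop on input or forward never sees a phone scanning the TV, because both are in VLAN 20 and the bridge switches that traffic at layer 2, whereas the bridge filter does see it) can be shown with a small model of where each kind of packet is inspected. The following Python is an added example written for this page, not RouterOS code and not anything posted in the thread; the hosts, addresses, interface lists and rules are constructed from the configs quoted above, and it assumes use-ip-firewall is off, as advised earlier in the thread.

```python
"""Where a packet is inspected on a RouterOS bridge/router: a simplified model.

Added example for this thread, not RouterOS code. Frames switched between two
ports of one bridge see only the bridge filter "forward" chain; packets
addressed to the router itself see the IP firewall "input" chain; packets
routed between subnets or to the WAN see the IP firewall "forward" chain.
Rules are first-match and an unmatched chain accepts (RouterOS default).
Assumes /interface bridge settings use-ip-firewall is off, as advised in the
thread. Hosts, addresses and rules are constructed from the configs quoted.
"""
from ipaddress import ip_address, ip_network

# Logical L3 interfaces on the router (constructed from the thread).
SUBNETS = {
    "bridge_r": ip_network("192.168.0.0/24"),     # home LAN, untagged, VLAN 1
    "guest_vlan": ip_network("192.168.20.0/24"),  # VLAN 20
    "iot_vlan": ip_network("192.168.30.0/24"),    # VLAN 30
}
VLAN_TO_IFACE = {1: "bridge_r", 20: "guest_vlan", 30: "iot_vlan"}
ROUTER_ADDRS = {"192.168.0.1", "192.168.20.1", "192.168.30.1"}
WAN_IFACE = "ether1"
# /interface list member on the router
LISTS = {"LAN": {"bridge_r"}, "WAN": {"ether1"},
         "ISOLATED_VLAN": {"guest_vlan", "iot_vlan", "ether4"}}
# Constructed bridge host table: which bridge port each host sits behind.
HOST_PORT = {"192.168.20.10": "ether4",   # TV on the pvid=20 access port
             "192.168.20.50": "ether5",   # phone on guest wifi, via the AP trunk
             "192.168.0.10": "ether2"}    # home PC


def rule_matches(rule, pkt, in_if, out_if):
    """The subset of RouterOS matchers used in the thread's rules."""
    checks = [
        (rule.get("in_list"), lambda v: in_if in LISTS[v]),
        (rule.get("out_list"), lambda v: out_if in LISTS[v]),
        (rule.get("src"), lambda v: ip_address(pkt["src"]) in ip_network(v)),
        (rule.get("dst"), lambda v: ip_address(pkt["dst"]) in ip_network(v)),
        (rule.get("proto"), lambda v: v == pkt.get("proto")),
        (rule.get("dst_port"), lambda v: v == pkt.get("dst_port")),
    ]
    return all(test(value) for value, test in checks if value is not None)


def run_chain(rules, chain, pkt, in_if, out_if):
    """First matching rule in the chain decides; no match means accept."""
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, pkt, in_if, out_if):
            return rule["action"]
    return "accept"


def iface_for(addr):
    return next((n for n, net in SUBNETS.items() if ip_address(addr) in net), WAN_IFACE)


def trace(pkt, ip_rules, bridge_rules):
    """Return (chains consulted, verdict) for one packet entering the router."""
    src_if = VLAN_TO_IFACE[pkt["vlan"]]
    if pkt["dst"] in ROUTER_ADDRS:
        # To the router itself: IP input chain; the forward chain never runs.
        return ["ip:input"], run_chain(ip_rules, "input", pkt, src_if, None)
    if ip_address(pkt["dst"]) in SUBNETS[src_if]:
        # Same subnet, same VLAN: switched at L2 between bridge ports, so only
        # the bridge filter sees it; IP firewall forward rules never run.
        out_port = HOST_PORT[pkt["dst"]]
        return ["bridge:forward"], run_chain(bridge_rules, "forward", pkt, pkt["in_port"], out_port)
    # Different subnet: routed, so the IP firewall forward chain runs.
    return ["ip:forward"], run_chain(ip_rules, "forward", pkt, src_if, iface_for(pkt["dst"]))


# /ip firewall filter as proposed in the thread (connection-state rules omitted).
IP_RULES = [
    {"chain": "input", "action": "accept", "in_list": "LAN"},
    {"chain": "input", "action": "accept", "in_list": "ISOLATED_VLAN", "proto": "tcp", "dst_port": 53},
    {"chain": "input", "action": "accept", "in_list": "ISOLATED_VLAN", "proto": "udp", "dst_port": 53},
    {"chain": "input", "action": "drop"},
    {"chain": "forward", "action": "accept", "in_list": "LAN", "out_list": "WAN"},
    {"chain": "forward", "action": "accept", "in_list": "ISOLATED_VLAN", "out_list": "WAN"},
    {"chain": "forward", "action": "drop"},
]
# The attempt from the thread: an IP forward drop for the guest subnet, placed first.
IP_RULES_WITH_OP_DROP = [{"chain": "forward", "action": "drop", "dst": "192.168.20.0/24"}] + IP_RULES
# /interface bridge filter add action=drop chain=forward out-interface-list=ISOLATED_VLAN
BRIDGE_RULES = [{"chain": "forward", "action": "drop", "out_list": "ISOLATED_VLAN"}]

PHONE = {"src": "192.168.20.50", "vlan": 20, "in_port": "ether5"}
PHONE_TO_TV = {**PHONE, "dst": "192.168.20.10"}
PHONE_TO_DNS = {**PHONE, "dst": "192.168.20.1", "proto": "udp", "dst_port": 53}
PHONE_TO_WINBOX = {**PHONE, "dst": "192.168.0.1", "proto": "tcp", "dst_port": 8291}
PHONE_TO_INET = {**PHONE, "dst": "8.8.8.8"}
PHONE_TO_PC = {**PHONE, "dst": "192.168.0.10"}
PC_TO_TV = {"src": "192.168.0.10", "vlan": 1, "in_port": "ether2", "dst": "192.168.20.10"}

if __name__ == "__main__":
    print("phone->TV, IP drop only :", trace(PHONE_TO_TV, IP_RULES_WITH_OP_DROP, []))
    print("phone->TV, bridge filter:", trace(PHONE_TO_TV, IP_RULES, BRIDGE_RULES))
    for name, pkt in [("phone->DNS", PHONE_TO_DNS), ("phone->winbox", PHONE_TO_WINBOX),
                      ("phone->inet", PHONE_TO_INET), ("phone->PC", PHONE_TO_PC), ("PC->TV", PC_TO_TV)]:
        print(f"{name:14}:", trace(pkt, IP_RULES, BRIDGE_RULES))
```

The first two traces are the heart of it: with only the IP forward drop the phone-to-TV frame is accepted, because the only chain that ever runs for it is bridge:forward, while the bridge filter rule drops it. The remaining traces confirm the rest of the stated requirements: guest clients reach the router's DNS but not Winbox, reach the Internet but not the home subnet, and the home PC is kept out of VLAN 20 by the final forward drop.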

It is not clear what you are asking. Forget about config changes until the requirements are clearly stated and clearly understood.

Hello anav,
These are my specific requirements:
Home network (preferably no VLAN) - 192.168.0.0/24
Guest network (VLAN 20) - 192.168.20.0/24
IOT network (VLAN 30) - 192.168.30.0/24

The guest and IoT networks should provide access to the Internet and have full client isolation, i.e. any client connected to them should not be able to see any other client. Clients should not be able to connect to any of the management services on the router or AP.

The home network shouldn't be able to access any devices on the IoT or guest networks, and should have access to the Internet. All clients should be able to find one another and be able to access the management services on the router and AP.

My network is supposed to look like this:

NO VLAN - network 192.168.0.0/24
VLAN 20 - network 192.168.20.0/24
VLAN 30 - network 192.168.30.0/24

   Router
  |------|
  | eth1 | -----> Internet
  |------|
  | eth2 | -----> private device1 (NO VLAN)
  |------|
  | eth3 | -----> private device2 (NO VLAN)
  |------|
  | eth4 | -----> TV (VLAN 20)
  |------|           |-------------|
  | eth5 | -----> AP | eth1        |
  |------|           |-------------|
                     |guest_wlan_2g|
                     |   VLAN 20   |
                     |-------------|
                     |guest_wlan_5g|
                     |   VLAN 20   |
                     |-------------|
                     | iot_wlan_2g |
                     |   VLAN 30   |
                     |-------------|
                     | home_wlan_5g|
                     |             |
                     |-------------|
                     | home_wlan_2g|
                     |             |
                     |-------------|

These are my current full requirements for the network. I hope I am specific enough with them. Is there anything that needs further clarification in your opinion?

I think so… what's new is that on the guest and IoT Wi-Fi you want client isolation, which is not a router feature, it's an AP feature, and I believe there is a setting for that but I will have to find it.

To stop wifi clients (guest network vlan20, and iot network vlan30) from seeing each other on the AP side, for each WLAN, ensure Forward is NOT checked
Forwarding (yes | no; Default: yes)
no - Client cannot send frames to other station that are connected to same access point.
yes - Client can send frames to other stations on the same access point.

That still leaves the TV on the LAN and the guest clients on VLAN 20 that could possibly communicate; I will think about that one.

give me your latest configs to work with.

These are my current configs. I have achieved full client isolation by adding /interface bridge filter rules. Is this the best way to do it?

On AP, I have unchecked the Default Forward box, but had to add the bridge filter rule. I don’t have separate rules like the ones you wrote about: Forwarding (yes | no; Default: yes)
ap_v6.txt (4.39 KB)
router_v6.txt (5.22 KB)

(1) That is what I meant … uncheck the forward default box on the WLAN page of the AP for each WLAN, not any rules etc…
What did you mean by bridge filter rules?? Where is that setting, for example? No, I haven't needed them, but they may be needed to block the TV from guests and vice versa IF you want that.


(2) As for the bridge filter rule
/interface bridge filter (no clue what this will do)
add action=drop chain=forward out-interface-list=ISOLATED_VLAN
As I said I have never used it… So does this stop all traffic to the WAN as well…?? Not knowing what a rule is doing scares me LOL

(3) Why did you add these rules… Oh okay, they are disabled… just get rid of them; it is very confusing to see garbage in a clean car :)
add action=drop chain=input comment="Drop all coming from guest_vlan to management ports on local vlan address" disabled=yes dst-address=192.168.20.1 dst-port=80,21,22,23,8291 in-interface=guest_vlan protocol=tcp
add action=drop chain=input comment="Drop all coming from iot_vlan to management ports on local vlan address" disabled=yes dst-address=192.168.30.1 dst-port=80,21,22,23,8291 in-interface=iot_vlan protocol=tcp
add action=drop chain=input comment="Block isolated VLANs from main network" disabled=yes dst-address=192.168.0.0/24 in-interface-list=ISOLATED_VLAN
add action=accept chain=forward comment="Forward internal LAN" disabled=yes in-interface-list=LAN out-interface-list=LAN

On the AP, I am not sure you need the last rule
/interface bridge vlan
add bridge=bridge_ap tagged=ether1 untagged=iot_wlan_2g vlan-ids=30
add bridge=bridge_ap tagged=ether1 untagged=guest_wlan_2g,guest_wlan_5g vlan-ids=20
add bridge=bridge_ap tagged=ether1 vlan-ids=1 ???
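The bridge VLAN table mistakes raised in this thread (a combined vlan-ids=20,30 line that leaves ether4 with no untagged entry, a VLAN interface whose bridge is not tagged for it, a trunk set to admit-only-vlan-tagged while the untagged home LAN has to cross it, and VLAN 1 tagged on the AP's ether1 but not on the router's ether5) can all be caught mechanically from the exported config. The Python below is an added example written for this page, not MikroTik code and not something posted in the thread; the exports it parses are constructed to mirror the router and AP configs discussed, with ether5/ether1 assumed to be the trunk link between them, and the "before" and "after" router versions reflect the change the OP ended up making (accepting all frame types on ether5).

```python
"""Consistency checks for a RouterOS bridge VLAN setup, from export text.

Added example for this thread, not MikroTik code. Parses the three sections
the thread edits (/interface bridge port, /interface bridge vlan,
/interface vlan) and reports the mistakes discussed there. The exports below
are constructed to mirror the thread's router and AP configs.
"""
import shlex

SECTIONS = {"/interface bridge port": "port", "/interface bridge vlan": "vlan_table",
            "/interface vlan": "vlan_if"}


def parse_export(text):
    """Turn 'add key=value ...' lines under the three sections into dicts."""
    cfg = {"port": [], "vlan_table": [], "vlan_if": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = SECTIONS.get(line)
        elif section and line.startswith("add "):
            cfg[section].append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return cfg


def vlan_members(cfg):
    """vlan-id -> set of tagged ports, and vlan-id -> set of untagged ports."""
    tagged, untagged = {}, {}
    for e in cfg["vlan_table"]:
        for vid in map(int, e["vlan-ids"].split(",")):
            tagged.setdefault(vid, set()).update(filter(None, e.get("tagged", "").split(",")))
            untagged.setdefault(vid, set()).update(filter(None, e.get("untagged", "").split(",")))
    return tagged, untagged


def check_device(name, cfg):
    findings = []
    ports = {p["interface"]: p for p in cfg["port"]}
    bridges = {p["bridge"] for p in cfg["port"]}
    tagged, untagged = vlan_members(cfg)
    for v in cfg["vlan_if"]:   # an L3 VLAN interface on the bridge needs the bridge tagged
        vid, parent = int(v["vlan-id"]), v["interface"]
        if parent in bridges and parent not in tagged.get(vid, set()):
            findings.append(f"{name}: {v['name']} (VLAN {vid}) on {parent}, but {parent} is not tagged for VLAN {vid}")
    for ifc, p in ports.items():
        pvid = int(p.get("pvid", "1"))
        if pvid != 1 and ifc not in untagged.get(pvid, set()):
            findings.append(f"{name}: {ifc} has pvid={pvid} but no untagged entry for VLAN {pvid}")
        if p.get("frame-types") == "admit-only-vlan-tagged":
            # Untagged ingress frames are discarded on such a port, so the pvid
            # VLAN cannot cross it; flag if other ports carry that VLAN untagged.
            others = sorted(o for o, q in ports.items() if o != ifc
                            and int(q.get("pvid", "1")) == pvid
                            and q.get("frame-types") != "admit-only-vlan-tagged")
            if others:
                findings.append(f"{name}: {ifc} admits only tagged frames, so untagged VLAN {pvid} "
                                f"traffic (used by {', '.join(others)}) is discarded on it")
    return findings


def check_trunk(a, a_cfg, a_port, b, b_cfg, b_port):
    """Both ends of a trunk link must tag the same set of VLANs."""
    va = {vid for vid, ifs in vlan_members(a_cfg)[0].items() if a_port in ifs}
    vb = {vid for vid, ifs in vlan_members(b_cfg)[0].items() if b_port in ifs}
    return [f"trunk {a}:{a_port} <-> {b}:{b_port}: VLAN {vid} tagged only on {a if vid in va else b}"
            for vid in sorted(va ^ vb)]


# Constructed router export (ether4 is the TV access port, ether5 the trunk to the AP).
ROUTER_BEFORE_TXT = """
/interface bridge port
add bridge=bridge_r comment=defconf interface=ether2
add bridge=bridge_r comment=defconf interface=ether3
add bridge=bridge_r frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge_r frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
/interface bridge vlan
add bridge=bridge_r tagged=ether5,bridge_r vlan-ids=20,30
/interface vlan
add interface=bridge_r name=guest_vlan vlan-id=20
add interface=bridge_r name=iot_vlan vlan-id=30
"""
ROUTER_BEFORE = parse_export(ROUTER_BEFORE_TXT)
# Corrected as in the thread: one VLAN-table line per id with ether4 untagged
# in VLAN 20, and ether5 admitting all frame types.
ROUTER_AFTER = parse_export(ROUTER_BEFORE_TXT
    .replace("frame-types=admit-only-vlan-tagged ", "")
    .replace("add bridge=bridge_r tagged=ether5,bridge_r vlan-ids=20,30",
             "add bridge=bridge_r tagged=ether5,bridge_r untagged=ether4 vlan-ids=20\n"
             "add bridge=bridge_r tagged=ether5,bridge_r vlan-ids=30"))
# Constructed AP export (ether1 is the trunk to the router).
AP = parse_export("""
/interface bridge port
add bridge=bridge_ap ingress-filtering=yes interface=ether1
add bridge=bridge_ap frame-types=admit-only-untagged-and-priority-tagged interface=wlan_2g
add bridge=bridge_ap frame-types=admit-only-untagged-and-priority-tagged interface=guest_wlan_2g pvid=20
add bridge=bridge_ap frame-types=admit-only-untagged-and-priority-tagged interface=guest_wlan_5g pvid=20
add bridge=bridge_ap frame-types=admit-only-untagged-and-priority-tagged interface=iot_wlan_2g pvid=30
/interface bridge vlan
add bridge=bridge_ap tagged=ether1 untagged=iot_wlan_2g vlan-ids=30
add bridge=bridge_ap tagged=ether1 untagged=guest_wlan_2g,guest_wlan_5g vlan-ids=20
add bridge=bridge_ap tagged=ether1 vlan-ids=1
""")
```

Run `check_device("router", ROUTER_BEFORE)` and it reports the missing untagged entry for ether4 and that the admit-only-vlan-tagged trunk discards the untagged VLAN 1 that ether2 and ether3 use; `ROUTER_AFTER` comes back clean. `check_trunk("router", ROUTER_AFTER, "ether5", "ap", AP, "ether1")` flags VLAN 1 as tagged only on the AP side, which is the "tagged=ether1 vlan-ids=1 ???" line above and matches the connection loss reported when it was added: the router side expects that VLAN untagged.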

Thank you for pointing out things I still need to clean up.

Regarding the bridge rules, they may be applied when a packet goes through a bridge. I found out about them via this really nice presentation of packet flow https://www.youtube.com/watch?v=MF0lGclPa5E (he is using the packet flow diagram from here https://wiki.mikrotik.com/wiki/Manual:Packet_Flow).
After watching the presentation I know more or less what I have been setting, so you should definitely understand how it works :)

So everything works for you now??