VLAN separation not working on HAP AC2

Hello,

I just bought a new HAP AC2 for a friend and am creating a config on it that is similar to my HAP AC2. Basically I have created bunch of VLANs that are isolated from each other and no network traffic is allowed across VLANs, except what I explicitly allow in the Firewall rules. This config works on my HAP AC2, but for some reason the new HAP AC2 is allowing VLANs to talk to each other without any explicit rules in the Firewall. I’ve done several reviews at this point and I can’t seem to find the needle in the haystack. I’d appreciate if you can take a look at my config below and let me know where I went wrong.

I’ve testing this with connecting two computers connected to different wifi SSIDs on separate VLANs and I’m able to ping IPs from 10.0.10.x segment into 10.0.70.x and vice versa.

Thanks in advance!!

# jul/11/2020 16:17:32 by RouterOS 6.47
# software id = YX1W-QFPB
#
# model = RBD52G-5HacD2HnD
# serial number = B4A00C818D2A
/interface bridge
add admin-mac=48:8F:5A:4E:D4:DD auto-mac=no comment=defconf name=BR1 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=ether2-OPEN
set [ find default-name=ether3 ] name=ether3-OPEN
set [ find default-name=ether4 ] name=ether4-OPEN
set [ find default-name=ether5 ] name=ether5-WRST
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-4ED4E2 \
    wireless-protocol=802.11
/interface vlan
add interface=BR1 name=GUEST_VLAN vlan-id=70
add interface=BR1 name=HOME_VLAN vlan-id=10
add interface=BR1 name=IOT_VLAN vlan-id=80
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=home-user supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=guest-user supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=iot-user supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge name=wlan-2-home security-profile=home-user ssid=RocketShip
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:4E:D4:E1 \
    master-interface=wlan-2-home multicast-buffering=disabled name=wlan-guest \
    ssid=RocketShipGuest wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:4E:D4:E2 \
    master-interface=wlan-2-home multicast-buffering=disabled name=wlan-iot \
    ssid=RocketShipIOT wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=HOME_POOL ranges=10.0.10.10-10.0.10.254
add name=GUEST_POOL ranges=10.0.70.10-10.0.70.254
add name=IOT_POOL ranges=10.0.80.10-10.0.80.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=BR1 name=defconf
add address-pool=HOME_POOL disabled=no interface=HOME_VLAN name=HOME_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_VLAN
add address-pool=IOT_POOL disabled=no interface=IOT_VLAN name=IOT_VLAN
/interface bridge port
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether2-OPEN pvid=10
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3-OPEN pvid=10
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4-OPEN pvid=10
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5-WRST pvid=10
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan-2-home pvid=10
add bridge=BR1 comment=defconf interface=wlan2
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan-guest pvid=70
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan-iot pvid=80
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=\
    wlan-2-home,ether5-WRST,ether2-OPEN,ether3-OPEN,ether4-OPEN vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=wlan-guest vlan-ids=70
add bridge=BR1 tagged=BR1 untagged=wlan-iot vlan-ids=80
/interface detect-internet
set wan-interface-list=WAN
/interface list member
add comment=defconf interface=BR1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=HOME_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=BR1 network=\
    192.168.88.0
add address=10.0.10.1/24 interface=HOME_VLAN network=10.0.10.0
add address=10.0.70.1/24 interface=GUEST_VLAN network=10.0.70.0
add address=10.0.80.1/24 interface=IOT_VLAN network=10.0.80.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 comment="Home Network IPs" domain=home gateway=\
    10.0.10.1
add address=10.0.70.0/24 comment="Guest Network IPs" domain=guest gateway=\
    10.0.70.1
add address=10.0.80.0/24 comment="IOT Network IPs" domain=iot gateway=\
    10.0.80.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="Allow estab & related" \
    connection-state=established,related,untracked
add action=accept chain=input comment=\
    "Allow VLANs to access router services like DNS, Winbox" disabled=yes \
    in-interface-list=VLAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="Drop DNS from WAN" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Drop DNS from WAN" dst-port=53 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="DropTelnet from WAN" dst-port=23 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Drop Telnet from WAN" dst-port=23 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="Allow estab & related" \
    connection-state=established,related
add action=accept chain=forward in-interface-list=VLAN out-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Nothing in your firewall prevents hosts in one VLAN to communicate with hosts from other VLANs.

What allows the VLANs to talk to each other in the first place?
I thought this config will not create a specific route between VLANs and I have to create Firewall rules to allow it. I can post config of my original router too, if you want to compare.

Thanks!

Here’s the config of my original HAP AC2 for comparison. This one has VLAN separation working and cross VLAN traffic is not allowed, except what I list in the Firewall.

Its clear you should not be setting up a router for anyone if you are indeed a friend, as you have a lack of knowledge on how to configure the MT or what rules actually do!!

Yours works because you actually have an incomplete/partial rule, as your last rule in the forward chain that stops any traffic not explicitly permitted and in fact you have it twice in your config as the input chain rule which partially configured blocks all further traffic and no allow rules work after that one. LOL.
(You should really clean up your rules they are hosed.)

add action=drop chain=forward comment=“Drop Invalid”

Its not the complete drop invalid rule which looks actually like this
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid

The device in question is a router, and if it has all the necessary routes, then it happily fulfils it’s own destiny - which is… surprise… to route
Unless it is told not to. By means of firewall, routing rules, etc…

Firewall forward chain in first config is configured as “normally open” (no “drop all” as a last rule, meaning: “what is not forbidden is allowed”), so you either need to add explicit rules for everything you want to drop, or you’d better rewrite it as a “normally closed” one (“what is not allowed - is forbidden”) - exactly like in your own config where the last rule is:

add action=drop chain=forward

And btw yes, @anav is right - comment “Drop invalid” doesn’t belong to this rule, because it drops not only invalid packets, but all of them.

To explain the difference between the default firewall rules, a SAFE starting point, and where the WIKI wants to end up, could be explained better, we will start with the default rules.
Before we begin, it should be noted that the overall firewall approach of the default setting of the MT is ALLOW all traffic unless the admin explicitly blocks it. Being non-IT trained, I have no clue of what traffic I need to block but I have a fairly good idea of what I need to allow. So the process is to change from the default allow everything to the more secure (IMHO) block everything.
…
The default rules you plan on passing to your friends device - a good and safe start!!!

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
@@@add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
###add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

Note1: See how the invalid rules are complete in both input and forward chains.
Note2: **@@@**See how any access to the Router (input chain) is blocked to the WAN by the rule that states only LAN access is allowed. This is done in a twisted way by saying block everything that is NOT coming from the LAN (use of ! symbol).
This rule provides access to anybody on the LAN to the router.
Note3: ### See how any access across the router (and to the LANS) from the WAN is blocked by the rule that only allows destination NAT (port forwarding to occur).

Changing Default to More Secure Setup Safely.
For the Input Chain, the idea is twofold, one to narrow down the INPUT CHAIN (access to router itself) to a. Only the ADMIN to configure the router and b. Only to the rest of LAN users for the specific services they actually need. In other words one needs to understand that the router provides some services that people or devices on the network may need depending upon config, such as DNS serving or NTP time.
For the forward chain, the idea is more straightforward, specifically ONLY allow authorized packet flows through the router (to and from from the LAN) and then block everything else.

The Key Change: In both cases we achieve better security by putting a DROP ALL ELSE RULE at the end of both the input chain and forward chain. The danger of this approach is mostly on the input chain side because if we have not ADDED a rule to ALLOW Admin access, the admin is then blocked from accessing the router and it will have to be reset to defaults and the config restarted. A real pain in da buttock! As long as the Admin has access most things can be fixed. In the forward chain the worst that can happen is that we block traffic we want to allow. Once discovered we simply add a new rule to allow that traffic. The advantages are that on both the input and forward chain, we don’t have to add any new rules to block traffic… everything is blocked we didn’t say we allowed, regardless if we knew about that traffic or not.

On the input chain, typically the change is something like.
add action=accept chain=input comment=“Allow ADMIN to Router”
in-interface-list=LAN src-address-list=adminaccess

Where the firewall address list is something like
/ip firewall address-list
add address=ip_of_admin_desktop list=adminaccess (could be device static LANIP on home network)
add address=ip_of_admin_laptop list=adminaccess (could be a device static LANIP on a VLAN)
add address=ip_of_admin_tablet list=adminaccess (could be a device static LANIP on guest wifi)
(wherever you think you may want to be able to access the router)

Notes: One defines access to the router in many places.
A. input firewall rule (allow admin access and define which IPs), you will notice the in-interface-list=LAN to allow access from a wide range of locations.
B. IP Services - where you select the winbox port ( I change it to a non-standard port ), one can also state which subnets are allowed to access winbox here
C. Tools - MACSERVER - MACWINBOX Server - where you can state which interface-list can access winbox via mac address
D. System - Users, where you can narrow down the access to the router to specific users with passwords and also by address.
I don’t recommend monkeying around with these settings unless you have SAFE Mode invoked and you think you know what your are doing.

Other rules might include allow dns services for users…

add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow NTP server" connection-state=new \
    dst-port=123 in-interface-list=LAN protocol=udp src-address-list=devicesneedingaccess\

The last consideration on the input chain is to go to the rule we pointed out before**@@@**! We no longer need that rule to block WAN traffic (because we will have a drop all else rule) and we dont need to allow all LAN users because we have added admin access and any other services required by users.

Critical part: DO NOT ADD DROP RULE until the admin access rules and user service rules are in place. When done, add the last drop all else rule. Then go ahead and remove the *** rule, it is now redundant.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

On the forward chain, we only need to add the last rule - drop all else and to modify the identified rule above ###
The rule no longer has to be responsible for blocking WAN traffic and we can replace it with a simple straightforward allow dstnat rule.
For a beginner the use of the ! symbol (meaning everything but the following) can be confusing and/or tricky in that it may affect traffic you didn’t realize it would.
So best to avoid until later (and we get rid of the same usage on the input chain rule). The nice thing about this approach is maybe you don’t need or intend to do any port forwarding (from wan to lan) and thus don’t need any rule!
So either remove the rule or modify it like so:
add action=accept chain=forward comment=“Allow Port Forwarding” connection-nat-state=dstnat
connection-state=new in-interface-list=WAN (or for fixed wanip dst-address=wanip)

Critical Part: There is probably at least one rule you will need to add since we are changing the firewall strategy from allow everything unless I say block it, TO block everything unless I allow it, and that is to allow LAN to WAN access. It could be from a subnet, or vlans. ex for VLANs provided.
add action=accept chain=forward comment=“ENABLE HomeLAN to WAN”
in-interface=Home-LAN_VXX add action=accept chain=forward comment=“ENABLE HomeLAN to WAN”
out-interface-list=WAN src-address=192.168.88.0/24 (src address OR in-interface are required, putting both in is optional)

To expand upon this point further, lets say we had two vlans/subnets vlan10 and 20. We have two printers in vlan 20 (laser and color inkjet) that need to be shared between the two.
We know the drop all else rule at the end will block all vlan to vlan traffic at L3, so we need to create an allow rule for that traffic flow.
add action=accept chain=forward comment=“allow vlan10 to shared printers” dst-address-list=
House_Printers in-interface=vlan10 src-address=192.168.69.0/24 (one needs in-interface OR src address, both is optional)

(Firewall address list created to identify the two printers in question on vlan20)

Dude I’m following the same advice you gave me about a year ago —> http://forum.mikrotik.com/t/how-to-control-routing-between-subnets/127465/3

The firewall rules I’ve listed for the new router and my old router came directly from your list of sequence. The problem I’m having is that the firewall rules work just fine on my old HAP AC2 but they’re not working on the new one. I think I’m following your advice by flipping the firewall rules to be restrictive rather than allow.

Can you help me point out what I’m doing wrong in the new router config?

Thanks in advance!
ZeeKay

I went back and figured it out finally. The DROP ALL ELSE rule had “Invalid” checked. I had to uncheck it to make it work.
Thanks for explaining the logic again. I’ll document it somewhere.