VLAN Subnets

Dear MikroTik Gurus;

I have successfully made 3 VLANs on an HP Procurve Managed Switch and RB750GL.

HP Procurve Switch:
VLAN1 - Default Management
VLAN2
VLAN3
VLAN4


MikroTik RB750GL:
WAN x.x.x.x
LAN 10.2.0.1/24
VLAN2 - 192.168.2.1/24
VLAN3 - 192.168.3.1/24
VLAN4 - 192.168.4.1/24


They all work and have DHCP Servers on each subnet that work.

In the firewall filter rules I have set up FORWARD rules that go something like this:
add action=drop chain=forward dst-address=192.168.2.0/24 src-address=10.2.0.0/24
add action=drop chain=forward dst-address=192.168.3.0/24 src-address=10.2.0.0/24
add action=drop chain=forward dst-address=192.168.4.0/24 src-address=10.2.0.0/24

This blocks any traffic from the VLANs trying to get to anything on the MikroTik LAN subnet, but now I have to make DROP rules so that each subnet can't talk to the others for security.
Example:
192.168.2.0/24 not allowed access to 192.168.3.0/24 or 192.168.4.0/24
192.168.3.0/24 not allowed access to 192.168.2.0/24 or 192.168.4.0/24
192.168.4.0/24 not allowed access to 192.168.2.0/24 or 192.168.3.0/24

This could be very complicated if I had 500 VLANs.

Is there an easier way to make sure each VLAN can get to the internet via 10.2.0.1 but cannot see any other subnet???
Thank you in advance.

In theory you could do what you propose with n+1 rules (where n is the number of subnets) by doing

src=192.168.n.0/24 dst=192.168.n.0/24 action=accept
default drop

But my question is whether or not you could just use the default drop with no allows. Will traffic from 192.168.n.0/24 actually need to pass through the router? In theory it shouldn’t since it is all local traffic.

All the 192.168.x.0/24 subnets do not need to see any other 192.168.x.0/24 traffic. They only need to be able to get internet via the MikroTik WAN port 1, so I guess the answer is yes??? In theory it does need to traverse / go through the router.

How do you block 192.168.n.0/24 from 192.168.n.0/24?
Is there some kind of block all rule I could make?
Could you give a rule example of what you are proposing?

It’s not one rule… it is “n” rules… so 1 per.

A script to make them would work.
:for i from=1 to=100 do={
/ip firewall filter add chain=forward action=accept blah blah..
}
But really I think it is unnecessary. Really you should only need to allow 192.168.0.0/16 access to the internet… then just drop everything else. 192.168.0.0 shouldn't send any traffic to the router that is destined for the local network because it is already connected.

What I would have is something like this:
/ip firewall filter add action=drop chain=forward
/ip firewall nat add action=masquerade out-interface=wan chain=srcnat
Then figure out if you actually need to forward ANYTHING… Without really seeing your network diagram/RouterOS config that's the best advice I can give you. I think if you think about it as a default DROP instead and only allow what you need then it will be easier. Also since ALL of the 192.168 networks can access the internet you can treat them like 192.168.0.0/16 for rules and handle them all at once.

-Eric
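To check the default-drop design discussed in the two replies above (allow the 192.168.0.0/16 VLANs out to the internet, drop everything else) before pasting it into a router, here is an added example that is not from the thread: a small Python model of RouterOS first-match forward-chain evaluation over the subnets in the original post. It assumes interface names lan, vlan2..vlan4 and wan (the thread never names them) and adds an established,related accept, because a literal "drop everything else" would also drop the reply packets coming back from the internet.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the RB750GL layout from the thread. Assumption: the
# interfaces are named lan, vlan2..vlan4 and wan; the thread never names them.
CONNECTED = {
    "10.2.0.0/24": "lan",
    "192.168.2.0/24": "vlan2",
    "192.168.3.0/24": "vlan3",
    "192.168.4.0/24": "vlan4",
}

def out_iface(dst):
    """Stand-in for the route lookup: connected subnet, else default route via wan."""
    for net, name in CONNECTED.items():
        if ip_address(dst) in ip_network(net):
            return name
    return "wan"

# Forward chain in RouterOS order (first match wins). Each rule is a match
# dict plus an action; an empty dict matches every packet.
RULES = [
    ({"state": "established,related"}, "accept"),          # replies to allowed flows
    ({"src": "192.168.0.0/16", "out": "wan"}, "accept"),   # every VLAN to the internet only
    ({}, "drop"),                                          # default drop: no inter-VLAN, no VLAN->LAN
]

def forward(rules, src, dst, state="new"):
    """Return the action the forward chain takes for one packet."""
    oif = out_iface(dst)
    for m, action in rules:
        if "src" in m and ip_address(src) not in ip_network(m["src"]):
            continue
        if "dst" in m and ip_address(dst) not in ip_network(m["dst"]):
            continue
        if "out" in m and m["out"] != oif:
            continue
        if "state" in m and state not in m["state"].split(","):
            continue
        return action
    return "accept"  # RouterOS accepts when no rule in the chain matches

def to_routeros(rules):
    """Render the rule list as the /ip firewall filter commands to paste in."""
    keys = {"src": "src-address", "dst": "dst-address",
            "out": "out-interface", "state": "connection-state"}
    cmds = []
    for m, action in rules:
        opts = " ".join(f"{keys[k]}={v}" for k, v in m.items())
        cmds.append(f"/ip firewall filter add chain=forward action={action} {opts}".rstrip())
    return cmds

if __name__ == "__main__":
    print("\n".join(to_routeros(RULES)))
    for src, dst in [("192.168.2.10", "1.1.1.1"), ("192.168.2.10", "192.168.3.10"),
                     ("192.168.4.10", "10.2.0.5")]:
        print(src, "->", dst, forward(RULES, src, dst))
```

Note that with exactly these rules the 10.2.0.0/24 LAN itself has no internet access either; add a matching accept for it if that is wanted.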

Thank you, I will look into it :slight_smile: