VLAN To Internet Access

bigdogchris · January 24, 2012, 7:49pm

I am a RouterBOARD noob, so I hope I explain this OK. I’ve been thrown into a situation where I am trying to make changes to equipment I did not setup or configure.

I have a RB433AH that I am editing via WINBOX. I believe the version is 4.10.

What I am trying to do is to create a VLAN to give users on a specific AP access to the Internet, without access to the internal network. So far I have configured the RB to have a VLAN interface, VLAN network, DHCP Pool in said network, and assign IP’s via DHCP.

The VLAN id passes through my switch and through the AP. All clients are connecting to the AP and get the VLAN DHCP pool I have assigned. So that’s working great. The problem is they still can access the other network. The clients are receiving the proper IP, Gateway, and DNS from DHCP.

The default network is 192.168.1.0/24 and the VLAN network is 192.168.2.0/24.

What is the next step via WINBOX to get my 192.168.2.0 network blocked from seeing my 192.168.1.0 network? I understand the routers job is to let subnets see eachother but I was hoping that it would be easier than this

Thanks!

blake · January 24, 2012, 10:10pm

/ip firewall filter
add chain=forward action=drop in-interface=vlan_network out-interface=!internet

bigdogchris · January 24, 2012, 11:40pm

I’m not comfortable working with the CLI on this device yet. The options you listed I remember are available to set through Winbox though.

So I take it that this setting takes any data coming into the router from the vlan and forwards it outward to the Internet? What is the drop action for if this is a simple forward?

nissandata · January 25, 2012, 9:28am

/ip firewall filter
add chain=forward action=drop in-interface=vlan_network out-interface=!internet

this means you chould add a firewall rule that drops all traffic NOT going out on the wan-interface.

what i usualy do is setting rules that allow traffic that should be alloewd the drop the rest. But there is diffrent approaches for this

/ip firewall filter
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept established" connection-state=established
add action=accept chain=forward comment="accept related" connection-state=related

# your accept rules here
add action=accept chain=forward comment="accept all outgoing traffic" out-interface="<your gw interface here>"
# end of you accept rules

add action=drop chain=forward comment="drop everything else"

this meens that just traffic going out of the gateway interface will be accepted. Traffic between the interfaces will be dropped.

if you open your terminal and paste this command

/interface print
/ip firewall export
/ip address print

and then paste the output it here you can get the exact commands to type in the terminal to achieve your goal. Then you will be able to see the result in WinBox to get an understanding on how to do this there.

bigdogchris · January 25, 2012, 2:25pm

In this scenario, the rule works by setting an action, which is drop. Then this action is applied unless you match in VLAN out WAN. Everything else is dropped. If I wanted additional actions, it would come before this action, which would always be last. Right?

Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                                               TYPE             MTU   L2MTU
 0  R  ;;; From ISP
       WAN                                                                ether            1500  1526 
 1  R  ;;; Wired
       LAN                                                                ether            1500  1522 
 2     ether3                                                             ether            1500  1522 
 3  R  ;;; Open Wireless
       Open Wireless

# jan/02/1970 14:54:10 by RouterOS 4.10
# software id = VI6N-280L
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=\
    10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no out-interface=WAN
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE                                     
 0   ;;; WAN
     ###.##.###.##/25   ###.##.###.#    ###.##.###.###  WAN                                           
 1   ;;; LAN
     192.168.1.254/24   192.168.1.0     192.168.1.255   LAN                                           
 2   ;;; Open Wireless VLAN
     192.168.2.1/24     192.168.2.0     192.168.2.255   Open Wireless

I have hashed out the public IP.

nissandata · January 25, 2012, 3:09pm

The rules goes down your chain. when it hits a match it stops and takes the action.

So this rule
add action=drop chain=forward comment=“drop invalid” connection-state=invalid
will take the action “drop” on packages with the connection state invalid.
if the package dont have that state it will continiue through out the rules below

Hit this command in your terminal to add the rules

/ip firewall filter
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept established" connection-state=established
add action=accept chain=forward comment="accept related" connection-state=related
add action=accept chain=forward comment="accept all outgoing traffic" out-interface="wan"
add action=drop chain=forward comment="drop everything else"

This will check all packages going through your router.
First rule is from the example above, all packages that are invalid (damaged or maybe spoofed), if it is. It will drop the package. This is good practice, but has nothing to do with your particular goal to stop traffic between your networks.

The second and third rule will check if the package belongs to connections already accepted through firewall. These rules helps a lot with forwarding ftp and maybe open certain traffic between the subnets
these three rules above i configure on almost all my routerboards

The fourth rule will check if the package is going out from your WAN-port, if it does it will accept it

The last rule should always be the last in the chain. it drops ALL packages which haven’t get matched above.

so if a user from 192.168.2.10 tries to connect to 192.168.1.20, the package will not go out from your wan port. Because of this it will not get matched until the last rule, and then it will be dropped
if a user tries to connect to 8.8.8.8, it will be accepted since it will get a match on the fourth rule.

you can expand the rules, if all users should be able to use a printer on IP 192.168.1.220 you can tell the filter to allow this traffic before the last rule

add action=accept chain=forward comment="accept all outgoing traffic" src-address="192.168.2.0/24" dst-address="192.168.1.220"

you should read this wiki articles to get a god understanding of the concepts round the firewall on mikrotik devices.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

There is also a very good book called “Learn RouterOS” by Dennis Burgess