Hi,
is it normal behaviour of Mikrotik router that when I create VLANs traffic between them can move without any additional firewall rules?
Do I have to create explicit firewall rules when I don’t want that traffic between VLANs?
You do have to explicitly block inter-VLAN traffic (which makes sense).
Better (in my opinion) is doing it the other way around: explicitly accept and block everything else.
Thanks for fast reply.
Router was configured by someone else, now it is my job to maintain it and do new configs.
I thought it was that way maybe because of that existing configuration. Now it’s clear.
Is there a way to block it by default? Or only by firewall, e.g. drop any → any?
Don't know your current setup, but this is the basic default rule setup with the switch done. Block all, use accept rules to add traffic to be allowed (just before the drop-all rule). Stops VLAN-to-VLAN traffic cold.
/ip firewall filter
# Input chain
# default rules to keep
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# admin added rules
add action=accept chain=input in-interface-list=LAN
# put this rule last; without the LAN rule above you will be locked out
add action=drop chain=input comment="drop all else"
# Forward chain
# default rules to keep
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# admin added rules
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
# disable or remove if not required
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
I assume that it should be in that particular order.
Ideally I should clear all my config, add this and then extend it to my needs, right?
Something like that, yes…
Why would you think order of rules is not important?
Also the organization of chains together is for easy reading/understanding and supportive of troubleshooting.
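To make the ordering point concrete, here is an added example (not from the thread or from MikroTik) that walks sample packets through the forward chain posted above using first-match semantics. The interface-list membership (vlan10/vlan20 in LAN, ether1 in WAN) is a constructed assumption.

```python
# Added example, not from the thread: first-match evaluation of the posted
# forward chain, showing why the final "drop all else" and rule order matter.
from dataclasses import dataclass

LAN = frozenset({"vlan10", "vlan20"})  # constructed: VLAN interfaces in list LAN
WAN = frozenset({"ether1"})            # constructed: uplink in list WAN

@dataclass
class Packet:
    in_iface: str
    out_iface: str
    conn_state: str = "new"   # new / established / related / untracked / invalid
    nat_state: str = ""       # "dstnat" when a port-forward (dst-nat) rule matched

@dataclass
class Rule:
    action: str               # accept / drop / fasttrack-connection
    comment: str
    conn_state: frozenset = frozenset()   # empty matcher means "any"
    in_list: frozenset = frozenset()
    out_list: frozenset = frozenset()
    nat_state: str = ""

    def matches(self, p: Packet) -> bool:
        return ((not self.conn_state or p.conn_state in self.conn_state)
                and (not self.in_list or p.in_iface in self.in_list)
                and (not self.out_list or p.out_iface in self.out_list)
                and (not self.nat_state or p.nat_state == self.nat_state))

# The forward chain from the post, in the same order.
FORWARD = [
    Rule("fasttrack-connection", "defconf: fasttrack", frozenset({"established", "related"})),
    Rule("accept", "defconf: accept established,related,untracked",
         frozenset({"established", "related", "untracked"})),
    Rule("drop", "defconf: drop invalid", frozenset({"invalid"})),
    Rule("accept", "allow internet traffic", in_list=LAN, out_list=WAN),
    Rule("accept", "allow port forwarding", nat_state="dstnat"),
    Rule("drop", "drop all else"),
]

def verdict(p: Packet, chain=FORWARD) -> str:
    """First terminating match wins; a chain with no match is accepted by RouterOS."""
    for r in chain:
        if not r.matches(p):
            continue
        if r.action == "fasttrack-connection":   # marks the connection, then falls through
            continue
        return f"{r.action} ({r.comment})"
    return "accept (implicit: no rule matched)"

if __name__ == "__main__":
    print(verdict(Packet("vlan10", "vlan20")))                # drop (drop all else)
    print(verdict(Packet("vlan10", "ether1")))                # accept (allow internet traffic)
    print(verdict(Packet("vlan10", "vlan20"), FORWARD[:-1]))  # accept: no final drop rule
```

Run it and compare the three verdicts: without the last rule, a new VLAN10 → VLAN20 connection is accepted by the implicit policy, which is exactly the behaviour the original question describes.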