VLANs on Firewall Filtering

Hi, I'm really new to this MikroTik routing world, so I need some advice on this subject. I've recently bought an RB2011 to use as my main router in a building network. I've created some VLANs with a DHCP server for each subnet inside the VLANs to serve IPs to the clients, and it works as expected. The only problem I have is that every client can ping every other client, even though they are on different subnets, even different VLANs. I've read that by default RouterOS routes every packet, but I've created a drop-all rule on the first VLAN and nothing happened. Then I've read that by default RouterOS doesn't process VLAN packets in the IP firewall. So how should I configure the router so that no VLAN can see another, but they all have access to the internet gateway?

 #    NAME   MTU   ARP       VLAN-ID   INTERFACE
 0 R  1A     1500  enabled   2         ether2
 1 R  1B     1500  enabled   3         ether2
 2 R  1C     1500  enabled   4         ether2
 3 R  1D     1500  enabled   5         ether2

Make your firewall rules with interface blocking, like this:
/ip firewall filter
add chain=forward in-interface=vlanx out-interface=vlany action=drop
I wrote the rule from memory as I'm on my phone now, so I hope I haven't made any syntax error. Adapt that rule to your config and you should be fine.


/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=drop
(192.168.1.0/24 being the scope of one VLAN and 192.168.2.0/24 the scope of another.)

Do that for each VLAN and put them at the top of your forward chain.

I’ve found that my router is making a dynamic rule that accepts everything in the forward chain. How could I remove that rule?

0 D ;;; special dummy rule to show fasttrack counters
chain=forward

1 chain=forward action=drop connection-state=established,new protocol=icmp
src-address=192.168.88.0/24 dst-address=10.10.21.0/24 log=no
log-prefix=""

2 ;;; default configuration
chain=input action=accept protocol=icmp log=no log-prefix=""

3 ;;; default configuration
chain=input action=accept connection-state=established,related log=no
log-prefix=""

4 ;;; default configuration
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""

5 ;;; default configuration
chain=forward action=accept connection-state=established,related log=no
log-prefix=""

disable #4

I've disabled it, but it doesn't work yet. I've seen that there is a dynamic rule filtering everything in the forward chain, and it prevents my rule from being applied. How can I disable it?

In WinBox, open a New Terminal and enter:
/ip firewall filter export
Copy and paste the result here.

0 D ;;; special dummy rule to show fasttrack counters
chain=forward

1 chain=forward action=drop connection-state=established,new protocol=icmp
src-address=192.168.88.0/24 dst-address=10.10.21.0/24 log=no
log-prefix=""

2 ;;; default configuration
chain=input action=accept protocol=icmp log=no log-prefix=""

3 ;;; default configuration
chain=input action=accept connection-state=established,related log=no
log-prefix=""

4 X ;;; default configuration
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""

5 ;;; default configuration
chain=forward action=accept connection-state=established,related log=no
log-prefix=""

http://forum.mikrotik.com/t/feature-request-remove-fasttrack-dummy-rule/89511/1

But is there a way to avoid using these dummy rules? I need the VLANs not to see each other.

The dummy rule doesn’t actually forward traffic. Ignore it.

Your problem is there’s no drop rule anywhere in your filter chain at all.
Add this to the end of your forward chain:
/ip firewall filter
add chain=forward out-interface=WAN action=accept
add chain=forward action=drop
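Putting the two replies above together, here is a complete forward chain for the four VLANs listed in the first post (1A to 1D on ether2). This is an added example, not configuration from the original thread or from MikroTik: it assumes the upstream port is named ether1 (the thread only calls it WAN) and RouterOS 6.36 or later for interface lists; both are assumptions, so adapt the names to your own /interface print output. The default established/related rules stay in front of the drop so return traffic (internet replies included) is never hit, and only new connections that leave through the upstream port are accepted.

```routeros
# Added example (not from the thread). Assumed names: ether1 = upstream/WAN port,
# 1A..1D = the VLAN interfaces from the first post's /interface vlan print.

# Group the tenant VLANs so one rule can refer to all of them.
/interface list
add name=LAN comment="tenant VLANs"
/interface list member
add list=LAN interface=1A
add list=LAN interface=1B
add list=LAN interface=1C
add list=LAN interface=1D

/ip firewall filter
# Keep RouterOS's default rules for already-established flows first; fasttrack
# only ever marks established/related packets, so it cannot bypass the drop
# below for a NEW VLAN-to-VLAN connection.
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related comment="defconf: accept established,related"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"

# The only new connections a VLAN may open are ones leaving through the
# upstream port (ether1 is an assumed name).
add chain=forward action=accept connection-state=new in-interface-list=LAN out-interface=ether1 comment="VLAN -> internet only"

# Anything else coming from a VLAN (i.e. VLAN -> VLAN) is dropped and logged so
# the block can be confirmed from /log.
add chain=forward action=drop in-interface-list=LAN log=yes log-prefix="inter-vlan-drop" comment="block VLAN -> VLAN"

# Catch-all: nothing else is forwarded (e.g. unsolicited WAN -> VLAN).
add chain=forward action=drop comment="drop everything else in forward"
```

To check it, ping a host in another VLAN from a VLAN client (it should time out) and then an internet address (it should answer); /ip firewall filter print stats chain=forward shows the counters of the "block VLAN -> VLAN" rule climbing, and /log print where message~"inter-vlan-drop" lists the dropped attempts. Pings aimed at the router's own VLAN interface addresses go through the input chain, not forward, so they are unaffected by these rules.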

That works fine: if I set a drop-all rule in the forward chain I can't reach the gateway, and if I accept the out-interface of the WAN I'm able to. But the thing is that I still can't ping the other subnets inside other VLANs. I've read that VLANs are not processed by the firewall (http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge bridge settings). Should I place my VLANs inside a bridge and then bridge them with the physical port?

But that’s what you said you wanted…

As for bridge filtering, no, you don't need it, because VLANs can only use IP to talk to each other, so the IP firewall is already going to work.

Sorry, I misspelled it: I still CAN ping other subnets inside other VLANs.

Do you mean you can ping the MikroTik's VLAN 3 interface from VLAN 2 (for example)?

That is different, because pings to the router itself don't go through the forward chain but through the input chain. LAN to LAN is still being blocked. You COULD create a bunch of input rules to block what you're seeing, but there's no point in that.

Find a host in a vlan which will respond to pings from other hosts in the same LAN. You’ll find that this same host cannot be pinged from the other VLANs.