VLANs on RB750GR3 - I'm stuck...

Hello forum, and Happy New Year

For a while I've been playing with a MT RB750GR3, running 7.1. I've managed to get an IPSEC VPN going for my IP phone to connect to the office and I was able to get a Wireguard VPN going that still needs some work, but that is not my concern at the moment.

Since I only have access to one managed PoE (DLINK) switch, it is segmented (VLAN'd) off into five VLANS:

VLAN 10 - 192.168.10.0/24 - LAN
VLAN 20 - 192.168.20.0/24 - Wifi
VLAN 30 - 192.168.30.0/24 - Guest Wifi
VLAN 40 - 192.168.40.0/24 - Voice
VLAN 50 - 192.168.40.0/24 - Spouse's "work from home" network

The above VLANs use a total of 9 access ports on the switch. The 10th and last port is a trunk port on the switch that connects to the MT on ethernet 2. Essentially, I have created a ROS set up, however, I need to stop traffic between the VLANs, with the exception of VLAN 10 needing access to everything since I will use my PC on that subnet to manage Access Points on the other VLANs/subnets.

To complicate matters, I have set up Pi-hole on a Raspberry Pi. All networks use its IP address, 192.168.10.11, for DNS. With tutorials and articles online, I was able to set it up so that no matter what a (savvy) user changes on their system, they will always wind up using Pi-hole for DNS. I would like this to stay the same also, so that doesn't make things easier, I think.

The articles I've read so far are confusing to me in that I don't know if my model of MT should be able to separate the traffic between the VLANs in this ROS setup, or not? If it should automatically do so, something is definitely wrong in my configuration.
And I have not created a bridge. Articles I've read (RouterOS - RouterOS - MikroTik Documentation) show a diagram of what looks to be a ROS setup, but then the configuration steps go on to say:

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=20
add bridge=bridge1 interface=ether3 pvid=30

... which is confusing the heck out of me - why are now more than one interface involved, when only one interface is involved in a ROS setup?

I have tried to block traffic between, e.g., VLAN 10 and VLAN 20 by adding the following, without success in blocking the traffic from VLAN 20 to VLAN 10:
action=drop chain=forward connection-nat-state="" connection-state=new dst-address=192.168.10.0/24 src-address=192.168.20.0/24

I would like to know if I should be creating a bridge when only one interface is being used, or am I going about this the wrong way altogether? Clearly I am missing some important steps, but I can't wrap my head around what I am not doing, or doing correctly.

Here is my complete current configuration (added comments and spaces in between sections for clarity)

#==========================================================
# jan/03/2022 11:56:09 by RouterOS 7.1
# software id = 72VR-1FM3
# model = RB750Gr3
# serial number = D5030E3E8970

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether5 ] comment="Management port" name=ether5-access

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1

#VLAN interfaces:
/interface vlan
add interface=ether2 name=GuestWifi vlan-id=30
add interface=ether2 name=LAN vlan-id=10
add interface=ether2 name=Phone vlan-id=40
add interface=ether2 name=Spouse-work vlan-id=50
add interface=ether2 name=Wifi vlan-id=20

/interface lte apn
set [ find default=yes ] ip-type=ipv4

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

#IPSEC section:

/ip ipsec peer
add address=184.69.46.238/32 local-address=184.68.82.26 name=XXXXXXXXXX
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=10s enc-algorithm=3des hash-algorithm=md5 lifetime=8h name=XXXXXXXXXX nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=3des lifetime=8h name=XXXXXXXXXX

/ip pool
add comment=VLAN-10 name=LAN ranges=192.168.10.40-192.168.10.60
add comment=Management name=Ether5-access ranges=192.168.100.10-192.168.100.20
add comment=VLAN-20 name=Wifi ranges=192.168.20.2-192.168.20.254
add comment=VLAN-30 name=GuestWifi ranges=192.168.30.2-192.168.30.254
add comment=VLAN-40 name=Phone ranges=192.168.40.2-192.168.40.254
add comment=VLAN-50 name=Spouse-work ranges=192.168.50.2-192.168.50.254

/ip dhcp-server
add address-pool=LAN interface=LAN name=LAN
add address-pool=Ether5-access interface=ether5-access name=dhcp1
add address-pool=Wifi interface=Wifi name=Wifi
add address-pool=GuestWifi interface=GuestWifi name=GuestWifi
add address-pool=Phone interface=Phone name=Phone
add address-pool=Spouse-work interface=Spouse-work name=dhcp2

/port
set 0 name=serial0
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

/interface wireguard peers
add allowed-address=192.168.60.2/24,192.168.60.3/24 interface=wireguard1 public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="

/ip address
add address=172.16.16.1/24 disabled=yes interface=ether5-access network=172.16.16.0
add address=192.168.10.1/24 interface=LAN network=192.168.10.0
add address=192.168.20.1/24 interface=Wifi network=192.168.20.0
add address=192.168.30.1/24 interface=GuestWifi network=192.168.30.0
add address=192.168.40.1/24 interface=Phone network=192.168.40.0
add address=192.168.50.1/24 interface=Spouse-work network=192.168.50.0
add address=192.168.60.1/24 interface=wireguard1 network=192.168.60.0
add address=184.68.82.26/29 interface=ether1-WAN network=184.68.82.24
add address=192.168.100.1/24 interface=ether5-access network=192.168.100.0

/ip dhcp-server lease
add address=192.168.10.4 client-id=1:18:c0:4d:26:b8:1d comment="Marcel's PC" mac-address=18:C0:4D:26:B8:1D server=LAN
add address=192.168.10.2 client-id=ff:5e:4f:ac:2d:0:1:0:1:29:60:9d:fc:e0:d5:5e:4f:ac:2d comment="File server" mac-address=E0:D5:5E:4F:AC:2D server=LAN

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.11 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.10.11 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.10.11 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.10.11 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.10.11 gateway=192.168.50.1
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1

/ip dns
set servers=192.168.10.11

/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=forward
add action=drop chain=forward connection-nat-state="" connection-state=new dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=drop chain=forward connection-nat-state="" connection-state=new dst-address=192.168.10.0/24 src-address=192.168.30.0/24
add action=drop chain=forward connection-state=established dst-address=192.168.10.0/24 src-address=192.168.40.0/24
add action=drop chain=forward connection-state=established dst-address=192.168.10.0/24 src-address=192.168.50.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.10.0/24 src-address=192.168.60.0/24

/ip firewall nat
add action=accept chain=srcnat comment="IP phone NAT rule" dst-address=10.1.2.0/24 src-address=192.168.40.0/24
add action=masquerade chain=srcnat comment="LAN to Internet MASQuerading"
add action=dst-nat chain=dstnat comment=Pihole dst-address=!192.168.10.11 dst-port=53 in-interface=!ether1-WAN protocol=udp src-address=!192.168.10.11 to-addresses=192.168.10.11
add action=dst-nat chain=dstnat comment=Pihole dst-address=!192.168.10.11 dst-port=53 in-interface=!ether1-WAN protocol=tcp src-address=!192.168.10.11 to-addresses=192.168.10.11
add action=masquerade chain=srcnat comment=Pihole dst-address=192.168.10.11 dst-port=53 protocol=udp src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment=Pihole dst-address=192.168.10.11 dst-port=53 protocol=tcp src-address=192.168.10.0/24

#This is added for the IP phone to have two-way voice traffic:
/ip firewall raw
add action=notrack chain=prerouting dst-address=10.1.2.0/24 src-address=192.168.40.0/24
add action=notrack chain=prerouting dst-address=192.168.40.0/24 src-address=10.1.2.0/24

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add peer=XXXXXXXXXX

/ip ipsec policy
add dst-address=10.1.2.0/24 peer=XXXXXXXXXX proposal=XXXXXXXXXX src-address=192.168.40.0/24 tunnel=yes
set 1 disabled=yes

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=184.68.82.25 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/system clock
set time-zone-name=America/Winnipeg

/tool sniffer
set file-name=Wireshark filter-interface=ether1-WAN memory-limit=1000KiB

#==========================================================

Thank you in advance for taking the time to point me in the right direction.

VLAN setup is fine. You only have to use bridge if you want to use RB750Gr3 in a switch-like fashion.

The firewall section could use some improvements. The problem with the “allow unless blocked” approach (the way your firewall is done now) is that it’s extremely hard to remember all the things that should be blocked. It is much easier to do it the other way around: make a general “drop all” rule (keep it last on the rule list) and add more specific “allow” rules before it. In your case, however, your blocking rules are all made irrelevant by the second rule (action=accept chain=forward).

E.g. your current firewall allows all traffic between any pair of VLANs; only VLAN 10 is protected from the others. So if you went with the “drop the rest” concept, you would have to allow traffic from VLAN 10 everywhere, allow traffic leaving the router through the WAN interface(s) (i.e. ether1-WAN and possibly wireguard1) … and block all traffic (as the last rule).

Thank you for the quick response.

“only VLAN 10 is protected from others” - I understand. This rule does nothing to prevent traffic between VLANs 20 - 50.

The “drop all” rule concept at the end, with the allowed traffic added above it, is logical and seems practical; however, I also have to consider that all VLANs need to be able to get to DNS, which is currently on VLAN 10. Could I make it easier on myself if the Pi-hole DNS server was connected to, e.g., ethernet 3, on another subnet? Or would that not matter?

Could you give me an example config line(s) of how I would accomplish a “drop all” as you suggested and allow necessary WAN access for everything?

Example of a drop all rule on the input chain while allowing just what we need before that…
https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall#BuildingYourFirstFirewall-Protecttherouteritself

Thanks, I’ll take a good look at that, maybe later today or evening.

This is the standard for setting up vlans
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

One bridge.
Define VLANs with the bridge as their interface.
Each VLAN gets an IP address, IP pool, DHCP server and DHCP server network.

Interface bridge ports.

  1. Where you assign ports to the bridge (typically ether1 is WAN; eth2 in your case goes to the switch).
  2. Where you detail which ones are trunk, access or hybrid ports (trunk ports carry one or more VLANs tagged; access ports untag packets to the dumb device and tag packets coming from the dumb device).
  3. Each port should have ingress filtering assigned: trunk ports, frames allowed - only tagged; access ports, frames allowed - only priority and untagged.
  4. In addition, the access ports also require the pvid setting = VLAN number.

Interface bridge vlans.

  1. Where each line refers to a vlan-id (VLAN).
  2. All trunk ports should be tagged for a VLAN they are carrying.
  3. The bridge should be tagged on every line.
  4. All access ports are dynamically tagged by the router (if they have a pvid assigned on the bridge port) and do not require to be shown as untagged. **
  5. The exception is if the VLAN has no tagged ports; the vlan-id still requires a line with at least the bridge tagged.

****** I personally prefer to show all the untagged ports in the config (manually inserted) and that way I can more easily cross check my config.

  • getting interface lists right is important
  • getting firewall rules right is important.

Firewall rules are weak …
In addition, as noted, it's best to have drop-all rules at the end of the input and forward chains; thus,
besides most of the default rules, the admin only needs to worry about which flows are allowed. Much simpler.

This is the basic safe firewall ruleset one should start with:
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related,untracked
add action=drop chain=input comment="default configuration" connection-state=invalid
add action=accept chain=input dst-port=13231 protocol=udp in-interface=ether1-WAN
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input in-interface-list=LAN ***************
add action=accept chain=input comment="Allow LAN DNS queries - UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related,untracked
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=vlan10 out-interface-list=LAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=drop chain=forward comment="drop all else"

Where the +++++++ indicates where to put additional allow rules for traffic.

**************** This is noted because you should see that we allow all the LAN access to the router and then, after that, allow all the LAN access to DNS services.
The idea is to change the LAN interface list to a MANAGEMENT interface list, typically the interfaces that the admin will use (trusted) to config the router and where he/she normally resides.

So for example, BEFORE making firewall rule changes, FIRST make the interface list MANAGEMENT:
add interface=vpn list=MANAGEMENT {assuming using vpn to remotely access and configure the router}
add interface=wireguard list=MANAGEMENT {assuming using wg to remotely access and configure the router}
add interface=trusted vlan (20?) list=MANAGEMENT {assuming this is where the admin resides normally to access the router for config}
add interface=ether5-access list=MANAGEMENT {this will allow OFF BRIDGE access to the router}

Then the input chain, rule would change from
add action=accept chain=input in-interface-list=LAN
TO
add action=accept chain=input in-interface-list=MANAGEMENT

tools/macserver/winmacserver entry would be MANAGEMENT
ip neighbours discovery entry would be MANAGEMENT
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

What I recommend is that you assign ether4 on your router as an access port for the trusted VLAN, to allow access to the router FROM the BRIDGE.
I recommend taking ether5 off the bridge and creating access OFF the bridge to the router, in case the bridge config blows up on you… may be easier just to config from here normally.
https://forum.mikrotik.com/viewtopic.php?t=181718 ( I see you already have an IP for this and everything, so almost already there!!! )

+++++++++++++++++++++++++++++++++++++++++++++++

THE DNS rules in the forward chain in green may not be required if PI is doing the DNS…

I didn't quite get the purpose of these rules, so I left them out for now…
add action=drop chain=forward connection-nat-state="" connection-state=new dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=drop chain=forward connection-nat-state="" connection-state=new dst-address=192.168.10.0/24 src-address=192.168.30.0/24

Hello Anav and mkx,

Thank you both for your input. Lots to read and review in what you presented to me.

I’m right away struck by the seemingly different approaches. mkx writes “You only have to use bridge if you want to use RB750Gr3 in a switch-like fashion” whereas Anav seems to recommend creating a bridge.

I understand that there is likely more than one way to get to my end result, however you can imagine my hesitancy when I start out bewildered with what I should be doing, and then get presented with two options. I certainly do not want to pit two opposing views against one another when I ask if one solution is for all intents and purposes the better approach.

In the meantime, while you consider if you even want to respond, I’ll go on reading more material - luckily most I’ve read before, but will try to re-read with an open and fresh mind.

Thank you.

@anav is known for his desire that everybody configure their gear as similar to his configs as possible so that he can then share his wisdom. Obviously he’s got VLAN-filtering on bridges everywhere.

Again, your ethernet / VLAN / IP setup is fine, but your firewall needs a revamp. The advice on the firewall by @anav applies regardless of how you configure the ethernet ports, because those rules work on the IP level, and if you get the IP addresses right it doesn’t matter how packets arrive at the firewall.

What I’d do regarding the firewall is to have a good look at the defaults; you can always get them by executing /system default-config print in a really wide terminal window (long lines get truncated). After you read through the /ip firewall section and you understand it, go through it again. You’ll notice that technically the default firewall doesn’t follow the “deny everything else” concept, because the last rule has some conditions in it, but the way the default setup is done, those conditions effectively work as “deny everything else” if there was another rule right before it. So if you rework the default firewall (replace the last rule with two more straightforward ones) and add some rules specific to your use case with its quite a few IP subnets, it should work fine. Just remember that firewall rules in each chain are checked top-to-bottom and the first matching rule executes (skipping the rest), which means that more specific rules have to come higher on the list (if you use the deny-everything-else concept, this means specific allow rules have to be higher than the ultimate deny rule).
When you get there, you can post then-actual config here for review.

Since you are using vlans, I opted to go for the method described by PCUNITE ( not by me - just in case MKX forgot :stuck_out_tongue_winking_eye: )
Either way is fine and no offence taken if you opt for alternate methods.

@anav, you’re forgetting what the guide by @pcunite is about … it’s about configuring routerboard devices without switch chips to do VLAN-aware switching/bridging in the new/better way (as opposed to using a bridge per VLAN and heaps of vlan interfaces). However, OP doesn’t need switching/bridging, he is after a router on a stick … and for that the bridge is out of the picture (he’s using a single interface as the VLAN trunk towards the LAN).

Let me show the difference (will only show with two VLANs):

Without bridge:

/interface vlan
add name=vlan10 interface=ether2 vlan-id=10
add name=vlan20 interface=ether2 vlan-id=20
/ip address
add interface=vlan10 address=192.168.10.1/24
add interface=vlan20 address=192.168.20.1/24

With bridge (differences marked with <--):

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=10,20

/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10    # <-- interface=bridge1 instead of ether2
add name=vlan20 interface=bridge1 vlan-id=20    # <-- interface=bridge1 instead of ether2
/ip address
add interface=vlan10 address=192.168.10.1/24
add interface=vlan20 address=192.168.20.1/24

The rest of config (IP addresses, routes, firewall filters, …) is identical in both cases as long as vlan interface names (e.g. vlan10, vlan20) used are identical.

Now, I agree that the bridge way is future-proof … it’s extremely easy to add another port, either as an untagged access port to one of the VLANs or as a trunk port, if a bridge is used already initially (especially so if one sets the bridge MAC manually) … a few extra switch ports can come in handy some times.

But if we stick to OP’s requirements, use of bridge is unnecessary. So @anav, no need for you to sit behind the fence and pout … come back and help @HandyDutchGuy fix his firewall rules (I bow to your ability to make things work for newbies).

No worries, LOL,
I have no idea what router on a stick means.
However, I have a spare hex and I used duct tape to attach it to a branch from a nearby tree, but it doesn't work, since it's not plugged into any outlet.

If you mean the simplest config, yes, no bridge does make things a bit easier, and it's important to stick (pun intended) with what the OP wants.

As you guessed right, you did it wrong. Router on a stick means that you take your spare hex and stick a stick into one of ether ports (don’t try to stick the stick through two or more ports, you need a bridge for that). If you do it properly, then router works … as a scarecrow :stuck_out_tongue:

OK, let's go back on topic and help OP to make his setup better.

Thank you both for your input, and sense of humour! I have less time than I would like to study everything as I should, but I’m plugging away at it when I have time. I also found this thread - http://forum.mikrotik.com/t/default-firewall-config/134431/1 - where you both imparted additional wisdom.

Rest assured I’m doing my homework. Just wanted to let you know I’m not taking your (free) advice and support for granted.

@anav,
Router on a stick, is simply a Router that has only one physical ( or logical ) connection with a Switch ( Trunk Port ) and does the Routing between the VLANs, InterVLAN Routing…

^ This is correct. Now, what I would like to accomplish is to disable the inter VLAN routing… and while I’m working on the security aspect of the router, I will also need to figure out how to achieve the rest of my requirements. See first post. Fun and games… :slight_smile:

So let me get this straight: the topology is ISP modem --------> Router1 -------> Switch --------->MT DEVICE/Router

Where Router 1, only handles IP DHCP client aspect of routing then carries traffic to switch and then to MT Device on a private subnet IP.

Switch (lets say 24 port)

  • Gets internet on ether1 (access port) (vlan10)
  • Rest of the ports are detailed in its VLAN settings
  • Passes all VLAN traffic (for L3/DHCP/internet) to the MT device on a stick on port 24

MT on a stick (acting as a router).
ether 1 is a Trunk Port connecting to port 24 on the switch.
IP DHCP client is on the vlan10 interface, whose interface is ether1 (static private IP address).
All other VLANs are assigned an IP address with interface ether1, IP pool, DHCP server, DHCP server network.
Determine necessary firewall rules.

interface list
LAN ----- all vlans save10
WAN ------vlan10
CLOSE?

Router lives to route, it will route anything it knows how. If you want to spoil its fun, firewall is your friend:

# standard beginning:
/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
# configure what should be allowed:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
...
# block everything else:
add action=reject chain=forward reject-with=icmp-admin-prohibited
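Filling in the “...” of the skeleton above for the OP's actual networks (the five VLAN interfaces on ether2, Pi-hole at 192.168.10.11, WireGuard on UDP 13231, the off-bridge ether5-access management port), as an added example rather than any poster's config. It follows mkx's ordering advice (specific allows above the final catch-all) and anav's MANAGEMENT-list idea for the input chain; the interface-list names VLANS and MANAGEMENT and the rule comments are assumed.

```routeros
# Interface lists (names VLANS and MANAGEMENT are assumed, not from the thread).
/interface list
add name=WAN
add name=VLANS
add name=MANAGEMENT
/interface list member
add interface=ether1-WAN list=WAN
add interface=LAN list=VLANS
add interface=Wifi list=VLANS
add interface=GuestWifi list=VLANS
add interface=Phone list=VLANS
add interface=Spouse-work list=VLANS
# VLAN 10 (interface "LAN") is where the admin's PC lives; ether5 is the off-bridge fallback.
add interface=LAN list=MANAGEMENT
add interface=ether5-access list=MANAGEMENT

/ip firewall filter
# --- input chain: protect the router itself ---
add chain=input action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ping"
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN comment="WireGuard handshakes from WAN"
add chain=input action=accept in-interface-list=MANAGEMENT comment="only admin networks may manage the router"
add chain=input action=drop comment="drop all else (input)"

# --- forward chain: the router routes anything it knows unless told otherwise ---
# fasttrack is deliberately omitted: it would bypass the IPsec policy for the phone's traffic.
add chain=forward action=accept connection-state=established,related,untracked comment="accept established/related (untracked covers the notrack phone traffic)"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface=LAN comment="VLAN 10 may reach everything (AP management)"
add chain=forward action=accept in-interface-list=VLANS out-interface-list=WAN comment="all VLANs to the Internet"
# The dstnat rule has already rewritten the destination to the Pi-hole, so match on it here.
add chain=forward action=accept in-interface-list=VLANS dst-address=192.168.10.11 protocol=udp dst-port=53 comment="all VLANs to Pi-hole DNS (UDP)"
add chain=forward action=accept in-interface-list=VLANS dst-address=192.168.10.11 protocol=tcp dst-port=53 comment="all VLANs to Pi-hole DNS (TCP)"
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN comment="port forwards from WAN, if any are ever added"
# WireGuard peers (192.168.60.0/24) reaching a VLAN would need an explicit accept above this line.
add chain=forward action=reject reject-with=icmp-admin-prohibited comment="reject all else, incl. VLAN 20-50 -> VLAN 10 and VLAN-to-VLAN"
```

With this ordering the OP's original per-subnet drop rules become unnecessary: anything not explicitly allowed (VLAN 20 to VLAN 10, Guest Wifi to Voice, and so on) falls through to the final reject, and the ICMP admin-prohibited reply makes a missing allow rule visible in a client's error message rather than a silent timeout.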

@sob, you prefer to reject than drop ?

Yes, it helps with debugging. If something doesn’t work because I forgot to allow it through firewall, it’s nice if router tells me about it. Better than scratching my head and wondering why packets mysteriously disappear.

It may not be ideal if there are some spoofed packets. But a few small ICMP responses are not good for any amplification attack, so that’s one reason why it’s not very likely to be abused. With a typical client router, it’s very unlikely that any spoofed packets from the internet would reach it at all. It’s the forward chain, so the destination would have to be something other than the router’s public address, and the ISP won’t normally send anything like that. And I mostly trust internal networks. I mean, it can be improved: do drops for traffic from the internet, and for internal networks it can be checked if the source is an allowed local subnet and reject only if it is. But even an unconditional reject should be good enough for a client router.