why is this config working?

Hi guys,
please help me understand why devices from VLAN 81 (IOTNET) are getting internet.
After reset of hAP ac device, I created another bridge (VLANbridge), added two VLANs (HOMENET with VLAN 18 and IOTNET with VLAN 81), then set interfaces and IP addresses.
Everything works, when connected to ether4 and wifi1, devices get DHCP addresses from 10.18.0.0 network and can connect to internet.
DNS resolution is also working.
But I don’t understand why devices are getting internet when connected to ether5 or wifi2 ports. I would expect that this firewall rule prevents devices in VLAN 81 from getting out:

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

because IOTNET (VLAN 81) is not included in LAN interface list.
What am I missing?
Appreciate your input. Attached is full config export and a small diagram.
Br,
Ivars
Blank diagram.png
config.rsc (7.4 KB)

Input chain is for traffic to router. Traffic to internet goes in forward chain.

You should be adding firewall rules to chain=forward for traffic which is only passing router (e.g. from VLAN 81 towards internet) …

Chain input is only for traffic directly targeting router itself.
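
Added example, not part of any post in this thread: a small Python model of the chain selection the replies describe, evaluating the quoted `input` rule against IOTNET traffic. The router addresses, the destination address, the `ether1` WAN port, HOMENET's membership of `LAN` and the `forward` drop rule are assumptions made for illustration.

```python
import ipaddress

# Constructed values: the thread does not give the router's addresses, the
# IOTNET subnet or the WAN port; only "IOTNET is not in LAN" comes from the post.
ROUTER_ADDRESSES = {ipaddress.ip_address(a) for a in ("10.18.0.1", "10.81.0.1")}
INTERFACE_LISTS = {"LAN": {"HOMENET"}, "WAN": {"ether1"}}

# The rule quoted in the question, and a hypothetical forward-chain rule.
PAGE_RULE = {"chain": "input", "action": "drop", "in-interface-list": "!LAN"}
ADDED_RULE = {"chain": "forward", "action": "drop",
              "in-interface": "IOTNET", "out-interface-list": "WAN"}

def select_chain(dst):
    """Traffic addressed to the router itself is 'input'; routed traffic is 'forward'."""
    return "input" if ipaddress.ip_address(dst) in ROUTER_ADDRESSES else "forward"

def rule_matches(rule, chain, in_if, out_if):
    """A rule is only consulted for packets traversing its own chain."""
    if rule["chain"] != chain:
        return False
    if "in-interface" in rule and rule["in-interface"] != in_if:
        return False
    for key, iface in (("in-interface-list", in_if), ("out-interface-list", out_if)):
        spec = rule.get(key)
        if spec is None:
            continue
        negated, name = spec.startswith("!"), spec.lstrip("!")
        member = iface in INTERFACE_LISTS[name]
        if member == negated:  # "!LAN" needs a non-member, "LAN" needs a member
            return False
    return True

def verdict(rules, in_if, dst, out_if=None):
    """Return (chain, action) for a packet; first matching rule wins, else accept."""
    chain = select_chain(dst)
    for rule in rules:
        if rule_matches(rule, chain, in_if, out_if):
            return chain, rule["action"]
    return chain, "accept"

if __name__ == "__main__":
    internet = "203.0.113.10"  # constructed destination outside the router
    print(verdict([PAGE_RULE], "IOTNET", internet, "ether1"))              # forward chain, rule never consulted
    print(verdict([PAGE_RULE], "IOTNET", "10.81.0.1"))                     # input chain, dropped
    print(verdict([PAGE_RULE, ADDED_RULE], "IOTNET", internet, "ether1"))  # forward chain, dropped
```

The model covers only chain selection and interface matching; connection state, NAT and the rest of the default rule set are left out.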

Guys,
many thanks for introducing me to firewalling basics! :slight_smile:
Lost direction today, but now I understand this firewall a little better.
Br,
Ivars

https://forum.mikrotik.com/viewtopic.php?t=180838