Community discussions

MikroTik App
 
mikrofrank
just joined
Topic Author
Posts: 14
Joined: Thu Jan 21, 2021 9:02 pm

Accessing clients / servers across different VLANs (printer, USB server, NAS, ...)

Thu Apr 08, 2021 9:25 pm

Hi there,
when starting with my MT, I thought I'd strictly separate my VLANs with no access between two clients in different VLANs. In the meantime, I think it would be a good idea to access at least one or two devices from other VLANs, for example the printer from the guest or home-office VLAN.

I made it to access the printer web interface from one VLAN to the printer VLAN, but not more yet. I seem to miss a point as I thought I just look up the ports that are used for printing and create a forward rule in the firewall from VLAN to VLAN? For me it's still difficutl to grasp the basic concept based on research in the MT resources and how-tos.

Can maybe someone clear up the necessary rules for access across VLANs? I guess also other users would benefit from that. The following is my current setup. Thanks a lot:)
# apr/08/2021 19:32:19 by RouterOS 6.48.1
# software id = 8ZCU-N24W
#
# model = RBD52G-5HacD2HnD
# serial number = D7160DC46EB8
/interface bridge
add dhcp-snooping=yes igmp-snooping=yes name=bridge_VLAN100 vlan-filtering=\
    yes
/interface pppoe-client
add ac-name=FFMJ14 add-default-route=yes comment=\
    "PPPoE Telekom - AC Name: FFMJ14" disabled=no interface=ether1 max-mru=\
    1492 max-mtu=1492 name=PPPoE-Telekom user=[xzy]
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
    20/40/80mhz-XXXX country=germany disabled=no frequency=auto hide-ssid=yes \
    installation=indoor mode=ap-bridge name=FrannyMainW scan-list=5GHz ssid=\
    FrannyMainW station-roaming=enabled vlan-id=99 wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan1 ] band=2ghz-onlyn country=germany \
    default-forwarding=no disabled=no frequency=auto hide-ssid=yes mode=\
    ap-bridge name=FrannyW24 ssid=FrannyMainW24 station-roaming=enabled \
    vlan-id=66 wireless-protocol=802.11 wps-mode=disabled
/interface vlan
add disabled=yes interface=bridge_VLAN100 name=VLAN1 vlan-id=1
add interface=ether1 name=VLAN7-PPPoE vlan-id=7
add interface=bridge_VLAN100 name=VLAN66 vlan-id=66
add interface=bridge_VLAN100 name=VLAN77 vlan-id=77
add interface=bridge_VLAN100 name=VLAN88 vlan-id=88
add interface=bridge_VLAN100 name=VLAN99 vlan-id=99
/interface ethernet switch port
set 1 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
add name=LANfullWAN
add name=LANlimWAN
/interface wireless channels
add band=5ghz-onlyac comment="ch56 - 40MHz: eC Ce - 80MHz: eCee" disabled=yes \
    extension-channel=eCee frequency=5280 list=5GHz name=ch56 width=20
add band=5ghz-onlyac comment="ch136 - 40MHz: Ce - 80MHz: \?" \
    extension-channel=eC frequency=5680 list=5GHz name=ch136 width=20
add band=5ghz-onlyac comment="ch104 - 80MHz: eCee" extension-channel=eCee \
    frequency=5520 list=5GHz name=ch104 width=20
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    business supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=home \
    supplicant-identity=""
/interface wireless
add default-forwarding=no disabled=no hide-ssid=yes keepalive-frames=disabled \
    mac-address=0A:55:31:3B:07:7F master-interface=FrannyMainW \
    multicast-buffering=disabled name=FrannyHOW security-profile=business \
    ssid=FrannyHOW station-roaming=enabled vlan-id=88 wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
    0A:55:31:3B:07:7E master-interface=FrannyMainW multicast-buffering=\
    disabled name=FrannyGastW security-profile=guest ssid=FrannyGastW \
    station-roaming=enabled vlan-id=77 wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
    0A:55:31:3B:07:7D master-interface=FrannyW24 multicast-buffering=disabled \
    name=FrannyHomeW24 security-profile=home ssid=FrannyHomeW24 \
    station-roaming=enabled vlan-id=66 wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/ip pool
add comment="Default VLAN (ID 1):" name=dhcp_pool5 ranges=\
    192.168.100.10-192.168.100.50
add comment="Smart Home Network:" name=dhcp_pool6 ranges=\
    192.168.66.10-192.168.66.30
add comment="Guest Wifi:" name=dhcp_pool7 ranges=\
    192.168.77.10-192.168.77.30
add comment="Internal Network:" name=dhcp_pool9 ranges=\
    192.168.99.10-192.168.99.50
add comment="Business Network:" name=dhcp_pool10 ranges=\
    192.168.88.10-192.168.88.50
/ip dhcp-server
add address-pool=dhcp_pool5 interface=VLAN1 lease-time=10h name=dhcp1
add address-pool=dhcp_pool6 disabled=no interface=VLAN66 lease-time=1w name=\
    "dhcp2 (66)"
add address-pool=dhcp_pool7 disabled=no interface=VLAN77 lease-time=10h name=\
    "dhcp3 (77)"
add address-pool=dhcp_pool9 disabled=no interface=VLAN99 lease-time=10h name=\
    "dhcp5 (99)"
add address-pool=dhcp_pool10 disabled=no interface=VLAN88 lease-time=10h \
    name="dhcp2 (88)"
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge_VLAN100 frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
    interface=FrannyGastW pvid=77
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
    interface=FrannyHOW pvid=88
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
    interface=FrannyMainW pvid=99
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
    interface=FrannyHomeW24 pvid=66
add bridge=bridge_VLAN100 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge_VLAN100 tagged=bridge_VLAN100 vlan-ids=1
add bridge=bridge_VLAN100 tagged=bridge_VLAN100 vlan-ids=66
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether3 vlan-ids=77
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether5 vlan-ids=88
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether5,ether3 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=bridge_VLAN100 list=LAN
add interface=VLAN88 list=LANfullWAN
add interface=VLAN99 list=LANfullWAN
add interface=VLAN66 list=LANlimWAN
add interface=VLAN77 list=LANlimWAN
add interface=VLAN66 list=LAN
add interface=VLAN77 list=LAN
add interface=VLAN88 list=LAN
add interface=VLAN99 list=LAN
add interface=PPPoE-Telekom list=WAN
add interface=VLAN1 list=LANfullWAN
add interface=VLAN1 list=LAN
/ip address
add address=192.168.99.1/24 interface=VLAN99 network=192.168.99.0
add address=192.168.66.1/24 interface=VLAN66 network=192.168.66.0
add address=192.168.88.1/24 interface=VLAN88 network=192.168.88.0
add address=192.168.77.1/24 interface=VLAN77 network=192.168.77.0
add address=192.168.100.1/24 disabled=yes interface=VLAN1 network=\
    192.168.100.0
add address=192.168.99.100 interface=bridge_VLAN100 network=192.168.99.100
/ip dhcp-client
add !dhcp-options interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.100.1
add address=192.168.66.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.66.1 \
    netmask=24
add address=192.168.77.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.77.1 \
    netmask=24
add address=192.168.88.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.88.1 \
    netmask=24
add address=192.168.99.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.99.1 \
    netmask=24
/ip dns
set servers=9.9.9.9
/ip firewall address-list
add address=192.168.77.0/24 list="VLAN77 Guest Wifi"
add address=192.168.88.0/24 list="VLAN88 Business"
add address=192.168.99.0/24 list="VLAN99 Intern"
add address=192.168.66.0/24 list="VLAN66 Home"
add address=192.168.100.0/24 list="VLAN1 (addr. list)"
add address=192.168.7.0/24 list="Ether1 Routermodem IPs"
add address=192.168.100.1-192.168.77.255 disabled=yes list=limWAN
add address=192.168.88.1-192.168.99.255 disabled=yes list=fullWAN
/ip firewall filter
add action=accept chain=input comment="Management Port ether2 (input)" \
    in-interface=ether2
add action=accept chain=input comment=\
    "Management Port via VLAN99 (to Router / Gateway IP)" dst-address=\
    192.168.99.1 dst-port=8291 in-interface=VLAN99 protocol=tcp
add action=drop chain=input comment=\
    "drop WAN router config for non-VLAN99 (input)" dst-address-list=\
    "Ether1 Routermodem IPs" in-interface=!VLAN99
add action=drop chain=forward comment=\
    "drop WAN router config for non-VLAN99 (forward)" dst-address-list=\
    "Ether1 Routermodem IPs" in-interface=!VLAN99
add action=accept chain=input comment=\
    "defconf: accept established, related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=" allow VLAN66  to WAN traffic (UDP)" \
    dst-port=53,25050 in-interface=VLAN66 out-interface-list=WAN protocol=udp
add action=accept chain=forward comment=\
    "allow VLAN66 to WAN traffic (limited, TCP)" dst-port=80,123,443,53,25050 \
    in-interface=VLAN66 out-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=\
    "allow VLAN88 to VLAN99 printer (TCP)" dst-address=192.168.99.193 \
    protocol=tcp src-address-list="VLAN88 Business"
add action=accept chain=forward comment=\
    "allow VLAN77 to VLAN99 printer (TCP)" disabled=yes dst-address=\
    192.168.99.193 protocol=tcp src-address-list="VLAN77 Guest Wifi"
add action=accept chain=forward comment=\
    "allow VLAN77 to VLAN99 printer (UDP)" disabled=yes dst-address=\
    192.168.99.193 protocol=udp src-address-list="VLAN77 Guest Wifi" \
    src-port=""
add action=accept chain=forward comment="Router NTP Service (TCP, test)" \
    disabled=yes dst-port=123 in-interface=VLAN77 protocol=tcp
add action=accept chain=forward comment="Router NTP Service (TCP, test)" \
    disabled=yes dst-address=192.168.99.1 dst-port=123 protocol=udp \
    src-port=123
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment="Allow Admin Access" in-interface=\
    VLAN99
add action=accept chain=input comment="Router DNS Service (TCP)" disabled=yes \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Router DNS Service (TCP)" disabled=yes \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else (input)"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked (LANfullWAN)" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow LAN to WAN traffic" \
    in-interface-list=LANfullWAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow VLAN77 to WAN traffic (test, full)" disabled=yes in-interface=\
    VLAN77 out-interface-list=WAN
add action=accept chain=forward comment=" allow VLAN77  to WAN traffic (UDP)" \
    dst-port=53,123,25050 in-interface=VLAN77 out-interface-list=WAN \
    protocol=udp
add action=accept chain=forward comment=\
    "allow VLAN77 to WAN traffic (limited, TCP)" dst-port=80,123,443,53,25050 \
    in-interface=VLAN77 out-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="allow Admin to all limited vlans" \
    disabled=yes in-interface=VLAN99 out-interface-list=LANlimWAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else (forward)"
/ip firewall nat
add action=src-nat chain=srcnat comment=\
    NTP-test disabled=yes \
    protocol=udp src-port=123 to-addresses=192.168.99.1
add action=src-nat chain=srcnat disabled=yes protocol=udp src-port=123 \
    to-addresses=192.168.99.1
add action=src-nat chain=srcnat disabled=yes protocol=udp src-address=\
    192.168.88.1 src-port=123 to-addresses=192.168.99.1
add action=src-nat chain=srcnat disabled=yes protocol=udp src-address=\
    192.168.66.1 src-port=123 to-addresses=192.168.99.1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=FrannyHap
/system ntp client
set enabled=yes primary-ntp=141.2.22.74 secondary-ntp=134.176.2.5
/system ntp server
set enabled=yes
/system routerboard settings
set auto-upgrade=yes
 
merlinpendragonx
just joined
Posts: 1
Joined: Thu Apr 08, 2021 9:38 pm

Re: Accessing clients / servers across different VLANs (printer, USB server, NAS, ...)

Thu Apr 08, 2021 9:47 pm

Disconnecting/reconnecting the mapped drives (net use X: \\SERVER\Share)
Resetting the winsock (netsh winsock reset)
System file check (sfc /scannow)
Clear DNS cache (ipconfig /flushdns)
Clear arp cache (arp -d)
Check Windows Firewall (it's disabled for the local network)
Verify SMB is enabled (we use SMBv1 for a network scanner/printer device for delivery of documents to each user's local computer)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 7790
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Accessing clients / servers across different VLANs (printer, USB server, NAS, ...)

Fri Apr 09, 2021 3:22 am

Why start another thread as I dealt with your firewall rules here.......
viewtopic.php?f=13&t=174254

In my opinion you dont need to delineate ports or protocols of that access as I dont think the printer can do much harm.

Basically with a drop all rule at the end of the forward chain, all vlan to vlan traffic is thus blocked at layer 3.
Thus to allow a subnet to access a printer in another subnet, you need to create firewall rules.

There are two ways you can do this.
1. create interface list that includes all vlans requiring such access.
Then you add vlans to this list as members.
Then you create an accept forward chain firewall rule stating in-interface-list=allowedvlans2printer dest-address=IPofprinter.

2. Create a firewall address list containing all the individual IPs or subnets that require access to the printer
add address=subnetofvlanx list=vlans2printer
add address=subentofvlany list=vlans2printer
Then you create an accept forward chain firewall rule stating source-address-list=vlans2printer dest-address=IPofprinter.

Personally If there are a bunch of subnets I tend to use interface lists, if only one subnet I use the src-address=subnet
I only tend to use address lists when I have a mix of some individual IPs from a subnet, or a mix of IPs from different subnets along with whole subnets.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mikrofrank
just joined
Topic Author
Posts: 14
Joined: Thu Jan 21, 2021 9:02 pm

Re: Accessing clients / servers across different VLANs (printer, USB server, NAS, ...)

Mon Apr 12, 2021 10:59 pm

Why start another thread as I dealt with your firewall rules here.......
viewtopic.php?f=13&t=174254
Thanks, I thought it's a good idea to split the topics for better searchability for others. I saw you refer to the printer in the other topic as well. Thanks, will hopefully consider your reco's soon.
 
tdw
Forum Veteran
Forum Veteran
Posts: 892
Joined: Sat May 05, 2018 11:55 am

Re: Accessing clients / servers across different VLANs (printer, USB server, NAS, ...)

Tue Apr 13, 2021 2:05 am

In my opinion you dont need to delineate ports or protocols of that access as I dont think the printer can do much harm.
Printers make a great jumping-off point for network infiltration - printers and their network interface cards are often long-lived and are either no longer supported by the manufacturer or overlooked when it comes to security updates. For example, quite a few years ago HP had to quickly patch all of their supported models as you could replace the unsigned firmware by merely printing a file, and more recently you could remotely exploit colour multifunction devices by sending a specially crafted fax.

Probably of more concern in business/corporate environments, but the home network of an important employee may be a vector for a determined attacker.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 7790
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Accessing clients / servers across different VLANs (printer, USB server, NAS, ...)

Wed Jun 16, 2021 12:24 am

In my opinion you dont need to delineate ports or protocols of that access as I dont think the printer can do much harm.
Printers make a great jumping-off point for network infiltration - printers and their network interface cards are often long-lived and are either no longer supported by the manufacturer or overlooked when it comes to security updates. For example, quite a few years ago HP had to quickly patch all of their supported models as you could replace the unsigned firmware by merely printing a file, and more recently you could remotely exploit colour multifunction devices by sending a specially crafted fax.

Probably of more concern in business/corporate environments, but the home network of an important employee may be a vector for a determined attacker.
yes but thats why its a one way connection, devices to shared printer, NOT shared printer to devices firewall rule.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!

Who is online

Users browsing this forum: No registered users and 27 guests