Facuferrari
just joined
Topic Author
Posts: 11
Joined: Sat Feb 20, 2016 9:49 pm

VLans on Firewall Filtering

Sat Feb 20, 2016 10:00 pm

Hi, I'm really new to this MikroTik routing world so I need some advice on this subject. I've recently bought a RB2011 to use as my main router in a building network. I've created some VLANs with a DHCP server for each subnet inside the VLANs to serve IPs to the clients and it works as expected. The only problem that I have is that every client can ping each other even though they are on different subnets, even different VLANs. I've read that by default RouterOS routes every packet, but I've created a drop all rule on the first VLAN and nothing happened. Then I've read that by default RouterOS doesn't process VLAN packets in the IP firewall. So how should I configure the router so that no VLAN can see the others but they all have access to the internet gateway?

# NAME MTU ARP VLAN-ID INTERFACE
0 R 1A 1500 enabled 2 ether2
1 R 1B 1500 enabled 3 ether2
2 R 1C 1500 enabled 4 ether2
3 R 1D 1500 enabled 5 ether2
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Sat Feb 20, 2016 10:29 pm

Make your firewall rules with interface blocking... Like that...
/ip firewall filter
add chain=forward in-interface=vlanx out-interface=vlany action=drop
I wrote the rule from memory as I'm on my phone now, so I hope I have not made any syntax errors. Adapt that rule to your config and you should be fine.

 
gotsprings
Forum Veteran
Posts: 848
Joined: Mon May 14, 2012 9:30 pm

Re: VLans on Firewall Filtering

Sat Feb 20, 2016 10:53 pm

/ip firewall filter add chain=forward src-address="scope of one vlan: i.e. 192.168.1.0/24" dst-address="scope of another vlan: i.e. 192.168.2.0/24" action=drop

Do that for each vlan and put them at the top of your forwarding chains.
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
Mark Twain
 
Facuferrari
just joined
Topic Author
Posts: 11
Joined: Sat Feb 20, 2016 9:49 pm

Re: VLans on Firewall Filtering

Sun Feb 21, 2016 12:10 am

I've found that my router is making a dynamic rule that accepts everything in the forward chain. How could I remove that rule?

0 D ;;; special dummy rule to show fasttrack counters
chain=forward

1 chain=forward action=drop connection-state=established,new protocol=icmp
src-address=192.168.88.0/24 dst-address=10.10.21.0/24 log=no
log-prefix=""

2 ;;; default configuration
chain=input action=accept protocol=icmp log=no log-prefix=""

3 ;;; default configuration
chain=input action=accept connection-state=established,related log=no
log-prefix=""

4 ;;; default configuration
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""

5 ;;; default configuration
chain=forward action=accept connection-state=established,related log=no
log-prefix=""
 
gotsprings
Forum Veteran
Posts: 848
Joined: Mon May 14, 2012 9:30 pm

Re: VLans on Firewall Filtering

Sun Feb 21, 2016 1:05 am

disable #4
 
Facuferrari
just joined
Topic Author
Posts: 11
Joined: Sat Feb 20, 2016 9:49 pm

Re: VLans on Firewall Filtering

Sun Feb 21, 2016 1:58 am

I've disabled it but it doesn't work yet. I've seen that there is a dynamic rule filtering everything in the forward chain and it prevents my rule from getting applied. How can I disable it?
 
gotsprings
Forum Veteran
Posts: 848
Joined: Mon May 14, 2012 9:30 pm

Re: VLans on Firewall Filtering

Sun Feb 21, 2016 2:10 am

In Winbox:

Open a New Terminal.
Enter: /ip firewall filter export
Copy and paste the result here.
 
Facuferrari
just joined
Topic Author
Posts: 11
Joined: Sat Feb 20, 2016 9:49 pm

Re: VLans on Firewall Filtering

Sun Feb 21, 2016 3:58 am

0 D ;;; special dummy rule to show fasttrack counters
chain=forward

1 chain=forward action=drop connection-state=established,new protocol=icmp
src-address=192.168.88.0/24 dst-address=10.10.21.0/24 log=no
log-prefix=""

2 ;;; default configuration
chain=input action=accept protocol=icmp log=no log-prefix=""

3 ;;; default configuration
chain=input action=accept connection-state=established,related log=no
log-prefix=""

4 X ;;; default configuration
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""

5 ;;; default configuration
chain=forward action=accept connection-state=established,related log=no
log-prefix=""
 
jarda
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Sun Feb 21, 2016 8:36 am

 
Facuferrari
just joined
Topic Author
Posts: 11
Joined: Sat Feb 20, 2016 9:49 pm

Re: VLans on Firewall Filtering

Sun Feb 21, 2016 5:04 pm

But is there a way to avoid using these dummy rules? I need the VLANs not to see each other.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: VLans on Firewall Filtering

Sun Feb 21, 2016 5:14 pm

But is there a way to avoid using these dummy rules? I need the VLANs not to see each other.
The dummy rule doesn't actually forward traffic. Ignore it.

Your problem is there's no drop rule anywhere in your filter chain at all.
Add this to the end of your forward chain:
/ip firewall filter
add chain=forward out-interface=WAN action=accept
add chain=forward action=drop
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
Facuferrari
just joined
Topic Author
Posts: 11
Joined: Sat Feb 20, 2016 9:49 pm

Re: VLans on Firewall Filtering

Sun Feb 21, 2016 5:38 pm

That works fine: if I set a drop all rule in the forward chain I can't reach the gateway, and if I accept the out-interface of the WAN I'm able to. But the thing is that I still can't ping the other subnets inside other VLANs. I've read that VLANs are not processed by the firewall (http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge bridge settings). Should I place my VLANs inside a bridge and then bridge them with the physical port?
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: VLans on Firewall Filtering

Sun Feb 21, 2016 5:52 pm

But that's what you said you wanted...

As for bridge filtering, no, you don't need it, because VLANs can only use IP to talk to each other, so the IP firewall is already going to work.
 
Facuferrari
just joined
Topic Author
Posts: 11
Joined: Sat Feb 20, 2016 9:49 pm

Re: VLans on Firewall Filtering

Sun Feb 21, 2016 5:55 pm

Sorry, I misspelled: I still CAN ping other subnets inside other VLANs.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: VLans on Firewall Filtering

Sun Feb 21, 2016 6:38 pm

Sorry, I misspelled: I still CAN ping other subnets inside other VLANs.
Do you mean you can ping the Mikrotik's vlan 3 interface from vlan 2 (for example)?

That is different because pings to the router itself don't go through the forward chain but through the input chain. LAN to LAN is still being blocked. You COULD create a bunch of input rules to block what you're seeing but there's no point in that.

Find a host in a vlan which will respond to pings from other hosts in the same LAN. You'll find that this same host cannot be pinged from the other VLANs.
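A complete filter set that puts ZeroByte's two points together (accept toward the WAN, then drop everything else in forward; packets addressed to the router's own VLAN addresses hit input, not forward). This is an added example, not a config from this thread; it assumes ether1 is the WAN port, the VLAN interfaces are the thread's 1A to 1D on ether2, the router serves DNS and DHCP to those VLANs, and the default forward/input rules shown in the thread are removed before pasting.

```routeros
# Added example (not from the thread). Assumes ether1 = WAN, VLAN interfaces
# 1A-1D on ether2, router provides DNS/DHCP, default rules removed first.
/ip firewall filter
# ---- forward chain: traffic the router passes between interfaces ----
# fasttrack and the accept below only match connections that are already
# established, so the first packet of a new VLAN-to-VLAN connection still
# walks the rest of the chain and reaches the drop at the end
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# each VLAN may reach the internet through the WAN port (NAT is configured separately)
add chain=forward action=accept in-interface=1A out-interface=ether1
add chain=forward action=accept in-interface=1B out-interface=ether1
add chain=forward action=accept in-interface=1C out-interface=ether1
add chain=forward action=accept in-interface=1D out-interface=ether1
# nothing else is forwarded, so VLAN-to-VLAN traffic stops here; logging
# lets you confirm the isolation from the router's log
add chain=forward action=drop log=yes log-prefix="fwd-drop"

# ---- input chain: traffic addressed to the router itself ----
# a ping from a host in VLAN 2 to the router's VLAN 3 address lands here,
# not in forward, which is why it still answers after the forward drop
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="router answers pings on all VLAN addresses"
add chain=input action=accept in-interface=!ether1 protocol=udp dst-port=53,67 comment="DNS/DHCP from the VLANs"
add chain=input action=accept in-interface=!ether1 protocol=tcp dst-port=53,8291 comment="DNS/Winbox from the VLANs"
add chain=input action=drop comment="nothing else may reach the router"
```

To verify, ping a host in one VLAN from a host in another and run /log print where message~"fwd-drop"; the dropped packets appear there while pings to the router's own VLAN address still succeed.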
