networknoob88
newbie
Topic Author
Posts: 43
Joined: Sun Jul 15, 2018 6:00 pm

Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Wed Jul 18, 2018 6:19 am

Every other tutorial I read about VLANs emphasizes how computers in different VLANs are not supposed to be able to communicate with each other by design, and that's what makes them more secure.

But it seems in MT (I'm new, starting out fresh on 6.42 with a CCR1009-7G), everything, including VLANs, can freely connect to each other, unless explicit firewall rules are set up to block them?

Are there any special default routes in RouterOS/MT that do this? I do not see them under any routing table.

How exactly does MT/RouterOS make everything connected, even if they're completely different interfaces, no bridges, across all subnets and VLANs?

Or is it because other manufacturers have default firewall rules to block different VLANs and subnets etc, and MT/RouterOS doesn't?

Or did I do something wrong?

Some clarification would be greatly appreciated!
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Wed Jul 18, 2018 8:07 am

Yes, the basic firewall configuration is that all is allowed unless specifically blocked by firewall. It's a router - it routes. The normal way to set it up is to explicitly allow what you want and then at the end of each chain, drop everything. That way only the traffic that you allow will get through.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission

Jim
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Wed Jul 18, 2018 10:37 am

To answer your thread title directly.

You are buying a router. Why would you expect it not to route as its default action?
When you add VLANs and additional subnets you are attaching them all to a router, therefore it will route between the networks.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
Sob
Forum Guru
Posts: 4673
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?  [SOLVED]

Wed Jul 18, 2018 4:23 pm

It depends on how people understand VLANs; they often take it as a synonym for isolation. It works that way with switches: devices in VLAN X can't talk to devices in VLAN Y. But for a router, a VLAN is an interface like any other. If it knows how to route between them, it will do it. Another part of the confusion is that some products may have a high-level configuration interface for VLANs, where it's assumed that they will be used for user isolation by default. But like with other high-level configuration interfaces, that's not what RouterOS does; it gives full freedom to the user, but also full responsibility.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
pe1chl
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Wed Jul 18, 2018 5:22 pm

> Or did I do something wrong?

It is impossible to know what you did and what is wrong because you did not include a /export of your config.
Do a /export and include at least the sections about bridge, interface, address and firewall to see what you have and why it does not work as you want.
Remember that all firewall rules in RouterOS have a default "accept". What you do not match and drop/reject in the firewall goes through.
You can add an explicit "accept" rule at the end of each firewall chain to see this in operation, and when you trust that you won't lock yourself out, you can change that rule to "drop".
 
smittie2000
just joined
Posts: 9
Joined: Sun May 21, 2017 10:47 pm

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Wed Jul 18, 2018 5:57 pm

Good day

Bridge horizon is a good way to help with this and proper subnetting.
 
networknoob88
newbie
Topic Author
Posts: 43
Joined: Sun Jul 15, 2018 6:00 pm

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Thu Jul 19, 2018 6:10 am

Thanks for all your replies. I understand now the difference is basically VLAN on router vs VLAN on switch.

Question: is it true to say that if my CCR1009 will be the only "smart" device on the network, with everything else being dumb clients and dumb switches, then there is no point in creating VLANs on the CCR, instead subnetting + firewall would do the same, since any VLANs created will be routed by default anyway?

Thanks again.
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Thu Jul 19, 2018 7:41 am

Depends on what you are trying to accomplish. I fully admit that this is not normal, but I have 15 VLANs at my house. With the exception of a few select situations, none of them talk to each other. I also have two active routers, and four switches (all smart devices) - then a microwave path 4.2 miles and another smart switch. My WiFi devices are also VLAN aware. For MOST home users, VLANs are not needed or used.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission

Jim
 
mkx
Forum Guru
Posts: 2952
Joined: Thu Mar 03, 2016 10:23 pm

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Thu Jul 19, 2018 10:46 am

> Question: is it true to say that if my CCR1009 will be the only "smart" device on the network, with everything else being dumb clients and dumb switches, then there is no point in creating VLANs on the CCR, instead subnetting + firewall would do the same, since any VLANs created will be routed by default anyway?

That's indeed so. One gets all the benefits of using VLANs only if there are other VLAN-aware devices in the network.

However, things are not black & white: if you want to "slice" a "normal" router/switch into a few distinct subnets, you need to create a few bridges, one per sub-network, and add the needed ethernet ports to each bridge. With "normal" MikroTik routers you lose HW offload for most of those bridges, meaning quite some traffic which would otherwise be dealt with in the switch part of the router/switch then hits the CPU. To deal with it, one can create one VLAN per subnet and use that VLAN internally in the router to recover HW performance for switching traffic between different ethernet ports of the same subnet in this case.
The above is true for many MikroTik routers that have a switch chip built in. CCRs are different beasts without switch chips, hence the above reasoning doesn't apply.
BR,
Metod
 
pe1chl
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Thu Jul 19, 2018 11:38 am

> Question: is it true to say that if my CCR1009 will be the only "smart" device on the network, with everything else being dumb clients and dumb switches, then there is no point in creating VLANs on the CCR, instead subnetting + firewall would do the same, since any VLANs created will be routed by default anyway?

Indeed VLANs are not useful in that case, but you can still separate the network into different physical networks by connecting each dumb switch to a separate port on the CCR and having a certain class of devices on that switch. You would not put those ports in a bridge, but have separate IP subnets on them which will be routed, but that routing can be restricted by the firewall. You can allow each subnet to route to the internet, but not one subnet to the others.
This can be useful when you want to set up some security.

And, as k6ccc wrote, a more advanced WiFi device is also VLAN aware. You can configure different SSID/password combinations and put them in different VLANs, to combine that with the above physical separation.

Useful case: you can separate your computer+NAS, a "guest" network, and an "IoT" network. So hacked IoT devices or rogue "guests" (e.g. with a virus on their computer) cannot access your computer and files.
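An added illustration of the layout pe1chl describes, written for this thread and not taken from any poster: RouterOS 6.4x filter rules for a CCR whose ether1 is the WAN and whose ether2 to ether4 each carry one dumb switch and one subnet, with no bridge. The interface names, list names, subnets and the "accept while testing, then drop" last rule are assumptions following the earlier replies, not something from the original post.

```routeros
# Added example, not from the thread. Assumed layout: ether1 = WAN,
# ether2 = computers+NAS 192.168.10.0/24, ether3 = guest 192.168.20.0/24,
# ether4 = IoT 192.168.30.0/24. No bridge: each port is its own L3 interface.
/interface list
add name=wan-ports
add name=lan-ports
/interface list member
add list=wan-ports interface=ether1
add list=lan-ports interface=ether2
add list=lan-ports interface=ether3
add list=lan-ports interface=ether4

/ip firewall address-list
add list=local-subnets address=192.168.10.0/24
add list=local-subnets address=192.168.20.0/24
add list=local-subnets address=192.168.30.0/24

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=lan-ports comment="management, DNS and DHCP from local ports"
add chain=input action=drop comment="everything else, including anything from the WAN"
# forward chain: traffic the router would otherwise route between its ports
# (remember the built-in default at the end of the chain is accept)
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop src-address-list=local-subnets dst-address-list=local-subnets comment="no subnet-to-subnet routing"
add chain=forward action=accept in-interface-list=lan-ports out-interface-list=wan-ports comment="each subnet may reach the internet"
# last rule: pe1chl's test pattern. It starts as accept so nothing is silently
# lost; once the log shows only traffic you meant to block, set action=drop.
add chain=forward action=accept log=yes log-prefix="fwd-unmatched" comment="change to drop after testing"
```

Because the inter-subnet drop sits before the accept rules, a connection from guest to the NAS is refused at its first packet and never becomes "established", so the established/related accept above it cannot let it through.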
 
mkx
Forum Guru
Posts: 2952
Joined: Thu Mar 03, 2016 10:23 pm

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Thu Jul 19, 2018 11:48 am

@pe1chl: all of the cases you described can be done with per-port configuration. The only case you described that cannot be done by per-port configuration is the VLAN-aware WiFi AP, but that one falls out of the "only dumb devices" category mentioned by @networknoob88.

I guess there are really only two cases to use VLANs in a typical SOHO environment:
  1. use of VLAN-enabled WiFi APs
  2. lack of physical network cables to be used for connecting devices in separate subnets. Which means there will appear another VLAN-capable switch (or two) in the network (to become access switch to VLAN-enabled network).
BR,
Metod
 
pe1chl
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Thu Jul 19, 2018 2:25 pm

I'll add a 3rd one:
3. use of a specific VLAN on the internet interface as required by the provider. Fiber or VDSL internet is usually carried on a VLAN, other VLANs being used for TV, Telephony etc.
so I need to create a VLAN 6 on my ether1 port to talk to my ISP (with PPPoE on top of that, but that could be DHCP as well)
 
rosman
newbie
Posts: 25
Joined: Wed Jun 27, 2018 12:30 am
Location: Southlake, Texas, USA - Dallas-Forth Worth Metro

VLANs for home users (and IoT)

Thu Jul 19, 2018 4:37 pm

This is verging off-topic, but I tried to DM the OP and couldn't see how. Or how to split a new thread and include the OP.

> For MOST home users, VLANs are not needed or used.

This is rapidly changing with the advent of IoT and the fact that the "S" in IoT stands for security. I'm working on VLANing dedicated SSIDs and an internal network for my IoT stuff that routes straight to the WAN. Not a guarantee, but certainly an improvement.

Rich
Rich Osman
ars N1OZ
 
networknoob88
newbie
Topic Author
Posts: 43
Joined: Sun Jul 15, 2018 6:00 pm

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Thu Jul 19, 2018 5:28 pm

> Indeed VLANs are not useful in that case, but you can still separate the network in different physical networks by connecting each dumb switch to a separate port on the CCR and have a certain class of devices on that switch. You would not put those ports in a bridge, but have separate IP subnets on them which will be routed, but that routing can be restricted by the firewall. You can allow each subnet to route to internet, but not one subnet to the others.
> This can be useful when you want to setup some security.

This is exactly what I originally thought I'd do. But then all those articles saying how subnetting is no replacement for VLANs and has worse security kind of scare me.

I guess put it this way: in my setup (single CCR1009 plus dumb switches and clients), are there any additional benefits to creating VLANs on top of each subnet on the CCR, then setting up firewall filters that apply to these VLANs instead of applying to the etherX interface ports directly?

Also, even if I were to do the VLANs, and later down the road I add some tagged VLAN-aware clients, the problem is that these tagged smart clients won't be able to inter-communicate with the other dumb clients on the same VLAN unless their traffic goes through the CCR, or the switches that directly connect them are also VLAN aware, correct? For example, even if I set up hybrid access ports on the CCR via VLAN filtering that handle both tagged and untagged clients on the same VLAN, if these clients are connected downstream to some dumb switch, then they won't be able to talk to each other (though they can talk to the router and other interfaces on the router).

Thanks.
 
mkx
Forum Guru
Posts: 2952
Joined: Thu Mar 03, 2016 10:23 pm

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Thu Jul 19, 2018 5:42 pm

Your thinking is correct.

As I already wrote: if you start to dive into VLANs, then it's worth going all the way, e.g. replace any dumb switches there might be in the network with VLAN-capable ones and make sure all packets get VLAN tagged at the first ethernet port of the network infrastructure (that's the access switches).
And make sure there's no untagged packet flowing between network infrastructure elements; even if the majority of network-attached devices belong to a single sub-network, still have it tagged. Using hybrid VLAN ports (the ones that carry tagged and untagged packets) seems to be a source of quite some confusion, which is best to avoid. Hybrid ports should only be used on the access switches (e.g. there's a device that just needs some traffic tagged and some not).
BR,
Metod
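To make mkx's "no untagged packet between infrastructure elements" concrete, an added example that no poster wrote: a RouterOS 6.41+ bridge with VLAN filtering on the router, where the only links to the access switches are trunks that admit tagged frames only, so hybrid ports exist solely on the access switches. Interface names, VLAN IDs and subnets are assumed; on a CCR this bridge runs on the CPU, as mkx noted earlier.

```routeros
# Added example, not from the thread. Assumed: ether2 and ether3 are trunks to
# two VLAN-capable access switches; VLAN 10 = lan, 20 = guest, 30 = iot.
# Keep vlan-filtering off until the VLAN table is complete, and apply this
# from a port that is not in the bridge so you cannot lock yourself out.
/interface bridge
add name=bridge-trunks vlan-filtering=no
# Trunk ports accept only tagged frames; an untagged frame from a misconfigured
# switch is discarded at the port instead of landing in the default pvid.
/interface bridge port
add bridge=bridge-trunks interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge-trunks interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Every VLAN is tagged on both trunks and on the bridge itself (the router's
# own port), so nothing crosses between infrastructure elements untagged.
/interface bridge vlan
add bridge=bridge-trunks vlan-ids=10 tagged=bridge-trunks,ether2,ether3
add bridge=bridge-trunks vlan-ids=20 tagged=bridge-trunks,ether2,ether3
add bridge=bridge-trunks vlan-ids=30 tagged=bridge-trunks,ether2,ether3
# Layer-3 interfaces on top of the bridge: these are what the router routes
# between, and what the firewall rules should refer to instead of etherX.
/interface vlan
add name=vlan10-lan interface=bridge-trunks vlan-id=10
add name=vlan20-guest interface=bridge-trunks vlan-id=20
add name=vlan30-iot interface=bridge-trunks vlan-id=30
/ip address
add address=192.168.10.1/24 interface=vlan10-lan
add address=192.168.20.1/24 interface=vlan20-guest
add address=192.168.30.1/24 interface=vlan30-iot
# Enable filtering last, once every VLAN and trunk is in the table above.
/interface bridge
set bridge-trunks vlan-filtering=yes
```

Routing between vlan10-lan, vlan20-guest and vlan30-iot is still the router's default, so the forward-chain rules discussed earlier in the thread are what actually keeps the subnets apart; the VLAN table only decides which frames reach which ports.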
