Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Posted: Wed Jul 18, 2018 6:19 am
by networknoob88
Every other tutorial I read about VLANs emphasizes how computers in different VLANs are not supposed to be able to communicate with each other by design and that's what makes them more secure.

But it seems in MT (I'm new, starting out fresh on 6.42 with a CCR1009-7G), everything, including VLANs, can freely connect to each other, unless explicit firewall rules are set up to block them?

Are there any special default routes in RouterOS/MT that do this? I do not see them under any routing table.

How exactly does MT/RouterOS make everything connected, even if they're completely different interfaces, no bridges, across all subnets and VLANs?

Or is it because other manufacturers have default firewall rules to block different VLANs and subnets etc, and MT/RouterOS doesn't?

Or did I do something wrong?

Some clarification would be greatly appreciated!

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Posted: Wed Jul 18, 2018 8:07 am
by k6ccc
Yes, the basic firewall configuration is that all is allowed unless specifically blocked by firewall. It's a router - it routes. The normal way to set it up is to explicitly allow what you want and then at the end of each chain, drop everything. That way only the traffic that you allow will get through.

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Posted: Wed Jul 18, 2018 10:37 am
by Steveocee
To answer your thread title directly.

You are buying a router. Why would you expect it not to route as its default action?
When you add VLANs and additional subnets you are attaching them all to a router, therefore it will route between the networks.

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?  [SOLVED]

Posted: Wed Jul 18, 2018 4:23 pm
by Sob
It depends how people understand VLANs; they often take it as a synonym for isolation. It works that way with switches: devices in VLAN X can't talk to devices in VLAN Y. But for a router, a VLAN is an interface like any other. If it knows how to route between them, it will do it. Another part of the confusion is that some products may have a high-level configuration interface for VLANs, where it's assumed that they will be used for user isolation by default. But like with other high-level configuration interfaces, that's not what RouterOS does; it gives the user full freedom, but also full responsibility.

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Posted: Wed Jul 18, 2018 5:22 pm
by pe1chl
Or did I do something wrong?
It is impossible to know what you did and what is wrong because you did not include a /export of your config.
Do a /export and include at least the sections about bridge, interface, address and firewall to see what you have and why it does not work as you want.
Remember that all firewall rules in RouterOS have a default "accept". What you do not match and drop/reject in the firewall goes through.
You can add an explicit "accept" rule at the end of each firewall chain to see this in operation, and when you trust that you won't lock yourself out
you can change that rule to "drop".

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Posted: Wed Jul 18, 2018 5:57 pm
by smittie2000
Good day

Bridge horizon is a good way to help with this and proper subnetting.

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Posted: Thu Jul 19, 2018 6:10 am
by networknoob88
Thanks for all your replies. I understand now the difference is basically VLAN on router vs VLAN on switch.

Question: is it true to say that if my CCR1009 will be the only "smart" device on the network, with everything else being dumb clients and dumb switches, then there is no point in creating VLANs on the CCR, instead subnetting + firewall would do the same, since any VLANs created will be routed by default anyway?

Thanks again.

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Posted: Thu Jul 19, 2018 7:41 am
by k6ccc
Depends on what you are trying to accomplish. I fully admit that this is not normal, but I have 15 VLANs at my house. With the exception of a few select situations, none of them talk to each other. I also have two active routers and four switches (all smart devices), then a 4.2 mile microwave path and another smart switch. My WiFi devices are also VLAN aware. For MOST home users, VLANs are not needed or used.

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Posted: Thu Jul 19, 2018 10:46 am
by mkx
Question: is it true to say that if my CCR1009 will be the only "smart" device on the network, with everything else being dumb clients and dumb switches, then there is no point in creating VLANs on the CCR, instead subnetting + firewall would do the same, since any VLANs created will be routed by default anyway?
That's indeed so. One gets all the benefits of using VLANs only if there are other VLAN-aware devices in the network.

However: things are not black&white: if you want to "slice" a "normal" router/switch into a few distinct subnets, you need to create a few bridges, one per sub-network, and add the needed ethernet ports to each bridge. With "normal" mikrotik routers you lose HW offload for most of those bridges, meaning quite some traffic which would otherwise be dealt with in the switch part of the router/switch then hits the CPU. To deal with it, one can create one VLAN per subnet and use that VLAN internally in the router to recover HW performance for switching traffic between different ethernet ports of the same subnet in this case.
The above is true for many mikrotik routers that have a switch chip built in. CCRs are different beasts without switch chips, hence the above reasoning doesn't apply.

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Posted: Thu Jul 19, 2018 11:38 am
by pe1chl
Question: is it true to say that if my CCR1009 will be the only "smart" device on the network, with everything else being dumb clients and dumb switches, then there is no point in creating VLANs on the CCR, instead subnetting + firewall would do the same, since any VLANs created will be routed by default anyway?
Indeed VLANs are not useful in that case, but you can still separate the network in different physical networks by connecting each dumb switch to a separate port on the CCR
and have a certain class of devices on that switch. You would not put those ports in a bridge, but have separate IP subnets on them which will be routed, but that routing can
be restricted by the firewall. You can allow each subnet to route to internet, but not one subnet to the others.
This can be useful when you want to setup some security.

And, as k6ccc wrote, a more advanced WiFi device is also VLAN aware. You can configure different SSID/password combinations and put them in different VLANs, to combine
that with the above physical separation.

Useful case: you can separate your computer+NAS, a "guest" network, and an "IoT" network. So hacked IoT devices or rogue "guests" (e.g. with a virus on their computer) cannot
access your computer and files.
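The "allow what you want, then drop everything at the end of each chain" approach from k6ccc's reply, pe1chl's accept-then-change-to-drop trick, and the computer+NAS / guest / IoT split above, written out as an added RouterOS 6.x configuration example (not from any post in this thread). It assumes the WAN on ether1, one dumb switch per port on ether2..ether4 with no bridge, and constructed 192.168.x.0/24 subnets; the interface list names and comments are made up here.

```routeros
# Constructed example: CCR1009, WAN on ether1, three untagged LAN ports, no bridge.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN

/ip address
add address=192.168.10.1/24 interface=ether2 comment="computer + NAS"
add address=192.168.20.1/24 interface=ether3 comment="guest"
add address=192.168.30.1/24 interface=ether4 comment="IoT"

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
# input chain: traffic addressed to the router itself.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,67 \
    comment="only needed if the CCR serves DNS/DHCP to these subnets"
add chain=input action=accept in-interface=ether2 \
    comment="manage the router from the computer subnet only"
add chain=input action=drop comment="everything else to the router, WAN included"

# forward chain: traffic routed between interfaces. The CCR will happily route
# 192.168.20.0/24 <-> 192.168.10.0/24 unless a rule here stops it.
add chain=forward action=accept connection-state=established,related \
    comment="replies to connections that were already allowed"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="each subnet may reach the internet"
# Deliberately no rule allowing LAN -> LAN, so guest and IoT cannot reach the NAS.
# As pe1chl suggests: install the catch-all as accept with logging first, watch
# /log for the fwd-catchall prefix, and flip it to drop once only unwanted
# traffic is hitting it.
add chain=forward action=accept log=yes log-prefix="fwd-catchall" \
    comment="catch-all: change to drop once verified"

# Flip the catch-all to drop when you are sure you will not lock yourself out:
# /ip firewall filter set [find comment~"catch-all"] action=drop log=no
```

After the flip, `/ip firewall filter print stats` shows the packet counters per rule, which is the quickest way to confirm that inter-subnet traffic is landing on the final drop rather than on an accept above it.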

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Posted: Thu Jul 19, 2018 11:48 am
by mkx
@pe1chl: all of the cases you described can be done with per-port configuration. The only case you described that cannot be done by per-port configuration is the VLAN-aware WiFi AP, but that one falls out of the "only dumb devices" category mentioned by @networknoob88.

I guess there are really only two cases to use VLANs in a typical SOHO environment:
  1. use of VLAN-enabled WiFi APs
  2. lack of physical network cables to be used for connecting devices in separate subnets, which means another VLAN-capable switch (or two) will appear in the network (to become the access switch of the VLAN-enabled network).

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Posted: Thu Jul 19, 2018 2:25 pm
by pe1chl
I'll add a 3rd one:
3. use of a specific VLAN on the internet interface as required by the provider. Fiber or VDSL internet is usually carried on a VLAN, other VLANs being used for TV, Telephony etc.
so I need to create a VLAN 6 on my ether1 port to talk to my ISP (with PPPoE on top of that, but that could be DHCP as well)

VLANs for home users (and IoT)

Posted: Thu Jul 19, 2018 4:37 pm
by rosman
This is verging off-topic, but I tried to DM the op and couldn't see how. Or how to split a new thread and include the op.
For MOST home users, VLANs are not needed or used.
This is rapidly changing with the advent of IoT and the fact that the "S" in IoT stands for security. I'm working on VLANing dedicated SSIDs and an internal network for my IoT stuff that routes straight to the WAN. Not a guarantee, but certainly an improvement.

Rich

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Posted: Thu Jul 19, 2018 5:28 pm
by networknoob88
Indeed VLANs are not useful in that case, but you can still separate the network in different physical networks by connecting each dumb switch to a separate port on the CCR
and have a certain class of devices on that switch. You would not put those ports in a bridge, but have separate IP subnets on them which will be routed, but that routing can
be restricted by the firewall. You can allow each subnet to route to internet, but not one subnet to the others.
This can be useful when you want to setup some security.

This is exactly what I originally thought I'd do. But then all those articles saying how subnetting is no replacement for VLANs and has worse security kind of scare me.

I guess put it this way: in my setup (single CCR1009 plus dumb switches and clients), does it have any additional benefits to create vlans on top of each subnet on the CCR, then set up firewall filters that apply to these vlans instead of applying to etherX interface ports directly?

Also, even if I were to do the vlans, and later down the road I add some tagged vlan-aware clients, the problem is that these tagged smart clients won't be able to inter-communicate with the other dumb clients on the same vlan unless their traffic goes through the CCR, or the switches that directly connect them are also vlan aware, correct? For example, even if I set up hybrid access ports on the CCR via vlan filtering that handles both tagged and untagged clients on the same vlan, if these clients are connected downstream to some dumb switch, then they won't be able to talk to each other (though they can talk to the router and other interfaces on the router).

Thanks.

Re: Why in MT everything, including VLANs can always access each other unless blocked by firewall?

Posted: Thu Jul 19, 2018 5:42 pm
by mkx
Your thinking is correct.

As I already wrote: if you start to dive into VLANs, then it's worth going all the way ... e.g. replace any dumb switches there might be in the network with VLAN-capable ones and make sure all packets get VLAN tagged at the first ethernet port of the network infrastructure (that's the access switches).
And make sure there's no untagged packet flowing between network infrastructure elements ... even if the majority of network attached devices belong to a single sub-network, still have it tagged. Using hybrid VLAN ports (the ones that carry tagged and untagged ports) seems to be a source of quite some confusion, which is best to avoid. Hybrid ports should only be used on the access switches (e.g. there's a device that just needs some traffic tagged and some not).