scrarfussi
just joined
Topic Author
Posts: 7
Joined: Tue Sep 27, 2016 1:10 am

block inter VLAN traffic

Mon Jan 28, 2019 3:48 am

I have a small RB750Gr3. WAN eth1 is DHCP,
eth5 goes to a smart switch. I have two VLANs on eth5, vlan100 and vlan200.
I have a DHCP server for each VLAN.
Bridge IP is 192.168.3.1/24
Vlan100 is 10.10.10.1/24
Vlan200 is 192.168.0.1/24

I would like the VLANs to have internet access only and not route between them. Is there a simple way of doing this?
Thanks
 
pegasus123
Frequent Visitor
Posts: 58
Joined: Tue Jul 24, 2018 7:02 am

Re: block inter VLAN traffic

Mon Jan 28, 2019 4:24 am

Just drop it?

/ip firewall filter
# drop forwarding between the two VLANs, in both directions
add action=drop chain=forward in-interface=vlan100 out-interface=vlan200
add action=drop chain=forward in-interface=vlan200 out-interface=vlan100
 
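An added example (not posted in the thread) of where those two drop rules go on a router that still runs the stock RouterOS v6 IPv4 firewall, and how to check that they match. It assumes the interfaces are really named vlan100 and vlan200 and that the stock forward chain still carries MikroTik's default "defconf:" rule comments; adjust the find expression if yours differ. Nothing in the stock forward chain matches VLAN-to-VLAN traffic, which is why it is forwarded until you add these.

```routeros
# Added example, not from the thread. Assumes interfaces vlan100 and vlan200
# and a stock RouterOS v6 forward chain with the default "defconf:" comments.
/ip firewall filter

# Filter rules are first-match, so order is the policy. Both drops go ahead of
# "defconf: drop invalid": after the established/related accept, but before
# any rule that could accept a new VLAN-to-VLAN connection.
add chain=forward action=drop in-interface=vlan100 out-interface=vlan200 \
    comment="block vlan100 -> vlan200" \
    place-before=[/ip firewall filter find chain=forward comment~"defconf: drop invalid"]
add chain=forward action=drop in-interface=vlan200 out-interface=vlan100 \
    comment="block vlan200 -> vlan100" \
    place-before=[/ip firewall filter find chain=forward comment~"defconf: drop invalid"]

# Check the resulting order, then ping a host (not the router) in the other
# VLAN and watch the packet counter climb on the matching drop rule.
print where chain=forward
print stats where comment~"^block vlan"
```

Internet access survives because the stock forward chain has no rule that drops new VLAN-to-WAN connections; only the WAN-inbound drop and these two match. One check worth knowing: pinging 192.168.0.1 from vlan100 still answers, because that is the router's own address and goes through the input chain, so it proves nothing about forwarding. Test against a host in the other VLAN, and if the VLANs should reach only the internet, restrict the input chain separately.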
scrarfussi
just joined
Topic Author
Posts: 7
Joined: Tue Sep 27, 2016 1:10 am

Re: block inter VLAN traffic

Mon Jan 28, 2019 7:11 am

> Just drop it?
>
> add action=drop chain=forward in-interface=vlan100 out-interface=vlan200
> add action=drop chain=forward in-interface=vlan200 out-interface=vlan100

Thanks. Would this keep the internet access?
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: block inter VLAN traffic

Mon Jan 28, 2019 9:27 am

> Just drop it?
>
> add action=drop chain=forward in-interface=vlan100 out-interface=vlan200
> add action=drop chain=forward in-interface=vlan200 out-interface=vlan100
>
> Thanks. Would this keep the internet access?

Yes. And I would strongly suggest that you spend a while reading the firewall sections of the Wiki. That was REALLY basic firewall setup. You need to understand this, not just follow instructions.
With that said, what those two rules did was to drop any traffic that came in on VLAN 100 headed to VLAN 200, and to drop any traffic that came in on VLAN 200 headed to VLAN 100.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
scrarfussi
just joined
Topic Author
Posts: 7
Joined: Tue Sep 27, 2016 1:10 am

Re: block inter VLAN traffic

Mon Jan 28, 2019 9:39 am

Thanks for that. I have tried reading the firewall section of the wiki, but that just leaves me plenty confused.
 
pegasus123
Frequent Visitor
Posts: 58
Joined: Tue Jul 24, 2018 7:02 am

Re: block inter VLAN traffic

Mon Jan 28, 2019 12:43 pm

> Thanks for that. I have tried reading the firewall section of the wiki, but that just leaves me plenty confused.

Trust me, I'm no master in this area either, but tinkering with the firewall when I bought a MikroTik a few months ago helped me a lot.

Still a lot to learn.
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: block inter VLAN traffic

Mon Jan 28, 2019 2:32 pm

If your forward filter rules basically consist of
accept established, related
allow LAN to WAN
++++++++++++++++++
Drop all else.

then all you need to do is add, where the +++ are:
allow VLAN to WAN

There is no layer 2 connectivity between VLANs on a bridge, and you do not explicitly allow VLAN-to-VLAN
or VLAN-to-LAN traffic, thus it will be dropped.
Ex...
/ip firewall filter
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid/malformed packets" \
    connection-state=invalid
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface=Bridge out-interface-list=WAN src-address=192.168.3.0/24

add action=accept chain=forward comment="ENABLE VLAN100 to WAN" \
    in-interface=vlan100_interface out-interface-list=WAN src-address=10.10.10.0/24
add action=accept chain=forward comment="ENABLE VLAN200 to WAN" \
    in-interface=vlan200_interface out-interface-list=WAN src-address=192.168.0.0/24

# nothing above accepted VLAN-to-VLAN or VLAN-to-LAN, so it ends here
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"


Note: If you only have one WAN, then you can use out-interface=WAN instead
Note: You will need to substitute the actual vlan interface names, the ones I put are placeholders.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
JohnTRIVOLTA
Member Candidate
Posts: 204
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: block inter VLAN traffic

Mon Jan 28, 2019 8:57 pm

I use only one filter rule. First I add all VLANs to an interface list, VLANs, and then put in the one filter rule:
/ip firewall filter
# any VLAN in the list to any other VLAN in the list: drop
add action=drop chain=forward in-interface-list=VLANs out-interface-list=VLANs
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: block inter VLAN traffic

Mon Jan 28, 2019 10:15 pm

That sounds silly, JT.
What are you trying to accomplish??
VLAN to VLAN traffic is blocked by default at layer 2.
VLAN to VLAN traffic is blocked at layer 3 unless you allow it with an allow rule.

The only thing the OP requires is an allow VLAN to WAN rule!
 
mkx
Forum Guru
Posts: 2941
Joined: Thu Mar 03, 2016 10:23 pm

Re: block inter VLAN traffic

Mon Jan 28, 2019 10:35 pm

> VLAN to VLAN traffic is blocked at layer 3 unless you allow it with an allow rule.

Nope, by default the IPv4 firewall explicitly drops all new connections that come in through WAN and are not dst-nated. So if one adds new interfaces with addresses, the default firewall config will allow communication between those subnets.

The IPv6 firewall is different: there's an explicit drop of anything in the forward chain where the input port is not in the port list LAN ... if one doesn't change the config, new interfaces won't forward a single IPv6 packet.
BR,
Metod
 
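The single-rule approach from JohnTRIVOLTA's post, written out end to end as an added example (not configuration from the thread), and carried over to IPv6 because, as mkx notes, the stock IPv6 firewall behaves differently. It assumes interfaces named vlan100 and vlan200, a list name VLANs of my choosing, the stock interface list LAN from MikroTik's default configuration, and the default "defconf: drop invalid" rule comments in both the IPv4 and IPv6 forward chains.

```routeros
# Added example, not from the thread. Assumes interfaces vlan100 and vlan200,
# the stock interface list "LAN", and the default "defconf:" rule comments.

# One list holds every VLAN that must be isolated from the others.
/interface list add name=VLANs comment="VLANs that may not forward to each other"
/interface list member add list=VLANs interface=vlan100
/interface list member add list=VLANs interface=vlan200

# IPv4: one rule covers every ordered pair of list members, so a third VLAN
# later needs a new list member, not a new rule. Placed ahead of the stock
# "drop invalid" rule so no later accept can let the traffic through.
/ip firewall filter
add chain=forward action=drop \
    in-interface-list=VLANs out-interface-list=VLANs \
    comment="drop inter-VLAN forwarding (v4)" \
    place-before=[/ip firewall filter find chain=forward comment~"defconf: drop invalid"]

# IPv6: the stock forward chain drops anything not arriving from the LAN list,
# so a VLAN forwards no IPv6 at all until it is a LAN member, and once it is,
# inter-VLAN IPv6 would be open without this mirror rule.
/interface list member add list=LAN interface=vlan100
/interface list member add list=LAN interface=vlan200
/ipv6 firewall filter
add chain=forward action=drop \
    in-interface-list=VLANs out-interface-list=VLANs \
    comment="drop inter-VLAN forwarding (v6)" \
    place-before=[/ipv6 firewall filter find chain=forward comment~"defconf: drop invalid"]

# Verify membership, then watch the counters while testing host-to-host
# across VLANs.
/interface list member print where list=VLANs
/ip firewall filter print stats where comment~"inter-VLAN"
/ipv6 firewall filter print stats where comment~"inter-VLAN"
```

Two caveats a practitioner will want. First, putting the VLANs into the stock LAN list also opens the stock input chain to them (it accepts from LAN and drops the rest), so router services such as WinBox and SSH become reachable from those VLANs unless you restrict input too. Second, the VLAN list rule drops forwarding between list members only; VLAN-to-Bridge traffic is still allowed under the default firewall, so add Bridge to the list or write a second rule if that should be blocked as well.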
JohnTRIVOLTA
Member Candidate
Posts: 204
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: block inter VLAN traffic

Mon Jan 28, 2019 10:54 pm

> That sounds silly, JT.
> What are you trying to accomplish??
> VLAN to VLAN traffic is blocked by default at layer 2.
> VLAN to VLAN traffic is blocked at layer 3 unless you allow it with an allow rule.
>
> The only thing the OP requires is an allow VLAN to WAN rule!

This is my answer to pegasus123's first post, but with one rule!
"VLAN to VLAN traffic is blocked at layer 3 unless you allow it with an allow rule" - on the same ethernet interface? I learned something; I had the impression that they always routed to each other.
 
pegasus123
Frequent Visitor
Posts: 58
Joined: Tue Jul 24, 2018 7:02 am

Re: block inter VLAN traffic

Tue Jan 29, 2019 4:35 am

> > That sounds silly, JT.
> > What are you trying to accomplish??
> > VLAN to VLAN traffic is blocked by default at layer 2.
> > VLAN to VLAN traffic is blocked at layer 3 unless you allow it with an allow rule.
> >
> > The only thing the OP requires is an allow VLAN to WAN rule!
>
> This is my answer to pegasus123's first post, but with one rule!
> "VLAN to VLAN traffic is blocked at layer 3 unless you allow it with an allow rule" - on the same ethernet interface? I learned something; I had the impression that they always routed to each other.

Nice tip. I will give it a try.
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: block inter VLAN traffic

Tue Jan 29, 2019 5:18 am

> > VLAN to VLAN traffic is blocked at layer 3 unless you allow it with an allow rule.
>
> Nope, by default the IPv4 firewall explicitly drops all new connections that come in through WAN and are not dst-nated. So if one adds new interfaces with addresses, the default firewall config will allow communication between those subnets.
>
> The IPv6 firewall is different: there's an explicit drop of anything in the forward chain where the input port is not in the port list LAN ... if one doesn't change the config, new interfaces won't forward a single IPv6 packet.

Nope!!!!!
You're missing the point. I caveated by saying that at the end of the forward chain one has a drop-all-else rule........... Unless you're the matrix, of course!
 
mkx
Forum Guru
Posts: 2941
Joined: Thu Mar 03, 2016 10:23 pm

Re: block inter VLAN traffic

Tue Jan 29, 2019 1:36 pm

> You're missing the point. I caveated by saying that at the end of the forward chain one has a drop-all-else rule........... Unless you're the matrix, of course!

@anav, you're (again) assuming everybody uses exactly the same firewall philosophy and implementation as you do. What I described is how the default firewall looks (like it or not, that's the way it is), which is most often where new administrators will pick up and adjust according to their needs. If the firewall gets extensively reworked, then any assumption is void, and we need to look at whatever the current state is to give advice on how to achieve something.
BR,
Metod
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: block inter VLAN traffic

Tue Jan 29, 2019 3:10 pm

Concur, but I had provided a config above with that implemented. I just didn't want the OP to get confused by your statement, and I'm glad you clarified its relevance to the default setup only.
 
mkx
Forum Guru
Posts: 2941
Joined: Thu Mar 03, 2016 10:23 pm

Re: block inter VLAN traffic

Tue Jan 29, 2019 3:51 pm

> ... glad you clarified its relevance to the default setup only.

Already in my original post I wrote "... by default IPv4 firewall ..." ... At the same time you called @JohnTrivolta silly while you flatly claimed that the firewall doesn't allow inter-VLAN connectivity ... without any disclaimer about applicability or relevance.
BR,
Metod
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: block inter VLAN traffic

Tue Jan 29, 2019 10:06 pm

Round and round we go..................... We can agree to agree. As for silly, fewer rules is usually more elegant, unless it handcuffs one from any sort of flexibility. If the OP prefers an allow-all mentality and then has to use drop rules to enforce traffic policy, then I think that's silly. I have less kind words, but I would prefer not to use them.
As usual, if you disagree, we can arrange either a mud or jello wrestling match and charge admission.............. You will lose!!
 
JohnTRIVOLTA
Member Candidate
Posts: 204
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: block inter VLAN traffic

Tue Jan 29, 2019 10:23 pm

Where is this export of the configuration, or at least that of the firewall? I did not see it anywhere, so I am confined to what is specifically asked! Everything else borders on divination skills, and I do not have those!
