beginer0504
just joined
Topic Author
Posts: 14
Joined: Tue Jul 31, 2018 11:39 am

Block traffic between VLAN

Wed Mar 27, 2019 6:08 pm

Hi guys,

I have a problem configuring VLANs on a MikroTik router.
I have 10 VLANs: 10 -> 20
I want to block traffic between the VLANs.
But I have written too many rules and it still doesn't work.

Please help me
Tks,


/ip firewall filter
add action=drop chain=forward comment="Block access between VLAN 11 and other VLANs" \
    dst-address-list=VLAN12 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN13 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN14 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN15 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN16 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN17 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN18 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN11
add action=drop chain=forward comment="Block access between VLAN 12 and other VLANs" \
    dst-address-list=VLAN13 src-address-list=VLAN12
add action=drop chain=forward dst-address-list=VLAN14 src-address-list=VLAN12
add action=drop chain=forward dst-address-list=VLAN15 src-address-list=VLAN12
add action=drop chain=forward dst-address-list=VLAN16 src-address-list=VLAN12
add action=drop chain=forward dst-address-list=VLAN17 src-address-list=VLAN12
add action=drop chain=forward dst-address-list=VLAN18 src-address-list=VLAN12
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN12
add action=drop chain=forward comment="Block access between VLAN 13 and other VLANs" \
    dst-address-list=VLAN14 src-address-list=VLAN13
add action=drop chain=forward dst-address-list=VLAN15 src-address-list=VLAN13
add action=drop chain=forward dst-address-list=VLAN16 src-address-list=VLAN13
add action=drop chain=forward dst-address-list=VLAN17 src-address-list=VLAN13
add action=drop chain=forward dst-address-list=VLAN18 src-address-list=VLAN13
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN13
add action=drop chain=forward comment="Block access between VLAN 14 and other VLANs" \
    dst-address-list=VLAN15 src-address-list=VLAN14
add action=drop chain=forward dst-address-list=VLAN16 src-address-list=VLAN14
add action=drop chain=forward dst-address-list=VLAN17 src-address-list=VLAN14
add action=drop chain=forward dst-address-list=VLAN18 src-address-list=VLAN14
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN14
add action=drop chain=forward comment="Block access between VLAN 15 and other VLANs" \
    dst-address-list=VLAN16 src-address-list=VLAN15
add action=drop chain=forward dst-address-list=VLAN17 src-address-list=VLAN15
add action=drop chain=forward dst-address-list=VLAN18 src-address-list=VLAN15
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN15
add action=drop chain=forward comment="Block access between VLAN 16 and other VLANs" \
    dst-address-list=VLAN17 src-address-list=VLAN16
add action=drop chain=forward dst-address-list=VLAN18 src-address-list=VLAN16
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN16
add action=drop chain=forward comment="Block access between VLAN 17 and other VLANs" \
    dst-address-list=VLAN18 src-address-list=VLAN17
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN17
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN18
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Block traffic between VLAN

Wed Mar 27, 2019 6:27 pm

Instead of explicitly blocking each VLAN, block everything with a "not interface" match (note the exclamation point before the interface name):
add action=drop chain=forward comment=\
    "Block all interfaces except internet from VLAN 10" out-interface=\
    !E1-p10_DSL_Internet in-interface=VLAN_10
You would obviously need whatever filtering in front of this, but this would prevent anything from VLAN 10 from getting to any other LAN except the internet. You still need a similar rule for each VLAN, but it's only one per VLAN rather than a dozen (or whatever) per VLAN.

Someone else may come up with something cleaner....
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
anav
Forum Guru
Posts: 2971
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block traffic between VLAN

Wed Mar 27, 2019 6:34 pm

Clean way.
/ip firewall filter
{input chain}
allow established related
block invalid
allow icmp
allow admin to router
allow lan requests for DNS tcp/udp
drop all else
{forward chain}
fasttrack allow established related
allow established related
+++++++++++++++++++++++++
drop all else.

With this setup you have no traffic to the internet or between LANs at layer 3. Layer 2 is blocked by virtue of traffic being separated by VLANs.
Where the +++++++++++++++++++++++++++ is located is where you want to put what is allowed, as everything is blocked by the last rule.

Examples:
allow port forwarding
allow homelan to WAN
allow VLANs to WAN
(for a group rule it is easier to create an interface list for all the VLANs and then apply the rule using the interface list)
add action=accept chain=forward in-interface-list=vlan_list out-interface=eth1-wan

The drop rule looks like
add action=drop chain=forward (very simple)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
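The "allow what you need, drop the rest" layout anav sketches above, written out as a complete RouterOS filter set. This is an added example, not configuration from anyone in the thread: the interface names (ether1-wan, VLAN_10, VLAN_11), the interface lists WAN and vlan_list, and the admin subnet 192.168.10.0/24 are assumed placeholders, and the "drop invalid" rule in the forward chain is added here beyond what anav listed.

```routeros
# Added example (not from the thread). Interface, list and subnet names are assumed.
/interface list
add name=WAN
add name=vlan_list

/interface list member
add list=WAN interface=ether1-wan
add list=vlan_list interface=VLAN_10
add list=vlan_list interface=VLAN_11
# one member entry per VLAN interface; a new VLAN is one line here, not N new drop rules

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface=VLAN_10 src-address=192.168.10.0/24 \
    comment="admin subnet (assumed) may manage the router"
add chain=input action=accept in-interface-list=vlan_list protocol=udp dst-port=53 \
    comment="LAN DNS requests to the router"
add chain=input action=accept in-interface-list=vlan_list protocol=tcp dst-port=53
add chain=input action=drop comment="drop all else to the router"

# --- forward chain: traffic routed through the router ---
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# +++ allowed traffic goes here; anything not matched is dropped by the last rule +++
add chain=forward action=accept connection-nat-state=dstnat \
    comment="port forwards: connections that went through dst-nat"
add chain=forward action=accept in-interface-list=vlan_list out-interface-list=WAN \
    comment="every VLAN may reach the internet"
add chain=forward action=drop comment="drop all else, including VLAN to VLAN"
```

Because the final rule drops everything that was not explicitly accepted, inter-VLAN traffic never needs a pairwise rule; the fasttrack and established,related accepts at the top let reply packets of permitted connections through in both directions. The connection-nat-state=dstnat accept is the usual way to let port forwards in without opening the whole forward chain, which is what the later question about adding "!dstnat" to the drop rule is getting at.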
 
user8FJHFKFG8
newbie
Posts: 28
Joined: Mon Jun 18, 2018 8:51 am

Re: Block traffic between VLAN

Wed Apr 03, 2019 11:17 am

I am wondering a similar thing. I really like the clean way, as things getting complicated has really been bugging me. I have noticed my VLAN wants to talk to itself a lot, where I have a rule accept forward VLAN18 in and VLAN18 out. No idea why.

as far as
allow homelan to WAN
allow VLANS to WAN
That would be as simple as allow forward WAN (interface group), I guess, with an in-interface if I want to restrict it to specific VLANs.

To allow port forwards, I can just edit the last rule to add !dstnat, correct?

Thinking about how to communicate from my trusted VLAN to the untrusted VLAN, say if I had a printer on the untrusted VLAN. I guess the best way is just 2 separate /24 networks connected by the router; the only thing is I wouldn't be able to broadcast to the untrusted domain (?)
 
solar77
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Block traffic between VLAN

Wed Apr 03, 2019 12:30 pm

I think this will block traffic between any IP that is assigned to a local interface, except within the same bridge
/ip firewall filter
add chain=forward src-address-type=local dst-address-type=local action=drop
MTCNA MTCTCE UEWA
 
Sob
Forum Guru
Posts: 4677
Joined: Mon Apr 20, 2009 9:11 pm

Re: Block traffic between VLAN

Wed Apr 03, 2019 6:03 pm

@solar77: The src-address-type=local means addresses assigned directly to the router. So it will stop the router talking to itself, but not traffic between VLANs.

If "allow what I want and block the rest" (as presented by anav) is not good for someone for any reason, there's also in/out-interface=all-vlan, so you can have:
/ip firewall filter
add chain=forward in-interface=all-vlan out-interface=all-vlan action=drop
And all not previously allowed traffic between vlans will be blocked.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
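Sob's all-vlan drop as a complete forward chain for the case user8FJHFKFG8 raised earlier in the thread: a trusted VLAN that must reach one printer on an untrusted VLAN while every other VLAN-to-VLAN path stays closed. This is an added example, not configuration from either poster; VLAN_10 (trusted), VLAN_20 (untrusted), the printer address 192.168.20.50 and the printer ports are assumed.

```routeros
# Added example (not from the thread). VLAN names, printer address and ports are assumed.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Exception first: only the trusted VLAN, only to the printer, only print ports.
# Replies from the printer ride on the established,related accept above.
add chain=forward action=accept in-interface=VLAN_10 out-interface=VLAN_20 \
    dst-address=192.168.20.50 protocol=tcp dst-port=9100,631 \
    comment="trusted VLAN -> printer (RAW and IPP)"
# Catch-all: any VLAN-to-VLAN traffic not accepted above is dropped and logged.
# all-vlan matches every VLAN interface, so new VLANs are covered automatically.
add chain=forward action=drop in-interface=all-vlan out-interface=all-vlan \
    log=yes log-prefix="vlan-drop" comment="drop remaining inter-VLAN traffic"
```

Order matters: the printer exception must sit above the all-vlan drop, because RouterOS stops at the first matching rule. The log prefix makes blocked inter-VLAN attempts visible in /log, which is useful while tuning exceptions; drop log=yes once the ruleset is settled if the volume is high. Broadcast-based discovery will not cross the router in either case, since IP broadcasts are confined to their own subnet, so the printer has to be addressed by IP or via a name the trusted side resolves.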
 
solar77
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Block traffic between VLAN

Wed Apr 03, 2019 6:25 pm

@Sob, thanks for the correction.

If each subnet / VLAN is masqueraded behind the IP of its interface, would this rule block traffic between them?
MTCNA MTCTCE UEWA
 
Sob
Forum Guru
Posts: 4677
Joined: Mon Apr 20, 2009 9:11 pm

Re: Block traffic between VLAN

Wed Apr 03, 2019 9:11 pm

If you mean yours, then no, because the forward chain is before srcnat. And there the destination is a non-local address (either what the client wanted, or where dstnat sent it) and the source is a non-local address too.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
solar77
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Block traffic between VLAN

Wed Apr 03, 2019 9:18 pm

Thanks Sob for the further explanation. Much appreciated!
MTCNA MTCTCE UEWA
