Hello,
I have my router RB750gr3 and AP RB941-2nd
RB750gr3
My networks is 192.168.100.0/24 my local network
port1 --> Wan
port2 --> Lan
Port3 --> Vlan10 with IP 192.168.101.0/24 for share internet to guest wifi
RB941-2nd
Port 1,2,3 and wlan1 is bridge (bridge1) and connected to Lan
Port4 --> Vlan10 and bridge (bridge2) with virtual AP wlan2
How to block access to my local network from guest IP range 192.168.101.0/24.
Thanks
YP
Re: How to block access vlan from my local network?
Post both configs
/export hide-sensitive file=myconfigs10jun
/export hide-sensitive file=myconfigs10jun
Re: How to block access vlan from my local network?
Hi glaukos
You could isolate vlan network to specific routing table, which would only know of internet:
* create route table for vlan, with default route to your gateway (internet)
* configure routing rule to route all traffic from vlan through that table
You could isolate vlan network to specific routing table, which would only know of internet:
* create route table for vlan, with default route to your gateway (internet)
* configure routing rule to route all traffic from vlan through that table
Code: Select all
# route table
/ip route add gateway=<gateway> routing-mark=vlan10
# route rule
/ip route rule add action=lookup-only-in-table interface=<vlan interface> table=vlan10
Re: How to block access vlan from my local network?
Below is config from my two devices
Code: Select all
# jun/11/2019 14:38:58 by RouterOS 6.44.3
# software id =
#
# model = RouterBOARD 750G r3
# serial number =
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN speed=100Mbps
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
/interface vlan
add comment="Vlan10 WiFi Guest" interface=ether3 name=vlan10 vlan-id=10
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.vodafone.gr default-route-distance=1 \
name=Vodafone
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_server_pool ranges=192.168.100.230-192.168.100.250
add name=ovpn ranges=10.10.100.2-10.10.100.20
add name=Guest_Wifi ranges=192.168.101.20-192.168.101.30
/ip dhcp-server
add address-pool=dhcp_server_pool disabled=no interface=ether2_LAN name=\
dhcp_server
add address-pool=Guest_Wifi disabled=no interface=ether3 name=dhcp_guest
/ppp profile
add dns-server=192.168.100.13 local-address=10.10.100.1 name=open_vpn \
remote-address=ovpn use-compression=no use-encryption=required
/system logging action
set 1 disk-file-name=/disk1/log/syslog disk-lines-per-file=5000
/ip firewall connection tracking
set enabled=yes
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
/interface list member
add interface=ether1_WAN list=WAN
add interface=ether2_LAN list=LAN
/interface ovpn-server server
set certificate=server cipher=blowfish128,aes128,aes192,aes256 \
default-profile=open_vpn enabled=yes
/ip address
add address=192.168.2.2/24 interface=ether1_WAN network=192.168.2.0
add address=192.168.100.13/24 interface=ether2_LAN network=192.168.100.0
add address=192.168.101.1/24 interface=ether3 network=192.168.101.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server config
set store-leases-disk=15m
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.13 domain=homenet.int \
gateway=192.168.100.13 netmask=24 ntp-server=192.168.100.13
add address=192.168.101.0/24 dns-server=8.8.8.8 gateway=192.168.101.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=drop chain=input comment="Drop Invalid Connections" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment="Drop Invalid Connections" \
connection-state=invalid disabled=yes
add action=accept chain=input comment="Accept Exempt IP Addresses" \
src-address-list="Exempt Addresses"
add action=accept chain=forward comment="Accept Exempt IP Addresses" \
src-address-list="Exempt Addresses"
add action=drop chain=input comment="Drop all Bogons" src-address-list=Bogons
add action=drop chain=forward comment="Drop all Bogons" src-address-list=\
Bogons
add action=accept chain=input comment=\
"Accept Related or Established Connections" connection-state=\
established,related
add action=accept chain=forward comment="Accept New Connections" \
connection-state=new
add action=accept chain=forward comment=\
"Accept Related or Established Connections" connection-state=\
established,related
add action=drop chain=forward comment="Drop all other LAN Traffic"
add action=drop chain=input comment="Drop all other WAN Traffic" disabled=yes
/ip firewall mangle
add action=accept chain=prerouting comment=SQUID disabled=yes dst-port=80 \
in-interface=ether2_LAN protocol=tcp src-address=192.168.100.14
add action=accept chain=prerouting disabled=yes dst-port=443 in-interface=\
ether2_LAN protocol=tcp src-address=192.168.100.14
add action=mark-routing chain=prerouting disabled=yes dst-port=80 \
in-interface=ether2_LAN new-routing-mark=to_proxy passthrough=yes \
protocol=tcp src-address-list=proxy_users_list
add action=mark-routing chain=prerouting disabled=yes dst-port=443 \
in-interface=ether2_LAN new-routing-mark=to_proxy passthrough=yes \
protocol=tcp src-address-list=proxy_users_list
add action=accept chain=prerouting disabled=yes in-interface=ether2_LAN \
routing-mark=to_proxy
add action=mark-routing chain=prerouting comment=PPP disabled=yes dst-port=\
443 in-interface=all-ppp new-routing-mark=to_proxy passthrough=yes \
protocol=tcp src-address-list=proxy_users_list
add action=mark-routing chain=prerouting disabled=yes dst-port=80 \
in-interface=all-ppp new-routing-mark=to_proxy passthrough=yes protocol=\
tcp src-address-list=proxy_users_list
add action=accept chain=prerouting disabled=yes in-interface=all-ppp \
routing-mark=to_proxy
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NAT DxSpider" dst-port=7300 \
in-interface=ether1_WAN protocol=tcp to-addresses=192.168.100.17 \
to-ports=7300
add action=dst-nat chain=dstnat comment="NAT Transmission" dst-port=51413 \
in-interface=ether1_WAN protocol=tcp to-addresses=192.168.100.21 \
to-ports=51413
add action=masquerade chain=srcnat disabled=yes out-interface=*6
/ip firewall raw
add action=drop chain=prerouting comment="Attack from sbl spamhaus" \
src-address-list=spamhaus
add action=drop chain=prerouting comment="Attack from sbl dshield" log=yes \
log-prefix="BL dshield" src-address-list=dshield
add action=drop chain=prerouting comment="Attack from sbl blocklist.de" log=\
yes log-prefix="BL blocklist.de" src-address-list=blocklistde
add action=drop chain=prerouting comment="DROP intrusBL SRC" log-prefix=\
intrusBL src-address-list=intrusBL
add action=drop chain=prerouting comment="DROP intrusBL DST" \
dst-address-list=intrusBL log-prefix=intrusBL
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip route
add disabled=yes distance=1 gateway=192.168.100.14 routing-mark=to_proxy
add distance=1 gateway=192.168.2.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.100.0/24,10.10.100.0/24
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=yiannis profile=open_vpn service=ovpn
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=FW
/system logging
set 0 action=disk
add action=disk disabled=yes topics=firewall
/system ntp client
set enabled=yes primary-ntp=194.116.168.41 secondary-ntp=64.99.80.121
/system ntp server
set enabled=yes multicast=yes
/system resource irq rps
set ether1_WAN disabled=no
set ether2_LAN disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
Code: Select all
# jun/11/2019 14:41:23 by RouterOS 6.44.3
# software id =
#
# model = RouterBOARD 941-2nD
# serial number =
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf fast-forward=no \
name=bridge
add name=bridge1 pvid=10 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-b/g/n channel-width=\
20/40mhz-Ce country=greece default-authentication=no disabled=no \
distance=indoors frequency=2422 frequency-mode=regulatory-domain mode=\
ap-bridge ssid=xxxx wireless-protocol=802.11
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=guest supplicant-identity=""
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx \
master-interface=wlan1 multicast-buffering=disabled name=wlan2 \
security-profile=guest ssid=xxxx-guest vlan-id=10 wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
add bridge=bridge interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether4 list=mactel
add interface=wlan1 list=mactel
/interface wireless access-list
add comment=Laptop_xxxxxxx interface=wlan1 mac-address=xx:xx:xx:xx:xx:xx
add comment="iphone xxxxxxxx" disabled=yes interface=wlan2 mac-address=\
xx:xx:xx:xx:xx:xx vlan-mode=no-tag
/ip address
add address=192.168.100.10/24 comment=defconf interface=bridge network=\
192.168.100.0
/ip cloud
set update-time=no
/ip dns
set allow-remote-requests=yes servers=192.168.100.13
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
out-interface=ether1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip route
add distance=1 gateway=192.168.100.13
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.100.0/24,10.10.100.0/24
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=AP
/system logging
add disabled=yes topics=wireless,debug
/system ntp client
set enabled=yes primary-ntp=192.168.100.13 secondary-ntp=62.1.105.174 \
server-dns-names=""
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Re: How to block access vlan from my local network?
Quick question, it is not clear to me the purpose of the second routerboard?
It would seem you are using it simply or mostly as an access point switch which is vlan aware??
If so how are you connecting the two devices together for the vlans?
I am assuming LAN from the main router is coming out ether2 and going into ether1 of the routerboard, but what about vlan10?
Should I assume it coming out of ether3 and going into ether4 of the routerboard??
It would seem you are using it simply or mostly as an access point switch which is vlan aware??
If so how are you connecting the two devices together for the vlans?
I am assuming LAN from the main router is coming out ether2 and going into ether1 of the routerboard, but what about vlan10?
Should I assume it coming out of ether3 and going into ether4 of the routerboard??
Re: How to block access vlan from my local network?
Regardless of the current layout, it would appear as though the second RB is simply acting as a switch/bridge. Since all traffic is going to the RB750 for routing, you should be able to create a simple IP firewall filter in the forward chain blocking traffic between the subnets.
You can do this two ways:
1) Create an address list that contains your local subnets. Then create a filter drop rule that matches the source and destination address list to this rule.
2) Create two filter drop rules, the first with source 192.168.100.0/24 and destination of 192.168.101.0/24, the second rule using source 192.168.101.0/24 and destination 192.168.100.0/24.
In both cases, if you add additional VLANs/subnets down the road, you will need to adjust these filters to do what you are trying to accomplish. For example, if you add another LAN subnet and you want it to be able to talk to 192.168.100.0/24 but not talk to 192.168.101.0/24, you will need to make sure your rules accommodate that.
You can do this two ways:
1) Create an address list that contains your local subnets. Then create a filter drop rule that matches the source and destination address list to this rule.
2) Create two filter drop rules, the first with source 192.168.100.0/24 and destination of 192.168.101.0/24, the second rule using source 192.168.101.0/24 and destination 192.168.100.0/24.
In both cases, if you add additional VLANs/subnets down the road, you will need to adjust these filters to do what you are trying to accomplish. For example, if you add another LAN subnet and you want it to be able to talk to 192.168.100.0/24 but not talk to 192.168.101.0/24, you will need to make sure your rules accommodate that.
Re: How to block access vlan from my local network?
@anav
The second routerboard used as access point
From rb750 port 2 connect to my lan via unmanaged
switch. And from switch connected to rb941 port 2 is bridge with ports(1,2,3,wlan1).
From rb750 port3 assign vlan10 connected direct to rb941 bridge1 with (port4,wlan2) assigned vlan10.
Is correct that;
The second routerboard used as access point
From rb750 port 2 connect to my lan via unmanaged
switch. And from switch connected to rb941 port 2 is bridge with ports(1,2,3,wlan1).
From rb750 port3 assign vlan10 connected direct to rb941 bridge1 with (port4,wlan2) assigned vlan10.
Is correct that;
Re: How to block access vlan from my local network?
I think its a bit clearer@anav
The second routerboard used as access point
From rb750 port 2 connect to my lan via unmanaged
switch. And from switch connected to rb941 port 2 is bridge with ports(1,2,3,wlan1).
From rb750 port3 assign vlan10 connected direct to rb941 bridge1 with (port4,wlan2) assigned vlan10.
Is correct that;
bridge - lan
bridge1 - vlan
(in your original text you had bridge1 - lan and bridge2 - vlan) but I will go with your latest post which matches your config.
So in essence on the RB750 unit, port 3 is a trunk port for vlan10
on the routerboard/ap unit, port 4 is a trunk port for vlan10, however the only output is then to WLAN2 (no other physical ports).
One thing that confuses me on your config for
/ip dhcp-server network is the extra net mask entry???
Mine looks like this.........
/ip dhcp-server network
add address=192.168.0.0/24 comment=HomeDHCP dns-server=192.168.0.1 gateway=\
192.168.0.1
Your looks like this (how did you get the netmask entry in there, it doesnt show on my config????
/ip dhcp-server network
add address=192.168.101.0/24 dns-server=8.8.8.8 gateway=192.168.101.1 \
netmask=24 ??
Re: How to block access vlan from my local network?
Looking at your filter rules.....
For clarity you should separate INPUT CHAIN (first) and then FORWARD CHAIN. Far less confusing.
/ip firewall filter
add action=accept chain=input comment="Accept Related or Established Connections" connection-state=\
established,related MISSING
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=drop chain=input comment="Drop Invalid Connections" \
connection-state=invalid disabled=yes (should be enabled).
add action=accept chain=input comment="Accept Exempt IP Addresses" \
src-address-list="Exempt Addresses" I assume this is for the ADMIN to access the router only from one or two devices? If you need to allow DNS from LAN and VLAN put this requirement in separate input chain rules limited to only DNS.
add action=drop chain=input comment="Drop all Bogons" src-address-list=Bogons (NOT REQUIRED as you have the below last rule next)
add action=drop chain=input comment="Drop all other WAN Traffic" disabled=yes (should be enabled)
+++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment= "Accept Related or Established Connections" connection-state=\
established,related
add action=drop chain=forward comment="Drop Invalid Connections" \
connection-state=invalid disabled=yes (should be enabled)
add action=accept chain=forward comment="Accept Exempt IP Addresses" \
src-address-list="Exempt Addresses" (Get rid of this one, its too vague/wide in scope and could cause issues)
add action=drop chain=forward comment="Drop all Bogons" src-address-list=\
Bogons
add action=drop chain=forward comment="Drop all other LAN Traffic"
This is what it could look like if cleaned up a bit and suggestions utilized............
I see no reason why any VLAN user would see any LAN user NOR why any LAN user would see a VLAN user.
Now since on the RB the LAN Traffic is on a bridge and the VLAN is not on the bridge you have layer 2 segmentation. Even if they were on the same bridge, the fact that one is a VLAN also provides L2 segmentation. So on the RB the only way for a cross pollination is perhaps a bad firewall rule. The only one that was suspect for me was the one I recommended to get rid of!
In the routerboard same scenario, the LAN and VLAN are on two different bridges so L2 cross talk is stopped cold (and by the virtue of using VLAN).
However, you now need two forward chain rules and perhaps a third to place just before the drop all rule.
a. allow LAN to WAN traffic
b. allow VLAN to WAN traffic
c. allow admin access too VLAN (optional).
For clarity you should separate INPUT CHAIN (first) and then FORWARD CHAIN. Far less confusing.
/ip firewall filter
add action=accept chain=input comment="Accept Related or Established Connections" connection-state=\
established,related MISSING
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=drop chain=input comment="Drop Invalid Connections" \
connection-state=invalid disabled=yes (should be enabled).
add action=accept chain=input comment="Accept Exempt IP Addresses" \
src-address-list="Exempt Addresses" I assume this is for the ADMIN to access the router only from one or two devices? If you need to allow DNS from LAN and VLAN put this requirement in separate input chain rules limited to only DNS.
add action=drop chain=input comment="Drop all Bogons" src-address-list=Bogons (NOT REQUIRED as you have the below last rule next)
add action=drop chain=input comment="Drop all other WAN Traffic" disabled=yes (should be enabled)
+++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment= "Accept Related or Established Connections" connection-state=\
established,related
add action=drop chain=forward comment="Drop Invalid Connections" \
connection-state=invalid disabled=yes (should be enabled)
add action=accept chain=forward comment="Accept Exempt IP Addresses" \
src-address-list="Exempt Addresses" (Get rid of this one, its too vague/wide in scope and could cause issues)
add action=drop chain=forward comment="Drop all Bogons" src-address-list=\
Bogons
add action=drop chain=forward comment="Drop all other LAN Traffic"
This is what it could look like if cleaned up a bit and suggestions utilized............
I see no reason why any VLAN user would see any LAN user NOR why any LAN user would see a VLAN user.
Now since on the RB the LAN Traffic is on a bridge and the VLAN is not on the bridge you have layer 2 segmentation. Even if they were on the same bridge, the fact that one is a VLAN also provides L2 segmentation. So on the RB the only way for a cross pollination is perhaps a bad firewall rule. The only one that was suspect for me was the one I recommended to get rid of!
In the routerboard same scenario, the LAN and VLAN are on two different bridges so L2 cross talk is stopped cold (and by the virtue of using VLAN).
However, you now need two forward chain rules and perhaps a third to place just before the drop all rule.
a. allow LAN to WAN traffic
b. allow VLAN to WAN traffic
c. allow admin access too VLAN (optional).
Re: How to block access vlan from my local network?
Hi,
I have tested the firewall rules and worked fine.
I would like to thanks you for your help.
Thanks
YP
I have tested the firewall rules and worked fine.
I would like to thanks you for your help.
Thanks
YP