beginer0504
just joined
Topic Author
Posts: 18
Joined: Tue Jul 31, 2018 11:39 am

[SETUP FILTER RULES] VLAN

Wed Feb 12, 2020 10:03 am

Hi,

Diagram: 111.PNG (attached image)
I have 10 VLANs, and I want the VLANs not to be able to access each other.
So I configured the firewall rules as follows:
"add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan"

But I have difficulty as follows:
IP 192.168.10.10 (VLAN 10) needs access to the IP range of VLAN 20
The IP range of VLAN 10 needs access to IP 192.168.30.10 (VLAN 30)



Please help me

Tks,
Last edited by beginer0504 on Wed Feb 12, 2020 5:27 pm, edited 1 time in total.
 
savage
Forum Guru
Posts: 1220
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: [SETUP FILTER RULES] VLAN

Wed Feb 12, 2020 1:27 pm

Your rule allows for .30 to talk to .31. You don't have a rule to allow .31 to talk to .30.
Regards,
Chris
 
mkx
Forum Guru
Posts: 3745
Joined: Thu Mar 03, 2016 10:23 pm

Re: [SETUP FILTER RULES] VLAN

Wed Feb 12, 2020 2:57 pm

As always, when it comes to inventive router admins, I'm suggesting to start off with the default firewall setup (available on SOHO devices). One of the rules, placed near the top of the list, is this:
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked

Which makes the rest of rules much simpler.
BR,
Metod
 
beginer0504
just joined
Topic Author
Posts: 18
Joined: Tue Jul 31, 2018 11:39 am

Re: [SETUP FILTER RULES] VLAN

Wed Feb 12, 2020 4:59 pm

mkx wrote:
As always, when it comes to inventive router admins, I'm suggesting to start off with the default firewall setup (available on SOHO devices). One of the rules, placed near the top of the list, is this:
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked

Which makes the rest of rules much simpler.

Thank you for your help,

Can you give me more detailed instructions?

I have 10 VLANs, and I want the VLANs not to be able to communicate with each other,
but some IP ranges from one VLAN may communicate with some IP ranges of another VLAN.
 
beginer0504
just joined
Topic Author
Posts: 18
Joined: Tue Jul 31, 2018 11:39 am

Re: [SETUP FILTER RULES] VLAN

Wed Feb 12, 2020 5:29 pm

Please....help me
 
mkx
Forum Guru
Posts: 3745
Joined: Thu Mar 03, 2016 10:23 pm

Re: [SETUP FILTER RULES] VLAN

Wed Feb 12, 2020 10:25 pm

I guess the project of yours includes 3 different aspects of networking: L2 subnetting (including VLANs), L3 interworking (IP routing) and firewalling. And I guess you're missing some knowledge in all three aspects. So you might want to either go back and try to learn (read some books or good online resources, but stay away from random youtube tutorials, most are crap) ... or hire a consultant.
BR,
Metod
 
beginer0504
just joined
Topic Author
Posts: 18
Joined: Tue Jul 31, 2018 11:39 am

Re: [SETUP FILTER RULES] VLAN

Thu Feb 13, 2020 3:15 am

mkx wrote:
I guess the project of yours includes 3 different aspects of networking: L2 subnetting (including VLANs), L3 interworking (IP routing) and firewalling. And I guess you're missing some knowledge in all three aspects. So you might want to either go back and try to learn (read some books or good online resources, but stay away from random youtube tutorials, most are crap) ... or hire a consultant.
Can you give me the name of the book? Tks 3000
 
anav
Forum Guru
Posts: 3236
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [SETUP FILTER RULES] VLAN

Wed Feb 19, 2020 5:26 pm

One book I have no issues recommending is ..........
http://stevedischer.com/learn-routeros/

As for VLAN separation: by putting your subnets (LANs) onto VLANs they are naturally separated at layer two.
However they can still be reached through layer 3 (aka routing by your router).
To stop this L3 connection you need to use firewall rules.

The most efficient way to do this is NOT to make a rule for everything you want to block - too tedious and messy.
MUCH BETTER is to
a. state explicitly the traffic you wish to allow, followed by one simple rule to
b. drop everything else.

So besides the normal default rules which are perfectly fine, thank you MT, to get started on the internet safely - you should add the following.

(forward chain for example).

Standard default rules
=====
+++++
*******
NEW RULES FOR VLAN
LAST RULE

NEW RULES FOR VLANS may include
allow vlan 1 and vlan2 to internet (notice we do not specifically allow vlan3 to access internet)
allow admin access to vlans 1,2,3 (allow admin to access any device on any vlan)
allow vlan1 and vlan2 users access to a specific vlan IP address on vlan3 (shared printer)

LAST RULE
chain=forward action=drop comment="Drop all else"

Final Comments: From the above we have stated what we wish to allow and thus anything else is dropped. So there will be no routing in general allowed between the VLANs; this traffic will be dropped. We did allow vlan1 and vlan2 access to the internet. When vlan3 users attempt to access the internet that traffic will be dropped by the last rule. We did state allow the admin access to the vlans and we did state allow vlan1 and vlan2 users to access a printer on vlan3. Since those are stated before the last rule these specific actions will be permitted. Clean, clear and simple.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
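Putting mkx's default "accept established,related,untracked" rule together with anav's allow-first, drop-all-else structure, applied to the two exceptions from the opening post (192.168.10.10 in VLAN 10 to the VLAN 20 range; the VLAN 10 range to 192.168.30.10 in VLAN 30). This is an added example, not configuration posted by anyone in this thread. It assumes VLAN interfaces named vlan10, vlan20 and vlan30 on the router, /24 subnets 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24 (the thread never states the subnet sizes), the WAN interface list from the default configuration, and an interface list VLANS that the example itself creates.

```routeros
# Constructed example: group the VLAN interfaces so one rule can cover internet access for all of them
/interface list add name=VLANS comment="constructed: every VLAN interface"
/interface list member
add list=VLANS interface=vlan10
add list=VLANS interface=vlan20
add list=VLANS interface=vlan30

/ip firewall filter
# The default rule mkx refers to: return traffic of flows that an accept rule below already permitted,
# plus the default drop of invalid packets. Keep these near the top of the forward chain.
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"

# Exception 1 from the opening post: a single VLAN 10 host may open connections to the VLAN 20 range
# (192.168.20.0/24 is an assumed subnet). Matching in-/out-interface as well as addresses means a
# spoofed 192.168.10.10 source arriving on another VLAN does not match.
add chain=forward action=accept in-interface=vlan10 out-interface=vlan20 src-address=192.168.10.10 dst-address=192.168.20.0/24 comment="VLAN10 host -> VLAN20 range"

# Exception 2: the VLAN 10 range (assumed 192.168.10.0/24) may open connections to one VLAN 30 host
add chain=forward action=accept in-interface=vlan10 out-interface=vlan30 src-address=192.168.10.0/24 dst-address=192.168.30.10 comment="VLAN10 range -> VLAN30 host"

# VLANs that are allowed out to the internet (WAN list assumed from the default configuration).
# A VLAN left out of the VLANS list gets no internet access, exactly as anav describes for vlan3.
add chain=forward action=accept in-interface-list=VLANS out-interface-list=WAN comment="VLANs to internet"

# anav's last rule: everything not explicitly accepted above is dropped,
# which includes all other VLAN-to-VLAN forwarding.
add chain=forward action=drop comment="Drop all else"
```

Rules are evaluated top to bottom and the first match wins, so the two exception rules only work because they sit above the final drop; the same ordering applies if you keep the opening post's all-vlan drop rule instead, in which case the accepts must be placed above it. Because only the initiating direction is accepted and the established/related rule carries the replies, a host in VLAN 20 or VLAN 30 cannot open a connection back towards VLAN 10 unless you add a rule for that direction, which is savage's point about .30 and .31. While testing from a host on VLAN 10, `/ip firewall filter print stats` shows which rule each packet hit, which is the quickest way to confirm that the intended accept rule, and not the final drop, is counting the traffic.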
