MikroTik App
 
reynolds087 (Topic Author)

Firewall Rules for UDP Across LAN

Fri Feb 28, 2020 5:53 am

I have some firewall rules that conflict with each other, and I thought that whichever rule was higher in the list would take priority, but that does not seem to be the case. I am trying to allow traffic between two IP address lists on UDP port 666. The VLAN isolation rules prevent traffic between IP address lists, but they are lower in the chain. As I send the UDP payload across the network, I can see the count increasing on the firewall rule for VLAN isolation, and my packets are never being delivered. Does anyone know what I am doing wrong, or could this be a bug? Rules 5 and 10 are the conflicting rules.
 
macsrwe

Re: Firewall Rules for UDP Across LAN

Fri Feb 28, 2020 7:40 am

First question: do you also see the counts for rule 5 or 6 increasing, or just 10? If not, something is wrong with your specification in 5 and 6.
 
reynolds087

Re: Firewall Rules for UDP Across LAN

Fri Feb 28, 2020 8:04 am

5 and 6 are basically configured exactly the same except inverted, so the source and destination are swapped in each rule. The packets on 6 are counting up, and I can receive UDP packets from that network, but rule 5, which should allow them in the opposite direction, is failing. It doesn't count any packets. Instead, rule 10 is counting those packets.
 
macsrwe

Re: Firewall Rules for UDP Across LAN

Fri Feb 28, 2020 8:25 am

Ah, well, then, clearly something in rule 5 is deficient and is not matching the packets. It could be something that doesn't show in the Winbox window because it's in a column you aren't showing, like perhaps the TCP flags or whatever.

Use the CLI to do a /ip firewall filter print, and look for some detail that's different between 5 and 6.
 
reynolds087

Re: Firewall Rules for UDP Across LAN

Fri Feb 28, 2020 9:14 am

Here is the output from the command you suggested:

 5 chain=forward action=accept protocol=udp dst-address=192.168.9.225
   src-address-list=God_Mode src-port=666 dst-port=666 log=no log-prefix=""

 6 chain=forward action=accept protocol=udp src-address=192.168.9.225
   dst-address-list=God_Mode src-port=666 dst-port=666 log=no log-prefix=""

I can't see any difference between them.
 
macsrwe

Re: Firewall Rules for UDP Across LAN

Fri Feb 28, 2020 9:27 am

I would insert the following rule after 5:

chain=forward action=passthrough dst-address=192.168.9.225 src-address-list=God_Mode log=yes log-prefix="666?"

Then check the log for occurrences when you think you should be seeing a packet that 5 should have accepted, and see what the log says about the protocol, source, and destination ports. Hopefully, you don't have so many packets attempting to violate the VLAN boundary that the log will flood.
 
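A worked version of the diagnostic macsrwe describes above, added here as an example and not part of the thread. It assumes the rule numbering from the thread (the failing accept rule at position 5), the God_Mode address list and the host 192.168.9.225 from the printed rules; the comment text "TEMP diag" is an assumed marker used only to find and remove the rule again.

```routeros
# Added diagnostic example (not from the thread). Assumes rule 5 is the
# accept rule that should match, the list God_Mode and host 192.168.9.225
# as printed in the thread. The comment "TEMP diag" is an assumed marker.

# 1. Clear the counters so the next test shows only the packets you send,
#    then look at which rules count.
/ip firewall filter reset-counters-all
/ip firewall filter print stats

# 2. Insert a passthrough rule directly BEFORE rule 5 that logs every UDP
#    packet from God_Mode to the host, deliberately WITHOUT a port match, so
#    the log records the ports the packets really carry. passthrough counts
#    and logs but neither accepts nor drops, so the chain behaves as before.
/ip firewall filter add chain=forward action=passthrough protocol=udp \
    src-address-list=God_Mode dst-address=192.168.9.225 \
    log=yes log-prefix="666?" comment="TEMP diag" place-before=5

# 3. Send the test traffic, then read the log. Each entry shows
#    proto UDP, src-ip:src-port->dst-ip:dst-port, so a source port that is
#    not 666 is visible at a glance.
/log print where message~"666"

# 4. Remove the diagnostic rule so it does not stay in the chain.
/ip firewall filter remove [find comment="TEMP diag"]
```

In this thread the log would have shown a source port in the 50000 range, because the client had not bound its local port; with `src-port=666` in rule 5 the packet matches nothing until the isolation drop at rule 10. Either bind the client's local port (what the topic author ended up doing) or remove the `src-port` match from rule 5: a UDP client's source port is normally ephemeral and not something a firewall rule should depend on.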
anav

Re: Firewall Rules for UDP Across LAN

Fri Feb 28, 2020 10:20 pm

reynolds087 wrote:
I have some firewall rules that conflict with each other, and I thought that whichever rule was higher in the list would take priority, but that does not seem to be the case. I am trying to allow traffic between two IP address lists on UDP port 666. The VLAN isolation rules prevent traffic between IP address lists, but they are lower in the chain. As I send the UDP payload across the network, I can see the count increasing on the firewall rule for VLAN isolation, and my packets are never being delivered. Does anyone know what I am doing wrong, or could this be a bug? Rules 5 and 10 are the conflicting rules.

In general it should be straightforward, and there should be no conflict between rules. If there is, then your rule structure needs work!
The best approach IMHO is to ensure the user-added rules ONLY ALLOW permitted traffic. Clean and simple.
The last rule in the Forward chain (or Input chain, for that matter) should be DROP ALL ELSE.

So in general.....

Forward Chain
{Default rules:
fasttrack
allow established, related
drop invalid packets}

User rules (examples):
allow vlan x to internet
allow vlan y to internet
allow admin user (IP address) access to all vlans
allow users in vlan x to a shared printer located in vlan y

Last rule:
add chain=forward action=drop comment="Drop all else"
This should ensure all traffic at layer 3 that is not explicitly allowed in the user rules will be dropped.


In summary: all your VLAN drop rules, get rid of them; not required.
I would like a better explanation of the other entities (god, wifi remote and all the entries to the right: event horizon etc.).
And mixing ports and VLANs in rules is also bizarre.

What is your subnet structure?
A complete posted config would be helpful.
 
reynolds087

Re: Firewall Rules for UDP Across LAN

Fri Feb 28, 2020 10:49 pm

Thank you, that is very helpful. The issue that was causing the packets to get dropped was because my android app was choosing a random port in the 50,000 range rather than the local port I was requesting. I used a different constructor in my code to bind the local port, and it started sending from the correct one.

As for the VLANs and such, they are all isolated VLANs on the WiFi and a couple of isolated LANs on the physical interfaces. I didn't realize I should just give them Internet access and drop all else. I think at one point when I had the default config everything was reachable from every VLAN and that was the only way I could get them all isolated. Maybe I missed something in the initial setup, and I should start from scratch. How do I grant Internet access to each VLAN individually? What is the best way to do that?
 
reynolds087

Re: Firewall Rules for UDP Across LAN

Sat Feb 29, 2020 2:24 am

Ok, I put in a rule to allow all local IP address lists to access WAN destination interface list, and that gave them internet access. I added a rule at the end to drop all the unmatched packets. But if I disable the VLAN isolation rule, I can still ping across any of the VLANs.
 
k6ccc

Re: Firewall Rules for UDP Across LAN

Sat Feb 29, 2020 2:33 am

Since you have changed things from your original screen capture, please post your current firewall rules.
 
reynolds087

Re: Firewall Rules for UDP Across LAN

Sat Feb 29, 2020 3:15 am

Ok, here you go.
 
k6ccc

Re: Firewall Rules for UDP Across LAN

Sat Feb 29, 2020 5:46 am

You are making your life a bit more complex than it needs to be. Your rules 16 - 20 are completely un-needed because rule 21 is going to drop all of that anyway. As a general rule of thumb, most of us specifically allow what we want to allow and then drop everything else at the end of the chain. Here are a couple of code segments from my firewall rules:
The first is the usual allow established and related.
The next two allow my .101 and .102 LANs to reach my Internet.
The next two allow addresses on my Privileged list to access the other LAN.
The last deletes anything that makes it that far.

add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related

add action=accept chain=forward comment=\
    "Allow outbound traffic from .101 to Cable internet" in-interface=\
    E2-p4_101 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .102 to Cable internet" in-interface=\
    VLAN_102 out-interface=E1-p2_Cable_Internet

add action=accept chain=forward comment=\
    "Allow privileged PCs access to .101 LAN" out-interface=E2-p4_101 \
    src-address-list=Privileged
add action=accept chain=forward comment=\
    "Allow privileged PCs access to .102 LAN" out-interface=VLAN_102 \
    src-address-list=Privileged

add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"

BTW, that is just a small part of my firewall rules, but should give the idea.
 
anav

Re: Firewall Rules for UDP Across LAN

Sat Feb 29, 2020 6:19 am

Those screenshots do nothing for me... I would prefer to see the entire config in proper config format.
 
reynolds087

Re: Firewall Rules for UDP Across LAN

Sat Feb 29, 2020 10:23 am

@k6ccc I tried disabling those rules, and then I can ping from the switch to the VLANs. It's not dropping the traffic unless I explicitly tell it to. If one of my rules further up the chain was accepting the pings through, then those VLAN isolation rules wouldn't do anything, because the packets would never make it that far. But for some reason the drop-everything rule at the bottom doesn't stop the pings going across, and that makes me think other traffic might get through.
 
anav

Re: Firewall Rules for UDP Across LAN

Sat Feb 29, 2020 4:03 pm

You need to post your entire config:
/export hide-sensitive file=whatevernameyouwish

or something like that.
Just make sure any other sensitive info (WAN IP etc.) is removed first.
 
reynolds087

Re: Firewall Rules for UDP Across LAN

Sat Feb 29, 2020 10:11 pm

Ok, here it is.
 
anav

Re: Firewall Rules for UDP Across LAN

Sun Mar 01, 2020 4:25 am

Thanks. You are attaching VLANs to ether ports and not the bridge??
(Change ether4 to bridge.)

/interface vlan
add interface=ether4 name=Event_Horizon vlan-id=37
add interface=ether4 name=Megalodon vlan-id=17
add interface=ether4 name=Pterodactyl vlan-id=27

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
If this is a LAN you want on the router, change it to a VLAN from default,
and
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
Don't make the bridge part of the address definition...........

Where did these come from..........
/ip address
add address=192.168.6.66/24 comment=defconf interface=ether2 network=\
    192.168.6.0
add address=192.168.10.100/24 interface=ether5 network=192.168.10.0

Firewall rules....... Try to put all input rules first and then forward rules; much easier to read.....

/ip firewall filter
WAY TOO MANY RULES................ for my taste...
I would drop all rules except default rules and then slowly add ones you really need back in.
 
reynolds087

Re: Firewall Rules for UDP Across LAN

Sun Mar 01, 2020 6:13 am

I appreciate the advice, but do any of the suggestions you made specifically address the issue of the VLANs not being isolated? I have those rules in place because without them all of the VLANs can reach each other...
 
anav

Re: Firewall Rules for UDP Across LAN

Sun Mar 01, 2020 8:41 pm

Well, firewall rules are useless if the config is a mess, for starters.
The VLAN config may be causing some or all of the mess.
However, I doubt that, because you have a bloated mess of firewall rules on top adding to the woes.

Do yourself a favour and start from defaults for firewall rules.
Don't add anything extra except in the forward chain.

Default rules at start of Forward chain:
fasttrack
allow established, related
drop invalid

User added rules:
vlan x to internet
vlan y to internet, and so on.
Admin PC to all vlans

Default rules after the user rules:
(I think these apply)
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
and
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec

FOR THE LAST RULE put this:
add action=drop chain=forward comment="drop all else"

VLANs will not see each other at all, if your config is correct. Simple, clean........
After you reach this state you can add any other rules really required (very few of the ones you have really are..........).

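The forward chain that anav (above and in the earlier post) and k6ccc describe, written out as one RouterOS configuration. This is an added example, not configuration from any of the posts. Assumed names: interface lists WAN and LAN, ether1 as the WAN port, the VLAN interface names Event_Horizon, Megalodon and Pterodactyl from the posted export, an address list Admin with a constructed admin address, and a constructed printer address 192.168.27.50 on the Pterodactyl VLAN for the cross-VLAN exception.

```routeros
# Added example of the "allow what you need, drop all else" forward chain
# recommended in this thread. Not from the original posts. Interface list
# names, ether1 as WAN, the Admin list, 192.168.17.10 and 192.168.27.50 are
# assumptions; the VLAN names come from the posted export.

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=Event_Horizon
add list=LAN interface=Megalodon
add list=LAN interface=Pterodactyl

/ip firewall address-list
add list=Admin address=192.168.17.10 comment="admin workstation (assumed)"

/ip firewall filter
# Default rules first. fasttrack must sit before the established/related
# accept, and both before anything that could match the same traffic.
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related \
    comment="defconf: accept established,related"
add chain=forward action=drop connection-state=invalid \
    comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="defconf: drop all from WAN not DSTNATed"

# User rules: each VLAN reaches the internet only, matched by interface list,
# so a new VLAN only needs adding to the LAN list.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN vlans to internet"
# The admin host may open connections into every VLAN.
add chain=forward action=accept src-address-list=Admin \
    out-interface-list=LAN comment="admin to all vlans"
# One explicit cross-VLAN exception: a printer on Pterodactyl reachable from
# Megalodon on the raw print port only.
add chain=forward action=accept in-interface=Megalodon \
    dst-address=192.168.27.50 protocol=tcp dst-port=9100 \
    comment="Megalodon to printer (raw port 9100)"

# Last rule: anything not explicitly accepted above, including every
# VLAN-to-VLAN packet that is not the admin host or the printer exception,
# is dropped here, so no per-pair "isolation" drop rules are needed.
add chain=forward action=drop comment="drop all else"
```

With this ordering the only way between two VLANs is an accept rule placed above the final drop, so the UDP 666 rule from the start of the thread would go in the user-rule section and nowhere else. The input chain is separate and protects the router itself; as anav says, it should end with its own drop as well. If the counters on "drop all else" do not increase when you ping between VLANs, the packets are not reaching this chain at all, which points at the bridge/VLAN layout (VLANs on ether4 rather than the bridge, as noted above) rather than at the filter rules.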