Chiverel
newbie
Topic Author
Posts: 46
Joined: Fri Jan 12, 2018 7:28 pm

What is the use of interface lists in VLAN firewall

Mon May 04, 2020 9:53 pm

Hi,

I'm playing around with the "Use IP firewall for VLAN" and can't really understand how to give it a cleaner look. Here's the fairly easy test setup:

* single bridge with 2 access ports
* both vlan and bridge belong to the same interface list Test
# jan/01/2002 02:10:36 by RouterOS 6.45.8
/interface bridge
add fast-forward=no name=bridge1 pvid=7 vlan-filtering=yes

/interface vlan add interface=bridge1 name=vlan7 vlan-id=7

/interface list add name=Test

/ip pool add name=dhcp_pool1 ranges=7.7.7.10-7.7.7.25

/ip dhcp-server add address-pool=dhcp_pool1 disabled=no interface=vlan7 name=dhcp

/interface bridge port
add bridge=bridge1 hw=no interface=ether2 pvid=7
add bridge=bridge1 hw=no interface=ether10 pvid=7

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/ip firewall connection tracking set enabled=yes

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether10 vlan-ids=7

/interface list member
add interface=vlan7 list=Test
add interface=bridge1 list=Test

/ip address
add address=7.7.7.0/24 interface=vlan7 network=7.7.7.0

/ip dhcp-server network
add address=7.7.7.0/24 gateway=7.7.7.1

/ip firewall filter
add action=accept chain=forward in-interface-list=Test protocol=icmp
add action=accept chain=forward protocol=icmp src-address=7.7.7.0/24
add action=drop chain=forward log=yes log-prefix=P protocol=icmp
Then connect 2 devices to ports 2 and 10 and start a ping between them. Everything works OK; the 1st firewall rule, the one with the interface list, is counting packets.

Next test: I remove the bridge from the interface list but leave the vlan in the list. Now it's the 2nd rule, the one with IP addresses, that is counting packets.

Does this mean that interface lists don't work with vlans? Does it work based on IP addresses only? But why then such a difference if I remove the bridge from the list?

mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: What is the use of interface lists in VLAN firewall

Mon May 04, 2020 11:20 pm

There's a fundamental error in your setup: all of the L2 setup is about the bridge interface being a tagged member of the VLAN with VID=7, but you set the bridge with pvid=7, which is wrong because it sets the bridge interface as an untagged member of the same VLAN. Set pvid on the bridge back to the default value of pvid=1.

The other problem: when using the firewall for bridge/VLAN traffic, the in-interfaces are the physical interfaces (in your case ether2 and ether10).
 
Chiverel
newbie
Topic Author
Posts: 46
Joined: Fri Jan 12, 2018 7:28 pm

Re: What is the use of interface lists in VLAN firewall

Mon May 04, 2020 11:56 pm

Thank you for the valuable input. That's a reasonable point regarding the untagged bridge.

But I'm not quite sure about the physical interface being a part of the list. Let's assume one of the ports is a trunk or hybrid port, carrying multiple VLANs that don't serve the same purpose, e.g. restricted and public. Adding the physical port to the list (e.g. Restricted) would eliminate the value of the trunk port. Up to this moment, using the vlan instead of the physical interface has worked OK. I'd appreciate an example, if possible, for better understanding.
 
Chiverel
newbie
Topic Author
Posts: 46
Joined: Fri Jan 12, 2018 7:28 pm

Re: What is the use of interface lists in VLAN firewall

Tue May 05, 2020 12:13 am

Btw, if you check the packet flow diagram, you'll see that traffic enters bridge as vlan and leaves bridge accordingly.
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: What is the use of interface lists in VLAN firewall

Tue May 05, 2020 12:16 am

A VLAN interface, created in /interface vlan, is overlaid over an underlying interface ... in your case that's the bridge interface ... and the bridge interface is the CPU's access to the bridge, the switch-like entity.
When it comes to traffic in VLAN 7 between ether2 and ether10 ... one of those ports is the in-interface; vlan7 definitely isn't. For the bridge (switch-like entity) the only case when vlan7 (or the bridge interface) is the in-interface is when packets originate in the L3 part of the router (either when another device is communicating with the router itself, or when traffic is being routed by the routing entity of your device).

Well, yes, the firewall in ROS is primarily an L3 function, and using it on L2 doesn't offer all the bells and whistles one would want to have.
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: What is the use of interface lists in VLAN firewall

Tue May 05, 2020 12:22 am

> Btw, if you check the packet flow diagram, you'll see that traffic enters bridge as vlan and leaves bridge accordingly.

It's not very clear from the documentation, but the bridge in ROS has two quite distinct personalities:
  1. a switch-like entity which forwards frames between member ports. If vlan-filtering=yes, then it's VLAN-aware.
  2. an interface which serves as the CPU's access to the network.
    All L3 parts in ROS work with tagless packets, hence the need for vlan interfaces (which have tagged and untagged ends) to add/remove tags for traffic to/from the router's upper layers. These interfaces don't affect traffic between other interfaces that are members of a bridge.
Whenever the bridge is referred to in an interface= parameter, it's about entity #2. Additionally there are a few settings where it is not stated explicitly (e.g. when setting the bridge's pvid).
However, when firewall filters are used for traffic over the bridge (by setting use-ip-firewall*=yes), it's about entity #1.
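A corrected version of the setup posted at the top of the thread, added here as an example and not taken from any post: the bridge keeps its default pvid=1 so that bridge1 is only a tagged member of VLAN 7, the interface list holds the physical access ports rather than vlan7 or bridge1, and the forward rule matches bridged traffic on the bridge port the frame entered through via in-bridge-port-list (the matcher RouterOS provides for bridged traffic when use-ip-firewall=yes). The router address 7.7.7.1/24 (the posted export has 7.7.7.0/24, which is the network address rather than a host address) and the list name Test are assumptions of this example.

```routeros
# Added example (not from the thread): corrected test setup for RouterOS 6.45.x.
# Assumptions: ether2 and ether10 are access ports in VLAN 7, the router's own
# address in that VLAN is 7.7.7.1/24, and the interface list is named Test.

/interface bridge
# pvid=1 (the default): bridge1 is a tagged member of VLAN 7 only, so VLAN 7
# traffic for the CPU reaches the router through the vlan7 interface below.
add fast-forward=no name=bridge1 pvid=1 vlan-filtering=yes

/interface bridge port
add bridge=bridge1 hw=no interface=ether2 pvid=7
add bridge=bridge1 hw=no interface=ether10 pvid=7

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether10 vlan-ids=7

/interface vlan
add interface=bridge1 name=vlan7 vlan-id=7

/ip address
add address=7.7.7.1/24 interface=vlan7 network=7.7.7.0

/ip pool
add name=dhcp_pool1 ranges=7.7.7.10-7.7.7.25

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan7 name=dhcp

/ip dhcp-server network
add address=7.7.7.0/24 gateway=7.7.7.1

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes

# The list holds the physical bridge ports. For a frame switched from ether2
# to ether10 neither vlan7 nor bridge1 is ever the ingress interface.
/interface list
add name=Test
/interface list member
add interface=ether2 list=Test
add interface=ether10 list=Test

/ip firewall filter
# Bridged (switched) traffic: match on the bridge port the frame came in on.
add chain=forward action=accept in-bridge-port-list=Test protocol=icmp comment="ICMP entering bridge1 through an access port in list Test"
# Routed traffic leaving VLAN 7 for another network enters on vlan7, the L3 side.
add chain=forward action=accept in-interface=vlan7 protocol=icmp comment="ICMP routed out of VLAN 7"
add chain=forward action=drop log=yes log-prefix=P protocol=icmp

# Checks: while pinging between the two ports the counters of the first rule
# should move, and the VLAN table should list bridge1 as a tagged member only.
/ip firewall filter print stats
/interface bridge vlan print
```

Note what this does and does not buy you: in-bridge-port-list identifies the port a frame entered on, not the VLAN it carries, so on a trunk port that carries several VLANs this kind of rule cannot tell them apart. That is exactly the limitation discussed in the thread; the per-port list works for access ports, where port and VLAN coincide.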
