archerious
Member Candidate, Topic Author
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Block Intervlan one direction but not other?

Thu May 07, 2020 11:16 pm

I am used to Ubiquiti more, and on there I had LAN_LOCAL rules that prevented VLAN20 from talking to VLAN100, but the opposite worked.

This is useful to me as I need VLAN100 to be able to manage all VLANs and ssh them across.

Is it possible on MikroTik? I tried some basic drop rules for VLAN20 to VLAN100, but it blocks traffic both ways; I only want it blocked one way.

Even tried with L3 blocking 10.10.10.0/24 from 10.1.1.0/24 but it blocks both directions.

TLDR - Can we block intervlan one direction but not the other?
UDM-Pro Former: RB4011, CCR2004, hEX, ER4
Aruba 2930F, CSS326, CRS309, CRS112-PoE Former: Ubiquiti XG-16 & ES-10X
Wireless Wire
AT&T Fiber 1000/1000
http://tlopez.cc/images/hex_is_a_beast.PNG
http://tlopez.cc/images/ccr2004_speedtest.png
 
jvanhambelgium
Member
Posts: 301
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Block Intervlan one direction but not other?  [SOLVED]

Thu May 07, 2020 11:28 pm

Perhaps you should specify more criteria in your firewall rule? Why don't you include some src-interface and select "vlan 20" or something? I don't use VLANs, but I guess these "interfaces" show up in the list, no? In Webfig I have an "all vlan" "interface" next to the pppoe, eth1... etc., so if you create vlan-interfaces (L3) I guess they show up?
If you move the VLAN100 allow rule to the top, that should allow at least your management.
 
archerious
Member Candidate, Topic Author
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Block Intervlan one direction but not other?

Fri May 08, 2020 12:07 am

Omg I feel so dumb, you're right. On the Ubnt I had an allow local rule for VLAN100 out above the block intervlan rules.

I just added an accept forward rule for VLAN100 out, put it above block VLAN20 rule, and it works. I can send packets to vlan 20, but vlan 20 can't send back to VLAN100.


I feel so dumb lol. Thank you so much, comrade!
 
anav
Forum Guru
Posts: 4709
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block Intervlan one direction but not other?

Fri May 08, 2020 12:47 am

To make it even better, why not clean up many of your rules.

Put the last rule in the forward chain as
chain=forward action=drop comment="drop all else"

Then all you need in the forward chain is to identify all the traffic flow that is authorized, the rest will be dropped by the last rule!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
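The rule order archerious arrived at, combined with anav's default-drop tail, written out as RouterOS filter rules. This is an added example, not configuration posted in the thread; it assumes L3 VLAN interfaces named vlan20 and vlan100 and ether1 as the WAN uplink.

```routeros
# Added example (not from the thread). Assumes VLAN interfaces vlan20 and
# vlan100 exist on the router and ether1 is the WAN uplink.
/ip firewall filter
# Return traffic for already-accepted connections passes first. This is what
# makes the policy one-directional: replies from a VLAN20 host to a session
# that VLAN100 opened are "established", so the drop rules below never see them.
add chain=forward connection-state=established,related action=accept comment="accept return traffic"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# Management VLAN may open sessions to anything (other VLANs and WAN).
add chain=forward in-interface=vlan100 action=accept comment="VLAN100 may initiate to all"
# VLAN20 may only open sessions towards the Internet, never to other VLANs.
add chain=forward in-interface=vlan20 out-interface=ether1 action=accept comment="VLAN20 to WAN only"
# Everything not explicitly authorized above, including new VLAN20 -> VLAN100
# connections, is dropped here, so no per-VLAN drop rule is needed.
add chain=forward action=drop comment="drop all else"
```

The filter chain is first-match, so `/ip firewall filter print` should show the established/related accept at the top and the drop-all-else at the bottom; a VLAN100 host pinging VLAN20 then succeeds while a VLAN20 host pinging VLAN100 times out.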
