I am used to Ubiquiti more, and on there I had LAN_LOCAL rules that prevented VLAN20 from talking to VLAN100, but the opposite worked.
This is useful to me as I need VLAN100 to be able to manage all VLANs and ssh them across.
Is it possible on MikroTik? I tried some basic drop rules for VLAN20 to VLAN100, but it blocks traffic both ways; I only want it blocked one way.
Even tried with L3 blocking 10.10.10.0/24 from 10.1.1.0/24 but it blocks both directions.
TL;DR - Can we block inter-VLAN traffic in one direction but not the other?
Perhaps you should specify more criteria in your firewall rule? Why don't you include some src-interface and select "vlan 20" or something? I don't use VLANs, but I guess these "interfaces" show up in the list, no? In Webfig I have an "all vlan" "interface" next to the pppoe, eth1... etc., so if you create vlan-interfaces (L3) I guess they show up?
If you move the VLAN100 allow rule to the top that should allow at least your management.
Omg I feel so dumb, you're right. On the Ubnt I had an allow local rule for VLAN100 out above the block intervlan rules.
I just added an accept forward rule for VLAN100 out, put it above the block VLAN20 rule, and it works. I can send packets to VLAN20, but VLAN20 can't send back to VLAN100.
I feel so dumb lol. Thank you so much comrade!
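
The rule order the thread arrives at, written out as RouterOS firewall filter rules. This is an added example, not configuration posted by anyone in the thread; the interface names `vlan20` and `vlan100` are assumptions, and the first rule is the usual stateful accept that lets reply packets through.

```routeros
# Added example. Interface names vlan20 / vlan100 are assumptions;
# substitute the names shown by "/interface vlan print".
/ip firewall filter

# 1. Accept packets that belong to connections already permitted.
#    Without a rule like this above the drop, reply packets from
#    VLAN20 hosts match the drop rule and sessions opened from
#    VLAN100 fail too, which looks like "blocked both ways".
add chain=forward action=accept connection-state=established,related \
    comment="allow replies to permitted connections"

# 2. Accept new connections from the management VLAN into VLAN20.
add chain=forward action=accept in-interface=vlan100 out-interface=vlan20 \
    comment="VLAN100 -> VLAN20 (management, ssh)"

# 3. Drop anything VLAN20 tries to send towards VLAN100.
#    Only packets not accepted by rules 1 and 2 reach this rule.
add chain=forward action=drop in-interface=vlan20 out-interface=vlan100 \
    comment="block VLAN20 -> VLAN100"
```

Rules are evaluated top to bottom and the first match wins, so both accept rules have to sit above the drop; `/ip firewall filter print` shows the current order.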