mikrotiknewb
just joined
Topic Author
Posts: 4
Joined: Mon Aug 10, 2020 9:43 pm

Firewall/VLAN setup

Tue Aug 11, 2020 3:03 am

Hello all,

New to MikroTik and confused on firewall rules. By default, does RouterOS 6.45.9 block traffic between VLANs? I've seen posts saying yes and others saying to use a firewall rule. I want to use my hAP ac2 as the DNS/DHCP server for both VLANs, with VLAN 100 only allowed access to the internet. I plan on replacing my current router with this one and want to iron out any issues before switching.
EDIT: I set up VLAN 100 on eth2, but my laptop is getting assigned an IP address on the bridge network (10.10.10.1, where I want most of my devices).

I read that I have to set up a firewall rule for port 53 when making remote requests. Is this firewall rule/ordering correct? Should the port 53 rule get moved all the way to top?

Full config...appreciate any feedback:
https://pastebin.com/eiXi7E4Q

/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 netmask=24
add address=10.10.20.0/24 dns-server=1.1.1.1 gateway=10.10.20.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=10.10.10.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop ICMP edit" in-interface-list=WAN log=yes protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="block remote DNS " dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="block remote DNS" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Firewall/VLAN setup

Tue Aug 11, 2020 5:58 pm

By default, a MikroTik router will route whenever it can. In other words, unless you block it with a firewall rule, it will happily route between VLANs.

In each chain, the router will start at the top of the firewall rules in that chain and keep processing rules until it finds a rule that matches, or it gets to the end of that chain. If no rules match, then the packet will by default be accepted. So what most of us do is have a series of rules that accept what is desired, and at the end of the chain have a drop-everything rule, similar to this:
add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"
As for your code, my first comment would be to move your two port 53 rules up to where the rest of the Input chain rules are. The router couldn't care less, but it makes it far easier for us humans to read when all the Input chain rules are together and then all the Forward chain, etc. Not that big of a deal when you have 12 rules, but trying to sift through 180 rules to find one more in the Input chain is a royal pain in the ass!

Now as for your port 53 rules, they won't ever see any matches because the previous Input chain rule drops anything coming in from the WAN anyway.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall/VLAN setup

Tue Aug 11, 2020 9:03 pm

kcsunshineband, nailed it........

add action=drop chain=input comment="block remote DNS " dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="block remote DNS" dst-port=53 in-interface=ether1 protocol=udp
are not required due to this rule you have in place.

......
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

It gets one to thinking that you really haven't grasped what the rules are actually doing and thus shouldn't be changed from defaults yet. :-)


DEFAULT SETTING.
ALLOWS ALL TRAFFIC from LAN to ROUTER (input chain) by default is not blocked and assumed allowed
BLOCKS ALL TRAFFIC from WAN to ROUTER (input chain)


ALLOW ALL TRAFFIC FROM LAN TO WAN (forward chain) by default is not blocked and assumed allowed
BLOCKS ALL TRAFFIC from WAN to LAN (except if traffic has been identified in Destination NAT (port forwarding).


CHANGES TO MAKE ROUTER MORE SECURE and when using VLANS.
Input chain
ADD ADMIN ACCESS TO ROUTER (input chain ) (lan users do not require full access to the router for best security practices)
ADD SERVICES REQUIRED BY LAN USERS TO ROUTER (input chain). This is where you state specifically lan users should have access to DNS services provided by the router port 53
Get rid of default rule
THEN AND ONLY THEN ADD BLOCK EVERYTHING ELSE AS LAST RULE. (Danger: clearly, if you have not added yourself as an admin with access properly, you will get locked out!!)


....
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Forward Chain
Add as LAST RULE BLOCK EVERYTHING ELSE - this changes the concept of allow everything to block everything unless you allow it.
ADD rule to allow VLAN100 to internet
ADD rule to allow admin access to both VLANS
Add rule for port forwarding if you require it.
remove default rule
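The two points made above, that RouterOS walks each chain top to bottom and accepts at the end if nothing matched (k6ccc), and that the fix is to accept what you need and then drop everything else (anav), can be checked mechanically. The following is an added example written for this page, not code from the thread or from MikroTik: it parses the `add action=... chain=...` export syntax posted above, evaluates sample packets against the original input chain to show that the two "block remote DNS" rules are shadowed, and then evaluates the same packets against a hypothetical rule set built along the lines anav lists. The interface names (`bridge`, `vlan100`, `ether1`), the LAN/WAN interface-list membership, the addresses and the HARDENED rules are all assumptions for illustration, and the evaluator covers only the matchers that appear in the thread.

```python
"""First-match evaluator for RouterOS `/ip firewall filter` export lines.

Added example, not from the thread or from MikroTik. It parses the
`add action=... chain=...` syntax posted above, walks one chain top to
bottom as the router does, and reports which rule a packet hits (implicit
accept when the chain runs out). Interface names, the LAN/WAN list
membership and the HARDENED rule set are assumptions for illustration.
"""
import ipaddress
import shlex

# Assumption: ether1 is the WAN port; the bridge and a vlan100 interface are LAN.
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge", "vlan100"}}

# Input-chain rules as posted in the first message of the thread.
ORIGINAL = """
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop ICMP edit" in-interface-list=WAN log=yes protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="block remote DNS " dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="block remote DNS" dst-port=53 in-interface=ether1 protocol=udp
"""

# Hypothetical rewrite following the "accept what you need, then drop everything else" procedure.
HARDENED = """
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="admin access from main LAN" in-interface=bridge src-address=10.10.10.0/24
add action=accept chain=input comment="DNS for every LAN" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="DNS for every LAN" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop everything else"
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN100 to internet only" in-interface=vlan100 out-interface-list=WAN
add action=accept chain=forward comment="main LAN to internet" in-interface=bridge out-interface-list=WAN
add action=accept chain=forward comment="admin LAN reaches VLAN100" in-interface=bridge out-interface=vlan100
add action=drop chain=forward comment="drop everything else"
"""


def parse(export):
    """Turn `add key=value ...` lines into dicts; shlex keeps quoted comments whole."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in export.strip().splitlines() if line.startswith("add ")]


def matches(rule, pkt):
    """True if every matcher in the rule agrees with the packet ('!' negates)."""
    for key, want in rule.items():
        if key in ("action", "chain", "comment", "log"):
            continue
        negated = want.startswith("!")
        want = want.lstrip("!")
        if key == "connection-state":
            hit = pkt["state"] in want.split(",")
        elif key in ("in-interface", "out-interface"):
            hit = pkt.get(key[:-10]) == want            # "in" / "out"
        elif key in ("in-interface-list", "out-interface-list"):
            hit = pkt.get(key[:-15]) in INTERFACE_LISTS[want]
        elif key == "protocol":
            hit = pkt["proto"] == want
        elif key == "dst-port":
            hit = str(pkt.get("dport")) in want.split(",")
        elif key in ("src-address", "dst-address"):
            hit = ipaddress.ip_address(pkt[key[:3]]) in ipaddress.ip_network(want, strict=False)
        else:
            raise ValueError(f"unsupported matcher {key}")
        if hit == negated:          # matcher failed, or a negated matcher succeeded
            return False
    return True


def evaluate(rules, chain, pkt):
    """Walk `chain` top to bottom; return (action, comment) of the first match,
    or ('accept', None) when the chain runs out, as RouterOS does."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["action"], rule.get("comment")
    return "accept", None


def never_hit(rules, chain, probes):
    """Comments of rules in `chain` that no probe packet reaches (shadowed rules)."""
    reached = {evaluate(rules, chain, p)[1] for p in probes}
    return [r["comment"] for r in rules if r["chain"] == chain and r["comment"] not in reached]


# Constructed sample packets; 'state' is the connection-tracking state.
WAN_DNS = {"in": "ether1", "proto": "udp", "dport": 53, "src": "198.51.100.7", "dst": "203.0.113.2", "state": "new"}
WAN_PROBES = [WAN_DNS, dict(WAN_DNS, proto="tcp"), dict(WAN_DNS, proto="icmp", dport=None),
              dict(WAN_DNS, state="established"), dict(WAN_DNS, state="invalid")]
VLAN_DNS = {"in": "vlan100", "proto": "udp", "dport": 53, "src": "10.10.20.5", "dst": "10.10.20.1", "state": "new"}
VLAN_WINBOX = {"in": "vlan100", "proto": "tcp", "dport": 8291, "src": "10.10.20.5", "dst": "10.10.20.1", "state": "new"}
VLAN_TO_LAN = {"in": "vlan100", "out": "bridge", "proto": "tcp", "dport": 445, "src": "10.10.20.5", "dst": "10.10.10.20", "state": "new"}
VLAN_TO_WAN = {"in": "vlan100", "out": "ether1", "proto": "tcp", "dport": 443, "src": "10.10.20.5", "dst": "198.51.100.7", "state": "new"}

if __name__ == "__main__":
    orig, hard = parse(ORIGINAL), parse(HARDENED)
    print(evaluate(orig, "input", WAN_DNS))        # caught by "drop all not coming from LAN"
    print(never_hit(orig, "input", WAN_PROBES))    # the two "block remote DNS" rules
    for chain, pkt in (("input", VLAN_DNS), ("input", VLAN_WINBOX),
                       ("forward", VLAN_TO_LAN), ("forward", VLAN_TO_WAN)):
        print(chain, evaluate(hard, chain, pkt))
```

Running it shows the WAN DNS packet being dropped by "drop all not coming from LAN" before the port 53 rules are consulted, and `never_hit` lists exactly those two rules as unreachable. Against the hardened set, a VLAN 100 host can query the router's DNS but not reach Winbox on it, and can reach the WAN but not the 10.10.10.0/24 bridge network, because the final drop in each chain replaces the implicit accept. Any other service the router must provide to a LAN (DHCP relay, NTP, a VPN endpoint) needs its own accept rule above that drop.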
 
mikrotiknewb
just joined
Topic Author
Posts: 4
Joined: Mon Aug 10, 2020 9:43 pm

Re: Firewall/VLAN setup

Tue Aug 11, 2020 9:20 pm

Thanks for the update! I'll give this a try. So will adding VLAN 100 internet access allow my laptop to stop pulling an IP from the bridge network pool?
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall/VLAN setup

Tue Aug 11, 2020 11:53 pm

I cannot comment because you have not provided the entire config for reference.
/export hide-sensitive file=anynameyouwish (just remove the wanip and/or wan gateway IP)
 
mikrotiknewb
just joined
Topic Author
Posts: 4
Joined: Mon Aug 10, 2020 9:43 pm

Re: Firewall/VLAN setup

Wed Aug 12, 2020 2:21 am

The full config is here:

https://pastebin.com/eiXi7E4Q

Is it better to create a file and upload it on these forums?
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall/VLAN setup

Wed Aug 12, 2020 3:16 am

Yup your config is a bit messed up.
If you are going to go the vlan route you should probably read this reference......
viewtopic.php?t=143620

From a logic standpoint how can you have ether3 belong to both the vlan and the bridge with different DHCP service.......................
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Firewall/VLAN setup

Wed Aug 12, 2020 6:09 pm

You only require VLANs to share multiple networks over a single interface, if you only require one interface to be on a separate network that interface can be removed from the bridge and have an IP address, DHCP server, etc. added to it.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall/VLAN setup

Wed Aug 12, 2020 10:48 pm

If confused, that's okay.

As stated, VLANs are best utilized if using multiple subnets over single ports.
If you don't have to, you can run subnets on their own interface/port and there is no need for VLANs.

Vlans come into play also if you want to segregate your network with smart switches or other smart devices.
 
mikrotiknewb
just joined
Topic Author
Posts: 4
Joined: Mon Aug 10, 2020 9:43 pm

Re: Firewall/VLAN setup

Wed Aug 12, 2020 11:00 pm

I tried reading the official docs, I'll give the link a look. The end goal is to have an internet only VLAN for work laptop/guests, media VLAN, and home office VLAN (printer, NAS, desktops). Right now I'm trying to get smart enough to make this my main router and have an internet only VLAN. The reason I left bridge on that port was it was connected to a Tp-link switch that supports VLANs and thought it would function as a trunk. I'll see if I can remove the bridge network from eth3 and try the "trunk" when I'm smarter.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall/VLAN setup

Wed Aug 12, 2020 11:12 pm

Since you are keen on vlans the link is most excellent and will get you 90% of the way.
The rest we can help you with.
The only things I would advise are not to use the bridge to give out DHCP and not to use VLAN 1 (it's the default and is best left that way).
The only ports that need not be on the bridge are the WAN port(s) and any subnets you don't want on the bridge (rare).
