Mellivice
just joined
Topic Author
Posts: 7
Joined: Tue Feb 09, 2021 1:33 pm

Confused how to do VLAN Firewall filters?

Tue Feb 09, 2021 1:45 pm

Hi all, I am new to this overall and I am trying to see what I am doing wrong here using filters to block access between my VLANs.

Router Config
# model = RB760iGS

My interface config
/interface vlan
add interface=ether3 name=DMZ_VLAN vlan-id=100
add interface=ether2 name=LAN_VLAN vlan-id=10

My Firewall config
/ip firewall address-list
add address=192.168.10.0/24 list=LAN_ADDRESS_VLAN
add address=192.168.100.0/24 list=DMZ_ADDRESS_VLAN
/ip firewall filter
add action=drop chain=input comment="Drop all packets from outside" in-interface=ether1
add action=accept chain=forward disabled=yes dst-address-list=DMZ_ADDRESS_VLAN src-address-list=LAN_ADDRESS_VLAN
add action=drop chain=forward disabled=yes dst-address-list=LAN_ADDRESS_VLAN log=yes src-address-list=DMZ_ADDRESS_VLAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

My goals are quite simple:
  • I want full communication from my LAN_VLAN to DMZ_VLAN
  • I do not want my DMZ_VLAN to access my LAN_VLAN
I was thinking that if I enabled those two rules it would work, but when I enable the drop rule all packets seem to be dropped from LAN to DMZ.

What am I doing wrong?
 
Mellivice

Re: Confused how to do VLAN Firewall filters?

Thu Feb 11, 2021 11:19 am

Bump one more time.
Maybe I need to do my VLANs differently?
 
erlinden
Forum Guru
Posts: 1958
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Confused how to do VLAN Firewall filters?

Thu Feb 11, 2021 11:58 am

I think it is enough to create the following rule:
add action=drop chain=forward comment="Block guest network except WAN" in-interface=GUEST_VLAN out-interface-list=!WAN
With this, my guest network is blocked from any other network (VLAN); WAN is allowed.
Last edited by erlinden on Thu Feb 11, 2021 5:29 pm, edited 1 time in total.
 
Mellivice

Re: Confused how to do VLAN Firewall filters?

Thu Feb 11, 2021 1:23 pm

I think it is enough to create the following rule:
add action=drop chain=forward comment="Block guest network except WAN" in-interface=GUEST_VLAN out-interface-list=!WAN
This ensures that my guest network (based on the VLAN) may only go to WAN.
Thanks, I tried this as well, with it again dropping all packets from LAN to the DMZ. I feel like I am doing something wrong but can't figure it out.
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Confused how to do VLAN Firewall filters?

Thu Feb 11, 2021 1:37 pm

To have a conversation between LAN and DMZ, after the initial packet from LAN to DMZ there will be a reply packet from DMZ to LAN, and your drop DMZ-to-LAN rule will drop these too. Typically you have an allow established/related/untracked rule as the first item in the forward chain to permit the ongoing conversation.

Similarly, the drop input rule without an allow input established/related/untracked rule will prevent the MikroTik itself from communicating with the outside world - no DNS, no timesync, etc.

The default rules are a good starting point, then add/adjust as necessary.
 
Mellivice

Re: Confused how to do VLAN Firewall filters?

Thu Feb 11, 2021 4:02 pm

To have a conversation between LAN and DMZ, after the initial packet from LAN to DMZ there will be a reply packet from DMZ to LAN, and your drop DMZ-to-LAN rule will drop these too. Typically you have an allow established/related/untracked rule as the first item in the forward chain to permit the ongoing conversation.

Similarly, the drop input rule without an allow input established/related/untracked rule will prevent the MikroTik itself from communicating with the outside world - no DNS, no timesync, etc.

The default rules are a good starting point, then add/adjust as necessary.
Can you give me an example of how that would look? Just trying to understand why this would need to be this explicit with rules.
 
tdw

Re: Confused how to do VLAN Firewall filters?  [SOLVED]

Thu Feb 11, 2021 5:07 pm

For input you should allow established/related/untracked connections, drop invalid connections, allow ICMP (as blocking it breaks things such as PMTU detection), then have your drop-from-outside rule:
/ip firewall filter
add action=accept chain=input comment="Allow input 'established', 'related' and 'untracked' connections" connection-state=established,related,untracked
add action=drop chain=input comment="Drop input 'invalid' connections" connection-state=invalid
add action=accept chain=input comment="Allow input ICMP" protocol=icmp
add action=drop chain=input comment="Drop input all from outside" in-interface=ether1

For forward you should again allow established/related/untracked connections and drop invalid connections, then allow what you wish to and drop everything else:
/ip firewall filter
add action=accept chain=forward comment="Allow forward 'established', 'related' and 'untracked' connections" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop forward 'invalid' connections" connection-state=invalid
add action=accept chain=forward comment="Allow forward all to outside" out-interface=ether1
add action=accept chain=forward comment="Allow forward LAN to DMZ" dst-address-list=DMZ_ADDRESS_VLAN src-address-list=LAN_ADDRESS_VLAN
add action=drop chain=forward comment="Drop forward all else"
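The connection-tracking point tdw makes above (the DMZ-to-LAN reply belongs to a connection the LAN side opened, so a plain DMZ-to-LAN drop kills it) and the corrected forward chain in this solved post can be checked with a toy model. The following Python is an added example, not RouterOS code and not from anyone in the thread: it models the forward chain as an ordered rule list and connection tracking as a set of 5-tuples, recognising only the "new" and "established" states (related, untracked and invalid are not modelled, and the out-interface=ether1 rule is left out because interfaces are not modelled). The address lists are the ones from the original post; the hosts and ports are constructed sample traffic.

```python
"""Toy model of a stateful forward chain, showing why the thread's original
two rules dropped LAN->DMZ traffic and why the accepted answer's chain works.
Not RouterOS code.  Connection tracking is a set of 5-tuples and only the
states 'new' and 'established' exist here; related/untracked/invalid and
interface matching are not modelled.  Hosts and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Address lists from the original post
ADDRESS_LISTS = {
    "LAN_ADDRESS_VLAN": ip_network("192.168.10.0/24"),
    "DMZ_ADDRESS_VLAN": ip_network("192.168.100.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                          # "accept" or "drop"
    src_list: Optional[str] = None       # src-address-list=
    dst_list: Optional[str] = None       # dst-address-list=
    states: Optional[frozenset] = None   # connection-state=; None matches any state
    comment: str = ""


class ForwardChain:
    def __init__(self, rules):
        self.rules = list(rules)
        # Tracking table: the 5-tuple of the first packet of each accepted connection.
        self.conntrack = set()

    def _state(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)   # reply direction
        return "established" if (fwd in self.conntrack or rev in self.conntrack) else "new"

    @staticmethod
    def _matches(rule: Rule, p: Packet, state: str) -> bool:
        if rule.src_list and ip_address(p.src) not in ADDRESS_LISTS[rule.src_list]:
            return False
        if rule.dst_list and ip_address(p.dst) not in ADDRESS_LISTS[rule.dst_list]:
            return False
        if rule.states is not None and state not in rule.states:
            return False
        return True

    def handle(self, p: Packet) -> str:
        """Return the verdict for one packet, first match wins, and update tracking."""
        state = self._state(p)
        verdict = "accept"   # RouterOS: a packet matching no rule in a built-in chain is accepted
        for rule in self.rules:
            if self._matches(rule, p, state):
                verdict = rule.action
                break
        if verdict == "accept" and state == "new":
            # The tracking entry only survives if the opening packet is not dropped.
            self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict


# The two forward rules from the original post, as if enabled
ORIGINAL_RULES = [
    Rule("accept", src_list="LAN_ADDRESS_VLAN", dst_list="DMZ_ADDRESS_VLAN", comment="LAN to DMZ"),
    Rule("drop", src_list="DMZ_ADDRESS_VLAN", dst_list="LAN_ADDRESS_VLAN", comment="DMZ to LAN"),
]

# The solved post's forward chain (minus the out-interface rule, which needs interfaces)
FIXED_RULES = [
    Rule("accept", states=frozenset({"established", "related", "untracked"}),
         comment="Allow forward established/related/untracked"),
    Rule("drop", states=frozenset({"invalid"}), comment="Drop forward invalid"),
    Rule("accept", src_list="LAN_ADDRESS_VLAN", dst_list="DMZ_ADDRESS_VLAN", comment="Allow forward LAN to DMZ"),
    Rule("drop", comment="Drop forward all else"),
]

# Constructed sample traffic: a LAN host opens HTTPS to a DMZ server, the server
# replies, then a DMZ host tries to open its own SSH connection into the LAN.
SAMPLE_PACKETS = [
    Packet("192.168.10.5", "192.168.100.20", 50000, 443),   # SYN, LAN -> DMZ
    Packet("192.168.100.20", "192.168.10.5", 443, 50000),   # SYN/ACK reply, DMZ -> LAN
    Packet("192.168.100.20", "192.168.10.5", 40000, 22),    # unsolicited, DMZ -> LAN
]


def simulate(rules) -> list:
    """Run the sample packets through a fresh chain and return the verdicts in order."""
    chain = ForwardChain(rules)
    return [chain.handle(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    print("original:", simulate(ORIGINAL_RULES))   # reply dropped, so LAN->DMZ never completes
    print("fixed:   ", simulate(FIXED_RULES))      # reply accepted, new DMZ->LAN still dropped
```

With the original rules the verdicts are accept, drop, drop: the opening packet gets through but the reply is matched by the DMZ-to-LAN drop, which is exactly the "all packets drop from LAN to DMZ" symptom. With the solved post's ordering they are accept, accept, drop: the reply is recognised as established and passed by the first rule, while an unsolicited DMZ-to-LAN connection is still a new state and falls through to the final drop.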
 
Mellivice

Re: Confused how to do VLAN Firewall filters?

Thu Feb 11, 2021 8:52 pm

Thank you very much that actually solved my issue.

I am going to spend some time looking at this.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Confused how to do VLAN Firewall filters?

Fri Feb 12, 2021 4:53 pm

What I end up doing is modifying my input chain and forward chain with a last DROP all rule.

add action=drop chain=input comment="drop all else"
add action=drop chain=forward comment="drop all else"

What this does is basically drop any traffic that you, as an admin, have not explicitly allowed.

So in the input chain, BEFORE you do this, you need a
add action=accept chain=input src-address-list=AdminAccessList in-interface-list=LAN

basically stating the IP addresses (your desktop, laptop, iPad, etc.) that are allowed from the LAN to access the router.
Note this stops any WAN-to-router traffic and any LAN-to-router traffic automatically.
So if your users on the LAN need any router services such as DNS or NTP, you will have to add these in as ALLOW rules prior to the last drop-all rule.

As for the forward chain:
besides the defaults and the new last drop-all rule, for the most part you only need to add a rule for LAN-to-WAN traffic.
The rest, VLAN-to-VLAN traffic for example, is all blocked.
