I have not yet taken anything apart in my existing network; instead I am just using the MikroTik RB750 on the work bench in an effort to do an experimental setup and learn the ROS software. At this time, for my experimentation, I do not have any switches external to the RB750 because they are still in use in my main network. Long term I expect to use my switches and their VLAN capability ahead of a router-on-a-stick config. But for now in these experiments I was not attempting a full router-on-a-stick config; instead I was able to get the RB750 set up and connected to the internet (double NATed behind my existing router during the experimental phase). I was able to create two VLANs, vlan40 & vlan50, on ether4 & 5 in the bridge (i.e. the new way post 6.410). ether1 is WAN, ether2,3 are base LAN ports. I think I have the two VLANs configured as 'access' port VLANs, i.e. no tagging other than the bridge itself. I was able to set up 3 separate DHCP servers, one for ether2,3 on the same subnet (10.62.0.2/24), vlan40 (10.62.40.2) and vlan50 (10.62.50.2). It seems to work because when I plug a computer into each of those ports I get an IP from the correct IP pool.
Now for the question...
It appears that the default setup/firewall allows for routing between the VLANs (L3 I presume, because VLAN L2 should be blocked). I can ping between the VLANs and the base network. So I decided I wanted to try and drop the inter-VLAN traffic by using the drop forward in/out interface "all vlan", and that didn't work. So I created an interface list "all_VLANs" which included vlan40,50 and used drop forward in/out interface list "all_VLANs", and that also did not block the ability to ping between VLANs. So there is something wrong with my VLAN configuration and/or I am missing some understanding of the ability to use the firewall and the all vlan group/list notation. Does the egress traffic need to be VLAN tagged in order for the drop interface "all vlan" to operate? I was hoping that once in the bridge VLAN it would know that it was VLAN data regardless of the fact that it was an untagged access port config. I can see VLAN traffic in the bridge when I use torch while I ping. But I can't seem to block it with the "all vlan" notation. P.S. some have suggested there is an "all-vlan" notation (note the hyphen)... but I could not see that in the interface or the interface list drop-down. All I could find is "all vlan" in the interface and the "all_VLANs" in the interface list which I created.
P.S. I am aware that many folks suggest a firewall using a drop-everything approach and only allowing specific traffic as needed. And in fact that sort of approach would probably block my inter-VLAN traffic. But before I move to that approach I would really like to understand why I am unable to block inter-VLAN communication using the default firewall plus my added drop VLAN rules. See the two rules that are currently disabled down near the bottom of the firewall rules.
Over the last few days I have read many fine posts in this forum. But at this point I am stuck. I am hoping that you folks can help get me going again.
In particular I have read and re-read the excellent article and examples in "Using RouterOS to VLAN your network" by pcunite, mkx, sindy, which has been very useful. But I fear I am still missing a crucial piece of understanding in order to fix my current problem.
Here is my export. Note: all my firewall mods are currently disabled and have comments that start with (DEBUG). I am wanting to understand why the two drop interface "all vlan" rules near the bottom don't block traffic, or at least not ping.
# feb/09/2021 20:05:36 by RouterOS 6.46.8
# software id = TMDJ-5CYR
#
# model = RB750Gr3
# serial number = xxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan40 vlan-id=40
add interface=bridge name=vlan50 vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="List of All VLANs" name=all_VLANs
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=10.62.0.30-10.62.0.149
add name=vlan40-pool ranges=10.62.40.10-10.62.40.30
add name=vlan50-pool ranges=10.62.50.10-10.62.50.30
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=vlan40-pool disabled=no interface=vlan40 name=vlan40-DHCP
add address-pool=vlan50-pool disabled=no interface=vlan50 name=vlan50-DHCP
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4 pvid=40
add bridge=bridge comment=defconf interface=ether5 pvid=50
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether4,ether5 vlan-ids=40,50
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Add to list of all VLANs" interface=vlan40 list=all_VLANs
add comment="Add to list of all VLANs" interface=vlan50 list=all_VLANs
/ip address
add address=10.62.0.2/24 comment=defconf interface=ether2 network=10.62.0.0
add address=10.62.40.2/24 interface=vlan40 network=10.62.40.0
add address=10.62.50.2/24 interface=vlan50 network=10.62.50.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=10.62.0.3 client-id=1:14:dd:a9:8d:41:b0 mac-address=\
14:DD:A9:8D:41:B0 server=defconf
/ip dhcp-server network
add address=10.62.0.0/24 comment=defconf dns-server=10.62.0.2 gateway=\
10.62.0.2 netmask=24
add address=10.62.40.0/24 comment="VLAN network address" dns-server=10.62.0.2 \
gateway=10.62.40.2 netmask=24
add address=10.62.50.0/24 dns-server=10.62.0.2 gateway=10.62.50.2 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.62.0.2 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
"(DEBUG) Accept DHCP request on VLAN interfaces" disabled=yes dst-port=67 \
in-interface-list=all_VLANs protocol=udp src-port=68
add action=accept chain=input comment=\
"(DEBUG) Accept DNS request (UDP) on VLAN interfaces" disabled=yes \
dst-port=53 in-interface-list=all_VLANs protocol=udp
add action=accept chain=input comment=\
"(DEBUG) Accept DNS request (TCP) on VLAN interfaces" disabled=yes \
dst-port=53 in-interface-list=all_VLANs protocol=tcp
add action=accept chain=input comment="(DEBUG) Allow any service onto VLAN int\
erfaces(for testing must remove when done, this allows winbox to work from\
\_a VLAN but there are better ways to do it)" disabled=yes \
in-interface-list=all_VLANs
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="(DEBUG) Allow all VLANs to access the\
\_Internet Only, NOT each other. But for whatever reason this rule was not\
\_needed because the dflt firewall was allowing vlan to internet access." \
connection-state=new disabled=yes in-interface-list=all_VLANs \
out-interface-list=WAN
add action=drop chain=forward comment="(DEBUG) Drop all traffic between all vl\
ans. But rule didnt work could still ping between vlans." disabled=yes \
in-interface=all-vlan out-interface=all-vlan
add action=drop chain=forward comment="(DEBUG) Drop all traffic between all vl\
ans using my \"all-VLANs\" list. But rule didnt work could still ping betw\
een vlans." disabled=yes in-interface-list=all_VLANs out-interface-list=\
all_VLANs
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
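As an added illustration (not part of the original post or the poster's export), one way to isolate vlan40 and vlan50 from each other in the forward chain on this kind of configuration, together with the checks that show whether the rule is actually being hit. It assumes the interface list all_VLANs (members vlan40 and vlan50) and the rule comments exactly as they appear in the export above.

```routeros
# Added example; assumes the list "all_VLANs" (vlan40, vlan50) and the
# "defconf: fasttrack" rule comment from the export above.
/ip firewall filter

# Drop every forwarded packet whose ingress AND egress interface are both
# in all_VLANs. No connection-state match, so reply packets of an already
# established flow are dropped too; placed before "defconf: fasttrack" so
# that established flows are not handed to fasttrack ahead of this rule.
add chain=forward action=drop \
    in-interface-list=all_VLANs out-interface-list=all_VLANs \
    log=yes log-prefix="intervlan-drop" \
    comment="Drop all forwarded traffic between VLAN interfaces" \
    place-before=[find comment="defconf: fasttrack"]

# Verification: counters on the rule, and the logged drops.
/ip firewall filter print stats where comment~"between VLAN interfaces"
/log print where message~"intervlan-drop"

# What this rule does NOT match, by construction:
#  - vlan40 -> ether1: out-interface-list is WAN, not all_VLANs, so VLAN
#    hosts keep their Internet access.
#  - ether2/ether3 -> vlan40: those ports are bridge slaves, so the packet
#    enters with in-interface "bridge", which is not a member of all_VLANs.
#    Add "bridge" to a list if the base LAN should be isolated as well.
#  - a ping from a vlan40 host to the router's own vlan50 address
#    (10.62.50.2): the destination is the router, so the packet goes
#    through the input chain, where "defconf: accept ICMP" answers it.
#    The forward chain never sees it.
```

Check the stats counter and the log after a single ping from a vlan40 host to a vlan50 host; if the counter stays at zero, the packet is not traversing the forward chain with those interface attributes, which narrows the problem down to either the test path (input vs. forward) or interface membership.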