I have not yet taken apart anything in my existing network; instead I am just using the MikroTik RB750 on the work bench in an effort to do an experimental setup and learn the ROS software. At this time, for my experimentation, I do not have any switches external to the RB750 because they are still in use in my main network. Long term I expect to use my switches and their VLAN capability ahead of a router-on-a-stick config. But for now, in these experiments, I was not attempting a full router-on-a-stick config; instead I was able to get the RB750 set up and connected to the internet (double NATed behind my existing router during the experimental phase). I was able to create two VLANs, vlan40 and vlan50, on ether4 and ether5 in the bridge (i.e. the new way, post-6.41). ether1 is WAN; ether2 and ether3 are base LAN ports. I think I have the two VLANs configured as 'access' port VLANs, i.e. no tagging other than the bridge itself. I was able to set up three separate DHCP servers: one for ether2/ether3 on the same subnet (10.62.0.2/24), one for vlan40 (10.62.40.2) and one for vlan50 (10.62.50.2). It seems to work, because when I plug a computer into each of those ports I get an IP from the correct IP pool.
Now for the question...
It appears that the default setup/firewall allows routing between the VLANs (L3, I presume, because VLAN L2 should be blocked). I can ping between the VLANs and the base network. So I decided I wanted to try to drop the inter-VLAN traffic by using a drop forward rule with in/out interface "all vlan", and that didn't work. So I created an interface list "all_VLANs" that includes vlan40 and vlan50 and used a drop forward rule with in/out interface list "all_VLANs", and that also did not block the ability to ping between VLANs. So there is something wrong with my VLAN configuration and/or I am missing some understanding of the ability to use the firewall and the "all vlan" group/list notation. Does the egress traffic need to be VLAN tagged in order for the drop interface "all vlan" to operate? I was hoping that once in the bridge VLAN it would know that it was VLAN data regardless of the fact that it was an untagged access port config. I can see VLAN traffic in the bridge when I use torch while I ping. But I can't seem to block it with the "all vlan" notation.

p.s. Some have suggested there is an "all-vlan" notation (note the hyphen), but I could not see that in the interface or the interface list drop-down. All I could find is "all vlan" in the interface and the "all_VLANs" interface list which I created.
p.s. I am aware that many folks suggest a firewall that drops everything and only allows specific traffic as needed. And in fact that sort of approach would probably block my inter-VLAN traffic. But before I move to that approach I would really like to understand why I am unable to block inter-VLAN communication using the default firewall with my added drop VLAN rules. See the two rules that are currently disabled down near the bottom of the firewall rules.
Over the last few days I have read many fine posts in this forum. But at this point I am stuck. I am hoping that you folks can help get me going again.
In particular I have read and re-read the excellent article and examples in "Using RouterOS to VLAN your network" by pcunite, mkx and sindy, which has been very useful. But I fear I am still missing a crucial piece of understanding in order to fix my current problem.
Here is my export. Note: all my firewall mods are currently disabled and have comments that start with (DEBUG). I want to understand why the two drop interface "all vlan" rules near the bottom don't block traffic, or at least not ping.
# feb/09/2021 20:05:36 by RouterOS 6.46.8
# software id = TMDJ-5CYR
#
# model = RB750Gr3
# serial number = xxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan40 vlan-id=40
add interface=bridge name=vlan50 vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="List of All VLANs" name=all_VLANs
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=10.62.0.30-10.62.0.149
add name=vlan40-pool ranges=10.62.40.10-10.62.40.30
add name=vlan50-pool ranges=10.62.50.10-10.62.50.30
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=vlan40-pool disabled=no interface=vlan40 name=vlan40-DHCP
add address-pool=vlan50-pool disabled=no interface=vlan50 name=vlan50-DHCP
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4 pvid=40
add bridge=bridge comment=defconf interface=ether5 pvid=50
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether4,ether5 vlan-ids=40,50
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Add to list of all VLANs" interface=vlan40 list=all_VLANs
add comment="Add to list of all VLANs" interface=vlan50 list=all_VLANs
/ip address
add address=10.62.0.2/24 comment=defconf interface=ether2 network=10.62.0.0
add address=10.62.40.2/24 interface=vlan40 network=10.62.40.0
add address=10.62.50.2/24 interface=vlan50 network=10.62.50.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=10.62.0.3 client-id=1:14:dd:a9:8d:41:b0 mac-address=14:DD:A9:8D:41:B0 server=defconf
/ip dhcp-server network
add address=10.62.0.0/24 comment=defconf dns-server=10.62.0.2 gateway=10.62.0.2 netmask=24
add address=10.62.40.0/24 comment="VLAN network address" dns-server=10.62.0.2 gateway=10.62.40.2 netmask=24
add address=10.62.50.0/24 dns-server=10.62.0.2 gateway=10.62.50.2 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.62.0.2 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="(DEBUG) Accept DHCP request on VLAN interfaces" disabled=yes dst-port=67 in-interface-list=all_VLANs protocol=udp src-port=68
add action=accept chain=input comment="(DEBUG) Accept DNS request (UDP) on VLAN interfaces" disabled=yes dst-port=53 in-interface-list=all_VLANs protocol=udp
add action=accept chain=input comment="(DEBUG) Accept DNS request (TCP) on VLAN interfaces" disabled=yes dst-port=53 in-interface-list=all_VLANs protocol=tcp
add action=accept chain=input comment="(DEBUG) Allow any service onto VLAN interfaces(for testing must remove when done, this allows winbox to work from a VLAN but there are better ways to do it)" disabled=yes in-interface-list=all_VLANs
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="(DEBUG) Allow all VLANs to access the Internet Only, NOT each other. But for whatever reason this rule was not needed because the dflt firewall was allowing vlan to internet access." connection-state=new disabled=yes in-interface-list=all_VLANs out-interface-list=WAN
add action=drop chain=forward comment="(DEBUG) Drop all traffic between all vlans. But rule didnt work could still ping between vlans." disabled=yes in-interface=all-vlan out-interface=all-vlan
add action=drop chain=forward comment="(DEBUG) Drop all traffic between all vlans using my \"all-VLANs\" list. But rule didnt work could still ping between vlans." disabled=yes in-interface-list=all_VLANs out-interface-list=all_VLANs
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
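Editor's note, as an added worked example that is not part of the original post and not taken from the pcunite/mkx/sindy article. Three points from the export above are worth checking before blaming the "all vlan" matcher. First, a forward-chain rule only ever sees transit traffic: a ping from a host on vlan40 to 10.62.50.2 is addressed to the router itself, so it is handled by the input chain, where "defconf: accept ICMP" accepts it, and neither disabled drop rule would count a hit. The forward rules are only exercised by a ping to a host on the other VLAN. Second, the firewall matches on the L3 interface the packet is routed between, and a frame that entered untagged on ether4 (pvid=40) is delivered to the CPU as VLAN 40 over the tagged bridge interface, so in the forward chain it appears with in-interface=vlan40; no tagging on the access port is needed for `all-vlan` (shown as "all vlan" in Winbox) or for the all_VLANs list to match. Third, the single `/interface bridge vlan` entry with `untagged=ether4,ether5 vlan-ids=40,50` makes each port an untagged member of both VLANs; the usual form is one entry per VLAN ID, and the stock default config also puts the LAN address on the bridge rather than on a member port such as ether2. The fragment below applies those changes using the interface names, VLAN IDs and addresses from the export; the ingress-filtering/frame-types settings, the extra base-LAN rules, the rule placement and the verification commands are my own additions.

```routeros
# Added example (not from the original post). Names, VLAN IDs and addresses
# come from the export above; everything else here is an assumption of mine.

# 1. One bridge-VLAN entry per VLAN: ether4 untagged only in 40, ether5 only
#    in 50, and the CPU-facing "bridge" interface tagged in both. The export
#    has a single static entry, so clearing the static entries is safe here.
/interface bridge vlan
remove [find dynamic=no]
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=40
add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=50

# 2. Access ports accept only untagged frames, so a host on ether4 cannot
#    inject an 802.1Q frame tagged for VLAN 50 and hop VLANs at layer 2.
/interface bridge port
set [find interface=ether4] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether5] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# 3. The base LAN address belongs on the bridge, not on member port ether2.
/ip address
set [find address=10.62.0.2/24] interface=bridge

# 4. Inter-VLAN drops in the forward chain. They sit just before
#    "defconf: drop invalid", i.e. after the established/related accept, so
#    only new connections are evaluated; VLAN-to-WAN traffic is untouched.
#    The bridge interface is the base LAN (10.62.0.0/24), so the second and
#    third rules extend the isolation to it as well.
/ip firewall filter
add chain=forward action=drop in-interface-list=all_VLANs out-interface-list=all_VLANs comment="drop VLAN to VLAN" place-before=[find chain=forward comment="defconf: drop invalid"]
add chain=forward action=drop in-interface-list=all_VLANs out-interface=bridge comment="drop VLAN to base LAN" place-before=[find chain=forward comment="defconf: drop invalid"]
add chain=forward action=drop in-interface=bridge out-interface-list=all_VLANs comment="drop base LAN to VLAN" place-before=[find chain=forward comment="defconf: drop invalid"]

# 5. Verify. Ping a HOST on the other VLAN (not the router's 10.62.50.2,
#    which hits the input chain) and watch the forward counters move;
#    the vlan table should now show ether4 only under 40 and ether5 under 50.
/ip firewall filter print stats where chain=forward
/interface bridge vlan print
/interface bridge host print
```

If the counters on the new rules stay at zero while a host-to-host ping still succeeds, check the bridge host table to see which port the target MAC was learned on: with the original combined VLAN entry, a VLAN 40 frame could legitimately be switched to ether5 at layer 2 without ever reaching the router's forward chain.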