simpleIT
just joined
Topic Author
Posts: 6
Joined: Fri Feb 05, 2021 3:11 am

Inter-vlan routing and default firewall

Fri Feb 12, 2021 1:43 am

Hi, first I have to inform you that I am a noob to both MikroTik and networking. I can hear the sighs from here :) I bought an RB750Gr3 because it looked like an excellent way to experiment and learn more about networking, with the goal of getting my home network upgraded to include VLANs and better security. Currently I am running an Asus RT-AC68U wifi router with a TP-Link 16-port switch (TL-1016DE) which has L2 VLAN support (not yet using VLANs) and a couple of 5-port PoE switches (also with VLAN capability) for IP cameras. My goal is to create VLANs and separate devices like cameras, IoT, video streaming, etc. The needs of the home network have been increasing over the last few years and I felt it was time to dig in.

I have not yet taken apart anything in my existing network; instead I am just using the MikroTik RB750 on the work bench in an effort to do an experimental setup and learn the ROS software. At this time, for my experimentation, I do not have any switches external to the RB750 because they are still in use in my main network. Long term I expect to use my switches and their VLAN capability ahead of a router-on-a-stick config. But for now in these experiments I was not attempting a full router-on-a-stick config; instead I was able to get the RB750 set up and connected to the internet (double NATed behind my existing router during the experimental phase). I was able to create two VLANs, vlan40 and vlan50, on ether4 and ether5 in the bridge (i.e. the new way post 6.410). ether1 is WAN; ether2 and ether3 are base LAN ports. I think I have the two VLANs configured as 'access' port VLANs, i.e. no tagging other than the bridge itself. I was able to set up 3 separate DHCP servers, one for ether2,3 on the same subnet (10.62.0.2/24), vlan40 (10.62.40.2) and vlan50 (10.62.50.2). It seems to work because when I plug a computer into each of those ports I get an IP from the correct ip-pool.

Now for the question...
It appears that the default setup/firewall allows routing between the VLANs (L3 I presume, because VLAN L2 should be blocked). I can ping between the VLANs and the base network. So I decided I wanted to try and drop the inter-VLAN traffic by using a drop forward rule with in/out interface "all vlan", and that didn't work. So I created an interface list "all_VLANs" that includes vlan40 and vlan50 and used a drop forward rule with in/out interface list "all_VLANs", and that also did not block the ability to ping between VLANs. So there is something wrong with my VLAN configuration and/or I am missing some understanding of how to use the firewall with the "all vlan" group/list notation. Does the egress traffic need to be VLAN tagged in order for the drop interface "all vlan" rule to operate? I was hoping that once in the bridge VLAN it would know that it was VLAN data regardless of the fact that it was an untagged access port config. I can see VLAN traffic in the bridge when I use torch while I ping. But I can't seem to block it with the "all vlan" notation. P.S. some have suggested there is an "all-vlan" notation (note the hyphen), but I could not see that in the interface or the interface list drop-down. All I could find is "all vlan" in the interface and the "all_VLANs" in the interface list which I created.

P.S. I am aware that many folks suggest a firewall that drops everything and only allows specific traffic as needed. And in fact that sort of approach would probably block my inter-VLAN traffic. But before I move to that approach I would really like to understand why I am unable to block inter-VLAN communication using the default firewall with my added drop VLAN rules. See the two rules that are currently disabled down near the bottom of the firewall rules.

Over the last few days I have read many fine posts in this forum. But at this point I am stuck. I am hoping that you folks can help get me going again.
In particular I have read and re-read the excellent article and examples in "Using RouterOS to VLAN your network" by pcunite, mkx and sindy, which has been very useful. But I fear I am still missing a crucial piece of understanding in order to fix my current problem.

Here is my export. Note: all my firewall mods are currently disabled and have comments that start with (DEBUG). I want to understand why the two drop interface "all vlan" rules near the bottom don't block traffic, or at least not ping.
# feb/09/2021 20:05:36 by RouterOS 6.46.8
# software id = TMDJ-5CYR
#
# model = RB750Gr3
# serial number = xxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan40 vlan-id=40
add interface=bridge name=vlan50 vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="List of All VLANs" name=all_VLANs
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=10.62.0.30-10.62.0.149
add name=vlan40-pool ranges=10.62.40.10-10.62.40.30
add name=vlan50-pool ranges=10.62.50.10-10.62.50.30
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=vlan40-pool disabled=no interface=vlan40 name=vlan40-DHCP
add address-pool=vlan50-pool disabled=no interface=vlan50 name=vlan50-DHCP
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4 pvid=40
add bridge=bridge comment=defconf interface=ether5 pvid=50
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether4,ether5 vlan-ids=40,50
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Add to list of all VLANs" interface=vlan40 list=all_VLANs
add comment="Add to list of all VLANs" interface=vlan50 list=all_VLANs
/ip address
add address=10.62.0.2/24 comment=defconf interface=ether2 network=10.62.0.0
add address=10.62.40.2/24 interface=vlan40 network=10.62.40.0
add address=10.62.50.2/24 interface=vlan50 network=10.62.50.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=10.62.0.3 client-id=1:14:dd:a9:8d:41:b0 mac-address=\
    14:DD:A9:8D:41:B0 server=defconf
/ip dhcp-server network
add address=10.62.0.0/24 comment=defconf dns-server=10.62.0.2 gateway=\
    10.62.0.2 netmask=24
add address=10.62.40.0/24 comment="VLAN network address" dns-server=10.62.0.2 \
    gateway=10.62.40.2 netmask=24
add address=10.62.50.0/24 dns-server=10.62.0.2 gateway=10.62.50.2 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.62.0.2 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "(DEBUG) Accept DHCP request on VLAN interfaces" disabled=yes dst-port=67 \
    in-interface-list=all_VLANs protocol=udp src-port=68
add action=accept chain=input comment=\
    "(DEBUG) Accept DNS request (UDP) on VLAN interfaces" disabled=yes \
    dst-port=53 in-interface-list=all_VLANs protocol=udp
add action=accept chain=input comment=\
    "(DEBUG) Accept DNS request (TCP) on VLAN interfaces" disabled=yes \
    dst-port=53 in-interface-list=all_VLANs protocol=tcp
add action=accept chain=input comment="(DEBUG) Allow any service onto VLAN int\
    erfaces(for testing must remove when done, this allows winbox to work from\
    \_a VLAN but there are better ways to do it)" disabled=yes \
    in-interface-list=all_VLANs
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="(DEBUG) Allow all VLANs to access the\
    \_Internet Only, NOT each other. But for whatever reason this rule was not\
    \_needed because the dflt firewall was allowing vlan to internet access." \
    connection-state=new disabled=yes in-interface-list=all_VLANs \
    out-interface-list=WAN
add action=drop chain=forward comment="(DEBUG) Drop all traffic between all vl\
    ans. But rule didnt work could still ping between vlans." disabled=yes \
    in-interface=all-vlan out-interface=all-vlan
add action=drop chain=forward comment="(DEBUG) Drop all traffic between all vl\
    ans using my \"all-VLANs\" list. But rule didnt work could still ping betw\
    een vlans." disabled=yes in-interface-list=all_VLANs out-interface-list=\
    all_VLANs
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 6157
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Inter-vlan routing and default firewall

Fri Feb 12, 2021 4:47 pm

Did you use this document as a ref guide??
viewtopic.php?f=13&t=143620
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
pcunite
Forum Guru
Posts: 1147
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Inter-vlan routing and default firewall

Fri Feb 12, 2021 5:33 pm

This surely wins an award as the longest first post ever. Well done simpleIT! You win a prize! Cozy up to a fireplace and read the provided material anav has linked for you. Read slowly, it's all there.
 
simpleIT
just joined
Topic Author
Posts: 6
Joined: Fri Feb 05, 2021 3:11 am

Re: Inter-vlan routing and default firewall

Sat Feb 13, 2021 12:36 am

Hi pcunite & anav,
Per anav's pointer, I have read and did use your guide before getting started. It is an excellent resource, for which I gave credit in the 1st post. But since I wasn't attempting to create any one of the specific topos that you outlined in the guide, I decided my goal was more modest. Also, that guide uses a "drop-all" firewall approach, and instead I was initially simply attempting to augment the default firewall. I am not putting this router into production anytime soon; this is just for learning at this time. My initial goal for learning was modest... I was simply attempting to create isolated VLANs under a single bridge, which I "think" is what got created per the config that I posted. The concern that showed up right away when I started simple testing was that I was able to ping between the two VLANs. Even after adding a forward chain firewall rule per many of mkx's posts, it did not block pings. Today I found a post where mkx, anav and tdw explain that in order to block pings you need an input rule. See viewtopic.php?f=13&t=172384, which I suspect outlines the same ping issue that I ran into. But that post left me with an even more basic question, which I left in that post. Maybe you can respond to my question in viewtopic.php?f=13&t=172384, which will help answer the original question in this post. Thank you all.
 
anav
Forum Guru
Posts: 6157
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Inter-vlan routing and default firewall

Sat Feb 13, 2021 5:04 am

simpleIT wrote:
Hi pcunite & anav,
Per anav's pointer, I have read and did use your guide before getting started. It is an excellent resource, for which I gave credit in the 1st post. But since I wasn't attempting to create any one of the specific topos that you outlined in the guide, I decided my goal was more modest. Also, that guide uses a "drop-all" firewall approach, and instead I was initially simply attempting to augment the default firewall. I am not putting this router into production anytime soon; this is just for learning at this time. My initial goal for learning was modest... I was simply attempting to create isolated VLANs under a single bridge, which I "think" is what got created per the config that I posted. The concern that showed up right away when I started simple testing was that I was able to ping between the two VLANs. Even after adding a forward chain firewall rule per many of mkx's posts, it did not block pings. Today I found a post where mkx, anav and tdw explain that in order to block pings you need an input rule. See viewtopic.php?f=13&t=172384, which I suspect outlines the same ping issue that I ran into. But that post left me with an even more basic question, which I left in that post. Maybe you can respond to my question in viewtopic.php?f=13&t=172384, which will help answer the original question in this post. Thank you all.
Naw, that was mkx's suggestion, because he has deeper knowledge of how firewall rules work.
However, I find his suggestions untidy and not efficient.
If you have the drop-all rule in place at the end of both input and forward chains I am pretty sure that would have solved your ping issues, although as mkx pointed out they aren't really issues, as no real access was gained from one VLAN to another.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
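As an added example (my own config fragment, not posted by anyone in this thread), here is one way to augment the default firewall so that vlan40 and vlan50 hosts get DHCP, DNS and Internet but cannot reach each other or the router's other addresses. It reuses the all_VLANs list and subnets from simpleIT's export; narrowing the default "accept ICMP" input rule to the LAN list is my assumption, needed because a ping to the router's address on the other VLAN (e.g. 10.62.50.2 from vlan40) is handled by the input chain, so a forward-chain drop never sees it.

```routeros
# Added example: rule ORDER is the point. Interface lists all_VLANs, LAN and
# WAN are the ones from the export above.
/ip firewall filter
# --- input chain: packets addressed TO the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=udp src-port=68 dst-port=67 \
    in-interface-list=all_VLANs comment="DHCP from VLAN hosts"
add chain=input action=accept protocol=udp dst-port=53 \
    in-interface-list=all_VLANs comment="DNS (UDP) from VLAN hosts"
add chain=input action=accept protocol=tcp dst-port=53 \
    in-interface-list=all_VLANs comment="DNS (TCP) from VLAN hosts"
# Placed BEFORE the ICMP accept: with the default order, a VLAN ping to any
# router address matches "accept ICMP" and never reaches a drop rule.
add chain=input action=drop in-interface-list=all_VLANs \
    comment="drop everything else from VLANs, including ping to the router"
# Assumption: ICMP only from the LAN list (default rule accepts it from anywhere,
# which also means WAN pings are now dropped by the rule after this one).
add chain=input action=accept protocol=icmp in-interface-list=LAN \
    comment="accept ICMP (LAN only)"
add chain=input action=drop in-interface-list=!LAN \
    comment="drop all not coming from LAN"
# --- forward chain: packets routed THROUGH the router ---
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept connection-state=new \
    in-interface-list=all_VLANs out-interface-list=WAN \
    comment="VLAN hosts may open connections to the Internet"
# Host on vlan40 pinging a host on vlan50 is a NEW forward packet: dropped here.
# Replies to connections the base LAN opened toward a VLAN are established and
# were already accepted above, so this does not cut LAN -> VLAN access.
add chain=forward action=drop in-interface-list=all_VLANs \
    comment="drop anything else from a VLAN: other VLANs and the base LAN"
add chain=forward action=drop connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN \
    comment="drop all from WAN not DSTNATed"
```

After enabling, check which chain a test ping is hitting with the rule counters (/ip firewall filter print stats) rather than relying on the ping result alone.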
