Community discussions

MikroTik App
 
forenuser
just joined
Topic Author
Posts: 10
Joined: Sat Aug 07, 2021 10:04 pm
Location: Germany

RB4011 VLAN / IP filter misconfiguration?

Thu Sep 30, 2021 10:10 pm

I used pcunite's RouterSwitchAP.rsc configuration as the basis for my own VLAN setup.

The setup works to the extent that the relevant ports get IP addresses from the intended address range from the intended DHCP servers, and Internet access also works. Only the VLAN separation does not work, i.e. cross-VLAN communication is possible.
Furthermore, the access restriction to the router via MAC server does not work, and router access is possible from every VLAN.

The network diagram:
-->>
ether1 for WAN (default)

ether2, ether3, ether4, ether5 for VLAN "Entertainment"
- PVID 50, 10.10.50.1/24, lease range 10.10.50.10 - 10.10.50.250

ether6, ether7, ether8, ether9 and 5 GHz WLAN for VLAN "Office"
- PVID 30, 10.10.30.1/24, lease range 10.10.30.10 - 10.10.30.250

2.4 GHz WLAN for VLAN "Guest"
- PVID 70, 10.10.70.1/24, lease range 10.10.70.10 - 10.10.70.250

ether10 for VLAN "MGMT"
- PVID 99, 10.10.99.1/24, lease range 10.10.99.10 - 10.10.99.250
<<--

The router configuration:
-->>
# sep/30/2021 19:32:41 by RouterOS 6.48.4
# software id = 8ZEH-Z64L
#
# model = RB4011iGS+5HacQ2HnD
# serial number = no one cares
/interface bridge
add admin-mac=2C:C8:1B:40:F0:85 auto-mac=no comment=defconf disabled=yes name=Bridge
add name=Bridge_VLAN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=Bridge_VLAN name=VLAN_30 vlan-id=30
add interface=Bridge_VLAN name=VLAN_50 vlan-id=50
add interface=Bridge_VLAN name=VLAN_70 vlan-id=70
add interface=Bridge_VLAN name=VLAN_99 vlan-id=99
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="VLAN 30, 50, 70 and 99" name=List_3579
add comment="VLAN 99 only" name=List_99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Tygat \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Tyche \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=germany disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge name=Tyche security-profile=Tyche ssid=Tyche \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=germany disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge name=Tygat secondary-channel=auto \
    security-profile=Tygat ssid=Tygat wireless-protocol=802.11 wps-mode=\
    disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Pool_99 ranges=10.10.99.10-10.10.99.250
add name=Pool_50 ranges=10.10.50.10-10.10.50.250
add name=Pool_70 ranges=10.10.70.10-10.10.70.250
add name=Pool_30 ranges=10.10.30.10-10.10.30.250
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=Bridge name=defconf
add address-pool=Pool_30 disabled=no interface=VLAN_30 name=DHCP_30
add address-pool=Pool_50 disabled=no interface=VLAN_50 name=DHCP_50
add address-pool=Pool_70 disabled=no interface=VLAN_70 name=DHCP_70
add address-pool=Pool_99 disabled=no interface=VLAN_99 name=DHCP_99
/interface bridge port
add bridge=Bridge_VLAN comment=Entertainment frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=50
add bridge=Bridge_VLAN comment=Entertainment frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=50
add bridge=Bridge_VLAN comment=Entertainment frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=50
add bridge=Bridge_VLAN comment=Entertainment frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=50
add bridge=Bridge_VLAN comment=Office frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=30
add bridge=Bridge_VLAN comment=Office frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 pvid=30
add bridge=Bridge_VLAN comment=Office frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 pvid=30
add bridge=Bridge_VLAN comment=MGMT frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10 pvid=99
add bridge=Bridge comment="Fiber currently unused" disabled=yes interface=sfp-sfpplus1
add bridge=Bridge_VLAN comment="5 GHz WLAN for Office " frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=Tygat pvid=30
add bridge=Bridge_VLAN comment="2.4 GHz WLAN for Guest" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=Tyche pvid=70
add bridge=Bridge_VLAN comment=Office frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9 pvid=30
/ip neighbor discovery-settings
set discover-interface-list=List_99
/interface bridge vlan
add bridge=Bridge_VLAN comment="VLAN for Office" tagged=Bridge_VLAN vlan-ids=30
add bridge=Bridge_VLAN comment="VLAN for Entertainment" tagged=Bridge_VLAN vlan-ids=50
add bridge=Bridge_VLAN comment="VLAN for Guest" tagged=Bridge_VLAN vlan-ids=70
add bridge=Bridge_VLAN comment="VLAN for MGMT" tagged=Bridge_VLAN vlan-ids=99
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf disabled=yes interface=Bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN_99 list=List_99
add interface=VLAN_30 list=List_3579
add interface=VLAN_50 list=List_3579
add interface=VLAN_70 list=List_3579
add interface=VLAN_99 list=List_3579
/ip address
add address=192.168.88.1/24 comment=defconf interface=Bridge network=192.168.88.0
add address=10.10.99.1/24 comment=MGMT interface=VLAN_99 network=10.10.99.0
add address=10.10.30.1/24 comment=Office interface=VLAN_30 network=10.10.30.0
add address=10.10.50.1/24 comment=Entertainment interface=VLAN_50 network=10.10.50.0
add address=10.10.70.1/24 comment=Guest interface=VLAN_70 network=10.10.70.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.30.0/24 dns-server=10.10.99.1 gateway=10.10.30.1
add address=10.10.50.0/24 dns-server=10.10.99.1 gateway=10.10.50.1
add address=10.10.70.0/24 dns-server=10.10.99.1 gateway=10.10.70.1
add address=10.10.99.0/24 dns-server=10.10.99.1 gateway=10.10.99.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=213.73.91.35,194.95.202.198,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=List_3579
add action=accept chain=input comment="VLAN 99 full local access" in-interface=VLAN_99
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="edited: drop ICMP // defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="NAS (LAN 1) no WAN" src-mac-address=24:5E:BE:15:05:27
add action=drop chain=forward comment="NAS (LAN 2) no WAN" src-mac-address=24:5E:BE:15:05:28
add action=drop chain=forward comment="Printer (LAN) no WAN" src-mac-address=F4:81:39:E2:8A:54
add action=drop chain=forward comment="Printer (WLAN) no WAN" src-mac-address=74:C6:3B:A0:88:F6
add action=accept chain=forward comment="VLAN go WAN not across VLAN" connection-state=new in-interface-list=List_3579 out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router
/system leds
add interface=Tyche leds="Tyche_signal1-led,Tyche_signal2-led,Tyche_signal3-led,Tyche_signal4-led,Tyche_signal5-led" type=wireless-signal-strength
add interface=Tyche leds=Tyche_tx-led type=interface-transmit
add interface=Tyche leds=Tyche_rx-led type=interface-receive
/tool graphing interface
add interface=ether1
/tool mac-server
set allowed-interface-list=List_99
/tool mac-server mac-winbox
set allowed-interface-list=List_99
<<--

Quick note:
- The "Bridge" and the "sfp-sfpplus1" interface are device defaults and have been deactivated. If everything goes well, I might delete Bridge too.
- IP filters no. 12 to 15 should prevent the NAS and the printers (two interfaces each) from accessing the WAN, and they must sit above filter 16 (prevent cross-VLAN communication), otherwise they do not work. They have no effect on no. 16 themselves, since nos. 12 to 15 can be deactivated without affecting the VLAN.


Thanks in advance for any hint and advice!

kind regards
forenuser


Edit: fixed the broken link at the beginning
Last edited by forenuser on Sat Oct 09, 2021 6:09 pm, edited 2 times in total.
 
forenuser
just joined
Topic Author
Posts: 10
Joined: Sat Aug 07, 2021 10:04 pm
Location: Germany

Re: RB4011 VLAN / IP filter misconfiguration?  [SOLVED]

Sat Oct 09, 2021 5:19 pm

Hello world!

Thanks to a YouTube comment I got the solution and a working VLAN setup on the RB4011 - at least I do not find any vital issues right now. My problems indeed were some IP filters. It seems to me that the default IP filters of the RB4011 cause conflicts with the additionally suggested filters.


##################
# INPUT CHAIN
##################

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

is working when changed to

add chain=forward action=accept in-interface=BASE_VLAN out-interface-list=VLAN comment="Allow Base_Vlan Full Access"


##################
# FORWARD CHAIN
##################

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

is working when changed to

add chain=forward action=drop in-interface-list=VLAN out-interface-list=VLAN comment="no cross VLAN access"


With this setup all VLANs have WAN access and are separated from each other, except BASE_VLAN, which has WAN and cross-VLAN access, as wanted.
However, there is one minor issue, nothing vital.


##################
# INPUT CHAIN
##################

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

Currently I did not make it more granular because I do not understand how it is working.
If this filter is enabled everything works fine. Disabling it cuts some services, but not even that completely. IP radio and Netflix are working. Accessing https://youtube.com fails while https://teltarif.de is working. Well, I can live with it, but I would love to understand it.


Below please find my full RB4011 setup with working VLAN, WLAN etc.
To the more professional and experienced ones: I would love it if you could take a look to find niggles, dangerous misconfiguration and/or security holes.
If anyone finds this useful, feel free to use whatever will help you.
# oct/09/2021 16:07:33 by RouterOS 6.49
# software id = 8ZEH-Z64L
#
# model = RB4011iGS+5HacQ2HnD
# serial number = blank
/interface bridge
add name=Bridge_VLAN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=Bridge_VLAN name=VLAN_30 vlan-id=30
add interface=Bridge_VLAN name=VLAN_50 vlan-id=50
add interface=Bridge_VLAN name=VLAN_70 vlan-id=70
add interface=Bridge_VLAN name=VLAN_99 vlan-id=99
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="VLAN 30, 50, 70 and 99" name=List_3579
add comment="VLAN 99 only" name=List_99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Tygat \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Tyche \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=germany disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge name=Tyche security-profile=Tyche ssid=Tyche \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=germany disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge name=Tygat secondary-frequency=\
    auto security-profile=Tygat ssid=Tygat wireless-protocol=802.11 wps-mode=\
    disabled
/ip pool
add name=Pool_99 ranges=10.10.99.10-10.10.99.250
add name=Pool_50 ranges=10.10.50.10-10.10.50.250
add name=Pool_70 ranges=10.10.70.10-10.10.70.250
add name=Pool_30 ranges=10.10.30.10-10.10.30.250
/ip dhcp-server
add address-pool=Pool_30 disabled=no interface=VLAN_30 name=DHCP_30
add address-pool=Pool_50 disabled=no interface=VLAN_50 name=DHCP_50
add address-pool=Pool_70 disabled=no interface=VLAN_70 name=DHCP_70
add address-pool=Pool_99 disabled=no interface=VLAN_99 name=DHCP_99
/interface bridge port
add bridge=Bridge_VLAN comment=Entertainment frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether2 pvid=50
add bridge=Bridge_VLAN comment=Entertainment frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=50
add bridge=Bridge_VLAN comment=Entertainment frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4 pvid=50
add bridge=Bridge_VLAN comment=Entertainment frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5 pvid=50
add bridge=Bridge_VLAN comment=Office frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether6 pvid=30
add bridge=Bridge_VLAN comment=Office frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether7 pvid=30
add bridge=Bridge_VLAN comment=Office frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether8 pvid=30
add bridge=Bridge_VLAN comment=MGMT frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether10 pvid=99
add comment="Fiber currently unused" disabled=yes interface=sfp-sfpplus1
add bridge=Bridge_VLAN comment="5 GHz WLAN for Office " frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    Tygat pvid=30
add bridge=Bridge_VLAN comment="2.4 GHz WLAN for Guest" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    Tyche pvid=70
add bridge=Bridge_VLAN comment=Office frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether9 pvid=30
/ip neighbor discovery-settings
set discover-interface-list=List_99
/interface bridge vlan
add bridge=Bridge_VLAN comment="VLAN for Office" tagged=Bridge_VLAN vlan-ids=\
    30
add bridge=Bridge_VLAN comment="VLAN for Entertainment" tagged=Bridge_VLAN \
    vlan-ids=50
add bridge=Bridge_VLAN comment="VLAN for Guest" tagged=Bridge_VLAN vlan-ids=\
    70
add bridge=Bridge_VLAN comment="VLAN for MGMT" tagged=Bridge_VLAN vlan-ids=99
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=VLAN_99 list=List_99
add interface=VLAN_30 list=List_3579
add interface=VLAN_50 list=List_3579
add interface=VLAN_70 list=List_3579
add interface=VLAN_99 list=List_3579
/ip address
add address=10.10.99.1/24 comment=MGMT interface=VLAN_99 network=10.10.99.0
add address=10.10.30.1/24 comment=Office interface=VLAN_30 network=10.10.30.0
add address=10.10.50.1/24 comment=Entertainment interface=VLAN_50 network=\
    10.10.50.0
add address=10.10.70.1/24 comment=Guest interface=VLAN_70 network=10.10.70.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=10.10.30.20 client-id=1:24:5e:be:15:5:27 mac-address=\
    24:5E:BE:15:05:27 server=DHCP_30
add address=10.10.30.25 client-id=1:f4:81:39:e2:8a:54 mac-address=\
    F4:81:39:E2:8A:54 server=DHCP_30
/ip dhcp-server network
add address=10.10.30.0/24 dns-server=10.10.99.1 gateway=10.10.30.1
add address=10.10.50.0/24 dns-server=10.10.99.1 gateway=10.10.50.1
add address=10.10.70.0/24 dns-server=10.10.99.1 gateway=10.10.70.1
add address=10.10.99.0/24 dns-server=10.10.99.1 gateway=10.10.99.1
/ip dns
set allow-remote-requests=yes servers=213.73.91.35,194.95.202.198,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="All VLAN go WAN" in-interface-list=\
    List_3579
add action=accept chain=forward comment="VLAN 99 go all VLAN" in-interface=\
    VLAN_99 out-interface-list=List_3579
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment=\
    "edited: drop ICMP // defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="VLAN 3579 no VLAN" connection-state="" \
    in-interface-list=List_3579 out-interface-list=List_3579
add action=drop chain=forward comment="NAS (LAN 1) no WAN" src-mac-address=\
    24:5E:BE:15:05:27
add action=drop chain=forward comment="NAS (LAN 2) no WAN" src-mac-address=\
    24:5E:BE:15:05:28
add action=drop chain=forward comment="Printer (LAN) no WAN" src-mac-address=\
    F4:81:39:E2:8A:54
add action=drop chain=forward comment="Printer (WLAN) no WAN" \
    src-mac-address=74:C6:3B:A0:88:F6
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router
/system leds
add interface=Tyche leds="Tyche_signal1-led,Tyche_signal2-led,Tyche_signal3-le\
    d,Tyche_signal4-led,Tyche_signal5-led" type=wireless-signal-strength
add interface=Tyche leds=Tyche_tx-led type=interface-transmit
add interface=Tyche leds=Tyche_rx-led type=interface-receive
/tool graphing interface
add interface=ether1
/tool mac-server
set allowed-interface-list=List_99
/tool mac-server mac-winbox
set allowed-interface-list=List_99

Thanks for any help and hints!

With kind regards
forenuser
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: RB4011 VLAN / IP filter misconfiguration?

Sat Oct 09, 2021 6:02 pm

Please keep in mind: YouTube can also get you into trouble LOL.

The input chain is for traffic to and from the router itself: WAN to router, LAN to router, router to WAN, router to LAN.
The forward chain rules are for traffic through the router: LAN to WAN, WAN to LAN, LAN to LAN.

What will help you help me, is a description of the requirement without mention of the config but in terms of your users.
What individuals or groups or devices etc should be able to do or not do.

The best reference on vlans follows, other than that asking here is a good idea.
viewtopic.php?t=143620
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: RB4011 VLAN / IP filter misconfiguration?

Sat Oct 09, 2021 6:50 pm

Okay, I have had a look, and will discuss some of the findings as one goes from top to bottom of the config. Overall not bad at all.

(1) Minor point but I put in the untagged ports in my /interface bridge vlan rules, just so I can map them one to one to the /interface bridge port settings. The router creates the untagged ports dynamically on the fly so you are good to go.

(2) On a design note, you didn't really need to set up the interface list 3579, because that in effect is already covered by the LAN list.
The reason I say that is because the default firewall rules come with the LAN list already stated. So by your approach one then has to replace all the LAN entries in the firewall rules with List_3579!!

Where it gets you into trouble is the following rule, and why you were running into workarounds (this is where the failure to define LAN will bite you):
Input chain --> add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The other point to understand is that although the default rules are good, they allow ALL USERS on the network to have FULL access to the router. Only the admin needs full access, while the users need access to services, typically only DNS.

Therefore you can remove this rule and replace it with better rules, which in a sense you have almost done already.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN


i. add action=accept chain=input comment="allow admin access" in-interface=VLAN_99
ii. add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=List_3579 protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
connection-state=new dst-port=53 in-interface-list=List_3579 protocol=udp
iii. add action=drop chain=input comment="drop all else"

So the first rule says: let the management network have full access to the router. If you want to reduce that further to just the admin, then apply a firewall address list to the rule
via src-address-list=adminonly
where the firewall address list consists of static DHCP leases to specific devices
add IPof Admin Desktop list=adminonly
add IPof Admin IPad list=adminonly
add IPof Admin Smartphone list=adminonly

So it would look like:
add action=accept chain=input comment="allow admin access" in-interface=VLAN_99 src-address-list=adminonly

The second rule says: allow LAN users to access DNS services.
The last rule is similar to the rule I said we are getting rid of, but this last rule blocks ALL other traffic, not just WAN to router.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now in terms of the FORWARD CHAIN, it is much cleaner, less confusing and easier to manage if you put the same block-all rule at the end of the forward chain,
and remove this rule, which only blocks WAN to LAN traffic and allows port forwarding; seeing as you don't port forward, that is another reason to eliminate it.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


Default rules:
+++++++++++++++++++++++++++++++++
add action=drop chain=forward comment="drop all else"

So, any traffic you wish to allow is placed above the last rule, where the +++++++++++++ are located.
This would include:
add action=accept chain=forward in-interface=VLAN_99 out-interface-list=List_3579
add action=accept chain=forward in-interface-list=List_3579 out-interface-list=WAN

NOW. I note the following rules, as it's clear you don't want full access to the internet for all users/devices; specifically you want to drop a NAS device from going to the WAN, but by MAC address and not IP address??? Same for a second NAS. And further you don't want a printer going to the internet, wired or wireless??
BUT you are actually blocking them from LAN and WAN, as you don't state any outgoing parameters, so all traffic at layer 3 coming out of these devices would be blocked, which is not the intention.

add action=drop chain=forward comment="NAS (LAN 1) no WAN" src-mac-address=\
24:5E:BE:15:05:27
add action=drop chain=forward comment="NAS (LAN 2) no WAN" src-mac-address=\
24:5E:BE:15:05:28
add action=drop chain=forward comment="Printer (LAN) no WAN" src-mac-address=\
F4:81:39:E2:8A:54
add action=drop chain=forward comment="Printer (WLAN) no WAN" \
src-mac-address=74:C6:3B:A0:88:F6


I think a better way to approach this is the use of a firewall address list, list=Block_Internet.
Ensure the devices are assigned a static IP in DHCP leases.

add IPofNAS1 list=Block_Internet
add IPofNAS2 list=Block_Internet
add IPofPrinterW list=Block_Internet
add IPofPrinterWIFI list=Block_Internet

So your rules would become:
add action=accept chain=forward in-interface=VLAN_99 out-interface-list=List_3579
add action=accept chain=forward in-interface-list=List_3579 out-interface-list=WAN src-address-list=!Block_Internet

*** So basically allow traffic from the LAN headed to the WAN for all source addresses not on the block internet list.

Notes:
- There is no reason in the input chain to drop ICMP; the default rule is to accept!
- You can disable the CAPsMAN input chain rule if not using CAPsMAN, or remove it.
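As an added illustration (not code from the thread, from forenuser, or from RouterOS), the following Python model evaluates input-chain rules first-match, the way anav describes, and shows why the original "Allow VLAN" rule lets every VLAN reach every gateway while the admin/DNS/drop-all structure only lets VLAN_99 through. Interface list names and rule matchers come from the thread; the packets are constructed, and the "drop all not coming from LAN" rule is modelled with List_3579 as forenuser later changed it.

```python
"""Tiny first-match model of the RouterOS input chain (added example, not RouterOS code).
Interface lists and rules follow the thread; the packets below are constructed."""
from dataclasses import dataclass
from typing import Optional

# Interface lists as defined in the thread's config (/interface list member).
INTERFACE_LISTS = {
    "List_3579": {"VLAN_30", "VLAN_50", "VLAN_70", "VLAN_99"},
    "List_99": {"VLAN_99"},
    "WAN": {"ether1"},
}


@dataclass
class Packet:
    chain: str                      # "input" (to the router) or "forward" (through it)
    in_iface: str
    out_iface: Optional[str] = None  # only meaningful in the forward chain
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    conn_state: str = "new"


@dataclass
class Rule:
    chain: str
    action: str                     # "accept" or "drop"
    comment: str = ""
    in_iface: Optional[str] = None
    in_list: Optional[str] = None   # may be negated with a leading "!" like RouterOS
    out_list: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    conn_state: Optional[set] = None

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must agree with the packet (AND semantics)."""
        if self.chain != p.chain:
            return False
        if self.in_iface is not None and self.in_iface != p.in_iface:
            return False
        if self.in_list is not None and not _in_list(p.in_iface, self.in_list):
            return False
        if self.out_list is not None and not _in_list(p.out_iface, self.out_list):
            return False
        if self.protocol is not None and self.protocol != p.protocol:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        if self.conn_state is not None and p.conn_state not in self.conn_state:
            return False
        return True


def _in_list(iface, list_spec):
    """Interface-list membership, honouring the '!' negation RouterOS uses."""
    negate = list_spec.startswith("!")
    members = INTERFACE_LISTS[list_spec.lstrip("!")]
    return (iface in members) != negate


def verdict(rules, p):
    """First matching rule wins; RouterOS accepts when no rule in the chain matches."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "accept", "(implicit: no rule matched)"


# The thread's original input chain, reduced to the rules that decide these packets.
ORIGINAL_INPUT = [
    Rule("input", "accept", "defconf: accept established,related,untracked",
         conn_state={"established", "related", "untracked"}),
    Rule("input", "accept", "Allow VLAN", in_list="List_3579"),
    Rule("input", "drop", "defconf: drop invalid", conn_state={"invalid"}),
    Rule("input", "drop", "defconf: drop all not coming from LAN", in_list="!List_3579"),
]

# anav's replacement: admin VLAN gets everything, other VLANs get DNS only, drop the rest.
HARDENED_INPUT = [
    Rule("input", "accept", "defconf: accept established,related,untracked",
         conn_state={"established", "related", "untracked"}),
    Rule("input", "accept", "allow admin access", in_iface="VLAN_99"),
    Rule("input", "accept", "Allow LAN DNS queries - TCP", in_list="List_3579",
         protocol="tcp", dst_port=53, conn_state={"new"}),
    Rule("input", "accept", "Allow LAN DNS queries - UDP", in_list="List_3579",
         protocol="udp", dst_port=53, conn_state={"new"}),
    Rule("input", "drop", "drop all else"),
]

# Constructed packets: an Office (VLAN_30) host opening Winbox (tcp/8291) on a gateway,
# the same host doing a DNS lookup, an MGMT (VLAN_99) host opening Winbox, and a WAN probe.
OFFICE_WINBOX = Packet("input", "VLAN_30", protocol="tcp", dst_port=8291)
OFFICE_DNS = Packet("input", "VLAN_30", protocol="udp", dst_port=53)
MGMT_WINBOX = Packet("input", "VLAN_99", protocol="tcp", dst_port=8291)
WAN_WINBOX = Packet("input", "ether1", protocol="tcp", dst_port=8291)

if __name__ == "__main__":
    for name, pkt in [("Office->Winbox", OFFICE_WINBOX), ("Office->DNS", OFFICE_DNS),
                      ("MGMT->Winbox", MGMT_WINBOX), ("WAN->Winbox", WAN_WINBOX)]:
        print(f"{name:15} original={verdict(ORIGINAL_INPUT, pkt)[0]:6} "
              f"hardened={verdict(HARDENED_INPUT, pkt)[0]}")
```

Swap in your own rule order to see how moving "drop all else" above the DNS rules, or leaving the broad "Allow VLAN" accept in place, changes the verdict for each packet.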
 
forenuser
just joined
Topic Author
Posts: 10
Joined: Sat Aug 07, 2021 10:04 pm
Location: Germany

Re: RB4011 VLAN / IP filter misconfiguration?

Sat Oct 09, 2021 7:25 pm

Thanks for the reply!

I was writing a small reply and now see that you wrote a further reply in the meantime. I really appreciate this!
And as far as I see it now you got me right, but I will state my requirements down below.

It's a lot of stuff and I am going through it step by step. But just some additional information about the NAS and printer: it's one NAS with two LAN ports and one printer with a LAN port and a WLAN "port". I use MAC instead of IP address as I do not know if the router will assign the same IP to each device after, say, a reboot. Of course I can make static assignments, but at some point I have to work with MAC addresses anyway.

My requirements:
-->
VLAN "Entertainment"
- ether2, ether3, ether4, ether5
- PVID 50, 10.10.50.1/24, lease range from 10.10.50.10 to 10.10.50.250

VLAN "Office"
- ether6, ether7, ether8, ether9 and 5 GHz WLAN
- PVID 30, 10.10.30.1/24, lease range from 10.10.30.10 to 10.10.30.250

VLAN "Guest"
- 2.4 GHz WLAN
- PVID 70, 10.10.70.1/24, lease range from 10.10.70.10 to 10.10.70.250

VLAN "MGMT"
- ether10
- PVID 99, 10.10.99.1/24, lease range from 10.10.99.10 to 10.10.99.250

All VLANs need WAN access, but only MGMT must have cross-VLAN access, for management reasons.
VLAN "Office" contains two devices (a NAS and a printer) with 2 ports each which must not have WAN access. No such device restriction in any other VLAN.

ether1 is for WAN access and sfpplus-1 is unused and therefore disabled.
<--

And now I have a post to read, to understand, and then to fix and streamline a configuration.


with kind regards
forenuser
 
forenuser
just joined
Topic Author
Posts: 10
Joined: Sat Aug 07, 2021 10:04 pm
Location: Germany

Re: RB4011 VLAN / IP filter misconfiguration?

Sun Oct 10, 2021 1:00 pm

I worked myself through your suggestions - spinning mind.

Part 1:
Minor point but I put in the untagged ports in my /interface bridge vlan rules, just so I can map them one to one to the /interface bridge port settings. The router creates the untagged ports dynamically on the fly so you are good to go.
I am afraid that my understanding and/or my English fails me here. However, any change in /interface bridge vlan cuts the corresponding VLAN off from the router/DHCP server.

Part 2:
Input Chain--> add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

I changed everything pointing at the LAN list to point at List_3579. Maybe someday I will go back to the LAN list on all rules to keep as close to the default as possible.
And if I got you right I can disable that rule. Doing so, a probing test shows almost every port being wide open, so I keep this rule enabled.

Part 3:
This is my current working IP filter setup. The VLANs, including their gateways, are separated from each other, and the whole thing looks good to me.
It was some kind of a f... job. Can it be that some rules have a delay of a few minutes before they kick in? I mean, I made the suggested changes, tested them and nothing happened, and again and again and so on. Then you go to pee or grab a pot of coffee and come back and, oh wonder, the changes have kicked in...

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="MGMT can ping VLAN gateways. That's all, really!" in-interface=VLAN_99
add action=accept chain=input comment="VLAN_3579 got DNS (53/TCP)" connection-state=new dst-port=53 in-interface-list=List_3579 protocol=tcp
add action=accept chain=input comment="VLAN_3579 got DNS (53/UDP)" connection-state=new dst-port=53 in-interface-list=List_3579 protocol=udp
add action=drop chain=input comment="VLAN_3579 no VLAN gateways. Yes, without this cross VLAN gateway access is possible." in-interface-list=List_3579
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="edited: drop ICMP // defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="Changed \"In. Interface List\" from LAN to List_3579 (defconf: drop all not coming from LAN" in-interface-list=!List_3579
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="MGMT go cross all VLAN to any client" in-interface=VLAN_99 out-interface-list=List_3579
add action=drop chain=forward comment="VLAN_3579 no cross VLAN to any client" connection-state="" in-interface-list=List_3579 out-interface-list=List_3579
add action=accept chain=forward comment="All VLAN go WAN" disabled=yes in-interface-list=List_3579 out-interface-list=WAN
add action=drop chain=forward comment="NAS (LAN 1) no WAN" src-mac-address=24:5E:BE:15:05:27
add action=drop chain=forward comment="NAS (LAN 2) no WAN" src-mac-address=24:5E:BE:15:05:28
add action=drop chain=forward comment="Printer (LAN) no WAN" src-mac-address=F4:81:39:E2:8A:54
add action=drop chain=forward comment="Printer (WLAN) no WAN" src-mac-address=74:C6:3B:A0:88:F6
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

So everything except suppressing WAN access for specified clients by using a list is working.
For testing purposes I created List_no_WAN and made the first NAS LAN port static (10.10.30.20). However

add 10.10.30.20 list=List_no_WAN

ended in "expected end of command (line 1 column 5)" and the cursor is pointing at the first 1 of the IP address.
And it was suggested to disable/remove the last rule

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Yes, everything seems to work properly without it. But it is a default rule so I decided to keep it.

Thanks for any help, hint and ideas!

With kind regards
forenuser
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 VLAN / IP filter miskonfiguration?

Sun Oct 10, 2021 3:53 pm

Rule number 1, don't put in the last rule on the input chain (drop everything etc.) until you are happy with the rest of the input chain rules, otherwise you will lock yourself out of the router!!

Will attempt to address the questions!!

(1) Your /interface bridge vlan rules are fine as you have put them, don't worry too much about it...........
/interface bridge vlan
add bridge=Bridge_VLAN comment="VLAN for Office" tagged=Bridge_VLAN vlan-ids=30
add bridge=Bridge_VLAN comment="VLAN for Entertainment" tagged=Bridge_VLAN vlan-ids=50
add bridge=Bridge_VLAN comment="VLAN for Guest" tagged=Bridge_VLAN vlan-ids=70
add bridge=Bridge_VLAN comment="VLAN for MGMT" tagged=Bridge_VLAN vlan-ids=99

I would just do it differently so I can compare to my bridge port settings more easily.....
/interface bridge vlan
add bridge=Bridge_VLAN tagged=Bridge_VLAN untagged=ether6,ether7,ether8,ether9,Tygat vlan-ids=30
add bridge=Bridge_VLAN tagged=Bridge_VLAN untagged=ether2,ether3,ether4,ether5 vlan-ids=50
add bridge=Bridge_VLAN tagged=Bridge_VLAN untagged=Tyche vlan-ids=70
add bridge=Bridge_VLAN tagged=Bridge_VLAN untagged=ether10 vlan-ids=99

(2) Yes, a good start is to ensure that rule is set at !List_3579 vice LAN (since LAN was not defined).
As for open probes, one should disconnect from the internet while making changes LOL
However once the last drop all rule is in place, in the input chain, then there will be no holes as this rule accomplishes the same and more than the default rule.
The default rule only stops WAN to ROUTER, the drop all rule stops WAN to ROUTER, LAN to Router, Router to WAN and Router to LAN

(3) Not sure what you are talking about on this one. Sessions that are in play already are not likely to be affected by new rules, but new sessions would certainly fall under the rules made??
add action=accept chain=input comment="MGMT can ping VLAN gateways. That's all, really!" in-interface=VLAN_99
This is the rule that allows the admin to have full access to the router. GOOD, can be refined to single IP addresses if desired as per previous post

add action=accept chain=input comment="VLAN_3579 got DNS (53/TCP)" connection-state=new dst-port=53 in-interface-list=List_3579 protocol=tcp
add action=accept chain=input comment="VLAN_3579 got DNS (53/UDP)" connection-state=new dst-port=53 in-interface-list=List_3579 protocol=udp

These are the rules that allow Users on the LAN to access only what is required from the router (DNS services)

add action=drop chain=input comment="VLAN_3579 no VLAN gateways. Yes, without this cross VLAN gateway access is possible." in-interface-list=List_3579
VLAN to VLAN traffic is handled in the FORWARD CHAIN so its intent is wrongly located here. What this rule does is
duplicate part of the drop all rule you should have at the end, because this states DROP all traffic from the LAN to the ROUTER.

add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

Good

add action=drop chain=input comment="edited: drop ICMP // defconf: accept ICMP" protocol=icmp
Nope. Leave this as accept, unless you have a specific reason.

add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
Good, either disable or remove.

add action=drop chain=input comment="Changed \"In. Interface List\" from LAN to List_3579 (defconf: drop all not coming from LAN" in-interface-list=!List_3579
So this rule ONLY drops WAN to Router traffic.
You will note you previously dropped all LAN to Router traffic.
Thus remove this rule and replace it with the last drop all rule suggested, which will block all LAN to Router and WAN to Router traffic in one clean rule that does not confuse you or the reader

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

Good but wrong in the order, put this before the MGMT rule below.

add action=accept chain=forward comment="MGMT go cross all VLAN to any client" in-interface=VLAN_99 out-interface-list=List_3579
Good, allows management vlan to access all other vlans.

add action=drop chain=forward comment="VLAN_3579 no cross VLAN to any client" connection-state="" in-interface-list=List_3579 out-interface-list=List_3579
This is plain silly, you are stating block every vlan from every vlan. If you hadn't had the rule above this one you would have blocked the management vlan from every vlan as well.
Remember, this is already covered by the simple and clean last drop all rule suggested.

add action=accept chain=forward comment="All VLAN go WAN" disabled=yes in-interface-list=List_3579 out-interface-list=WAN
add action=drop chain=forward comment="NAS (LAN 1) no WAN" src-mac-address=24:5E:BE:15:05:27
add action=drop chain=forward comment="NAS (LAN 2) no WAN" src-mac-address=24:5E:BE:15:05:28
add action=drop chain=forward comment="Printer (LAN) no WAN" src-mac-address=F4:81:39:E2:8A:54
add action=drop chain=forward comment="Printer (WLAN) no WAN" src-mac-address=74:C6:3B:A0:88:F6

So the first rule allows all vlans to have internet access BUT IT IS DISABLED?
The next 4 rules drop all traffic originating from the NAS or printers going anywhere.

My impression of the requirements is that you want ALL VLANS to access the internet EXCEPT the four IP addresses.
SO why have you not put in the IP addresses? Why are you using mac addresses?
This is one rule as described
add action=accept chain=forward in-interface-list=List_3579 out-interface-list=WAN src-address-list=!Blocked

Where Blocked is a firewall address list containing the 4 IPs.

This states that the firewall should allow all traffic coming from the vlans going to the WAN with a source address that is NOT on the blocked list.
If the source address is from the blocked list, the router will not permit the traffic, DONE!

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Why have a rule that blocks all wan to lan traffic except for destination nat packets (port forwarding)?
Firstly you don't have any port forwarding and secondly we want to block all unnecessary traffic wan to lan, lan to wan, lan to lan (or in your case vLAN to vLAN).

Thus you need at the end
add chain=forward action=drop comment="drop all else"

(3) Put in the block all else rule at the end of the forward chain to replace and remove the DSTNATed rule.
The firewall address rule should work.
add action=accept chain=forward in-interface-list=List_3579 out-interface-list=WAN src-address-list=!List_no_WAN
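To make the ordering argument in the reply above concrete, here is an added Python simulation of first-match evaluation over the suggested forward chain. It is not anav's or forenuser's code and not RouterOS itself; it models only the matchers the thread uses (connection-state, in-interface, in/out interface lists, a negated src-address-list) and omits fasttrack and ipsec rules. The interface lists (List_3579, WAN) and the address list (Blocked) are constructed to match the names in the thread; the host addresses in Blocked are made up. Two points it demonstrates: the "drop all else" rule at the end is what blocks VLAN-to-VLAN and WAN-to-LAN traffic without any per-VLAN drop rules, and putting "drop invalid" after the MGMT accept lets invalid packets from VLAN_99 through. For reference, RouterOS address-list entries are created with the address= key, e.g. /ip firewall address-list add address=10.10.30.20 list=List_no_WAN, which is why the bare form in the question was rejected.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed interface lists mirroring the thread's names:
# List_3579 groups the four VLAN interfaces, WAN holds the uplink.
INTERFACE_LISTS = {
    "List_3579": {"VLAN_30", "VLAN_50", "VLAN_70", "VLAN_99"},
    "WAN": {"ether1"},
}
# Constructed "Blocked" address list: hosts that must not reach the WAN.
ADDRESS_LISTS = {"Blocked": {"10.10.30.20", "10.10.30.21"}}


@dataclass
class Packet:
    in_if: str
    out_if: str
    src: str
    conn_state: str = "new"  # new | established | related | untracked | invalid


@dataclass
class Rule:
    """One firewall rule; an unset matcher matches anything, like an omitted
    parameter in a RouterOS rule."""
    action: str
    comment: str
    conn_states: Optional[Set[str]] = None
    in_if: Optional[str] = None
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    src_not_in_list: Optional[str] = None  # models src-address-list=!NAME

    def matches(self, p: Packet) -> bool:
        if self.conn_states is not None and p.conn_state not in self.conn_states:
            return False
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        if self.in_list is not None and p.in_if not in INTERFACE_LISTS[self.in_list]:
            return False
        if self.out_list is not None and p.out_if not in INTERFACE_LISTS[self.out_list]:
            return False
        if self.src_not_in_list is not None and p.src in ADDRESS_LISTS[self.src_not_in_list]:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule decides; a chain with no match accepts, as in RouterOS."""
    for rule in chain:
        if rule.matches(p):
            return rule.action, rule.comment
    return "accept", "end of chain (implicit accept)"


def suggested_forward_chain() -> List[Rule]:
    """The forward chain as recommended in the reply: no per-VLAN drops, one drop-all at the end."""
    return [
        Rule("accept", "accept established,related,untracked",
             conn_states={"established", "related", "untracked"}),
        Rule("drop", "drop invalid", conn_states={"invalid"}),
        Rule("accept", "MGMT to all VLANs", in_if="VLAN_99", out_list="List_3579"),
        Rule("accept", "VLANs to WAN unless Blocked",
             in_list="List_3579", out_list="WAN", src_not_in_list="Blocked"),
        Rule("drop", "drop all else"),
    ]


def misordered_forward_chain() -> List[Rule]:
    """Same rules, but 'drop invalid' placed after the MGMT accept, as in the posted config."""
    chain = suggested_forward_chain()
    chain[1], chain[2] = chain[2], chain[1]
    return chain


if __name__ == "__main__":
    chain = suggested_forward_chain()
    # Constructed sample packets; each prints the verdict and the matching rule.
    samples = [
        Packet("VLAN_99", "VLAN_30", "10.10.99.10"),            # management to office
        Packet("VLAN_30", "VLAN_50", "10.10.30.50"),            # office to entertainment
        Packet("VLAN_30", "ether1", "10.10.30.50"),             # office to internet
        Packet("VLAN_30", "ether1", "10.10.30.20"),             # blocked NAS to internet
        Packet("ether1", "VLAN_30", "203.0.113.5"),             # unsolicited inbound
        Packet("VLAN_99", "VLAN_30", "10.10.99.10", "invalid"), # invalid from MGMT
    ]
    for p in samples:
        print(f"{p.in_if:8} -> {p.out_if:8} {p.src:14} {p.conn_state:12}", evaluate(chain, p))
    print("misordered chain, invalid from MGMT:",
          evaluate(misordered_forward_chain(), samples[-1]))
```

Running the block prints one verdict per sample; the last line shows that with the mis-ordered chain the invalid packet from VLAN_99 is accepted by the MGMT rule instead of being dropped.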
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 VLAN / IP filter miskonfiguration?

Sun Oct 10, 2021 3:59 pm

Final comment,
It's more important that you understand how the rules work and what they do, and then the config will make sense.
If you're just copying and pasting, then you will not be able to progress.
 
forenuser
just joined
Topic Author
Posts: 10
Joined: Sat Aug 07, 2021 10:04 pm
Location: Germany

Re: RB4011 VLAN / IP filter miskonfiguration?

Sun Oct 10, 2021 8:55 pm

I appreciate your help and the time you spend here in this thread!
I will read your post when I find the needed time, sadly the weekend is over.

And yes, you are right. One has to learn and understand how the MikroTik is ticking... working. And I will! But it will take some time, trial and error, sleepless nights and a spinning mind. This device is somewhat different from any (consumer) router I had so far. It starts with the wireless settings and the security policies, goes on to the DHCP server with address and pool ranges defined in different places, and it will not end with IP filter rules.

But it is fun and I do not earn my money with it. Lucky me!


With kind regards
forenuser
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 VLAN / IP filter miskonfiguration?

Sun Oct 10, 2021 9:18 pm

Exactly, I was in your boat not too long ago and thanks to the patience of the folks here I have managed to learn just enough to be dangerous. :-)
Don't be shy to ask questions, it is fun once you get over some basic understanding hurdles.
As with anything else, the more you learn, the more you realize there is that you don't know.
