ExplosiveRat
just joined
Topic Author
Posts: 5
Joined: Mon Aug 01, 2022 9:16 pm

Restricting a port to VLAN only

Mon Aug 01, 2022 10:10 pm

I'm looking into setting up a handful of IP cameras. I'd like to have them in a vlan. Ideally, this vlan would only be able to access devices on that specific vlan; however I will settle for just blocking internet access on their port(s). I attempted to add the rules from viewtopic.php?t=122279#p622925, but neither set of rules work as intended (first doesn't catch any packets, second one catches a few every few seconds).

Network currently looks like this:
Internet <-> Router <-> MikroTik CRS354-48G-4S+2Q+RM <-|
                                                       |->|Server #1 Proxmox 6.4-13
                                                       |   |->VM #1 Ubuntu 20.04
                                                       |   |->VM #2 Ubuntu 20.04
                                                       |   |->VM #3 Ubuntu 20.04
                                                       |->|Server #2 Proxmox 6.4-13
                                                       |   |->VM #1 Windows 10
                                                       |   |->VM #2 Windows 10
                                                       |---->|VM #3 Ubuntu 20.04 (testing vlans/ip camera handler)
                                                       |       |-> Dedicated 1G NIC for vlans, to simulate an IP camera
                                                       #Planned
                                                       |-> TP-Link TL-SG1005P (poe switch) -> up to 4x ip cameras
I intend to have the MikroTik switch function as the router; however, that has to wait until I've moved out this weekend.

My switch has all ports (except vlans) bridged, this includes my internet uplink. I'm able to change port designation as needed. I'm quite new to this so I'm not entirely sure how to get the settings to my liking. Any help would be much appreciated.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Restricting a port to VLAN only

Tue Aug 02, 2022 1:50 am

Speaking about the solution and the config doesn't help. For example, to state that the vlan has to have access to vlan devices is redundant and not useful, as all users/devices within a vlan are connected at L2.

So, state clearly what are the use cases.
identify the user/device or groups of users/devices
identify what they should be able to do
identify what they should NOT be able to do.

A network diagram helps us see what equipment you have, what is attached to the ports, and where the traffic flows are conceptually going to go.


Typically with a drop rule at the end of the forward chain and input chain, all traffic is blocked and one just needs to have the traffic they want to happen explicitly stated.
 
ExplosiveRat
just joined
Topic Author
Posts: 5
Joined: Mon Aug 01, 2022 9:16 pm

Re: Restricting a port to VLAN only

Tue Aug 02, 2022 3:08 am

for example, to state that the vlan has to have access to vlan devices is redundant and not useful, as all users/devices within a vlan are connected at L2
I don't think you quite understood my post. I want devices on a specific vlan to only access devices on that vlan. Apologies for not making that clear.

So, state clearly what are the use cases.
  • identify the user/device or groups of users/devices
    • 4x IP Cameras (for now I have a test VM)
  • identify what they should be able to do
    • Connect to NVR - that's it
  • identify what they should NOT be able to do.
    • Connect to the internet, other local devices (with the exception of the NVR)

A network diagram helps us see what equipment you have what is attached to the ports and where the traffic flows are conceptually going to go
I did describe my network, although not in perfect detail; it's not entirely relevant, and it's also a bit tedious to show a network topology in text.


Edit: I managed to figure out a solution without using vlans for the time being. By making a second bridge and setting up a DHCP server on the switch, I was able to isolate multiple ports to each other. I will leave the post unanswered since I would like to optimize the network; performance on the second bridge is terrible.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Restricting a port to VLAN only

Tue Aug 02, 2022 1:53 pm

You cannot realistically block other devices on the same vlan as the cameras or the NVR.
So I'm suggesting you put the cameras and NVR on the same VLAN.
Then you allow certain IPs access to the NVR from a safe vlan.
Just one bridge with as many vlans as you need assigned to the bridge.
 
ExplosiveRat
just joined
Topic Author
Posts: 5
Joined: Mon Aug 01, 2022 9:16 pm

Re: Restricting a port to VLAN only

Tue Aug 02, 2022 3:49 pm

You cannot realistically block other devices on the same vlan as the cameras or the NVR.
So suggesting you put the cameras and NVR on the same VLAN.
I'm genuinely confused how you came to this conclusion after I've clarified it a second time.

I want a single vlan, we'll call it vlan-10. Vlan-10 will include all my IP cameras and the NVR. Devices on vlan-10 should not be able to access the internet, or devices that are not on vlan-10.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Restricting a port to VLAN only

Tue Aug 02, 2022 3:53 pm

I want devices on a specific vlan to only access devices on that vlan
If you don't want a specific VLAN to access devices on another VLAN, you block that through the Firewall...
Or if you have a drop all rule, then you accept the type of traffic you want before that rule as @anav already said...

In general, when you have InterVLAN routing, the firewall is what enables or disables communication between VLANs...
 
ExplosiveRat
just joined
Topic Author
Posts: 5
Joined: Mon Aug 01, 2022 9:16 pm

Re: Restricting a port to VLAN only

Tue Aug 02, 2022 3:57 pm

My current issue is with the vlan itself; the clients on the vlan won't get anything from DHCP. When I assign a static IP to them, they can ping other clients but not the gateway.

Bridge > Bridge > VLAN Filtering: Enabled
Bridge > Ports > ether20: PVID 10
Bridge > Ports > ether48: PVID 10
Bridge > VLANs > bridge > VLAN ID: 10
  Tagged: ether1
  Untagged: ether20, ether48
Interfaces > VLAN > vlan-10 > Interface: bridge

IP > Addresses:
  Address        | Network     | Interface
  192.168.1.1/24 | 192.168.1.0 | vlan-10
Ether1 is towards my internet uplink, ether20 & ether48 are the testing machines.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Restricting a port to VLAN only

Tue Aug 02, 2022 4:00 pm

That is totally different...
Can you provide a network diagram of the topology?
And export with hide-sensitive the configuration of the CRS... Also manually remove serials, public IPs etc. if any are visible on the config export...
 
ExplosiveRat
just joined
Topic Author
Posts: 5
Joined: Mon Aug 01, 2022 9:16 pm

Re: Restricting a port to VLAN only  [SOLVED]

Tue Aug 02, 2022 5:23 pm

That is totally different...
Can you provide a network diagram of the topology?
And export with hide-sensitive the configuration of the CRS... Also manually remove serials, public IPs etc. if any are visible on the config export...
As requested, I put together a network diagram and exported the switch's config. See attached.

Edit: The folks over on the Homelab discord helped me figure out the issue. My tagged section in the vlan table needed to include the bridge itself. Once I did that and switched my vlan interface back to the bridge, the clients immediately grabbed DHCP. I attempted to connect to my main local subnet via one of the vlan clients and was unable to. I didn't add any filters or firewall rules, I assume this is because I never added a route to that subnet.

I got it working the way I want it to, thanks for you guys' help!
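The following RouterOS script is an added example that is not part of the thread or of any poster's exported config. It pulls together the two things the thread settles on: the bridge VLAN table entry with the bridge itself in the tagged list (the fix in the edit above, which is what makes the vlan-10 interface on the bridge reachable for DHCP and the gateway address), and the explicit forward-chain drop rules anav and Zacharias describe, so that vlan-10's isolation does not depend on a route happening to be absent. Interface names (bridge, ether1, ether20, ether48, vlan-10) and the 192.168.1.0/24 subnet come from the thread; the DHCP pool range, the NVR address 192.168.1.2 and the nvr-viewers list entry 192.168.88.10 are placeholders I chose.

```routeros
# Added example, not from the thread. Assumes RouterOS 7 on a CRS3xx.
# Build the bridge and port membership first; VLAN filtering is enabled last
# so the switch stays reachable while the VLAN table is still incomplete.
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether20 pvid=10
add bridge=bridge interface=ether48 pvid=10

# The bridge itself must be in the tagged list: that is what lets the
# CPU-side vlan-10 interface (gateway, DHCP server) see VLAN 10 traffic.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether20,ether48 vlan-ids=10

/interface vlan
add name=vlan-10 interface=bridge vlan-id=10
/ip address
add address=192.168.1.1/24 interface=vlan-10

# DHCP for the camera VLAN (pool range is a placeholder).
/ip pool
add name=pool-vlan10 ranges=192.168.1.10-192.168.1.100
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dhcp-server
add name=dhcp-vlan10 interface=vlan-10 address-pool=pool-vlan10

# Hosts on a trusted VLAN that may reach the NVR (placeholder address).
/ip firewall address-list
add list=nvr-viewers address=192.168.88.10 comment="placeholder: admin host on a safe VLAN"

# Forward chain: camera-to-camera and camera-to-NVR traffic never reaches
# the firewall (same VLAN, switched at L2). Everything routed out of vlan-10
# is dropped, and only listed viewers may open connections into vlan-10.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="reply traffic for already-permitted connections"
add chain=forward action=drop in-interface=vlan-10 \
    comment="vlan-10: no routed egress (no internet, no other subnets)"
add chain=forward action=accept out-interface=vlan-10 \
    src-address-list=nvr-viewers dst-address=192.168.1.2 \
    comment="viewers on a safe VLAN -> NVR only (placeholder NVR address)"
add chain=forward action=drop out-interface=vlan-10 connection-state=new \
    comment="no other new connections into vlan-10"

# Enable VLAN filtering only once the table above is in place.
/interface bridge
set bridge vlan-filtering=yes
```

Two points worth checking after applying this on a CRS: the VLAN table must be complete before `vlan-filtering=yes` is set, or management access over the bridge can be lost until a reset; and because the forward chain runs on the switch CPU rather than in the switch chip, the drop rules cost nothing for camera-to-NVR traffic (which stays in hardware at L2) but will limit throughput for any traffic that is actually routed between VLANs.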