Hi Guys,

I have a bridge for trunking, bri-trunk. I have added 5 vlans to the bridge to trunk to vmware. This works fine, however, I can access all vlans from all vlans. If that makes sense. How can I block traffic between vlans? Is there a better way to do this?

It make sense if you put vlans to a bridge. Then you bridge the vlans together. Put vlan to the Interface pointing to vmware. Not to a bridge. And tag in vmware.

If you put vlans to the interface, you get the same behavior.

then you somhow bridge them in Vmware switch etc.

Btw, its also possible that you have a route between Your vlan's, and that the traffic are routed.

Correct. When added to bridge or ethernet port, they are routed. That's what I am trying to stop.

You must add a firewall filter on the forward chain to that interface to stop your traffic then

Sent from my GT-I9100 using Tapatalk

So what's the easiest rule to add then?

I have 3 vlans.

Lets just say vlaid 1001,1002,1003

1001: 10.1.1.1/24
1002: 10.1.2.1/24
1003: 10.1.3.1/24

Is there a simple rule I can add to each to ensure that they cannot communicate with each other. I plan to have a lot of vlans,

The router will route (forward) all traffic unless you stop it in the forwarding filters.

You can start with a simple rule in the forwarding chain with action=drop. Then add rules above it with action="accept" for any traffic that you actually want to forward.

Yes. Do you have an example based on my info above?

Yes. Do you have an example based on my info above?

Try this in ip firewall filter:
chain=forward action=drop in-interface=VLAN1001 out-interface=!ether1-gateway

Then the traffic on VLAN1001 is only allowed to access your ether1 port.

If you put vlans to the interface, you get the same behavior.

No. You get the same behavior at l3 (routed) but you dont bridge the vlans together (l2)

Eg, when you put vlans to bridge, you will find all the other units's mac addresses. If you put to a Interface, you will not. ITs also possible to to a lot bad stuf, when put all vlan to one bridge. Then its no reasion to use the vlan's. Better to just add all ip to the Interface.

Hi Guys,

I have a bridge for trunking, bri-trunk. I have added 5 vlans to the bridge to trunk to vmware.

Have you tried adding VLANs on the bridge interface, not as bridge port, and bridging physical interfaces? That way you will keep VLAN isolation as you intended and their availability on all physical interfaces you added to the bridge.

Yes. Do you have an example based on my info above?

Go into /IP Firewall and add a filter in the forwarding chain with nothing selected except Action=Drop.

At that point no traffic will be routed between interfaces at level 3. You may then want to add specific rules *above* that "drop all" rule with specific traffic that *is* to be forwarded - e.g. by specifying specific interfaces, IP ranges etc.