 
sebastian001
just joined
Topic Author
Posts: 4
Joined: Thu Jan 15, 2015 6:58 pm

How to block traffic between vlans?

Fri Jan 23, 2015 2:00 pm

Hi, I have some problems with inter-VLAN communication. I have VLANs with id 10 and 20. I want vlan 10 to have access to vlan 20, but vlan 20 cannot have access to vlan 10. I can block all traffic between these two via Firewall or Routing rules, but I can't restrict the traffic as I described above, that is:
vlan 10 -> can access vlan 20 and the Internet
vlan 20 -> cannot access vlan 10 and can access the Internet
 
plankanater
Member Candidate
Posts: 166
Joined: Wed Mar 14, 2012 3:56 am

Re: How to block traffic between vlans?

Fri Jan 23, 2015 6:15 pm

You would have to write a rule accepting all new traffic from vlan 10, and another rule allowing all established, and all related traffic. Then below that put a rule that drops all new traffic in interface vlan 20 and out interface vlan 10.
 
sebastian001
just joined
Topic Author
Posts: 4
Joined: Thu Jan 15, 2015 6:58 pm

Re: How to block traffic between vlans?

Sat Jan 24, 2015 12:58 pm

I have written something like this:
/ip firewall address-list
add address=172.16.100.0/24 list=vlan10
add address=10.0.200.0/24 list=vlan20

/ip firewall filter
add chain=forward connection-state=new src-address-list=vlan10
add chain=forward connection-state=established,related src-address-list=vlan10
add action=drop chain=forward in-interface=interf_vlan20 out-interface=interf_vlan10
but it blocks all the traffic between them. When I send ICMP packets they get the message but can't reply to each other. Did I mess up or something?
 
docmarius
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: How to block traffic between vlans?

Sat Jan 24, 2015 1:07 pm

I think that should be

add chain=forward src-address-list=vlan10 <-- here you need all, not only new connections
add chain=forward connection-state=established,related src-address-list=vlan20
add action=drop chain=forward in-interface=interf_vlan20 out-interface=interf_vlan10
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
plankanater
Member Candidate
Posts: 166
Joined: Wed Mar 14, 2012 3:56 am

Re: How to block traffic between vlans?

Mon Jan 26, 2015 2:48 pm

When doing established and related, do not put an interface; accept all established and related traffic.

If you accept all new connections, then you will allow all connections.

The rules posted above should work.
 
sebastian001
just joined
Topic Author
Posts: 4
Joined: Thu Jan 15, 2015 6:58 pm

Re: How to block traffic between vlans?

Tue Jan 27, 2015 2:25 pm

Thanks guys for your efforts. I used what docmarius wrote and it looks fine. It works exactly as I wanted :)
 
eidigii
just joined
Posts: 1
Joined: Tue Sep 15, 2015 5:24 am

Re: How to block traffic between vlans?

Tue Sep 15, 2015 5:29 am

I have a similar problem that I could not overcome with the posted solution.

I have 5 vlans:
vlan100 - this vlan should be able to access all others + internet
vlan10 and vlan20 - these ones should only access vlan100 and internet (not 30 and 40)
vlan30 and vlan40 - these should only access internet

Any help would be greatly appreciated!

Edit: Figured it out :)
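The rule sets discussed in this thread, evaluated by a small Python model of a stateful forward chain. This is an added example, not anything posted in the thread and not RouterOS code: it reproduces sebastian001's symptom (echo requests pass, replies are dropped), docmarius's fix, and a generalization to eidigii's five-VLAN layout that follows plankanater's advice to accept established/related traffic without a source restriction. The subnets for vlan100/vlan30/vlan40, the interface names vlan100/vlan30/vlan40 and ether1-wan, the all_vlans list and the host addresses are assumptions; the matcher only understands the rule keys used here, and conntrack is simplified to "a flow accepted once is established afterwards".

```python
"""Toy model of a RouterOS forward chain with connection tracking (added
example, not RouterOS code). Rules use the thread's own 'add ...' syntax."""
import ipaddress
import shlex

# Constructed address lists: vlan10/vlan20 are sebastian001's subnets; the rest
# are assumed subnets for eidigii's five-VLAN layout.
ADDRESS_LISTS = {
    "vlan10": ["172.16.100.0/24"], "vlan20": ["10.0.200.0/24"],
    "vlan100": ["10.0.100.0/24"], "vlan30": ["10.0.30.0/24"], "vlan40": ["10.0.40.0/24"],
}
ADDRESS_LISTS["all_vlans"] = [n for nets in ADDRESS_LISTS.values() for n in nets]
# Which interface each subnet sits behind (interf_vlan10/20 from the thread, rest assumed).
IFACES = {"172.16.100.0/24": "interf_vlan10", "10.0.200.0/24": "interf_vlan20",
          "10.0.100.0/24": "vlan100", "10.0.30.0/24": "vlan30", "10.0.40.0/24": "vlan40"}

def in_list(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in ADDRESS_LISTS[name])

def iface_for(addr):
    """Interface used by packets to/from addr; anything unknown is the assumed WAN side."""
    ip = ipaddress.ip_address(addr)
    for net, iface in IFACES.items():
        if ip in ipaddress.ip_network(net):
            return iface
    return "ether1-wan"

def parse_rule(line):
    rule = {"action": "accept"}            # RouterOS: a rule without action= accepts
    for tok in shlex.split(line)[1:]:      # skip the leading 'add'
        key, val = tok.split("=", 1)
        rule[key] = val
    return rule

class ForwardChain:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules if r.startswith("add ")]
        self.conntrack = set()             # accepted flows as unordered endpoint pairs

    def _matches(self, rule, src, dst, state):
        checks = [("connection-state", lambda v: state in v.split(",")),
                  ("src-address-list", lambda v: in_list(src, v)),
                  ("dst-address-list", lambda v: in_list(dst, v)),
                  ("in-interface", lambda v: iface_for(src) == v),
                  ("out-interface", lambda v: iface_for(dst) == v)]
        return all(test(rule[k]) for k, test in checks if k in rule)

    def forward(self, src, dst):
        """Verdict for one packet src->dst; first matching rule wins, no match accepts."""
        state = "established" if frozenset((src, dst)) in self.conntrack else "new"
        verdict = "accept"
        for rule in self.rules:
            if rule.get("chain") == "forward" and self._matches(rule, src, dst, state):
                verdict = rule["action"]
                break
        if verdict == "accept":            # dropped packets never create a tracked flow
            self.conntrack.add(frozenset((src, dst)))
        return verdict

    def ping(self, src, dst):
        """(request verdict, reply verdict); the reply only exists if the request passed."""
        req = self.forward(src, dst)
        return (req, self.forward(dst, src) if req == "accept" else None)

# sebastian001's first attempt: replies come from vlan20, so rule 2 never matches
# them and they fall through to the interface-based drop.
BROKEN = """add chain=forward connection-state=new src-address-list=vlan10
add chain=forward connection-state=established,related src-address-list=vlan10
add action=drop chain=forward in-interface=interf_vlan20 out-interface=interf_vlan10""".splitlines()
# docmarius's correction: everything from vlan10, plus replies from vlan20.
FIXED = """add chain=forward src-address-list=vlan10
add chain=forward connection-state=established,related src-address-list=vlan20
add action=drop chain=forward in-interface=interf_vlan20 out-interface=interf_vlan10""".splitlines()
# Assumed rule set for eidigii's layout: established/related first with no source
# restriction, then the permitted directions, then drop all remaining inter-VLAN traffic
# (Internet-bound traffic matches nothing and is accepted by default).
FIVE_VLANS = """add chain=forward connection-state=established,related
add chain=forward src-address-list=vlan100
add chain=forward src-address-list=vlan10 dst-address-list=vlan100
add chain=forward src-address-list=vlan20 dst-address-list=vlan100
add action=drop chain=forward src-address-list=all_vlans dst-address-list=all_vlans""".splitlines()

def demo():
    h10, h20, h100, h30, inet = "172.16.100.5", "10.0.200.5", "10.0.100.5", "10.0.30.5", "203.0.113.9"
    return {"broken vlan10->vlan20": ForwardChain(BROKEN).ping(h10, h20),
            "fixed vlan10->vlan20": ForwardChain(FIXED).ping(h10, h20),
            "fixed vlan20->vlan10": ForwardChain(FIXED).ping(h20, h10),
            "five vlan10->vlan100": ForwardChain(FIVE_VLANS).ping(h10, h100),
            "five vlan30->vlan100": ForwardChain(FIVE_VLANS).ping(h30, h100),
            "five vlan100->vlan30": ForwardChain(FIVE_VLANS).ping(h100, h30),
            "five vlan30->internet": ForwardChain(FIVE_VLANS).ping(h30, inet)}

if __name__ == "__main__":
    for name, (req, rep) in demo().items():
        print(f"{name:24} request={req} reply={rep}")
```

The model makes the ordering point visible: a drop rule that is reached before any established/related accept silently kills the return half of every flow it matches, which is why the global established/related accept belongs at the top of the chain and the inter-VLAN drop at the bottom.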
 
pratamaputra87
just joined
Posts: 1
Joined: Wed Sep 28, 2016 10:21 am

Re: How to block traffic between vlans?

Wed Sep 28, 2016 10:39 am

Hi All,
I'm a newbie in networking, yet I'm handling MikroTik now.

I have a similar problem here.

I have 2 networks connected to ether1 and ether2.
I need the network on ether1 to be able to connect to the internet, but not to the network on ether2.
The network on ether2 can connect to the internet and also to network 1.

Edit:
Solved by trying the method above, but only using interfaces:
add chain=forward in-interface=eth2
add chain=forward connection-state=established,related in-interface=eth1
add action=drop chain=forward in-interface=eth1 out-interface=eth2
 
carfog81
just joined
Posts: 1
Joined: Thu Nov 03, 2016 11:57 pm

Re: How to block traffic between vlans?

Fri Nov 04, 2016 12:03 am

In the same way as sebastian001: how can I give users in vlan 20 access to a printer in vlan 10?
 
edwinoliva
just joined
Posts: 1
Joined: Tue Dec 13, 2016 9:59 pm

Re: How to block traffic between vlans?

Tue Dec 13, 2016 10:07 pm

Hello everyone, I have tried all the methods here. It works on an RB751 (mipsbe), but when I tried to block on an RB3011 (ARM) these rules block ICMP, yet access to, for example, a web page on the other side can still be viewed. What could be the issue?

I already made a RouterOS upgrade to 6.37.3 and also a firmware upgrade to 3.35. Any help would be nice!

Thanks!
 
ovidiu
just joined
Posts: 11
Joined: Sun Jan 15, 2017 9:28 am

Re: How to block traffic between vlans?

Sat Feb 03, 2018 1:55 pm

My vlan2 is for wifi guests. But they should be able to see the public NATed ports, so I blocked routing but allowed NAT between the 2 networks:
add chain=forward action=drop comment="Block guest to LAN" connection-nat-state=!srcnat,dstnat dst-address=192.168.0.0/24 src-address=10.1.102.0/24
 
Mozah
just joined
Posts: 2
Joined: Tue Apr 11, 2017 4:18 pm

Re: How to block traffic between vlans?

Thu Aug 30, 2018 12:23 pm

I think that should be

add chain=forward src-address-list=vlan10 <-- here you need all, not only new connections
add chain=forward connection-state=established,related src-address-list=vlan20
add action=drop chain=forward in-interface=interf_vlan20 out-interface=interf_vlan10
Hi,

I have a MikroTik RB951 as gateway router and DHCP server, then a trunk to a Catalyst 2960 series switch with 6 VLANs (100-600); the servers are in VLAN 100. I have followed what docmarius wrote and added something like the rule here in red: "add action=accept chain=forward comment=2>1 dst-address-list=100 src-address-list=200" (I added a destination address since it was not working with the source address only). I have managed to filter traffic between VLANs: all the VLANs are able to reach VLAN 100 and access the internet, but they are unable to see each other, as per my expectations.

Please see below configs and advise if there is any redundancy :) :) .

/ip firewall address-list
add address=10.5.51.0/24 list=100
add address=10.5.53.0/24 list=300
add address=10.5.54.0/24 list=400
add address=10.5.55.0/24 list=500
add address=10.5.52.0/24 list=200
add address=10.5.56.0/24 list=600

/ip firewall filter
add action=accept chain=forward comment="Accept traffic from VLAN subnets to WAN" out-interface=ether4-Gateway
add action=accept chain=forward comment=2>1 dst-address-list=100 src-address-list=200
add action=accept chain=forward comment=2<>1 connection-state=established,related src-address-list=100
add action=accept chain=forward comment=3>1 dst-address-list=100 src-address-list=300
add action=accept chain=forward comment=3<>1 connection-state=established,related src-address-list=100
add action=accept chain=forward comment=4>1 dst-address-list=100 src-address-list=400
add action=accept chain=forward comment=4<>1 connection-state=established,related src-address-list=100
add action=accept chain=forward comment=5>1 dst-address-list=100 src-address-list=500
add action=accept chain=forward comment=5<>1 connection-state=established,related src-address-list=100
add action=accept chain=forward comment=6>1 dst-address-list=100 src-address-list=600
add action=accept chain=forward comment=6<>1 connection-state=established,related src-address-list=100
add action=drop chain=forward dst-address=10.5.54.0/24 src-address=10.5.52.0/24
add action=reject chain=forward comment="Block Communication between all VLAN subnets" reject-with=icmp-net-prohibited src-address=10.5.52.1-10.5.255.255
 
mkx
Forum Guru
Posts: 3180
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to block traffic between vlans?

Thu Aug 30, 2018 3:30 pm

You have 6 identical rules for accepting established and related traffic with src-address-list=100 ... only the comments are different. All but the first one (with comment 2<>1) won't receive any hits.

Rule add action=drop chain=forward dst-address=10.5.54.0/24 src-address=10.5.52.0/24 allows connections from VLAN200 to VLAN400 (but is formulated differently than the rest of rules allowing access to VLAN100 from all other VLANs, those rules use address lists), but you don't have similar rule to allow responses. Either remove this rule or create another rule that accepts established and related from VLAN200 to VLAN400.
BR,
Metod
 
jackmo12
just joined
Posts: 2
Joined: Mon Aug 27, 2018 1:46 am

Re: How to block traffic between vlans?

Thu Aug 30, 2018 4:20 pm

I have written something like this:
/ip firewall address-list
add address=172.16.100.0/24 list=vlan10
add address=10.0.200.0/24 list=vlan20

/ip firewall filter
add chain=forward connection-state=new src-address-list=vlan10
add chain=forward connection-state=established,related src-address-list=vlan10
add action=drop chain=forward in-interface=interf_vlan20 out-interface=interf_vlan10
but it blocks all the traffic between them. When I send ICMP packets they get the message but can't reply to each other. Did I mess up or something?
thank you my friend, that's cool
