Community discussions

MUM Europe 2020
 
n4p
Member Candidate
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

VLAN Firewall

Mon Jul 24, 2017 5:58 pm

Hi,
Ive a RB2011 running, there i have connectet 3 subnets without vlan. So i use the RB2011 to bridge the 3 subnets (connectet on port 7 till 9) to Port 6 with a VLAN Tag.
On Port 6 my esxi server is connected.
Till now everything works fine.

But what i wanna do now is, to install a firewall between those bridges. So can anybody tell me how i can do that? I already tried with ip firewall filter, but there i doesn't see any connection going trough the router??

If i use the way that i setup the firewall directly on the bridge it seems to work, but there i can enter any port/protocoll which i wanna filter.

So how is the correct way to do that?

Thanks for help!
Last edited by n4p on Mon Jul 24, 2017 5:58 pm, edited 1 time in total.
 
idlemind
Forum Guru
Forum Guru
Posts: 1108
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: VLAN Firewall

Mon Jul 24, 2017 8:57 pm

I'd have to see your exact configurations but the bridge interface can be toggled to support /ip firewall. There is a setting "use-ip-firewall" for this purpose.

Have a read of the relavent wiki page: /interface bridge wiki
 
n4p
Member Candidate
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: VLAN Firewall

Wed Jul 26, 2017 11:06 am

Thanks for your answer,
now i see the connection on the connection list. The firewall rules works, but i got troubels with limitating the ports.
Especually i try to limt the port that only port 80 is allowed it fails.

Here the logs with only tcp allowed any port:
20:51:12 firewall,info forward: in:bridge-vlan800(eth6-vlan800) out:bridge-vlan800(ether8), src-mac 00:0c:29:1c:4c:71, proto TCP (SYN), 172.19.102.253:49889->172.19.102.2:80, len 52 
20:51:12 firewall,info forward: in:bridge-vlan800(ether8) out:bridge-vlan800(eth6-vlan800), src-mac 00:90:e8:1d:68:2e, proto TCP (SYN,ACK), 172.19.102.2:80->172.19.102.253:49889, len 48 
20:51:12 firewall,info forward: in:bridge-vlan800(eth6-vlan800) out:bridge-vlan800(ether8), src-mac 00:0c:29:1c:4c:71, proto TCP (ACK), 172.19.102.253:49889->172.19.102.2:80, len 40
if i select only port 80 as destination port this happens and it doesn't work:
20:54:08 firewall,info forward: in:bridge-vlan800(eth6-vlan800) out:bridge-vlan800(ether8), src-mac 00:0c:29:1c:4c:71, proto TCP (SYN), 172.19.102.253:49892->172.19.102.2:80, len 52 
20:54:11 firewall,info forward: in:bridge-vlan800(eth6-vlan800) out:bridge-vlan800(ether8), src-mac 00:0c:29:1c:4c:71, proto TCP (SYN), 172.19.102.253:49892->172.19.102.2:80, len 52 
20:54:17 firewall,info forward: in:bridge-vlan800(eth6-vlan800) out:bridge-vlan800(ether8), src-mac 00:0c:29:1c:4c:71, proto TCP (SYN), 172.19.102.253:49892->172.19.102.2:80, len 48
Any idea how to fix that?
 
n4p
Member Candidate
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: VLAN Firewall

Thu Jul 27, 2017 1:36 pm

Bump

Gesendet von meinem HUAWEI GRA-L09 mit Tapatalk
 
User avatar
cdiedrich
Forum Veteran
Forum Veteran
Posts: 929
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany
Contact:

Re: VLAN Firewall

Thu Jul 27, 2017 2:09 pm

As idlemind said - post your exact configuration (/export compact) and we can help you.
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
n4p
Member Candidate
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: VLAN Firewall

Thu Jul 27, 2017 5:18 pm

Here you are
[admin@MikroTik] > /export compact
# jan/12/1970 03:05:01 by RouterOS 6.39.2
# software id = DIJI-TXA7
#
/interface bridge
add name=bridge-vlan200
add name=bridge-vlan300
add name=bridge-vlan400
add name=bridge-vlan500
add name=bridge-vlan600
add name=bridge-vlan700
add name=bridge-vlan800
/interface ethernet
set [ find default-name=ether10 ] name=ServicePort poe-out=off
/interface vlan
add interface=ether6 name=eth6-vlan300 vlan-id=300
add interface=ether6 name=eth6-vlan700 vlan-id=700
add interface=ether6 name=eth6-vlan800 vlan-id=800
add interface=sfp1 name=sfp1-vlan200 vlan-id=200
add interface=sfp1 name=sfp1-vlan300 vlan-id=300
add interface=sfp1 name=sfp1-vlan400 vlan-id=400
add interface=sfp1 name=sfp1-vlan500 vlan-id=500
add interface=sfp1 name=sfp1-vlan600 vlan-id=600
/ip pool
add name=pool1 ranges=192.168.88.2-192.168.88.5
add name=dhcp ranges=192.168.88.2-192.168.88.6
/ip dhcp-server
add address-pool=pool1 authoritative=after-2sec-delay disabled=no interface=\
    ServicePort name=server1
/interface bridge port
add bridge=bridge-vlan200 interface=sfp1-vlan200
add bridge=bridge-vlan200 interface=ether1
add bridge=bridge-vlan300 interface=sfp1-vlan300
add bridge=bridge-vlan300 interface=ether2
add bridge=bridge-vlan400 interface=sfp1-vlan400
add bridge=bridge-vlan400 interface=ether3
add bridge=bridge-vlan500 interface=sfp1-vlan500
add bridge=bridge-vlan500 interface=ether4
add bridge=bridge-vlan600 interface=sfp1-vlan600
add bridge=bridge-vlan600 interface=ether5
add bridge=bridge-vlan700 interface=eth6-vlan700
add bridge=bridge-vlan700 interface=ether7
add bridge=bridge-vlan800 interface=eth6-vlan800
add bridge=bridge-vlan800 interface=ether8
add bridge=bridge-vlan300 interface=eth6-vlan300
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip address
add address=192.168.88.1/29 interface=ServicePort network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.0.0.0/8 gateway=192.168.88.1 netmask=8
add address=192.168.88.0/29 gateway=192.168.88.1
/ip firewall filter
add action=accept chain=input in-interface=ServicePort
add action=accept chain=forward comment="PING VLAN300 WINCC" in-interface=\
    bridge-vlan300 protocol=icmp
add action=accept chain=forward comment="HTTPS VLAN300 WINCC" in-interface=\
    bridge-vlan300 protocol=tcp
add action=accept chain=forward comment="PING VLAN800 LWL" out-interface=\
    bridge-vlan800 protocol=icmp
add action=accept chain=forward comment="HTTP VLAN800 LWL" dst-port=80 \
    in-interface=bridge-vlan800 log=yes protocol=tcp tcp-flags=fin,syn,ack
add action=accept chain=forward comment="HTTP VLAN800 LWL" disabled=yes \
    dst-port="" log=yes out-interface=bridge-vlan800 protocol=tcp
add action=drop chain=forward
add action=drop chain=input
But be carefully, i disabled the configuration that bridge traffic goes trough ip-firewall, because i need this system working.
The problem what i have is posted above, so i can't understand what this export should help.
I need to get port-based ip-firewall working

Thanks for help!
 
User avatar
cdiedrich
Forum Veteran
Forum Veteran
Posts: 929
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany
Contact:

Re: VLAN Firewall

Thu Jul 27, 2017 5:26 pm

Umm...
I don't see any IP addresses on your vlan bridges.
So your router is basically just used as a switch. Is that correct? Your router is not the router for the vlans?
Additionally, I don't see any of your bridge filters - this is rather important to help you.

Edit:
Another point: the "Use IP Firewall for VLAN" setting is not the setting you are looking for in your scenario.
This counts for bridges carrying vlans. You have per-vlan-bridges, so you should just enable "Use IP Firewall"

-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
n4p
Member Candidate
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: VLAN Firewall

Thu Jul 27, 2017 8:41 pm

Hello,
no this router just have to add to different subnets a vlan tag. Port 1-5 terminates on a second rb2011 also on Port1-5 and those are connected through sfp.

The importent thing from me starts now on port 6 until 8.

I connect 2 subnets one on port 7 and one on port 8. The Router should add the VLAN Tag for me and give those tagged out on Port 6.
Thats what he should do and are currently working.

Days before i tried to add there a ip-filtering, you see it above. But because this is a sensitive system i set the config back to the working default.

So my problme is, that the ip-firewall for the bridge doesn't work correctly. So if i setup a forward rule with outgoing the bridge-vlan800 and allow only tcp, this works fine. But instead i add the port 80 so that i can only arrive http it stop working. Thats already descriped in and older post from me, there you can see the firewall logs.
 
User avatar
cdiedrich
Forum Veteran
Forum Veteran
Posts: 929
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany
Contact:

Re: VLAN Firewall

Thu Jul 27, 2017 8:47 pm

So let me conclude: that router is nothing more than a switch.
Put regular IP firewall rules on the router of those vlans - I presume it's the other 2011 you mentioned.
When you have administrative access to this, there's absolutely no reason to fiddle around with CPU-intensive workarounds on a router that is degraded to a switch.

And again: post your config and we can help.
Now the one of the other 2011.
Every description of a config leaves room for interpretation. A config doesn't.
And we need the whole picture of your config, not just the parts you describe.

Respectfully,
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
n4p
Member Candidate
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: VLAN Firewall

Thu Jul 27, 2017 10:54 pm

I think you didn't understand what i wanna do? I already posted the configuration where i had to Start. The second RB2011 has nothing to do with this szenario.

I simply wanna add Firewall rules die those bridges vlan 700 and 800.
 
User avatar
cdiedrich
Forum Veteran
Forum Veteran
Posts: 929
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany
Contact:

Re: VLAN Firewall

Fri Jul 28, 2017 12:09 am

I precisely got what you want to do. And I asked for the config of the other router involved - because this one is the place to filter.
I just wanted to kindly point out that you are trying to achive something in the wrong place.
I am dealing with issues like this on a daily basis - averaging at 10 hours a day. Be more cooperative and people will help you.

k/r
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
n4p
Member Candidate
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: VLAN Firewall

Fri Jul 28, 2017 11:11 am

I am cooperative, but it seems you won't understood that the second router had nothing to do with the setup which i need on this router.
But if it easyier for you let's start from new.

I take a another RB2011 and wanna make this setup only on this standalone router. Is that ok for you? I would think the networks how are connected to port 8 and port 9 doesn't make sense for the config or?

Here is a shema of the setup what i wanna do and instead is working:
Image

But i wanna stop that the esxi hosts can access every port on the untagged lans, so i think i need there a firewall or?
 
User avatar
cdiedrich
Forum Veteran
Forum Veteran
Posts: 929
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany
Contact:

Re: VLAN Firewall

Fri Jul 28, 2017 11:59 am

Now we're getting closer.
I still absolutely understand what you're trying to achieve and still can't understand why you insist on doing it that way.
But it's not on me to judge about that.

Would you please be so kind and post your bridge filter rules that don't work?

-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
n4p
Member Candidate
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: VLAN Firewall

Fri Jul 28, 2017 12:07 pm

Just for you to help you understand what i wanna do. Outside this ESX Cluster is unsecure Network. I mean the both subnets.
The traffic amount from the esx cluster out to those subnets are minimal. I speak in kb size.
So i thougt the right way would be ip-firewall.
But if you have another solution i am ready to learn new ways :)

So what i already tried out is to enable in the bridges ip-firewall. Then i saw first time the connections going trough the router in /ip firewall connections.
And in /ip firewall filter i tried to setup those rules.

But there it stop working. I can setup a forward icmp rule with outgoing interface the bridge-vlan600 and it works. Same with tcp, but if i enter a dst.Port especually port 80 it stops working.

Thanks for your help!
 
User avatar
cdiedrich
Forum Veteran
Forum Veteran
Posts: 929
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany
Contact:

Re: VLAN Firewall

Fri Jul 28, 2017 12:12 pm

I guess I finally got you now - you want to filter within the vlans, right?
Sorry that I missed that one.
So, please post your filter rules which didn't work and we can figure it out.
Bridge filter might do the trick better.
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
n4p
Member Candidate
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: VLAN Firewall

Fri Jul 28, 2017 12:27 pm

Yes, you are right, i wanna filter inside the VLAN. Or especually on the untagged out port. Doesn't know whats better.
I already tried the way with the bridge firewall, but there i didn't found anywhere the config for dest.port or something.

Just for understanding, in the esx system there are windows machines running with 2 network cards and those cards access the two subnets. But i wanna secure the host, that only defined ports can be opened inbound and outbound.

I will add the rules on monday, hope thats ok for you, currently i have no access on the router.
 
User avatar
cdiedrich
Forum Veteran
Forum Veteran
Posts: 929
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany
Contact:

Re: VLAN Firewall

Fri Jul 28, 2017 12:29 pm

Totally OK.
To use IP addresses and ports in bridge filter, make sure you selected MAC protocol 800 (ip), you won't have an option to use IP addresses without.
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
n4p
Member Candidate
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: VLAN Firewall

Mon Jul 31, 2017 2:34 pm

So,
here we are. I already try something, but it happens the same as with the ip-firewall. If i select Port/Protokoll it stops working.

Current bridge filter looks like this:
add action=accept chain=forward comment="HTTP allow" \
    dst-address=172.19.102.0/24 dst-port=80 in-interface=ether8 ip-protocol=tcp \
    mac-protocol=ip packet-mark=""
add action=accept chain=forward comment="Ping allow" \
    dst-address=172.19.102.0/24 in-interface=ether8 ip-protocol=icmp \
    mac-protocol=ip
add action=drop chain=forward comment="Drop" \
    dst-address=172.19.102.0/24 in-interface=ether8 log=yes mac-protocol=ip 
what i wanna do is to allow only ping and tcp/80 trough this bridge. Concretly the esxi should only ping engine in this subnet and arrive them on port 80.
 
User avatar
cdiedrich
Forum Veteran
Forum Veteran
Posts: 929
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany
Contact:

Re: VLAN Firewall

Mon Jul 31, 2017 2:39 pm

Doesn't look too bad on first sight.
But I would be more specific in the filter definitions (for reducing CPU load on the one hand, to bavoid strange behavior (as you are experiencing) on the other):
specify the bridge that filter is intended for.
Specify src-addresses (for the ESXi host/vms).

Are you sure you want to complete disallow DNS servie as I don't see a rule allowing udp/53?

-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
n4p
Member Candidate
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: VLAN Firewall

Mon Jul 31, 2017 2:59 pm

Yes thats right, i doesn't need dns or something like that.
Do you mean i need to specify the source and the destination address? Please remember, those are the same subnet.
The ping rule and the drop rule works as espected. The problems are only with the tcp :(

Looks like the ack,syn packets are getting dropped. Can this be the problem?
 
n4p
Member Candidate
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: VLAN Firewall

Tue Aug 01, 2017 4:36 pm

The Problem now looks the same as descriped in post 3 with ip-firewall in use.
So what can be the problem here?

Does i need different ip-adresses on one side to get it working?

Or does the router didn't support that what i wanna do?
 
User avatar
cdiedrich
Forum Veteran
Forum Veteran
Posts: 929
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany
Contact:

Re: VLAN Firewall

Tue Aug 01, 2017 7:12 pm

Ah... I guess now I see...
Just a guess but worth a shot:
This would filter replies as well because the replies go to a different dst-port.
Try adding an accept rule for src-port=80 as well.

Or, when going via IP firewall, accept all established and related connections and add 'new' for dst-port 80.

-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
n4p
Member Candidate
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: VLAN Firewall

Sun Aug 06, 2017 8:14 pm

Thanks!
Now its working as mentoned!
I will try it out with nmap if it is working correctly :)

But until this,
Thanks Chris!

Who is online

Users browsing this forum: No registered users and 76 guests