Hi guys

I have a site with quite a few Vlans set up and I only just realised that I can ping IP's across different Vlans. I'd like to block and traffic between all vlans like what OP wanted here: https://superuser.com/questions/1021136 ... tik-router

There are 32 Vlans though, will I have to make 32 rules for each Vlan? 1024 firewall rules? That doesn't sound right.

Maybe a rule to drop all packets not destined to their own default gateway?

Maybe a magical button that will just make everything ok?!

Thought I'd consult you guys first before messing around.

Thanks

Pretty sure you could just do this

Hi,

in case you have configured the VLANs as VLAN interfaces on a RouterBoard, just add the VLAN interfaces in a interface list and create a block rule in forward chain with this interface list as source and destination.

Edit: I just saw the answer posted before mine. This is the simplest solution, but with interface lists you're a little more flexible. Apart from that, the solution provided is fine.

Regards,
Ape

Pretty sure you could just do this

Code: Select all

ip firewall filter add in-interface=all-vlan out-interface=all-vlan action=drop

Wouldn't that block a vlan from itself though?

I was thinking one of these for each VLAN:

chain=forward action=drop in-interface=Data VLAN out-interface-list=!WANs log=no log-prefix=""

It's blocking interVLAN pings on my office network. Can anyone think of any issues this would bring up before I roll it out?

Actually you guys are right. allvlans as the in and out interface seems to work. Thanks a lot guys.