az1984
newbie
Topic Author
Posts: 28
Joined: Thu Sep 14, 2017 3:58 pm
Location: Germany

Comfortable way to block inter-vlan traffic?

Wed Mar 14, 2018 4:41 pm

Hello,

I'm searching for a comfortable way to block traffic between VLANs on a MikroTik router.

For example I have a CCR1009 with the SFP+ port as VLAN-trunk with VLAN IDs 10, 20 and 100. The only way I found in the forums was to make individual firewall rules for each VLAN and each direction. So in this case I would need six rules:

block 10 -> 20
block 10 -> 100
block 20 -> 10
block 20 -> 100
block 100 -> 10
block 100 -> 20

Now, for a few VLANs this might be an option, but as more and more VLANs join this trunk, it would become rather uncomfortable (for 4 VLANs I would need 12 rules, for 5 VLANs there will be 20 rules and so on...).

So, is there a nicer way to do this - especially if there will be more new VLANs in time?
 
che
Frequent Visitor
Posts: 94
Joined: Fri Oct 07, 2005 1:04 pm

Re: Comfortable way to block inter-vlan traffic?

Wed Mar 14, 2018 5:05 pm

The only scalable way is using one firewall rule with either interface list (layer 2) or address list (layer 3).

Create an interface (or address) list and add a firewall rule that states that the in (source) interface (address) list can't talk to the same out (destination) interface (address) list. You only need to update the interface (address) list when adding a new VLAN (subnet).
 
Sob
Forum Guru
Posts: 5114
Joined: Mon Apr 20, 2009 9:11 pm

Re: Comfortable way to block inter-vlan traffic?

Wed Mar 14, 2018 5:09 pm

I didn't test it, but rule with both in-interface=all-vlan and out-interface=all-vlan looks promising.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
az1984
newbie
Topic Author
Posts: 28
Joined: Thu Sep 14, 2017 3:58 pm
Location: Germany

Re: Comfortable way to block inter-vlan traffic?

Thu Mar 15, 2018 4:34 pm

I didn't test it, but rule with both in-interface=all-vlan and out-interface=all-vlan looks promising.
I will try this in lab and see what will happen.
 
anav
Forum Guru
Posts: 3209
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Comfortable way to block inter-vlan traffic?

Thu Mar 15, 2018 4:53 pm

What is more efficient and uses less CPU cycles, doing it by Interface List or by Address List?

https://www.manitonetworks.com/mikrotik ... face-lists

This seems to be somewhat applicable to what is being discussed here so I will give it a shot!

For example.......... three different types of interfaces on your network and we are keying in on the VLAN networks.
/interface list add name="UntrustedVLANs" comment="Untrusted InterVLAN traffic"
/interface list add name="Trusted" comment="Trusted networks"
/interface list add name="Guest Wireless" comment="Guest Wireless"

identify all the vlans..........
/interface list member add list=UntrustedVLANs interface=vlan10 comment="nameofnetwork10"
/interface list member add list=UntrustedVLANs interface=vlan20 comment="nameofnetwork20"
TO
/interface list member add list=UntrustedVLANs interface=vlan100 comment="name of network100"

The following single rule would apply.........
/ip firewall filter add chain=forward in-interface-list=UntrustedVLANs out-interface-list=UntrustedVLANs action=drop comment="Block InterVLAN traffic"
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
az1984
newbie
Topic Author
Posts: 28
Joined: Thu Sep 14, 2017 3:58 pm
Location: Germany

Re: Comfortable way to block inter-vlan traffic?

Fri Mar 16, 2018 8:09 am

This looks like an elegant way of blocking inter-VLAN traffic too.

I will also try this, but I'm also interested in whether this "all-VLANs" option will do the same.

I think I don't have to take care of CPU utilization that much, because the 1009's CPU will sleep most of its life in my scenario ;-)
 
az1984
newbie
Topic Author
Posts: 28
Joined: Thu Sep 14, 2017 3:58 pm
Location: Germany

Re: Comfortable way to block inter-vlan traffic?

Fri Mar 16, 2018 12:55 pm

So I just did a quick lab-test with this scenario:

One CCR1009 with VLANs 10, 20, 30 and 100, DHCP server on every VLAN interface. With an old HP switch I distributed these VLANs to connect some devices in several VLANs.

First I tried the method described by anav and che:

I created an interface-list with all the VLANs inside and made the following filter-rule:

add action=drop chain=forward in-interface-list=seperateVLANs out-interface-list=seperateVLANs comment="drop all inter-VLAN traffic"

This works! Unless I'm in VLAN10, I can't ping any devices within this VLAN.


Second, I tried the method described by Sob:

add action=drop chain=forward comment="drop all inter-VLAN traffic" in-interface=all-vlan out-interface=all-vlan

This also works! Same behaviour as with the first method. To allow traffic between some VLANs, I just had to create a suitable filter-rule for that.
Example:
add action=accept chain=forward in-interface=intVLAN30 out-interface=intVLAN10
add action=accept chain=forward in-interface=intVLAN10 out-interface=intVLAN30


Unless there are any disadvantages (...which I will only find out in a working environment) I would prefer the second method, as it is very quick and simple. I also think it is a bit clearer, as you only have to take care of the filter rules when controlling inter-VLAN traffic and don't have to take care of interface or address lists.
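As an added example (not any poster's configuration), here is the interface-list variant from this thread written out in full, including the ordering detail the accept rules above rely on: an exception only works if it sits above the drop rule, since filter rules are evaluated top-down and the first match wins. It assumes the VLAN interfaces intVLAN10, intVLAN20, intVLAN30 and intVLAN100 already exist.

```routeros
# Added example, not from the thread. Assumes intVLAN10/20/30/100 already exist.

# One list holds every VLAN that must be isolated; a new VLAN only needs one member entry.
/interface list add name=seperateVLANs comment="VLANs that may not talk to each other"
/interface list member add list=seperateVLANs interface=intVLAN10
/interface list member add list=seperateVLANs interface=intVLAN20
/interface list member add list=seperateVLANs interface=intVLAN30
/interface list member add list=seperateVLANs interface=intVLAN100

# Accept return traffic of flows that were already permitted, so an exception
# only has to cover the direction in which connections are opened.
/ip firewall filter add chain=forward action=accept \
    connection-state=established,related comment="allow return traffic"

# The single scalable drop: anything from a listed VLAN towards any listed VLAN.
/ip firewall filter add chain=forward action=drop \
    in-interface-list=seperateVLANs out-interface-list=seperateVLANs \
    comment="drop all inter-VLAN traffic"

# Exception: VLAN30 may open connections to VLAN10. place-before puts it ABOVE the
# drop rule; appended after the drop it would never be reached.
/ip firewall filter add chain=forward action=accept \
    in-interface=intVLAN30 out-interface=intVLAN10 \
    place-before=[find comment="drop all inter-VLAN traffic"] \
    comment="allow VLAN30 -> VLAN10"

# Check the resulting order and watch the packet counters while testing from a client.
/ip firewall filter print stats where chain=forward
```

With this layout, adding VLAN 40 later is a single `/interface list member add` line; the drop rule itself never changes.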
 
anav
Forum Guru
Posts: 3209
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Comfortable way to block inter-vlan traffic?

Fri Mar 16, 2018 8:05 pm

Hi AZ, Sob wins again LOL.
No worries, my concern was primarily which was more efficient
interface list layer2 or
address list layer3
and hopefully SOB will tell me and why.

I initially thought SOBs method was using address lists but upon closer inspection and reading your last post I realized SOB was advising a completely different approach that I do not understand.

What the heck is all-vlan? Is this a special function or pull down menu selection that already exists? Where is it found and what is its purpose? (I had assumed all-VLAN was simply a name given to an address list of all the vlan).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Posts: 5114
Joined: Mon Apr 20, 2009 9:11 pm

Re: Comfortable way to block inter-vlan traffic?

Fri Mar 16, 2018 8:22 pm

I wanted to point you to the manual, as a wonderful resource, but it doesn't seem to be documented there (except being mentioned in some RouterOS v6 announcement). But you can see it in WinBox (all-ether, all-wireless, all-vlan, all-ppp) and the names sound pretty self-explanatory.

Edit: And regarding your question about effectiveness, an interface list is for interfaces and an address list for IP addresses, two different things. There may be some overlap in specific cases where you could use both. But what's better depends on exact details, and for just a few items there's probably hardly any measurable difference.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
az1984
newbie
Topic Author
Posts: 28
Joined: Thu Sep 14, 2017 3:58 pm
Location: Germany

Re: Comfortable way to block inter-vlan traffic?

Mon Mar 19, 2018 9:00 am

What the heck is all-vlan? Is this a special function or pull down menu selection that already exists? Where is it found and what is its purpose? (I had assumed all-VLAN was simply a name given to an address list of all the vlan).
I think this option will handle all existing VLAN interfaces in a way. I also searched for documentation but didn't find anything.

I also think it's a matter of what you want to achieve, whether you are using interface lists or address lists... it depends on your scenario.
If it is enough just to work with your VLAN interfaces, then an interface list will be sufficient. For this case the "all-vlan" option will do nearly the same.

But maybe you want to filter traffic in more detail (for example you just want to block a small IP range of a VLAN) - then an address list will be needed.
 
pe1chl
Forum Guru
Posts: 6226
Joined: Mon Jun 08, 2015 12:09 pm

Re: Comfortable way to block inter-vlan traffic?

Mon Mar 19, 2018 10:45 am

What the heck is all-vlan? Is this a special function or pull down menu selection that already exists? Where is it found and what is its purpose? (I had assumed all-VLAN was simply a name given to an address list of all the vlan).
all-vlan is a special interface name that was already there before the "interface list" feature appeared.
So you select it in in-interface rather than in-interface-list.

This special interface should probably be migrated to a special interface list in RouterOS, similar to the "all", "none" and "dynamic" special lists.
"all ethernet", "all ppp", "all vlan" and "all wireless" are in this same category.
Making them a special interface list would be clearer, now that is possible.
