palii (Topic Author)

Bridge VLAN filtering and VLAN isolation

Mon Jun 18, 2018 8:23 pm

Hi Guys,

I'm struggling with VLAN filtering and VLAN isolation with the new bridge.

My rb750gr3 config:
  • ether1: pppoe wan port
  • ether2-5 are bridged together
  • ether2-5 are trunk ports that can carry VLANs to the managed switch
  • PVID1 is untagged for bridge, ether2-5
  • all other vlan ids are tagged for bridge, ether2-5
  • vlan filtering is switched on

My question is:
  • Shouldn't this setup isolate VLANs automatically without any firewall rules?
  • My understanding is that VLAN filtering keeps VLAN tags intact.
  • Currently I can ping devices in other VLANs.
___________________________________________________________________

My config:
/interface bridge
add admin-mac=*:*:*:*:*:* auto-mac=no name=bridge vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=*********** service-name=**** use-peer-dns=yes user=***********
/interface vlan
add interface=bridge name=VLAN110 vlan-id=110
add interface=bridge name=VLAN111 vlan-id=111
add interface=bridge name=VLAN112 vlan-id=112
add interface=bridge name=VLAN113 vlan-id=113
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=pool-root ranges=10.1.7.100-10.1.7.254
add name=pool0-security ranges=10.1.0.100-10.1.0.254
add name=pool1-primary ranges=10.1.1.100-10.1.1.254
add name=pool2-secondary ranges=10.1.2.100-10.1.2.254
add name=pool3-guest ranges=10.1.3.100-10.1.3.254
/ip dhcp-server
add address-pool=pool-root disabled=no interface=bridge name=dhcp
add address-pool=pool0-security disabled=no interface=VLAN110 name=dhcp0
add address-pool=pool1-primary disabled=no interface=VLAN111 name=dhcp1
add address-pool=pool2-secondary disabled=no interface=VLAN112 name=dhcp2
add address-pool=pool3-guest disabled=no interface=VLAN113 name=dhcp3
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/interface bridge vlan
add bridge=bridge comment=Root untagged=bridge,ether2,ether3,ether4,ether5 \
    vlan-ids=1
add bridge=bridge comment=Security tagged=bridge,ether2,ether3,ether4,ether5 \
    vlan-ids=110
add bridge=bridge comment=Primary tagged=bridge,ether2,ether3,ether4,ether5 \
    vlan-ids=111
add bridge=bridge comment=Secondary tagged=bridge,ether2,ether3,ether4,ether5 \
    vlan-ids=112
add bridge=bridge comment=Guest tagged=bridge,ether2,ether3,ether4,ether5 \
    vlan-ids=113
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
add interface=VLAN110 list=LAN
add interface=VLAN111 list=LAN
add interface=VLAN112 list=LAN
add interface=VLAN113 list=LAN
/ip address
add address=10.1.7.1/24 interface=bridge network=10.1.7.0
add address=10.1.0.1/24 interface=VLAN110 network=10.1.0.0
add address=10.1.1.1/24 interface=VLAN111 network=10.1.1.0
add address=10.1.2.1/24 interface=VLAN112 network=10.1.2.0
add address=10.1.3.1/24 interface=VLAN113 network=10.1.3.0
/ip dhcp-server network
add address=10.1.0.0/24 dns-server=10.1.0.1 domain=secure.mynetwork.net gateway=\
    10.1.0.1
add address=10.1.1.0/24 dns-server=10.1.1.1 domain=primary.mynetwork.net gateway=\
    10.1.1.1
add address=10.1.2.0/24 dns-server=10.1.2.1 domain=secondary.mynetwork.net \
    gateway=10.1.2.1
add address=10.1.3.0/24 dns-server=10.1.3.1 domain=guest.mynetwork.net gateway=\
    10.1.3.1
add address=10.1.7.0/24 dns-server=10.1.7.1 domain=mynetwork.net gateway=10.1.7.1 \
    netmask=24
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix="[INVALID]"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix="[INVALID]"
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix="[!NAT]"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
 
anav (Forum Guru, Nova Scotia, Canada)

Re: Bridge VLAN filtering and VLAN isolation

Mon Jun 18, 2018 8:40 pm

My understanding is that a VLAN is a layer 2 construct, whereas the FW rules are needed to prevent the router from routing between the VLANs at layer 3.
However, I could be mistaken, but that is my impression.
 
chechito (Forum Guru, Bogota, Colombia)

Re: Bridge VLAN filtering and VLAN isolation

Mon Jun 18, 2018 8:45 pm

> My understanding is that a VLAN is a layer 2 construct, whereas the FW rules are needed to prevent the router from routing between the VLANs at layer 3.
> However, I could be mistaken, but that is my impression.

I agree.

Also, you can use firewall rules in the bridge by enabling that option in the bridge general settings.
 
palii (Topic Author)

Re: Bridge VLAN filtering and VLAN isolation

Mon Jun 18, 2018 8:59 pm

Alright. Then if I use firewall rules to isolate VLANs, do I need VLAN filtering at all?

All my VLANs pass through one or more trunk port(s) to the managed switch.
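
The two replies above make the point that bridge VLAN filtering and the firewall work at different layers. With vlan-filtering=yes the bridge only decides which tagged or untagged frames each bridge port may carry (layer 2 membership). The router itself has an address on every VLAN interface (10.1.0.1, 10.1.1.1, 10.1.2.1, 10.1.3.1), and the forward chain in the posted export contains no rule between the LAN networks (only the ipsec, fasttrack, established/related, invalid and WAN rules), so it routes between them at layer 3. That is why the ping works. Both parts are needed: VLAN filtering keeps a host on one port from sending or receiving frames of a VLAN that port is not a member of, and the firewall decides which VLAN networks may talk to each other. The posted input chain also ends without a drop rule, so the router's own services answer on pppoe-out1 as well. The following is an added example of the firewall side, not configuration from the original post. It reuses the interface and list names from palii's export (bridge, VLAN110 to VLAN113, WAN, LAN); the interface list named VLAN is an assumption introduced here.

```routeros
# Added example for the thread above, not part of palii's posted export.
# Assumes the names from that export: bridge, VLAN110..VLAN113, WAN, LAN.
# The interface list "VLAN" is new here.

/interface list
add name=VLAN comment="routed VLAN interfaces that must stay isolated"

/interface list member
add interface=VLAN110 list=VLAN
add interface=VLAN111 list=VLAN
add interface=VLAN112 list=VLAN
add interface=VLAN113 list=VLAN
# Uncomment the next line if the untagged Root network (10.1.7.0/24 on the
# bridge interface) must be isolated from the VLANs as well.
# add interface=bridge list=VLAN

/ip firewall filter
# forward: the defconf chain accepts established/related traffic early and has
# no terminal accept, so a NEW connection from one VLAN interface to another
# falls through to this appended rule and is dropped. Internet traffic
# (out-interface-list=WAN) is not matched and keeps working via masquerade.
add chain=forward action=drop connection-state=new in-interface-list=VLAN \
    out-interface-list=VLAN log=yes log-prefix="[INTER-VLAN]" \
    comment="drop new inter-VLAN connections"

# input: allow only what VLAN clients need from the router (DNS, DHCP) and
# management from the Root network, then drop the rest, including anything
# arriving on pppoe-out1.
add chain=input action=accept in-interface-list=VLAN protocol=udp \
    dst-port=53,67 comment="DNS and DHCP from the VLANs"
add chain=input action=accept in-interface-list=VLAN protocol=tcp dst-port=53 \
    comment="DNS over TCP from the VLANs"
add chain=input action=accept in-interface=bridge \
    comment="management from the untagged Root network 10.1.7.0/24"
add chain=input action=drop comment="drop everything else addressed to the router"
```

To check the result, ping a host in VLAN111 from a host in VLAN110 and watch /log print for the [INTER-VLAN] prefix; /ip firewall filter print should show the new forward rule after the defconf rules, and /interface bridge vlan print should still list the tagged memberships from the export. The bridge "Use IP Firewall" option that chechito mentions pushes bridged (same-VLAN, layer 2) traffic through the IP firewall too; it is not required for inter-VLAN isolation, because crossing from one VLAN to another always goes through the router's layer 3 forward chain.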
