Hi everyone,

I have kind of stumped myself with a recent change i made to my CCR1009 router. I am going to be implementing Capsman in the coming months so i decided to clean up my config and change my existing vlan configuration with multiple bridges to a single bridge using vlan filtering. I have addresses for each vlan assigned to the vlan interface and all of the vlans seem to be working correctly. The issue i am having now is my firewall filter rules seem to have no effect in blocking traffic between the vlans. Even a drop all rule for all vlans doesn't appear to do anything. I feel like i am missing something simple here, i tried turning on the "use filter rules" for the bridge with no improvement. I cant seem to figure out how traffic is routing between the interfaces without the filter rules being able to affect them. I am running the latest stable release. Does anyone have any ideas?

I have a brilliant one - follow the hint in my automatic signature. All the psychics here who can find the issue without seeing the config are currently on vacation.

Well despite the sarcastic responses from some individuals i sorted out the issue. In addition to turning on "use-ip-firewall" on the bridge (which doesnt apply to routed traffic i learned), you need to turn on "use-ip-firewall-for-vlan" which did the trick.

The point is that between VLANs, normally the traffic can be only routed, not switched, so none of the L2-related settings (neither /interface bridge vlan-filtering nor the use-ip-firewall... items of /interface bridge settings) have any effect on it. /interface bridge vlan-filtering is used to control membership of bridge ports in individual VLANs (and dropping, on each port of that bridge, of ingress and egress traffic of all VLANs of which that port is not a member), whereas the topic title mentions explicitly routing and you've also mentioned firewall filter rules blocking traffic between VLANs in the text.

So I've asked for the actual configuration, and yes, I was a bit sarcastic because too many people here expect other people to mysteriously find the mistake in a configuration they haven't seen. You may find this common frustration manifest in various ways here, because you have to be creative when asking the same thing all over again. And the final stage is to simply ignore this kind of questions.

I am in accord with @mkx - it may well be your current configuration has solved the issue, however it is quite likely that your RouterBoard is spending more CPU on the task than actually necessary. Or maybe you actually need to filter traffic between two external devices within the same VLAN, but even if this is the case, better-suited tools exist than use-ip-firewall....

BTW, when using CAPsMAN, you don't need to use VLANs at all in some scenarios - in particular, where no L2 interconnection between wired ports and wireless interfaces is required and where all the traffic of the clients of the cAPs is routed at the CAPsMAN device (i.e. no local forwarding, L2 or L3, is required directly on the cAPs).

So all in all - so far the benefit of this topic for the forum community is zero or less. You have provided insufficient and confusing information about the initial issue, I was sarcastic above your tolerance threshold (and I've sent that response with such a delay that the only noticeable part remained the sarcasm because @mkx has asked for the same but neutrally in the meantime), @Anav has just complained about a person who didn't even take part in the topic, and as a final product we have here a topic which does propose a solution to people coming here via keyword search, but it is most likely a solution of something else than the topic subject.

So shall we try once again and better from the beginning or shall we let the waters close over it?