
Isolating hosts inside vlan

Posted: Wed Apr 01, 2020 3:25 am
by usovalx5

I need a bit of advice on how to isolate hosts inside a vlan.
My setup -- I have hap AC2 working as internet router, a bunch of devices connected directly to it and then another few via a couple of mikrotik managed switches (RB260GS).

I have set up a couple of vlans, to separate my nas & PCs from less trustworthy internet-connected devices.

I would like to add a bit more isolation between various devices on the guest vlan - none of them should really be talking to each other, and I would like to enforce it (or at least make it reasonably hard).
The most reliable way of isolation would have been to place each device into a separate VLAN, but it is too much work (and quite error-prone at that) to set up a large number of vlans, especially given the web interface of SwOS.

And because I don't need it to be absolutely bullet-proof, I figured it should be enough to block the ARP between devices in the guest VLAN, so they would only be able to communicate with the router.

My current plan (and things I'm uncertain about):

* Set up ACL #1 in RB260GS:
From: all ports except trunk
VLAN: tag present, vlan id = 5 (guest vlan)
Ethertype: 0806 (ARP)
Redirect to: trunk

* ACL #2
From, vlan -- same as above
No redirect to, hopefully this means DROP?
Dest MAC: ff:ff:ff:ff:ff:ff

* on HAP AC2, vlans are set up via "interface switch", set up similar rules in "switch rule"
* on HAP AC2, VLAN interface set ARP to "reply only", set DHCP server to add ARP entries for leases.

Things I'm not completely sure about:
1) Would ACLs actually work when traffic is switched between ports? I do recall reading somewhere that the switch is adding the VLAN tag on the packets from access ports only when they are forwarded to the trunk port. So I wonder if my vlan settings (tag present, id=5) would match when packets are switched between access ports?
2) Exactly the same question applies to HAP ac2 switch rules, it has the very same
3) What are the correct ARP settings for the router? First of all it has to be set on the VLAN interface, right?
Second I'm not actually sure which mode it should be (disable, reply only, local-proxy-arp)?
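The thread does not spell out the router-side ARP/DHCP combination asked about in point 3, so here is an added RouterOS example (not the poster's configuration) showing the usual pairing of arp=reply-only on the guest VLAN interface with add-arp=yes on its DHCP server. Interface and pool names (br1, v5-guest, guest-pool) and the 192.168.5.0/24 addressing are assumptions.

```routeros
# Added example, not from the thread. Assumed names: bridge "br1",
# guest VLAN interface "v5-guest", DHCP pool "guest-pool".
/interface vlan
add interface=br1 name=v5-guest vlan-id=5

# reply-only: the router still answers ARP requests for its own address,
# but it never learns dynamic neighbour entries, so a host can only be
# reached from the router if it has a static ARP entry.
/interface vlan
set v5-guest arp=reply-only

/ip address
add address=192.168.5.1/24 interface=v5-guest

/ip pool
add name=guest-pool ranges=192.168.5.10-192.168.5.200

# add-arp=yes makes the DHCP server create that static ARP entry for
# every lease, which is what keeps reply-only usable for DHCP clients.
/ip dhcp-server
add address-pool=guest-pool interface=v5-guest name=dhcp-guest add-arp=yes
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1 dns-server=192.168.5.1
```

Two points to keep in mind with this combination: a guest device with a manually configured address will have no ARP entry and therefore no connectivity until one is added under /ip arp, and reply-only only governs what the router itself learns; it does nothing about two guest hosts ARPing for each other through the switch chip, which is the part the switch rules have to cover.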

Re: Isolating hosts inside vlan

Posted: Wed Apr 01, 2020 4:24 am
by anav
I would go with more vlans (I have about 15 of them LOL). My 260GS are rock solid once set up.

Re: Isolating hosts inside vlan

Posted: Wed Apr 01, 2020 12:59 pm
by usovalx5
I was afraid of that answer :/

I don't question that switches & HAP can do it, just feels as massive overcomplication.

10 more vlans, set them up on HAP AC and two switches (those are even worse with web-page only interface).
Then corresponding vlan interfaces, single-vlan-port bridges to change MAC and 10 more DHCP servers.

I think I can save on setting up DHCP servers if I throw all VLAN interfaces into the bridge and set up bridge filter rule to deny forwarding.

Re: Isolating hosts inside vlan

Posted: Wed Apr 01, 2020 2:13 pm
by anav
I wouldn't use bridge firewall filtering.
In your forward chain simply state the traffic flow you want to allow.
like VLANs to internet
then for the last rule put in chain-forward action=drop, and anything else will be blocked.
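An added RouterOS example (not anav's configuration) of the allowlist-style forward chain described above. The interface names are assumptions: ether1 as WAN, br-lan for the trusted network and v5-guest for the guest VLAN interface.

```routeros
# Added example, not from the thread. Assumed names: WAN "ether1",
# trusted LAN "br-lan", guest VLAN interface "v5-guest".
/ip firewall filter
# keep replies for flows that were already allowed
add chain=forward connection-state=established,related action=accept comment="existing flows"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# state only the flows you want: each network to the internet
add chain=forward in-interface=v5-guest out-interface=ether1 action=accept comment="guest -> internet"
add chain=forward in-interface=br-lan out-interface=ether1 action=accept comment="lan -> internet"
# last rule: anything not explicitly allowed (guest <-> lan, guest <-> guest via the router) is dropped
add chain=forward action=drop comment="default deny"
```

Note what this does and does not cover: the forward chain only sees traffic the router routes, so it reliably blocks guest-to-LAN and guest-to-other-VLAN flows, but two hosts in the same guest VLAN normally reach each other through the switch chip without ever touching the CPU. Separating those requires the switch-level measures discussed later in the thread; once their frames are forced to the CPU, the default-deny rule above also catches the hairpinned same-VLAN traffic (in-interface and out-interface both v5-guest).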

Re: Isolating hosts inside vlan

Posted: Wed Apr 01, 2020 4:39 pm
by usovalx5
Hmm, the reason I thought about bridge filtering - I want the default route on the guest vlans to have a different MAC from the internal network.
The reason being, Windows uses the MAC address of the default route to recognize networks, and stores network parameters (like public / private, name, etc) per-MAC.

From what I found so far, RouterOS doesn't let you set mac address on the VLAN interface itself, instead I do something like this:
/interface vlan
add interface=br1 name=v5-guest vlan-id=5
/interface bridge
add admin-mac=AA:BB:CC:DD:EE:0F auto-mac=no name=br-v5-guest protocol-mode=none
/interface bridge port
add bridge=br-v5-guest interface=v5-guest
And then assign ip address & set up DHCP server on br-v5-guest.

But doing this for 10 new vlans is way too much work & clutter. Plus my static DHCP leases would have to be manually tuned.
So I can create 1 bridge for all VLANs, use that bridge to set up single DHCP server for all guest vlans and then use
/interface bridge filter add chain=forward in-bridge=br-vlans action=drop

To prevent the bridge from switching between vlans. No?

Re: Isolating hosts inside vlan

Posted: Wed Apr 01, 2020 5:28 pm
by pe1chl
Your problem is that MikroTik switches do not have this feature. Some other manufacturers do have it, either in a
simple configuration where you can just specify "port isolation" which means e.g. ports 1-11 can talk to port 12 but
not between each other. Then the router is connected to port 12.
More recent switches even have a more complex capability called "private VLAN" where you can configure an entire
VLAN with this capability and it will even work when you have multiple switches connected together (using a trunk
where all VLANs are tagged) and you can configure ports across the switches that are intended to connect to some
server and others that are just clients, and the clients will not be able to talk to each other but they can talk to the

Well, it would be nice when MikroTik switches had one of those features but unfortunately they don't.

There is however a bridge feature that you can use inside a MikroTik router such as the hAP AC2. You can put several
ports in a bridge (that you use for this guest VLAN only) and in the ports you connect to this bridge you specify a
horizon value, all the same for the single network. E.g. everywhere you put the value 10. The ports with the same
horizon value will not be able to talk to each other, but they all can talk to the router side of the bridge.

Of course this means you will not have hardware acceleration anymore (no switch function).
Probably you can achieve the same thing by making a couple of switch rules that have action "redirect to CPU"
for traffic incoming on each port.
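An added RouterOS example (not pe1chl's configuration) of the bridge split-horizon setup described above. It assumes ether3 to ether5 and a guest wireless interface wlan2 carry only the guest network, and that the bridge is called br-guest.

```routeros
# Added example, not from the thread. Assumed: guest-only ports
# ether3..ether5 and guest wifi "wlan2"; bridge name "br-guest".
/interface bridge
add name=br-guest protocol-mode=none

# Every guest port gets the same horizon value. A frame arriving on a
# port with horizon=10 is never forwarded or flooded to another port
# with horizon=10, but it still reaches the bridge interface itself,
# i.e. the router's IP stack.
/interface bridge port
add bridge=br-guest interface=ether3 horizon=10
add bridge=br-guest interface=ether4 horizon=10
add bridge=br-guest interface=ether5 horizon=10
add bridge=br-guest interface=wlan2  horizon=10

# The router is the only thing guests can talk to, so address it here.
/ip address
add address=192.168.5.1/24 interface=br-guest
```

After applying this, `/interface bridge port print` no longer shows the H (hardware offload) flag on these ports, which is the cost pe1chl mentions: forwarding for the guest bridge is done by the CPU. The upside is that the isolation is enforced in the bridge itself rather than depending on switch-chip rule semantics.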

Re: Isolating hosts inside vlan

Posted: Wed Apr 01, 2020 7:56 pm
by usovalx5
Thanks for reply.

From a little googling, it seems that switches I found with support for PVLAN are from very different price/size bracket.
I'll try in the evening to set up some form of port isolation using switch level rules, it seems to work on both switches & HAP ac2, and should be HW-accelerated too.

One thing I'm not sure -- do you know if switch rules with vlan tags work on packets from access ports?
I've seen somewhere on the wiki that switch only adds vlan headers when it decides to forward the packet into trunk port, while forwarding between access ports from the same vlan it never really adds the vlan tag to the packet.

Re: Isolating hosts inside vlan

Posted: Wed Apr 01, 2020 8:32 pm
by pe1chl
When you tag all incoming traffic on the ports with a fixed VLAN just for forwarding across a trunk, it should not matter.
When you want mixed tags on a port and want to restrict only traffic from 1 VLAN, it will be more difficult...
Switch rules on RouterOS can still filter it, but on the switch probably not.

Re: Isolating hosts inside vlan  [SOLVED]

Posted: Thu Apr 02, 2020 2:55 pm
by usovalx5
So, just to summarize what I tried and what worked (or not):

* Both HAP AC2 and RB260GS switches (product code CSS106, based on AR8327 switch chip) seem to ignore forwarding overrides table when set up to do vlan switching on the chip.

* Both appear to respect switch rules (called ACL in the SwOS). I ended up setting them up as following:
HAP AC2, everything terminates on it, so just redirect vlan to CPU:
/interface ethernet switch rule add ports=e1,e2,e3,e4,e5 new-dst-ports=switch1-cpu switch=switch1 vlan-id=5
Switches - redirect to trunk pointing towards HAP AC2.
from: all interfaces except trunk
redirect to: trunk
vlan id = 5
vlan header: ANY

* It's important to set vlan header=ANY, otherwise access ports aren't matched by the rule.

* guest wifi -- it's easiest to just move it to separate vlan. Otherwise it will be bridged with wired guest vlan, and it's not trivial to set up correct bridge filter rule.
Set forwarding=no to isolate wifi clients from each other.

Given this setup, it seems that clients in the guest vlan are isolated from each other and can only communicate with the router.
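An added RouterOS example (not usovalx5's exact configuration) that puts the hAP ac2 side of the final solution together: the switch rule that sends all guest VLAN frames to the CPU, with vlan-header=any spelled out so untagged frames from access ports also match, plus client isolation on the guest wireless interface. Port names ether2 to ether5 (the post's e1 to e5) and the wireless interface name wlan2 are assumptions.

```routeros
# Added example, not from the thread. Assumed: guest-capable switch
# ports ether2..ether5 on switch1, guest wifi interface "wlan2".
/interface ethernet switch rule
# Match guest VLAN traffic on every access port regardless of whether the
# frame carries a tag (vlan-header=any), and hand it to the CPU only.
# With no other port in new-dst-ports the switch chip never forwards
# guest frames port-to-port, so guest-to-guest ARP never gets answered.
add switch=switch1 ports=ether2,ether3,ether4,ether5 vlan-id=5 vlan-header=any \
    new-dst-ports=switch1-cpu comment="guest vlan: CPU only, no port-to-port switching"

# Guest wifi on its own VLAN, with clients isolated from each other at
# the AP (interface-level equivalent of the access-list forwarding=no).
/interface wireless
set wlan2 default-forwarding=no
```

To confirm the rule is actually in effect, check `/interface ethernet switch rule print stats` while a guest host generates traffic; the hit counter should climb. From a guest host, a ping to another guest host should fail with its ARP entry stuck in an incomplete state, while the gateway remains reachable. The RB260GS side has no CLI; the equivalent SwOS ACL is the one the post lists (all non-trunk ports, VLAN id 5, VLAN header ANY, redirect to the trunk).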