Kelalatir
newbie
Topic Author
Posts: 42
Joined: Mon Feb 29, 2016 7:22 pm

Can VLAN traffic be excluded from routing?

Tue Aug 03, 2021 1:57 am

Hello,
I'm preparing to set up a CRS354 48 Port Switch to act as a router for a small network, and also to act as a switch for VLANs. My scenario is for a public computing center attached to a library, with a public computer lab and 2 library employee computers.
I plan to have 3 subnets attached to the switch:
1) A subnet connecting to the Internet from our ISP
2) A subnet for the public computers where the CRS354 switch acts as the gateway and DHCP server
3) a VLAN subnet where the library computers can connect to the rest of the library intranet
My question is in regards to keeping subnet 3 completely independent of traffic on the other two subnets. How do I prevent the switch, running RouterOS, from routing traffic between the private VLAN subnet and the other two subnets?
I know I could do it if I used two devices, one acting as the router and one acting as the switch, where the switch only processed switching and VLANs. In this case I'd have 2 VLANs, one for the public computers and one for the library computers. This scenario separates everything in layer 2. By adding routing to the switch, connections can be made at layer 3, and I'd like to avoid that.
Are firewalls the only way to prevent layer 3 connections? Is there a networking solution, while still only using a single CRS354 switch?
Thank you,
 
mada3k
Long time Member
Posts: 682
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Can VLAN traffic be excluded from routing?

Tue Aug 03, 2021 11:04 am

That's what firewall rules, VRFs or routing policy rules are for :)

The number 3) VLAN, is the switch going to be default gateway for that as well?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Can VLAN traffic be excluded from routing?

Tue Aug 03, 2021 11:18 am

Without any firewall rule, I give you a hint: on IP / Settings disable ip-forward; this stops auto-forwarding between subnets.
This causes a separation (only on Layer 3) between subnets (on VLAN or not).

Sorry if I do not have time to explain better at this moment.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Can VLAN traffic be excluded from routing?

Tue Aug 03, 2021 12:34 pm

My question is in regards to keeping subnet 3 completely independent of traffic on the other two subnets. How do I prevent the switch, running RouterOS, from routing traffic between the private VLAN subnet and the other two subnets?
By adding a rule in the /ip firewall filter (and /ipv6 firewall filter) that matches the source interface of that VLAN and drops all traffic.
And for good measure also a rule that matches the destination interface and drops traffic.
You need to move it up sufficiently so that it will be evaluated before any other rules that pass on the traffic.
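A concrete form of the drop-in-both-directions rules described above, added here as an example that is not from this thread. It assumes the library VLAN exists on the CRS354 as a RouterOS VLAN interface named vlan-library (an assumed name) and uses place-before=0 so the drops land above any existing accept rules:

```routeros
# Added example (not from the thread). Assumed: the library VLAN interface is
# named "vlan-library"; replace it with the real interface name.

# The rules go in the "forward" chain: that is the only chain routed
# (inter-subnet) traffic passes through, so traffic to/from the switch itself
# (chains input/output) is unaffected.
# place-before=0 inserts each rule at the top, ahead of any accept rule.

/ip firewall filter
add chain=forward in-interface=vlan-library action=drop place-before=0 \
    comment="library VLAN: never route traffic out of it"
add chain=forward out-interface=vlan-library action=drop place-before=0 \
    comment="library VLAN: never route traffic into it"

# Same for IPv6; otherwise IPv6 hosts could still be routed between subnets.
/ipv6 firewall filter
add chain=forward in-interface=vlan-library action=drop place-before=0 \
    comment="library VLAN: never route traffic out of it"
add chain=forward out-interface=vlan-library action=drop place-before=0 \
    comment="library VLAN: never route traffic into it"

# Check: the two drops must print first (rules 0 and 1), before any accept
# rule, and their packet counters should rise if anything tries to cross.
/ip firewall filter print stats where chain=forward
/ipv6 firewall filter print stats where chain=forward
```

These rules only affect traffic the CRS354 routes; Layer 2 separation between the VLANs still comes from the bridge VLAN configuration, not from the firewall.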
 
Kelalatir
newbie
Topic Author
Posts: 42
Joined: Mon Feb 29, 2016 7:22 pm

Re: Can VLAN traffic be excluded from routing?

Tue Aug 03, 2021 10:17 pm

Thank you all for your replies!
@mada3k the switch will not be the default gateway for VLAN 3. One of the ports in the switch from VLAN 3 will be a link from the main library building next door, which has its own router. The devices on VLAN 3 will all be using the router next door as their default gateway.
@rextended Thanks for that hint! I'm going to dig into disabling ip-forward. I'll have to see if that can be configured to allow forwarding between subnets 1 and 2, but prevent subnet 3 from forwarding to either.
@pe1chl Thanks for those rule templates. If I need to use firewall rules, matching interfaces and putting a block on both sides sounds like the safest way to prevent public traffic from mixing with the library traffic. I suspect I'll put those rules in anyway, even if I can disable the auto ip-forwarding, just to be on the safe side.
 
nagylzs
Member
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: Can VLAN traffic be excluded from routing?

Wed Aug 04, 2021 6:55 pm

Without any firewall rule, I give you a hint: on IP / Settings disable ip-forward; this stops auto-forwarding between subnets.
This causes a separation (only on Layer 3) between subnets (on VLAN or not).

Sorry if I do not have time to explain better at this moment.
After disabling ip-forward, how is it possible to enable forwarding in SOME directions? I guess that adding firewall accept rules won't work. (?)
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Can VLAN traffic be excluded from routing?

Wed Aug 04, 2021 7:19 pm

That is true. The question stated "to act as a router for a small network, and also to act as a switch for VLANs" and so IP forward has to be enabled, else it cannot act as a router.
Then firewall filter rules can be used to limit the VLANs for which it will forward.
It is not possible to globally disable ip-forward and then still allow forwarding to happen for some specific case.
