ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Inter VLAN filtering from VLAN A to VLAN B [Solved]

Fri Sep 17, 2021 11:41 pm

[Edit: please read carefully, I need additional hardware for testing and therefore I have stopped investigating]

Dear all,

I am migrating my home network with VLANs to a Mikrotik router and a Mikrotik switch :
CCR2004-1G-12S+2XS
CRS312-4C+8XG

My present setup has isolated VLANs, but some communication is allowed.
Each ethernet port is on a separate VLAN to avoid data leaks.
Sometimes I also allow communication from VLAN-A to VLAN-B, but the converse is not allowed.
Filtering is based on source IP range. For example, this allows me to reach my printer on a separate VLAN, but the printer cannot reach me.
All is done on the firewall.

I already replaced my old 1 Gb/s switch with a 10 Gb/s Mikrotik switch.
Now I need to replace the firewall (router).

How do I achieve inter VLAN filtering with a Mikrotik router?
Can it be done at wire speed?

Kind regards,
FF
Last edited by ffries on Thu Oct 28, 2021 1:35 pm, edited 1 time in total.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Inter VLAN filtering from VLAN A to VLAN B

Sat Sep 18, 2021 12:00 am

 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Inter VLAN filtering from VLAN A to VLAN B

Sat Sep 18, 2021 12:06 am

L3 offloading is a nice solution in RouterOS 7.x to increase performance.

Alternatively for RouterOS 6.X:
Basic example of how you can filter VLAN communication on your ROUTER via the firewall.
In this example VLAN-A can ICMP and RDP TO VLAN-B, but the reverse isn't true.
/ip firewall filter
add action=accept chain=forward comment=\
    "Accept : Established & Related (VLAN-A --> VLAN-B)" connection-state=\
    established,related in-interface=VLAN-A out-interface=VLAN-B
add action=accept chain=forward comment="Accept : ICMP (VLAN-A --> VLAN-B)" \
    connection-state=new in-interface=VLAN-A out-interface=VLAN-B protocol=icmp
add action=accept chain=forward comment=\
    "Accept : Microsoft RDP (VLAN-A --> VLAN-B)" connection-state=new dst-port=\
    3389 in-interface=VLAN-A out-interface=VLAN-B protocol=tcp
add action=drop chain=forward comment=\
    "Drop : Everything Else (VLAN-A --> VLAN-B)" in-interface=VLAN-A \
    out-interface=VLAN-B
add action=accept chain=forward comment=\
    "Accept : Established & Related (VLAN-B --> VLAN-A)" connection-state=\
    established,related in-interface=VLAN-B out-interface=VLAN-A
add action=drop chain=forward comment=\
    "Drop : Everything Else (VLAN-B --> VLAN-A)" in-interface=VLAN-B \
    out-interface=VLAN-A
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Inter VLAN filtering from VLAN A to VLAN B

Sat Sep 18, 2021 12:09 am

Sometimes I also allow a communication from VLAN-A to VLAN-B but the converse is not allowed
You already apply interVLAN filtering ...
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: Inter VLAN filtering from VLAN A to VLAN B

Sat Sep 18, 2021 12:31 pm

Thanks. Unfortunately, L3 HW offloading is not supported on the CCR2004.
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Inter VLAN filtering from VLAN A to VLAN B

Sat Sep 18, 2021 12:40 pm

Thanks. Unfortunately, L3 HW offloading is not supported on the CCR2004.
That's the beauty of L3 HW: you activate it on the switch, not the router.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Inter VLAN filtering from VLAN A to VLAN B

Sat Sep 18, 2021 4:52 pm

Not sure what is going on here, but for the router, this is
an excellent guide for the router setup to get your VLANs to the switch.
After that, I am out of my element with respect to switch optimization.

viewtopic.php?f=23&t=143620
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: Inter VLAN filtering from VLAN A to VLAN B

Sat Sep 18, 2021 6:48 pm

Great, I just realized the possibilities.

To make sure I understand, I should not stick to Layer 2 on the switch but rather move to Layer 3 HW routing.
There should be a direct cable from switch to the Internet fiber box (this is a home setup).

Also, my router becomes useless except for VPN access and providing DHCP and DNS.

Very interesting.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Inter VLAN filtering from VLAN A to VLAN B

Sat Sep 18, 2021 7:44 pm

Depends on the requirements!
If you need to move a lot of traffic between devices on a network then a powerful switch is a great idea.
If you don't, and most of the traffic is between devices on the network and the internet, you don't need a powerful switch but a honking router.

In other words, IMHO, if your traffic (the majority of traffic) will need to pass through the router for permission to go from one vlan to another, then a powerful switch is a waste.

If somehow one can use the router for DHCP and DNS, AND MOVE THE LAYER 3 firewall rules to the switch, that may be useful............. but at some point traffic will have to be evaluated when crossing VLANs/subnets.

I have found this conundrum confusing most of the time, so perhaps someone can point out where my thinking has gone off the beaten path.
What is the point of a powerful switch with weak routing capabilities - more the norm I think (router + switch scenario)
What is the point of a powerful switch with strong routing capabilities - most expensive. (switch only scenario)
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Inter VLAN filtering from VLAN A to VLAN B

Sat Sep 18, 2021 10:42 pm

@Anav
hosts in one VLAN cannot communicate with hosts in another VLAN unless there is a router or a Layer 3 switch to provide routing services. Inter-VLAN routing is the process of forwarding network traffic from one VLAN to another VLAN.

So when inter-VLAN communication is desirable, there is no sense in having the router do the work when L3 on the switch can do the job better at line speed. But of course the switch must be L3 capable and have the ASIC in place that allows line-speed forwarding. TP-Link has very reasonably priced switches that will do line-speed routing …. With v7 of RoS some Tik switches will have the capability to do NEAR line-speed forwarding … unfortunately the switch the OP SELECTED CANNOT DO IT.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Inter VLAN filtering from VLAN A to VLAN B

Sat Sep 18, 2021 10:50 pm

With v7 of RoS some Tik switches will have the capability to do NEAR line speed forwarding … unfortunately the switch then OP SELECTED CANNOT DO IT.

Mikrotik's documentation says it does. (OP mentioned CRS312-4C+8XG )
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Inter VLAN filtering from VLAN A to VLAN B

Sat Sep 18, 2021 11:02 pm

@MKX
Thank you for correcting me …. :D
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Inter VLAN filtering from VLAN A to VLAN B

Sun Sep 19, 2021 4:37 am

So what is the router involvement in those specific VLANS, nothing?
DHCP and everything done on the switch?? What is the breakdown..........
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Inter VLAN filtering from VLAN A to VLAN B

Sun Sep 19, 2021 11:32 am

As per the initial post of this thread: OP wants some limitations on connectivity between VLANs. Which means a firewall (with fairly simple rules) is involved. While the CRS can do fasttracking in hardware, it comes with some serious limitations. If they get hit, the performance drop will be dramatic, and in this case letting the router route between VLANs would give more consistent results. If that doesn't happen, then the CCR is there only as border gateway / firewall device (performing NAT as well). Since the CCR isn't part of all VLANs, it can't be the DHCP server for those subnets ... unless the CRS runs DHCP relay. Probably the CRS can do all DHCP servers just fine.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Inter VLAN filtering from VLAN A to VLAN B

Sun Sep 19, 2021 4:45 pm

I see, I have to make the question simple to get a clear answer!!

Easy question 1: How does one get traffic to pass from one VLAN to another on a switch, without accessing the parent router to do so!!

Easy question 2: In the above case, to what extent does the router provide any vlan interactions or services?
(example... does the router still provide dhcp services, identify and create the vlans (give Ip address and assign to interface)??
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Inter VLAN filtering from VLAN A to VLAN B

Sun Sep 19, 2021 5:49 pm

Easy question 1: How does one get traffic to pass from one vlan to another on a switch, without access the parent router to do so!!
Simple, it won't pass... A Router is needed for traffic to be routed between VLANs.. If one VLAN could access another VLAN in the Layer 2, then what would be the point of VLANs ?
VLANs create separate broadcast domains...
(example... does the router still provide dhcp services, identify and create the vlans (give Ip address and assign to interface)??
That's what a Router does, provides Layer 3 services and more...

So, when communication between different VLANs is needed, a router must be used ...
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Inter VLAN filtering from VLAN A to VLAN B

Sun Sep 19, 2021 6:16 pm

What @zacharias wants to hide from @anav (by not saying it out loud) is the fact that any device running ROS can be a router. This includes switch CRS312-4C+8XG ... which can do (limited set of) L3 tasks wirespeed if running v7.1. I guess that (accompanied with a glass of Canadian rye) is making @anav's head spin.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Inter VLAN filtering from VLAN A to VLAN B

Sun Sep 19, 2021 6:26 pm

What @zacharias wants to hide from @anav (by not saying it out loud) is the fact that any device running ROS can be a router.
Right :) :)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Inter VLAN filtering from VLAN A to VLAN B

Sun Sep 19, 2021 7:17 pm

What @zacharias wants to hide from @anav (by not saying it out loud) is the fact that any device running ROS can be a router. This includes switch CRS312-4C+8XG ... which can do (limited set of) L3 tasks wirespeed if running v7.1. I guess that (accompanied with a glass of Canadian rye) is making @anav's head spin.
No that would clarify my mind LOL........... ( clarity or bad liver...............hard choices)

But I think inadvertently you are on the cusp of reaching the nexus of the situation.
Do pray tell which L3 limited features could the Switch do with RoS7, that would offload the router..........
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Inter VLAN filtering from VLAN A to VLAN B

Sun Sep 19, 2021 7:23 pm

Do pray tell which L3 limited features could the Switch do with RoS7, that would offload the router..........

Here is some food for your twisted mind.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Inter VLAN filtering from VLAN A to VLAN B

Sun Sep 19, 2021 7:38 pm

So the switch is not the key, its the router that has to be able to hardware offload first??
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Inter VLAN filtering from VLAN A to VLAN B

Sun Sep 19, 2021 8:56 pm

I think you're kicking in the wrong direction here. The CCR can't offload anything because it doesn't have the needed and supported hardware. The CRS might offload something if it was used as an L3 switch/router.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Inter VLAN filtering from VLAN A to VLAN B

Sun Sep 19, 2021 9:01 pm

Can we rewind a bit? OP asked two very well articulated questions:

How do I achieve inter VLAN filtering with a Mikrotik router?
Can it be done at wire speed?

Answer to first question: using IP firewall. Router needs to have connectivity to all VLANs, then it will use "usual" IP firewall to filter traffic between distinct VLANs.

Answer to second question: not by CCR. Perhaps by CRS if connection count is not too high.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Inter VLAN filtering from VLAN A to VLAN B

Sun Sep 19, 2021 9:03 pm

@anav only CRS3xx devices can hardware offload on Layer 3 using ROS v7 ...
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: Inter VLAN filtering from VLAN A to VLAN B

Thu Oct 28, 2021 10:33 am

Thank you very much for all this information.

I enabled fasttrack on the CCR2004-1G-12S+2XS router and L3 hardware offloading on the CRS312-4C+8XG switch.

Inter VLAN hardware offloading is working within the same VLANs.
I am looking for a simple solution to enable communication from one VLAN to another VLAN on the switch.

I tried the following without result :
* Add the same tagged VLANs to an ethernet port.
Example :
ether1: VLAN30 tagged, VLAN20 untagged
ether2: VLAN20 tagged, VLAN30 untagged
I was quite surprised but it did not work.

* Use port forwarding on the switch.
I tried various commands without success.

Now I am going to try fasttrack offloading.
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: Inter VLAN filtering from VLAN A to VLAN B

Thu Oct 28, 2021 11:52 am

I followed the guide for L3 HW offloading with the following settings:
/ip firewall filter
# fasttrack established/related flows (hw-offload=yes hands them to L3 HW on the switch), then accept them
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related

# new connections: any VLAN to WAN, and vlan20 -> vlan40 only
add action=accept chain=forward connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-state=new in-interface=vlan20 out-interface=vlan40
# no terminating drop here: forward traffic that matches no rule is accepted by default

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
I will test and report
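A small Python model of a stateful forward chain, added here as an example and not code from the thread, that replays ConnyMercier's ruleset earlier in the thread and the ruleset in this post against constructed packets. It shows why the accept for established,related is needed in the return direction, that a dropped SYN creates no connection entry so the reverse-direction drop holds, and one thing worth checking in the ruleset above: RouterOS accepts a forward packet that matches no rule, so without a terminating drop the vlan40 to vlan20 direction is also open. Interface names, addresses and packets are invented; connection state is simplified to new/established, and neither "related" nor the CRS L3 HW offload itself is modelled.

```python
"""Toy model of a RouterOS-style stateful 'forward' chain (added example, not thread code).

Replays the two rulesets posted in the thread against a constructed packet stream.
Interface names, addresses and packets are invented; state is reduced to
new/established ('related' is not modelled) and L3 HW offload is not simulated.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str                       # "accept", "drop" or "fasttrack-connection"
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    state: frozenset = frozenset()    # empty = match any connection state

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.in_if is None or self.in_if == pkt.in_if)
                and (self.out_if is None or self.out_if == pkt.out_if)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (not self.state or state in self.state))


class ForwardChain:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}   # flow key -> "established" | "fasttracked"

    @staticmethod
    def _key(p: Packet):
        # Direction-independent 5-tuple so replies hit the same entry as the SYN.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def handle(self, pkt: Packet) -> str:
        key = self._key(pkt)
        entry = self.conntrack.get(key)
        if entry == "fasttracked":
            return "accept"                     # fasttracked flows skip the chain entirely
        state = "new" if entry is None else "established"
        for rule in self.rules:
            if not rule.matches(pkt, state):
                continue
            if rule.action == "fasttrack-connection":
                self.conntrack[key] = "fasttracked"   # marks the flow, evaluation continues
                continue
            if rule.action == "accept":
                self.conntrack.setdefault(key, "established")
            return rule.action                  # accept/drop terminate; drop leaves no entry
        # RouterOS default: a packet matching no rule is accepted.
        self.conntrack.setdefault(key, "established")
        return "accept"


NEW, ESTAB = frozenset({"new"}), frozenset({"established", "related"})

# ConnyMercier's ruleset: VLAN-A may open ICMP and RDP to VLAN-B, nothing else, never the reverse.
CONNY_RULES = [
    Rule("accept", "VLAN-A", "VLAN-B", state=ESTAB),
    Rule("accept", "VLAN-A", "VLAN-B", proto="icmp", state=NEW),
    Rule("accept", "VLAN-A", "VLAN-B", proto="tcp", dport=3389, state=NEW),
    Rule("drop", "VLAN-A", "VLAN-B"),
    Rule("accept", "VLAN-B", "VLAN-A", state=ESTAB),
    Rule("drop", "VLAN-B", "VLAN-A"),
]

# ffries' inter-VLAN rules: fasttrack + accept established, allow new vlan20 -> vlan40, no final drop.
OP_RULES = [
    Rule("fasttrack-connection", state=ESTAB),
    Rule("accept", state=ESTAB),
    Rule("accept", "vlan20", "vlan40", state=NEW),
]


def tcp_session(chain, in_if, out_if, client, server, port):
    """Client behind in_if opens TCP to server behind out_if; verdicts for SYN, SYN-ACK, ACK."""
    syn = Packet(in_if, out_if, "tcp", client, server, 50000, port)
    synack = Packet(out_if, in_if, "tcp", server, client, port, 50000)
    ack = Packet(in_if, out_if, "tcp", client, server, 50000, port)
    return chain.handle(syn), chain.handle(synack), chain.handle(ack)


def demo():
    r = {}
    c = ForwardChain(CONNY_RULES)
    r["conny_A_to_B_rdp"] = tcp_session(c, "VLAN-A", "VLAN-B", "10.0.1.10", "10.0.2.10", 3389)
    r["conny_A_to_B_ssh"] = tcp_session(c, "VLAN-A", "VLAN-B", "10.0.1.10", "10.0.2.10", 22)
    r["conny_B_to_A_rdp"] = tcp_session(c, "VLAN-B", "VLAN-A", "10.0.2.10", "10.0.1.10", 3389)
    o = ForwardChain(OP_RULES)
    r["op_20_to_40"] = tcp_session(o, "vlan20", "vlan40", "10.0.20.10", "10.0.40.10", 3389)
    r["op_20_to_40_fasttracked"] = "fasttracked" in o.conntrack.values()
    r["op_40_to_20"] = tcp_session(o, "vlan40", "vlan20", "10.0.40.10", "10.0.20.10", 3389)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In the model a drop never creates a connection entry, which is what keeps the reverse direction closed even though the SYN-ACK would otherwise look like a reply; the same mechanism is what lets the VLAN-B established,related accept exist without opening VLAN-B to VLAN-A. The op_40_to_20 result is all accepts because nothing in that ruleset terminates with a drop.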
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: Inter VLAN filtering from VLAN A to VLAN B

Thu Oct 28, 2021 1:34 pm

Further testing shows that the bottleneck is lying on my side:
* I am using two USB3 5 Gb/s dongles which appear to be limited to 3.5 Gb/s.
* My ISP fiber line is limited to 2.5 Gb/s downstream.
* I need an additional switch and additional computers with 10 Gb/s cards for further testing.

So I am happy with Hardware switching and routing via the firewall.
There is no point in trying to measure bandwidth without proper hardware.

I am overall very satisfied with Mikrotik hardware.

Thanks!
