I can't remember when it stopped working, because it used to work. I wonder if one of the recent firmware updates changed the implementation of inter-vlan routing.
Correct me if I am wrong: inter-VLAN routing (a device in VLAN A being able to ping/access a device in VLAN B) does not require "Use IP Firewall" and "Use IP Firewall for VLAN" to be enabled, is this correct? Both are unchecked.
----
Simple setup: hAP ac2 as router/DHCP server/firewall with several VLANs (NETWORK DEVICES, CCTV, OFFICE, IT).
This inter-VLAN routing is not working. It works if I enable the bridge options "Use IP Firewall" and "Use IP Firewall for VLAN", but as I understand it, this is not necessary. I am stumped. Would appreciate some tips.
Relevant sections of the setup:
/ip firewall address-list
add address=172.16.35.50 list="CCTV SERVER"
add address=172.16.35.40 list="CCTV SERVER"
add address=172.16.35.41 list="CCTV SERVER"
add address=172.16.35.42 list="CCTV SERVER"
add address=172.16.10.2-172.16.10.254 list="VL10 - Office"
add address=172.16.10.105 list="IP GROUP - PC IT"
add address=172.16.10.186 list="IP GROUP - PC IT"
add address=172.16.2.2-172.16.3.254 list="VL03 - Network Devices"
add address=172.16.1.2-172.16.1.254 list="No Internet Access"
/ip firewall filter
### INPUTS ###
add action=accept chain=input comment="Accept established, related" connection-state=established,related
add action=accept chain=input comment="Accept DNS Request from LAN" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Accept DNS Request from LAN" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop Everything Else"
### FWD PART 1 ###
add action=accept chain=forward comment="Accept established, related" connection-state=established,related
add action=drop chain=forward comment="Drop specific LAN to WAN" \
connection-state=new out-interface-list=WAN src-address-list="No Internet Access"
add action=accept chain=forward comment="LAN allowed to WAN" \
connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow WAN Port Fwd" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
### FWD PART 2 - INTER VLAN ROUTING ###
add action=accept chain=forward comment="Allow Office LAN to CCTV" \
dst-address-list="CCTV SERVER" src-address-list="VL10 - Office"
add action=accept chain=forward comment="Allow IT access to VL03" \
dst-address-list="VL03 - Network Devices" src-address-list="IP GROUP - PC IT"
add action=drop chain=forward comment="Drop all else"
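To see which VLAN-to-VLAN connections the posted forward chain actually permits, the following script replays a new connection through the rules with RouterOS first-match semantics. It is an added example written for this thread, not code from the poster or from MikroTik; it copies the address-lists and forward rules from the post, assumes every VLAN interface is a member of the LAN interface-list, and models only the IP filter forward chain (the bridge "Use IP Firewall" settings and the input chain are outside what it simulates). Running it shows that only Office-to-CCTV and IT-PC-to-VL03 may open new connections; a CCTV host opening a connection towards Office, for example, falls through to "Drop all else", and only reply traffic of an already-accepted connection passes via the established,related rule.

```python
import ipaddress
import shlex

# Constructed copy of the address-lists from the post (same entries, same names).
ADDRESS_LISTS = {
    "CCTV SERVER": ["172.16.35.50", "172.16.35.40", "172.16.35.41", "172.16.35.42"],
    "VL10 - Office": ["172.16.10.2-172.16.10.254"],
    "IP GROUP - PC IT": ["172.16.10.105", "172.16.10.186"],
    "VL03 - Network Devices": ["172.16.2.2-172.16.3.254"],
    "No Internet Access": ["172.16.1.2-172.16.1.254"],
}

# Constructed copy of the forward chain from the post, one rule per line.
FORWARD_CHAIN = """\
add action=accept chain=forward comment="Accept established, related" connection-state=established,related
add action=drop chain=forward comment="Drop specific LAN to WAN" connection-state=new out-interface-list=WAN src-address-list="No Internet Access"
add action=accept chain=forward comment="LAN allowed to WAN" connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow WAN Port Fwd" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow Office LAN to CCTV" dst-address-list="CCTV SERVER" src-address-list="VL10 - Office"
add action=accept chain=forward comment="Allow IT access to VL03" dst-address-list="VL03 - Network Devices" src-address-list="IP GROUP - PC IT"
add action=drop chain=forward comment="Drop all else"
"""


def parse_rules(export_text):
    """Turn RouterOS 'add key=value ...' lines into dicts; shlex handles quoted values."""
    rules = []
    for line in export_text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def in_address_list(ip, list_name):
    """Address-list entries are either a single IPv4 address or an 'a-b' range."""
    addr = int(ipaddress.IPv4Address(ip))
    for entry in ADDRESS_LISTS[list_name]:
        lo, _, hi = entry.partition("-")
        lo_i = int(ipaddress.IPv4Address(lo))
        hi_i = int(ipaddress.IPv4Address(hi)) if hi else lo_i
        if lo_i <= addr <= hi_i:
            return True
    return False


def rule_matches(rule, pkt):
    """Every matcher present on the rule must agree with the packet (AND semantics)."""
    for key, value in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        if key == "connection-state":
            ok = pkt["conn_state"] in value.split(",")
        elif key == "connection-nat-state":
            ok = pkt.get("nat_state") in value.split(",")
        elif key == "in-interface-list":
            ok = value in pkt["in_lists"]
        elif key == "out-interface-list":
            ok = value in pkt["out_lists"]
        elif key == "src-address-list":
            ok = in_address_list(pkt["src"], value)
        elif key == "dst-address-list":
            ok = in_address_list(pkt["dst"], value)
        else:
            raise ValueError(f"matcher not modelled by this example: {key}")
        if not ok:
            return False
    return True


def evaluate(pkt, rules):
    """First matching rule wins; a packet reaching the end of the chain is accepted (RouterOS default)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "end of chain"


def check_new_connection(src, dst, in_lists=("LAN",), out_lists=("LAN",), nat_state=None):
    """Simulate the first packet of a new connection; VLAN interfaces are assumed to be in the LAN list."""
    pkt = {"src": src, "dst": dst, "conn_state": "new", "nat_state": nat_state,
           "in_lists": set(in_lists), "out_lists": set(out_lists)}
    return evaluate(pkt, parse_rules(FORWARD_CHAIN))


if __name__ == "__main__":
    # Constructed sample hosts, one per VLAN mentioned in the post.
    cases = [
        ("172.16.10.50", "172.16.35.50"),   # Office PC -> CCTV server
        ("172.16.35.50", "172.16.10.50"),   # CCTV server -> Office PC (no rule for this direction)
        ("172.16.10.105", "172.16.2.10"),   # IT PC -> network device
        ("172.16.10.50", "172.16.2.10"),    # ordinary Office PC -> network device
    ]
    for src, dst in cases:
        action, why = check_new_connection(src, dst)
        print(f"{src:>14} -> {dst:<14} {action:6} ({why})")
```

The address-list ranges and the rule order are taken verbatim from the post; swap in a different export text or extra matchers (ports, protocols) to extend the check.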