screetch
newbie
Topic Author
Posts: 30
Joined: Thu Dec 30, 2021 11:21 pm

Need assistance with VLAN Firewall and NAT rules

Thu Aug 29, 2024 5:45 am

Greetings. I am looking to do a VLAN / sandbox for my IP cameras. I followed The Network Berg videos as closely as possible to do a HW offloaded VLAN modified to my needs. I've used all of the stock firewall rules and added 4 FW / 1 NAT rules to allow the BaseLAN access to VLAN10 and isolate the VLAN from the WAN.

I do realize the server PC should be attached to the managed switch but until I am comfortable with VLAN'ing my D-Link switches, this will suffice. I am planning the next stage of the net where I have 3 VLANs trunked to the switches and WiFi APs.

For the most part my code is working, but there is one particular rule that I am stuck on which is supposed to block VLAN10 from accessing BaseLAN. Also I am not sure about the Masquerade rule being used the way I did it, but it does work the way I want.
add action=drop chain=forward comment=\
    "***************     Drop anything from VLAN10 to LAN" dst-address=\
    192.168.88.0/24 src-address=192.168.10.0/24
The above rule kills DHCP on VLAN10, but if I disable it, VLAN10 can ping BaseLAN which is undesirable.

Complete config:
# 2024-08-28 19:01:04 by RouterOS 7.15.3
# software id = 
#
# model = RB960PGS
# serial number = 
/interface bridge
add admin-mac=**:**:**:**:**:** auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=CamNet vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=88.xxx-dhcp ranges=192.168.88.10-192.168.88.254
add name=CamNET_pool1 ranges=192.168.10.10-192.168.10.100
add name=dhcp_pool3 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool4 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=88.xxx-dhcp comment="Base LAN Pool (VLAN1) " interface=\
    bridge name=88.xxx_dhcp
add address-pool=dhcp_pool4 comment="Pool for testing CamNET (VLAN10)" \
    interface=CamNet name=10.xxx_dhcp
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment="This interface to be used for VLAN10" interface=\
    ether5 pvid=10
add bridge=bridge comment="Set ether1 set as Bridge  SFP1 to WAN" interface=\
    ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.10.1/24 interface=CamNet network=192.168.10.0
/ip dhcp-client
add comment=defconf interface=sfp1
/ip dhcp-server network
add address=192.168.10.0/24 comment="CamNET DHCP" dns-server=192.168.88.1 \
    gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "***************    Allow VLAN1 to access VLAN10" dst-address=\
    192.168.10.0/24 src-address=192.168.88.0/24
add action=drop chain=forward comment=\
    "***************     Drop anything from VLAN10 to WAN" \
    out-interface-list=WAN src-address=192.168.10.0/24
add action=drop chain=input comment=\
    "***************     Drop anything from WAN to VLAN10" dst-address=\
    192.168.10.0/24 in-interface-list=WAN
add action=drop chain=forward comment=\
    "***************     Drop anything from VLAN10 to LAN" dst-address=\
    192.168.88.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="Allows VLAN1 onto VLAN10" \
    dst-address=192.168.10.0/24 dst-address-list="" ipsec-policy=out,none \
    src-address=192.168.88.0/24 src-address-list=""
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Vancouver
/system note
set show-at-login=no
/system ntp server
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
erlinden
Forum Guru
Posts: 2374
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Need assistance with VLAN Firewall and NAT rules

Thu Aug 29, 2024 9:21 am

Your life would be much easier if you choose to go VLAN all the way. Lots of (correct) and great examples can be found in this topic:
viewtopic.php?t=143620

In regards to the firewall, you could consider allowing explicitly and dropping everything else. Just make sure that you allow access to yourself so you can still manage the device.
 
anav
Forum Guru
Posts: 20999
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need assistance with VLAN Firewall and NAT rules

Thu Aug 29, 2024 8:07 pm

Examples of firewall rules:
viewtopic.php?t=153581#p855249

Simply, in the forward chain, prior to the last rule (Drop all else), add in the traffic required: device A to Subnet B, or Subnet C to device D, for example.
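The forward chain the two replies describe (allow explicitly, drop everything else, with the drop placed last), applied to the posted export. This is an added example, not the original poster's config or anything from the linked threads; it keeps the addresses, interface names (bridge, CamNet) and interface lists (LAN, WAN) from the export, leaves the input chain and NAT in place, and omits the ipsec rules since the export shows no IPsec in use.

```routeros
# Added example, not the thread author's export. The original drop rule sits
# ABOVE "accept established,related", so replies from the cameras to LAN
# clients are discarded; here the stateful rules come first and the drop
# is the final forward rule, so the explicit allows decide what is forwarded.
/ip firewall filter

# Rebuild the forward chain from scratch (input chain and NAT are left alone).
remove [find chain=forward]

# 1. Stateful rules first, as in the default configuration.
add chain=forward action=fasttrack-connection comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add chain=forward action=accept \
    comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add chain=forward action=drop comment="defconf: drop invalid" \
    connection-state=invalid
add chain=forward action=drop comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# 2. Explicit allows for NEW connections only; first match wins.
add chain=forward action=accept comment="LAN may open connections to VLAN10" \
    connection-state=new src-address=192.168.88.0/24 dst-address=192.168.10.0/24
add chain=forward action=accept comment="LAN to Internet" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN

# 3. Everything else is dropped: VLAN10 -> LAN, VLAN10 -> WAN, and any
#    future VLAN that has no allow rule of its own.
add chain=forward action=drop comment="drop all else in forward"

# 4. CamNet is not a member of the LAN list, so the defconf input rule
#    "drop all not coming from LAN" also discards DNS queries that VLAN10
#    clients send to the dns-server (192.168.88.1) handed out by the CamNET
#    DHCP network. Accept DNS from VLAN10 ahead of that drop.
add chain=input action=accept comment="VLAN10 DNS (udp) to router" \
    src-address=192.168.10.0/24 dst-address=192.168.88.1 protocol=udp dst-port=53 \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept comment="VLAN10 DNS (tcp) to router" \
    src-address=192.168.10.0/24 dst-address=192.168.88.1 protocol=tcp dst-port=53 \
    place-before=[find comment="defconf: drop all not coming from LAN"]
```

With replies accepted by the established,related rule, the second srcnat masquerade ("Allows VLAN1 onto VLAN10") is no longer needed: traffic routed between two subnets on the same router requires no NAT.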
 
screetch
newbie
Topic Author
Posts: 30
Joined: Thu Dec 30, 2021 11:21 pm

Re: Need assistance with VLAN Firewall and NAT rules

Thu Aug 29, 2024 11:29 pm

erlinden wrote:
> Your life would be much easier if you choose to go VLAN all the way. Lots of (correct) and great examples can be found in this topic:
> viewtopic.php?t=143620
>
> In regards to the firewall, you could consider allowing explicitly and dropping everything else. Just make sure that you allow access to yourself so you can still manage the device.
Thanks very much. I did read that whole thread. I could not find examples that fit my needs nor do I configure using the CLI.
I agree I should VLAN the BaseLAN into VLAN88 and will roll that into version 2.
 
screetch
newbie
Topic Author
Posts: 30
Joined: Thu Dec 30, 2021 11:21 pm

Re: Need assistance with VLAN Firewall and NAT rules

Fri Aug 30, 2024 2:17 am

anav wrote:
> Examples of firewall rules:
> viewtopic.php?t=153581#p855249
>
> Simply, in the forward chain, prior to the last rule (Drop all else), add in the traffic required: device A to Subnet B, or Subnet C to device D, for example.
Thanks for the link. I will have to delve a bit deeper.
 
screetch
newbie
Topic Author
Posts: 30
Joined: Thu Dec 30, 2021 11:21 pm

Re: Need assistance with VLAN Firewall and NAT rules

Fri Sep 20, 2024 2:43 am

So a quick question on accessing the VLAN subnets. With 4 VLANs on different subnets, should the subnet mask of the router and switches be set to other than 255.255.255.0 ?

Subnets in use:
192.168.1.0/24
192.168.10.0/24
192.168.20.0/24
192.168.30.0/24

While testing, the router could ping the subnets but the PC could not ping the subnets. I watched the videos on firewall rules and tried many forward chain accepts which looked to be ignored. Interestingly, if I used NAT masquerade it appeared to loop over the WAN and back and would connect.
 
mkx
Forum Guru
Posts: 12445
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need assistance with VLAN Firewall and NAT rules

Fri Sep 20, 2024 5:19 pm

You should use /24 netmask on those subnets. Without proper subnet masks, routing won't work.

And keep in mind when pinging around: some OSes on end devices include firewalls, and some firewalls (e.g. Windows) block everything coming in from other than the "home" subnet. The home subnet is the one assigned to the device's network interface. So when troubleshooting cross-subnet connectivity issues, disable the device firewall (temporarily) to remove one possible blocking point.
