Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

drop traffic between interfaces without using VLANs

Sat Aug 06, 2022 9:09 pm

Hello my friends! Hope you are all doing good.
So I have this situation.

My MikroTik router 951ui has 5 interfaces:
Eth1. The WAN interface with the IP 192.168.134.2/30.
Eth2. The camera interface with the IP range 192.168.10.1/24.
DHCP is enabled on this interface and there is a src-nat rule to the out interface 192.168.134.2, so it has internet access.
Eth3. The PBX interface with IP range 192.168.20.1/24; it also has internet access and DHCP enabled.
Eth4. The data interface with IP 192.168.30.1/23, also with internet access and DHCP on it.
So my question is: how can I prevent traffic between those interfaces? I mean not just prevent ping between ports, but all traffic. In my current situation, if someone connects to the ethernet data port and takes an address from the 192.168.30.1 range, they can easily access the cameras and even the MK router itself; I want to prevent that.
Can anyone please give me advice on this situation?

Well, I know how to set up VLANs, but only with two MikroTik routers; in my situation I have only one 952ui MK router with three switches connected to its interfaces one by one.
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: drop traffic between interfaces without using VLANs

Sun Aug 07, 2022 1:24 am

Look at this and extend it to more address subnets according to your setup:
viewtopic.php?p=948842#p948842
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)
Contact:

Re: drop traffic between interfaces without using VLANs

Sun Aug 07, 2022 6:26 am

That's easy. In the forward chain of firewall rules, allow port 2 to port 1, allow port 3 to port 1, and allow port 4 to port 1, then delete everything.
BTW, I am basing this on you NOT using a bridge; not much point with every interface being a separate network. If you are using a bridge, it would be different.
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: drop traffic between interfaces without using VLANs

Sun Aug 07, 2022 8:59 am

k6ccc wrote:
That's easy. In the forward chain of firewall rules, allow port 2 to port 1, allow port 3 to port 1, and allow port 4 to port 1, then delete everything.
BTW, I am basing this on you NOT using a bridge; not much point with every interface being a separate network. If you are using a bridge, it would be different.

Hello Mr k6ccc! Thanks for your reply! But what do you mean by "delete everything", BTW? Can you give me the corresponding rule for this phrase?
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: drop traffic between interfaces without using VLANs

Sun Aug 07, 2022 12:06 pm

The idea is:
/ip firewall filter
# ... and there you explicitly allow traffic from/to the VLANs' interfaces
add action=accept chain=forward in-interface=VLAN64 out-interface=VLAN65
add action=accept chain=forward in-interface=VLAN65 out-interface=VLAN64
#
# The one ring ... upssss, rule that rules them all :) to stop
# any traffic between VLANs except the ones configured above.
# The order of rules is important: you allow what you want to allow and then block the rest.
#
add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: drop traffic between interfaces without using VLANs

Sun Aug 07, 2022 12:29 pm

BartoszP wrote:
The idea is:
/ip firewall filter
# ... and there you explicitly allow traffic from/to the VLANs' interfaces
add action=accept chain=forward in-interface=VLAN64 out-interface=VLAN65
add action=accept chain=forward in-interface=VLAN65 out-interface=VLAN64
#
# The one ring ... upssss, rule that rules them all :) to stop
# any traffic between VLANs except the ones configured above.
# The order of rules is important: you allow what you want to allow and then block the rest.
#
add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan

Very thankful, Mr BartoszP, it works... However, I couldn't prevent users in the same LAN from accessing the LAN devices. I mean, for example, eth4 is connected to an ethernet switch and
all users connected to this switch can still access all the devices on this LAN. I don't want any of them to be able to access those devices, yet without disconnecting the internet from them.
Do you have any idea about how I can achieve this?
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: drop traffic between interfaces without using VLANs

Sun Aug 07, 2022 12:46 pm

You can not do that as long as that switch is in between.
Traffic will already have passed before the router can do anything about it.

Unless that switch has the possibility to do such filtering?
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: drop traffic between interfaces without using VLANs

Sun Aug 07, 2022 12:51 pm

You raise the bar ... switch traffic is L2 traffic managed internally by that switch, so e.g. a PC communicates with e.g. a printer almost directly via that switch. The traffic is not noticed by the router, as this traffic does not leave the switch; switches should be intelligent enough not to broadcast all traffic to all ports, except broadcast traffic. The router does not participate in this traffic, so there is no control over it.
You ask: how to isolate all traffic between any devices in the network. Hard task.

BTW. Please follow the link in my signature if you have a bit of free time.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)
Contact:

Re: drop traffic between interfaces without using VLANs

Mon Aug 08, 2022 2:34 am

Thanks BartoszP for giving the code samples. I was dying to get to bed when I typed my reply last night...

The example given showed different VLANs, which you were not wanting to use. So instead of VLANs, you specify the physical ports. However, with that said, as Holvoetn said, if the port on the router has a switch so more than one device is connected, this will not isolate the devices on that same router port. But that is not what you originally asked about.
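Putting k6ccc's port-based approach and BartoszP's "allow what you want, then block the rest" ordering together for the four physical ports described in the opening post, here is an added worked example; it is not code from any post in this thread. It assumes no bridge, interfaces named ether1 (WAN), ether2 (cameras), ether3 (PBX) and ether4 (data), that the router is also the DHCP and DNS server for the three LANs, and a placeholder admin host 192.168.30.10 on the data subnet (a made-up address; substitute the real one). It goes slightly beyond the posts in two ways a practitioner needs: an established/related accept at the top of the forward chain, without which internet return traffic (ether1 to etherX) would hit the final drop, and an input chain that keeps LAN clients off the router itself, which the opening post also asked for.

```routeros
# Group the three LAN ports so input rules can match them with one list.
/interface list
add name=LAN
/interface list member
add list=LAN interface=ether2
add list=LAN interface=ether3
add list=LAN interface=ether4

/ip firewall filter
# --- forward chain: traffic routed between interfaces ---
# Replies to connections accepted below must be let back in first,
# otherwise WAN -> LAN return traffic is caught by the final drop.
add chain=forward action=accept connection-state=established,related \
    comment="return traffic for already-accepted connections"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Each LAN port may reach the WAN port only (k6ccc's rules, on physical ports).
add chain=forward action=accept in-interface=ether2 out-interface=ether1 comment="cameras -> WAN"
add chain=forward action=accept in-interface=ether3 out-interface=ether1 comment="PBX -> WAN"
add chain=forward action=accept in-interface=ether4 out-interface=ether1 comment="data -> WAN"
# Order matters: everything not accepted above (ether2/ether3/ether4 to each
# other, and unsolicited WAN -> LAN) is dropped here.
add chain=forward action=drop comment="drop all other routed traffic"

# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
# Assumption: management only from one admin host on the data subnet.
# 192.168.30.10 is a placeholder; set the real host before applying.
add chain=input action=accept in-interface=ether4 src-address=192.168.30.10 \
    protocol=tcp dst-port=22,8291 comment="admin host: ssh, winbox"
# Assumption: the router serves DHCP and DNS to the LANs. The DHCP rule is
# harmless if the server already receives requests outside the filter.
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 comment="DHCP"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="DNS"
# Everything else from the LAN ports to the router is dropped; this is what
# stops a host on the data port from reaching the router's own services.
add chain=input action=drop in-interface-list=LAN comment="LAN clients cannot reach the router"
add chain=input action=drop in-interface=ether1 comment="nothing unsolicited from WAN"
```

Apply it from Safe Mode (Ctrl-X in the terminal) so a mistake in the admin-host rule does not lock you out, then verify with `/ip firewall filter print stats`: from a data-port host, a ping to a camera address and to 192.168.30.1 should fail while a public address still answers, and the counters on the "drop all other routed traffic" and "LAN clients cannot reach the router" rules should climb. As holvoetn and BartoszP point out, none of this touches traffic between two hosts on the same switch, which never reaches the router.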
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: drop traffic between interfaces without using VLANs

Mon Aug 08, 2022 2:43 am

Let this be a lesson to the @not OP

Why you guys like making judgments without context or requirements is beyond me.
Put another way, why do you seem surprised when the OP introduces
a. but I want to do this as well OR
b. but I have this equipment here as well.

So bloody well don't start impulsively saving the planet before getting some facts.............
a. network diagram to see where internet is coming from and conceptually what devices are at play, how they are connected and which subnets are flowing through which ports.
b. then see what has transpired thus far with the FULL config /export
c. finally get a complete set of requirements to get context and to make sense of the offered config
(what users/devices and groups of users/devices, including the admin, are at play, what they need to be able to do, and what they shouldn't be able to do)
d. with the requirements, a config design can be sorted out that is efficient, meets the requirements and matches the equipment available.

Otherwise, if you don't like this approach, then you must spend all your spare time doing this.......
https://www.youtube.com/watch?v=VoP1E9J4jpg
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: drop traffic between interfaces without using VLANs

Mon Aug 08, 2022 3:04 am

@anav, they get to play without even having to pay for the privilege :lol:
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: drop traffic between interfaces without using VLANs

Mon Aug 08, 2022 3:17 am

In the OP you talked about limiting access between subnets on different router interfaces, and to the router itself.
Techsystem wrote:
So my question is: how can I prevent traffic between those interfaces? I mean not just prevent ping between ports, but all traffic. In my current situation, if someone connects to the ethernet data port and takes an address from the 192.168.30.1 range, they can easily access the cameras and even the MK router itself; I want to prevent that.

Then you asked what appears to be a very different question; it seems you are asking how to keep devices on the same LAN from talking with each other.
Techsystem wrote:
I couldn't prevent users in the same LAN from accessing the LAN devices. I mean, for example, eth4 is connected to an ethernet switch and
all users connected to this switch can still access all the devices on this LAN. I don't want any of them to be able to access those devices, yet without disconnecting the internet from them.
Do you have any idea about how I can achieve this?

To you that may seem like the same thing, but it is very different. I suggest going through this to see what I mean.

And this is why @anav is asking for more details about what your real requirements are, so we don't have to play 20 questions or whack-a-mole. Also, if you don't already have the documentation, creating the documentation and explaining your problem will help you understand the problem better yourself.
Last edited by Buckeye on Mon Aug 08, 2022 8:24 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: drop traffic between interfaces without using VLANs

Mon Aug 08, 2022 12:41 pm

Buckeye wrote:
And this is why @anav is asking for more details about what your real requirements are, so we don't have to play 20 questions or whack-a-mole. Also, if you don't already have the documentation, creating the documentation and explaining your problem will help you understand the problem better yourself.

This. Organized thoughts lead to swift resolution of issues, and when going through the process one often finds new requirements not previously thought of.
Bang on, Buckeye, well stated!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
