rikpal
Frequent Visitor
Topic Author
Posts: 74
Joined: Tue Mar 07, 2023 2:02 pm
Location: Italy

Mikrotik Router configuration - Blocking Inter-VLAN

Thu Mar 23, 2023 7:13 pm

Good morning,
I'm configuring a new MikroTik router (CCR2216) to replace my current one from DrayTek (Vigor3910).
I have some doubts about the firewall configuration. I've carefully read, several times, the forum discussions and this guide: viewtopic.php?t=180838
My need is to keep the 4 VLANs I have completely isolated (I searched a lot about the subject "block inter-vlan routing" in the forum).
I struggled to do it, but in the end I was able to make it work, although I still have some doubts. In practice, I was able to separate the VLANs only if I use the IP filter chain=input, even though in several discussions I've clearly seen examples using chain=forward to block inter-VLAN routing and keep them completely isolated.
Here is my config. Is there something wrong in what I've done?
Thank you in advance for your help and suggestions.

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment=\
"allow VLAN 50 only (inter-vlan is blocked)" dst-address=10.10.50.0/24 \
src-address=10.10.50.0/24
add action=accept chain=input comment=\
"allow VLAN 100 only (inter-vlan is blocked)" dst-address=10.10.100.0/24 \
src-address=10.10.100.0/24
add action=accept chain=input comment=\
"allow MANAGEMENT VLAN only (inter-vlan is blocked)" dst-address=\
10.10.99.0/24 src-address=10.10.99.0/24
add action=accept chain=input comment=\
"allow GUEST VLAN only (inter-vlan is blocked)" dst-address=\
192.168.0.0/24 src-address=192.168.0.0/24
add action=drop chain=input comment="block everything else"
add action=fasttrack-connection chain=forward comment=\
"fast-track for established,related" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic (all vlans)" \
in-interface=all-vlan out-interface-list=WAN
add action=drop chain=forward comment="drop access to clients behind NAT from \
WAN - drops all new connection attempts from the WAN port to our LAN netwo\
rk (unless DstNat is used). Without this rule, if an attacker knows or gue\
sses your local subnet, he/she can establish connections directly to local\
\_hosts and cause a security threat." connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"*** INVALID ACCESS TO CLIENTS BEHIND NAT FROM WAN ***"
add action=drop chain=forward comment="block everything else"
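As an added illustration (not code from the post or from RouterOS), here is a small Python model of which firewall chain evaluates a given packet under the rule set above: a packet addressed to one of the router's own IPs goes through the input chain, while host-to-host traffic between two VLANs transits the forward chain, so it is the forward chain's final drop that isolates the VLANs from each other and the input rules only decide who may reach the router itself. The router's per-VLAN addresses (.1 in each subnet) and the WAN interface name are assumptions, and connection tracking, NAT state and the mangle/prerouting stages are deliberately left out.

```python
import ipaddress

# Constructed teaching model of RouterOS chain dispatch; subnets are the post's.
VLAN_SUBNETS = {
    "vlan50": ipaddress.ip_network("10.10.50.0/24"),
    "vlan100": ipaddress.ip_network("10.10.100.0/24"),
    "vlan99": ipaddress.ip_network("10.10.99.0/24"),   # management
    "guest": ipaddress.ip_network("192.168.0.0/24"),
}
# Assumption: the router holds .1 on every VLAN (the post does not list them).
ROUTER_ADDRS = {n.network_address + 1 for n in VLAN_SUBNETS.values()}
WAN_LIST = {"ether1"}  # assumption: member of the post's "WAN" interface list


def iface_of(addr):
    """Map an address to the interface it sits behind; non-VLAN space is WAN."""
    for name, net in VLAN_SUBNETS.items():
        if addr in net:
            return name
    return "ether1"


def input_chain(src, dst):
    """Post's input rules for a NEW connection: accept only same-subnet src/dst."""
    for net in VLAN_SUBNETS.values():
        if src in net and dst in net:
            return "accept"   # "allow VLAN x only (inter-vlan is blocked)"
    return "drop"             # "block everything else"


def forward_chain(in_if, out_if):
    """Post's forward rules for a NEW connection arriving on a VLAN."""
    if in_if in VLAN_SUBNETS and out_if in WAN_LIST:
        return "accept"       # "allow internet traffic (all vlans)"
    return "drop"             # "block everything else" (covers VLAN -> VLAN)


def verdict(src_s, dst_s):
    """Return (chain consulted, action) for a new packet src -> dst."""
    src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
    if dst in ROUTER_ADDRS:           # destined to the router: input chain
        return "input", input_chain(src, dst)
    return "forward", forward_chain(iface_of(src), iface_of(dst))


if __name__ == "__main__":
    for pair in [("10.10.50.10", "10.10.100.10"), ("10.10.50.10", "8.8.8.8"),
                 ("10.10.50.10", "10.10.50.1"), ("10.10.50.10", "10.10.100.1")]:
        print(pair, "->", verdict(*pair))
```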
