DitchRat95
newbie
Topic Author
Posts: 29
Joined: Tue Jul 19, 2022 5:43 pm

vlan access to winbox

Sat Oct 08, 2022 3:21 am

So I have two VLANs set up on a bridge. I would like VLAN 10 to have management access and client-to-client access with the ethernet ports on the bridge, and I would like VLAN 20 to only have internet access. I can't access the MT GUI from the management wireless VLAN 10. Could someone review this and see what they think?

Any other security concerns or tightening of ship recommendations would be welcome as well...
Last edited by DitchRat95 on Fri Apr 21, 2023 12:31 pm, edited 1 time in total.
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: vlan access to winbox

Sat Oct 08, 2022 9:34 am

This rule defines who has access to the router:
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
Together with this rule anything has access to your router:
/interface list member
add comment=defconf interface=CapDataPath list=LAN
I would sort the firewall rules, start with input and then forward.
I prefer both chains to end with "drop everything else" (this way, you only have to write allow rules)
You might want to enable VLAN filtering on your bridge

There might be more possible improvements, still early here.
 
DitchRat95
newbie
Topic Author
Posts: 29
Joined: Tue Jul 19, 2022 5:43 pm

Re: vlan access to winbox

Sun Oct 09, 2022 3:00 am

If anything has access, then why can't I gain access to WinBox from VLAN 10 or 20? Am I missing something, as in how to access it from a VLAN?
 
sid5632
Long time Member
Posts: 552
Joined: Fri Feb 17, 2017 6:05 pm

Re: vlan access to winbox

Sun Oct 09, 2022 3:23 am

You need to add the bridge to the list of interfaces that are tagged under /interface bridge vlan
and get rid of all those untagged entries and let them be determined dynamically by the pvid setting.

Did you actually turn on the bridge vlan filtering?
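A worked RouterOS configuration that applies both pieces of advice in this thread: the bridge itself tagged on each VLAN with untagged membership left to the port pvid (sid5632's point), VLAN filtering enabled, and interface lists driving input and forward chains that end in "drop everything else" (erlinden's point). This is an added example, not the OP's script or anything posted here; the interface names, VLAN names, subnets and port roles are assumptions.

```routeros
# Added example, not the thread's config. Assumed layout: ether1 = WAN,
# ether2/ether3 = VLAN 10 (management) access ports, ether4 = VLAN 20
# (guest) access port, ether5 = tagged trunk to a VLAN-capable AP.
# Apply from a port on VLAN 10 (or in Safe Mode) so a mistake cannot lock you out.
/interface bridge
add name=bridge vlan-filtering=no comment="filtering turned on last, below"
/interface bridge port
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=20
add bridge=bridge interface=ether5 frame-types=admit-only-vlan-tagged
/interface bridge vlan
# The bridge itself must be a tagged member of each VLAN, otherwise the
# router's own VLAN interfaces (and its DHCP server) never see the traffic.
# Untagged access ports are not listed: the port pvid adds them dynamically.
add bridge=bridge vlan-ids=10 tagged=bridge,ether5
add bridge=bridge vlan-ids=20 tagged=bridge,ether5
/interface vlan
add name=vlan10-mgmt interface=bridge vlan-id=10
add name=vlan20-guest interface=bridge vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-guest
/interface list
add name=WAN
add name=MGMT
add name=GUEST
/interface list member
add list=WAN interface=ether1
add list=MGMT interface=vlan10-mgmt
add list=GUEST interface=vlan20-guest
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
/ip firewall filter
# input: who may reach the router itself (WinBox, WebFig, SSH, DNS)
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=MGMT comment="management only from VLAN 10"
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=53,67 comment="guest: DNS and DHCP from the router only"
add chain=input action=drop comment="drop everything else"
# forward: what may pass between interfaces
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=MGMT
add chain=forward action=accept in-interface-list=GUEST out-interface-list=WAN comment="guest: internet only, no other subnets"
add chain=forward action=drop comment="drop everything else"
# Only now enable filtering, with everything above already in place.
/interface bridge set bridge vlan-filtering=yes
```

With this in place a VLAN 20 client can still reach the router for DHCP and DNS but cannot open WinBox or ping the VLAN 10 subnet, because nothing in the forward chain accepts GUEST to anything but WAN.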
 
DitchRat95
newbie
Topic Author
Posts: 29
Joined: Tue Jul 19, 2022 5:43 pm

Re: vlan access to winbox

Fri Oct 21, 2022 6:00 am

This rule defines who has access to the router:
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
Together with this rule anything has access to your router:
/interface list member
add comment=defconf interface=CapDataPath list=LAN
I would sort the firewall rules, start with input and then forward.
I prefer both chains to end with "drop everything else" (this way, you only have to write allow rules)
You might want to enable VLAN filtering on your bridge

There might be more possible improvements, still early here.
Do you have an example I could see?
 
DitchRat95
newbie
Topic Author
Posts: 29
Joined: Tue Jul 19, 2022 5:43 pm

Re: vlan access to winbox

Mon Oct 24, 2022 5:07 am

So when I enable VLAN filtering it kills VLAN 20; it won't connect or issue IP addresses. And I sorted the rules but had to add drop rules to stop management access from VLAN 20, but it can still ping the other subnets. I can access WebFig from VLAN 10, but when I log in it times out.
 
DitchRat95
newbie
Topic Author
Posts: 29
Joined: Tue Jul 19, 2022 5:43 pm

Re: vlan access to winbox

Fri Apr 21, 2023 11:48 am

Got rid of the VLANs and tried to clean it up; seems to work well. Left a copy of the script if anyone wants to look. Still want to set up my guest radios to turn off and on with a scheduler, if someone could help? Also would like to make sure I am using DNS caching that both subnets are utilizing, and just want Google as secondaries... Thanks everyone!
