ozma64
just joined
Topic Author
Posts: 9
Joined: Sat Aug 29, 2020 6:15 am

Block access to inter-VLAN Router IPs

Sun Aug 30, 2020 5:46 pm

Greetings.
I am setting up VLAN Isolation on my router. I want 100% complete isolation between each VLAN except for any inter-VLAN connection that has been NATed.
I do not want any device on any VLAN Network to be able to connect to or even Ping an IP on another VLAN unless there is a NAT Rule allowing that connection.
I also do not want devices to be able to communicate with the Router's IP address on different VLAN.

My PC IP:
---192.168.100.100 - on VLAN 100 (Home)
My Router's IPs:
---192.168.100.1 - VLAN 100 (Home)
---192.168.150.1 - VLAN 200 (Work)
---192.168.200.1 - VLAN 300 (Security)
---192.168.250.1 - VLAN 1 (Management)

I have Address Lists containing the entire network for each VLAN (including the Router's IP addresses).

If my PC (192.168.100.100) pings the router, I want it to ONLY be able to communicate with the router at 192.168.100.1, but be denied communication at 192.168.150.1, 192.168.200.1, and 192.168.250.1.

Below are my Input Firewall rules that I have created to attempt to stop devices from being able to communicate with the router's IP that isn't on the same VLAN. Unfortunately they do not work and my PC can ping and access the Vband still.

add action=drop chain=input comment="Home Network Router Isolation Not NATed" \
connection-nat-state=!srcnat,dstnat connection-state=new dst-address-list=\
"Home Network" src-address-list="!Home Network"

add action=drop chain=input comment="Work Network Router Isolation Not NATed" \
connection-nat-state=!srcnat,dstnat connection-state=new dst-address-list=\
"Work Network" src-address-list="!Work Network"

add action=drop chain=input comment="Security Network Router Isolation Not NATed" \
connection-nat-state=!srcnat,dstnat connection-state=new dst-address-list=\
"Security Network" src-address-list="!Security Network"

add action=drop chain=input comment="Management Network Router Isolation Not NATed" \
connection-nat-state=!srcnat,dstnat connection-state=new dst-address-list=\
"Management Network" src-address-list="!Management Network"

Can anyone assist in identifying where my Firewall rules have gone wrong?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block access to inter-VLAN Router IPs

Mon Aug 31, 2020 3:58 pm

Here is how I would approach your issues.
(hint1: I would not use NAT to allow traffic I would use firewall rules).
(hint2: I can do it with one firewall rule!!)

My last rule in the forward chain is
/ip firewall filter
add chain=forward action=drop comment="drop everything else"
Done!!

If I wanted to allow specific traffic I would put it before that rule.
For example, a printer on VLAN B needs to be accessed by everyone in VLAN A:
add chain=forward action=accept in-interface=VLANA dst-address=<IP of printer>
 
ozma64
just joined
Topic Author
Posts: 9
Joined: Sat Aug 29, 2020 6:15 am

Re: Block access to inter-VLAN Router IPs

Mon Aug 31, 2020 9:47 pm

That isn't what I am wanting however, I just want 100% VLAN isolation, not just blocking everything and creating manual firewall rules for each allowed connection.
I want any device on the home network VLAN to be able to communicate with any IP on the home network VLAN ONLY, but be unable to communicate with any IP (including the router's .1 IP) on a different VLAN. Same for each of the other VLANs.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Block access to inter-VLAN Router IPs

Mon Aug 31, 2020 11:00 pm

It probably is what you want. With an unconditional block rule at the end, anything not previously allowed is blocked. If you forget to allow something, you'll notice immediately, because it won't work. With the opposite approach, if you forget to block something, you may never notice, because you'll hardly test everything that should be blocked.

And it's simple and easy to understand, you need only a few rules. For forward:

- allow established, related and untracked
- drop invalid
- allow VLAN x to internet (if it should be allowed of course)
- allow VLAN y to internet
- allow VLAN x to VLAN z
- ...
- allow forwarded ports
- block the rest (drop or reject)

Similar for input:

- allow established, related and untracked
- drop invalid
- allow access from VLAN x
- allow access from VLAN y
- ...
- block the rest (drop or reject)

Some VLANs may not need to communicate with the router at all, so you don't need to add those. Some may need e.g. only DNS, so you'd allow only tcp/udp 53 from them. In your case, if you want to allow access only to the router's address on the same VLAN (which I don't think will help you, but why not), you'd add an extra dst-address=<router's address in selected VLAN> to the accept rules. And that's it, nice and simple.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Block access to inter-VLAN Router IPs

Mon Aug 31, 2020 11:05 pm

What you want is achieved in the way @anav indicated and @sob further elaborated.

A typical Mikrotik device running ROS performs two quite distinct functions:
  1. router
    Router with multiple interfaces (either physical, such as ethernet or wireless, or virtual, such as VLAN or IPIP or PPP*) configured with IP addresses, will route packets according to routing table(s). If router has multiple VLAN interfaces with corresponding IP addresses set, it will route traffic between VLANs.
    Unless routing is somehow forbidden, e.g. using negative routing rules.
  2. firewall
    Device can block certain traffic according to rules. The most simple firewall has two interfaces and filters traffic between those two interfaces. If firewall has multiple interfaces (i.e. is embedded in a router) its functionality is not changed (much).
    Hence using the firewall to block traffic between two particular interfaces is pretty straightforward. Furthermore, the ROS firewall is a stateful one and is thus even more flexible than using simple routing filters.

And then we come to your dilemma about accessibility of the router's different IP addresses. The firewall has 3 chains: forward (which works on traffic between third parties crossing the router), input (traffic initiated by a third party and targeting the router itself at any interface) and output (traffic initiated by the router). When a packet arrives at a router's interface, it first checks which chain the packet belongs to: forward or input. If dst-address is one of the router's own addresses and no dst-nat rule exists to forward that packet further, then the packet belongs to the input chain. And at this stage it doesn't really matter which of the router's IP addresses was used; what most of the time really matters is which client sent that packet (and which interface was used). Surely you can construct a rule which would drop packets originating from client X.Y.Z.W/24 and targeting any of the router's IP addresses apart from X.Y.Z.1. But again: essentially there's no real point in doing it.
 
ozma64
just joined
Topic Author
Posts: 9
Joined: Sat Aug 29, 2020 6:15 am

Re: Block access to inter-VLAN Router IPs

Mon Aug 31, 2020 11:13 pm

That isn't the way I am setting up my network, there are other gears in the works on my network that I did not post because it is irrelevant to what I am asking. I appreciate the above mentioned ideas but that is not what I am looking for. I am simply wanting to know what I am missing in the Filter rules that I posted that will get VLAN isolation to work (including the Router IPs).

@mkx, yeah... I have identical Forward rules made up as well for traffic between connected devices. I just posted the Input rules as that is the only test I have available to me until the rest of my equipment gets in.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Block access to inter-VLAN Router IPs

Mon Aug 31, 2020 11:33 pm

Your rules should work too. That's if you have correct address lists, have them at the right place in chain, there are no other rules before them that would allow it before these have chance to block it, etc.

But they are not great, because they work only with IP addresses and those can be easily spoofed. Even though bidirectional communication won't work, you will be able to send packets between vlans. Well, with these to router, because it's input chain, but if you have forward rules done the same way, then also to other devices. Unless you'd use RP filter, but it's disabled by default.
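As an added example (not from the thread and not anyone's posted config), here is a complete default-deny rule set in the shape Sob listed earlier, written against interface lists instead of address lists. Matching on the interface a packet arrived on is what removes the source-address spoofing weakness Sob points out above: a packet with a forged 192.168.150.x source still arrives on the home VLAN interface and is judged as home traffic. The VLAN interface names (vlan100-home etc.), the WAN port, the printer address and the DNS/ICMP allowances are assumptions chosen to fit the addressing in this thread.

```routeros
# Interface lists, one per VLAN plus WAN (interface names are assumed for this example)
/interface list
add name=HOME
add name=WORK
add name=SECURITY
add name=MGMT
add name=WAN
/interface list member
add interface=vlan100-home list=HOME
add interface=vlan200-work list=WORK
add interface=vlan300-security list=SECURITY
add interface=vlan1-mgmt list=MGMT
add interface=ether1 list=WAN

/ip firewall filter
# input chain: who may talk to the router itself
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept in-interface-list=MGMT comment="management VLAN may reach the router on any address"
# home VLAN gets only DNS and ping, and only on its own gateway address
add chain=input action=accept in-interface-list=HOME dst-address=192.168.100.1 protocol=udp dst-port=53 comment="home: DNS on own gateway only"
add chain=input action=accept in-interface-list=HOME dst-address=192.168.100.1 protocol=icmp comment="home: ping own gateway only"
# work/security VLANs get nothing from the router (no rule needed); everything else is dropped
add chain=input action=drop comment="drop everything else (includes other VLAN gateway addresses)"

# forward chain: traffic crossing the router between interfaces
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=HOME out-interface-list=WAN comment="home VLAN to internet"
add chain=forward action=accept in-interface-list=WORK out-interface-list=WAN comment="work VLAN to internet"
# one deliberate inter-VLAN exception, placed before the final drop (printer address is assumed)
add chain=forward action=accept in-interface-list=HOME dst-address=192.168.150.20 protocol=tcp dst-port=9100 comment="home may print on the work VLAN printer"
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN comment="port forwards from WAN"
add chain=forward action=drop comment="drop everything else (all other inter-VLAN traffic)"

# strict reverse-path filtering additionally discards packets whose source address
# does not belong to the interface they arrived on, which is Sob's RP filter remark
/ip settings set rp-filter=strict
```

Two practical notes: rp-filter=strict breaks asymmetric routing (for example multi-WAN with policy routing), so use loose or leave it off in such setups; and rules that match established/related/untracked must stay at the top of each chain, otherwise the final drop discards return traffic of connections you allowed.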
 
ozma64
just joined
Topic Author
Posts: 9
Joined: Sat Aug 29, 2020 6:15 am

Re: Block access to inter-VLAN Router IPs

Mon Aug 31, 2020 11:45 pm

@Sob, I have moved all of the rules to the top of my filter list to test the theory of location in the filter list already. Unfortunately even at the top of my list the input filter rules will not work. My PC at 192.168.100.100 is still able to ping 150.1, 200.1, and 250.1

These are the networks (with their CIDR) that I am using:
---192.168.100.0/24 - VLAN 100 (Home)
---192.168.150.0/24 - VLAN 200 (Work)
---192.168.200.0/28 - VLAN 300 (Security)
---192.168.250.0/28 - VLAN 1 (Management)

My Address lists match these networks 1 to 1. (I've double checked, just in case)
 
ozma64
just joined
Topic Author
Posts: 9
Joined: Sat Aug 29, 2020 6:15 am

Re: Block access to inter-VLAN Router IPs

Mon Aug 31, 2020 11:52 pm

@Sob, yes, I am aware of spoofing as well. Right now I'm wanting to focus on getting general isolation working; once that is done, I will be fine tuning it. I also thought that what I have so far should be working. I don't understand why it isn't though.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Block access to inter-VLAN Router IPs

Tue Sep 01, 2020 12:03 am

Let's take ping from 192.168.100.100 to 192.168.150.1, it's access to work network, so it's this rule:
/ip firewall filter
add action=drop chain=input comment="Work Network Router Isolation Not NATed" \
connection-nat-state=!srcnat,dstnat connection-state=new dst-address-list=\
"Work Network" src-address-list="!Work Network"
If you have:
/ip firewall address-list
add address=192.168.150.0/24 list="Work Network"
then:

- dst-address-list="Work Network" - matches
- src-address-list="!Work Network" - matches
- connection-state=new - matches (for new connection)
- connection-nat-state=!srcnat,dstnat - matches, unless there's some dstnat rule that also matched (although I have no idea why would you ever need dstnat to router's other address, so this condition may be "good" only as source of errors)
 
ozma64
just joined
Topic Author
Posts: 9
Joined: Sat Aug 29, 2020 6:15 am

Re: Block access to inter-VLAN Router IPs

Tue Sep 01, 2020 12:17 am

@Sob, Exactly, when looking at it, everything matches, so therefore the pings should get dropped, but for some reason the pings still go through. I thought maybe it was because of the Bridges linking my VLAN Interfaces (Home VLAN Interfaces to Home Bridge, Work to work, and so on). So I enabled use-ip-firewall as well as use-ip-firewall-for-vlan on my bridge settings just in case that was the issue, but there was no change.

As for the NAT tests, I made the rules by copying the Forward rules and changed the copy to Input... so really I can probably just remove the NAT tests in the input rules as you are right about not really needing them.
Last edited by ozma64 on Tue Sep 01, 2020 12:28 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block access to inter-VLAN Router IPs

Tue Sep 01, 2020 12:27 am

All I know is the following...........
a. me who knows very little but got things to work using the direct and simple way and you can't with a complicated indirect way.
b. the two yahoos that also suggested the simple way are bonafide experts

I'm just sitting back drinking my beer enjoying the free show!!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Block access to inter-VLAN Router IPs

Tue Sep 01, 2020 12:56 am

So I enabled use-ip-firewall as well as use-ip-firewall-for-vlan on my bridge settings ...
Don't. And good advice, stay away from those, because chances are that it will only bring headaches. It can be useful, but it does unexpected things.

For the rules, try simple test, e.g. take that one and make it into:
/ip firewall filter
add action=log log-prefix="match:!nat" chain=input connection-nat-state=!srcnat,dstnat
add action=log log-prefix="match:new" chain=input connection-state=new
add action=log log-prefix="match:dst=Work" chain=input dst-address-list="Work Network"
add action=log log-prefix="match:src=!Work" chain=input src-address-list="!Work Network"
You will see what matches and what doesn't, and you'll know where to look next. Depending on current traffic, these exact rules may not be good, because some can match too much. But you get the idea, instead of wondering why one rule with several conditions doesn't work, make it simpler and you'll eventually find what's the problem.

There's also always the option to post whole config and then maybe someone else can see something you might have missed.
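A variation on the one-condition-per-rule test above, added here as an example and not part of Sob's post: the same four conditions with action=passthrough, which only increments the rule's counters and then continues down the chain, so the log is not flooded when a condition matches a lot of unrelated traffic. The rule order, comments and the "Work Network" list name mirror the thread; the expectation that the non-matching condition shows a zero packet counter is the point of the test.

```routeros
# Each test rule matches exactly one of the four conditions from the original drop rule.
# place-before=0 puts them at the top of the chain so nothing else handles the packet first.
/ip firewall filter
add chain=input action=passthrough connection-nat-state=!srcnat,dstnat comment="test:!nat" place-before=0
add chain=input action=passthrough connection-state=new comment="test:new" place-before=0
add chain=input action=passthrough dst-address-list="Work Network" comment="test:dst=Work" place-before=0
add chain=input action=passthrough src-address-list="!Work Network" comment="test:src=!Work" place-before=0

# Zero all counters, then send a few pings from 192.168.100.100 to 192.168.150.1
/ip firewall filter reset-counters-all

# Show only the test rules with their packet/byte counters
/ip firewall filter print stats where comment~"^test:"
# The condition whose test rule stayed at 0 packets is the one that does not match;
# remove the test rules once the faulty condition is found
/ip firewall filter remove [find comment~"^test:"]
```

Because passthrough never terminates evaluation, the original drop rule (and every other rule) still sees the packet, so the test does not change how traffic is actually handled while it runs.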
 
ozma64
just joined
Topic Author
Posts: 9
Joined: Sat Aug 29, 2020 6:15 am

Re: Block access to inter-VLAN Router IPs

Tue Sep 01, 2020 1:17 am

@Sob Thank you, that is helpful advice. And yeah, I typically don't use those settings and I turned them off the moment I found that it didn't help. I was just testing them for troubleshooting's sake.

I currently have to sleep and do some work tomorrow, I'll try your advice and see where the break is at once I get some free time tomorrow. Thank you again! I will advise whether it worked or not then.
 
rikpal
Frequent Visitor
Posts: 74
Joined: Tue Mar 07, 2023 2:02 pm
Location: Italy

Re: Block access to inter-VLAN Router IPs

Thu Mar 23, 2023 2:52 pm

Good morning,
I'm configuring a new MikroTik router (CCR2216) to replace my current one from Draytek (Vigor3910).
I have some doubts about firewall configuration. I've read carefully several times forum discussions and this guide: viewtopic.php?t=180838
My need is to keep the 4 VLANs I have completely isolated (I searched a lot about the subject 'block inter-vlan routing' in the forum).
I struggled to do it, but at the end I was able to make it work, even if I still have some doubts. In practice I was able to separate the VLANs only if I use the IP filter chain=input, despite in several discussions I've clearly seen examples using chain=forward to block the inter-VLAN routing and keep them completely isolated.
Here is my config. Is there something wrong I've done?
Thank you in advance for your help and suggestions.

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment=\
"allow VLAN 50 only (inter-vlan is blocked)" dst-address=10.10.50.0/24 \
src-address=10.10.50.0/24
add action=accept chain=input comment=\
"allow VLAN 100 only (inter-vlan is blocked)" dst-address=10.10.100.0/24 \
src-address=10.10.100.0/24
add action=accept chain=input comment=\
"allow MANAGEMENT VLAN only (inter-vlan is blocked)" dst-address=\
10.10.99.0/24 src-address=10.10.99.0/24
add action=accept chain=input comment=\
"allow GUEST VLAN only (inter-vlan is blocked)" dst-address=\
192.168.0.0/24 src-address=192.168.0.0/24
add action=drop chain=input comment="block everything else"
add action=fasttrack-connection chain=forward comment=\
"fast-track for established,related" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic (all vlans)" \
in-interface=all-vlan out-interface-list=WAN
add action=drop chain=forward comment="drop access to clients behind NAT from \
WAN - drops all new connection attempts from the WAN port to our LAN netwo\
rk (unless DstNat is used). Without this rule, if an attacker knows or gue\
sses your local subnet, he/she can establish connections directly to local\
\_hosts and cause a security threat." connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"*** INVALID ACCESS TO CLIENTS BEHIND NAT FROM WAN ***"
add action=drop chain=forward comment="block everything else"
