fraksipon
newbie
Topic Author
Posts: 36
Joined: Mon Oct 14, 2013 8:46 am

Vlan blocking and communication between vlans

Thu Nov 04, 2021 11:01 am

When I run rule 11, vlans do not ping each other.
11 X  chain=forward action=drop in-interface=all-vlan log=no log-prefix="" 
If I add rule
09 X chain=forward action=accept in-interface=vlan-200 out-interface=vlan-100 log=no log-prefix=""
10 X chain=forward action=accept in-interface=vlan-100 out-interface=vlan-200 log=no log-prefix="" 
INTERFACE:
-----eth1->
----------vlan-100
-----eth2->
----------vlan-200
-----eth3->
---------- vlan-300
-----eth4->
---------- vlan-400

I am asking for support on how to block communication between all VLANs, but enable communication between vlan100 and vlan200.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan blocking and communication between vlans

Thu Nov 04, 2021 3:08 pm

Please post your complete config to assess properly........

/export hide-sensitive file=anynameyouwish
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Vlan blocking and communication between vlans

Thu Nov 04, 2021 10:23 pm

Without seeing your full config, you are essentially correct. Allow what you specifically want, then drop everything. You can even be more selective. For example, only certain devices on one VLAN can access another VLAN. I have a bunch of that on mine.
But the devil is in the details. As Anav requested, post a complete config:
To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
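
The allow-then-drop ordering discussed in this thread, modelled as an added example (not part of any post and not MikroTik code): a simplified first-match evaluation of rules 9 to 11 from the first post, ignoring connection tracking. The `ether5-wan` uplink name and the variant of the drop rule with `out-interface=all-vlan` are assumptions added for illustration.

```python
from dataclasses import dataclass
from typing import Optional

VLANS = ["vlan-100", "vlan-200", "vlan-300", "vlan-400"]  # names from the first post
WAN = "ether5-wan"  # hypothetical uplink; the thread does not name one

@dataclass
class Rule:
    action: str                    # "accept" or "drop"
    in_if: Optional[str] = None    # None = any; "all-vlan" = any VLAN interface
    out_if: Optional[str] = None
    disabled: bool = False         # the "X" flag in RouterOS print output

def matches(selector, iface):
    """True if an interface matcher (None, 'all-vlan' or a name) covers iface."""
    if selector is None:
        return True
    if selector == "all-vlan":
        return iface in VLANS
    return selector == iface

def forward(rules, in_if, out_if):
    """First enabled matching rule decides; with no match the chain accepts."""
    for r in rules:
        if not r.disabled and matches(r.in_if, in_if) and matches(r.out_if, out_if):
            return r.action
    return "accept"

def ruleset(allow_pair_enabled=True, drop_out_if=None):
    """Rules 9, 10, 11 in the order posted; drop_out_if narrows rule 11 (assumed variant)."""
    return [
        Rule("accept", "vlan-200", "vlan-100", disabled=not allow_pair_enabled),  # rule 9
        Rule("accept", "vlan-100", "vlan-200", disabled=not allow_pair_enabled),  # rule 10
        Rule("drop", "all-vlan", drop_out_if),                                    # rule 11
    ]

def allowed_flows(rules):
    """Every (source VLAN, destination interface) pair the chain lets through."""
    return sorted((s, d) for s in VLANS for d in VLANS + [WAN]
                  if s != d and forward(rules, s, d) == "accept")

if __name__ == "__main__":
    cases = [
        ("rule 11 only", ruleset(allow_pair_enabled=False)),
        ("rules 9-11 as posted", ruleset()),
        ("rules 9-11, drop limited to VLAN-to-VLAN", ruleset(drop_out_if="all-vlan")),
    ]
    for name, rules in cases:
        print(f"{name}: {allowed_flows(rules)}")
```

With the drop rule as posted, traffic from a VLAN to the uplink is dropped as well, because `in-interface=all-vlan` with no out-interface matcher covers every packet arriving from a VLAN.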
 
fraksipon
newbie
Topic Author
Posts: 36
Joined: Mon Oct 14, 2013 8:46 am

Re: Vlan blocking and communication between vlans

Fri Nov 05, 2021 3:28 pm

Please post your complete config to assess properly........

/export hide-sensitive file=anynameyouwish

It's only part of the code. I would like to allow ether2_trunk_110 to communicate with ether2_trunk_120
/interface bridge
add admin-mac=4C:5E:0C:3F:31:35 auto-mac=no name=BRIDGE_lokacja \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1_wan
set [ find default-name=ether2 ] name=ether2_TRUNK_110
set [ find default-name=ether3 ] name=ether3_TRUNK_120

/interface vlan
add interface=ether2_TRUNK_110 name=TEACH_LAN_110 vlan-id=110
add interface=ether3_TRUNK_120 name=TEACH_WIFI_120 vlan-id=120
add interface=ether1_wan name=BRIDGE_lokacja vlan-id=500

/ip dhcp-server
add add-arp=yes address-pool=TEACH_WIFI disabled=no interface=TEACH_WIFI_120 name=TEACH_WIFI
add add-arp=yes address-pool=TEACH_LAN disabled=no interface=BRIDGE_lokacja name=TEACH_LAN

/interface bridge port
add bridge=BRIDGE_lokacja interface=BRIDGE_lokacja
add bridge=BRIDGE_lokacja interface=TEACH_LAN_110

/ip address
add address=10.0.4.1/24 comment=TEACH_LAN interface=BRIDGE_lokacja network=10.0.4.0
add address=10.0.6.1/24 comment=TEACH_WIFI interface=TEACH_WIFI_120 network=10.0.6.0

/ip dhcp-server network
add address=10.0.4.0/24 comment=TEACH_LAN dns-server=10.0.4.4,10.0.4.1 gateway=10.0.4.1 netmask=24
add address=10.0.6.0/24 comment=TEACH_WIFI dns-server=10.0.6.1 gateway=10.0.6.1 netmask=24


/ip firewall filter
add action=accept chain=forward disabled=yes in-interface=ether3_TRUNK_120 out-interface=BRIDGE_lokacja
add action=accept chain=forward disabled=yes in-interface=BRIDGE_lokacja out-interface=ether3_TRUNK_120
add action=drop chain=forward disabled=yes in-interface=all-vlan

 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan blocking and communication between vlans

Fri Nov 05, 2021 6:29 pm

Your configuration is very confusing and probably all wrong.
Why not use one bridge?
Assign all ports to it (except for the wan port of course)
Assign vlans to the bridge
and follow this guide.........


viewtopic.php?t=143620
