MicrotikUser
newbie
Topic Author
Posts: 29
Joined: Tue Aug 21, 2018 12:42 am

Isolated VLAN "Bound" to Specified Ethernet Port.

Sat Nov 20, 2021 5:13 pm

Is it possible to create a scenario in which connecting an Ethernet cable to a specified port patches you into a totally isolated VLAN? I've been able to achieve something very similar to this using Wi-Fi with a tutorial found here: https://www.youtube.com/watch?v=1ZJ-pM89N7o How would one go about "binding" an Ethernet port to a VLAN? Using the linked tutorial I was able to safely isolate a work PC from my home PCs, but I'd like to do the same thing with the reliability and speed of Ethernet. Does anyone have a tutorial on how to do this, or on how my goal of doing this with Ethernet would differ from doing this with Wi-Fi? (See referenced tutorial)

My hardware: MikroTik RB4011iGS+5HacQ2HnD
RouterOS: 6.45.9
 
mkx
Forum Guru
Posts: 11445
Joined: Thu Mar 03, 2016 10:23 pm

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

Sat Nov 20, 2021 5:19 pm

I'm not going to watch some video tutorial to learn your wishes. You'd better express them in a few sentences.

But anyway, if you remove the ether port from the bridge (/interface bridge port), then it'll be isolated from the rest of the network(s). Nothing to do with VLANs (as in IEEE 802.1Q) so far. If you then add an IP address on that port (and a DHCP server and whatnot), then the router can communicate with the device connected to that port (or multiple devices if the port is connected to an Ethernet switch).
 
MicrotikUser
newbie
Topic Author
Posts: 29
Joined: Tue Aug 21, 2018 12:42 am

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

Sat Nov 20, 2021 8:04 pm

> I'm not going to watch some video tutorial to learn your wishes. You'd better express them in a few sentences.
>
> But anyway, if you remove the ether port from the bridge (/interface bridge port), then it'll be isolated from the rest of the network(s). Nothing to do with VLANs (as in IEEE 802.1Q) so far. If you then add an IP address on that port (and a DHCP server and whatnot), then the router can communicate with the device connected to that port (or multiple devices if the port is connected to an Ethernet switch).

I've managed to create a bridge, a DHCP server, and an address list. I've also managed to bind this to my Ethernet, and it works. However, I can still ping other PCs I should not be able to ping. How can I prevent this?
 
mkx
Forum Guru
Posts: 11445
Joined: Thu Mar 03, 2016 10:23 pm

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

Sat Nov 20, 2021 9:43 pm

Use firewall.
 
MicrotikUser
newbie
Topic Author
Posts: 29
Joined: Tue Aug 21, 2018 12:42 am

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

Sat Nov 20, 2021 11:16 pm

> Use firewall.

I've tried these without luck.

/ip firewall filter add chain=input action=drop src-address=192.168.88.0/24 dst-address=10.10.1.0/24
/ip firewall filter add chain=input action=drop src-address=10.10.1.0/24 dst-address=192.168.88.0/24
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

Sat Nov 20, 2021 11:47 pm

It won't do much good in input chain, the right place is forward chain.
 
MicrotikUser
newbie
Topic Author
Posts: 29
Joined: Tue Aug 21, 2018 12:42 am

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

Sun Nov 21, 2021 12:47 am

> It won't do much good in input chain, the right place is forward chain.

I can still ping 192.168.88.1 with the rule on forward. Although I can see there was traffic on these rules.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

Sun Nov 21, 2021 1:09 am

If 192.168.88.1 is the router (most likely), then it's correct, you can ping it, but it doesn't really matter. If you want to block it too, you can, but this time chain=input would be the correct one. But again, it's probably pointless; it makes sense only if you want to block access to the router completely, using any address. If you don't need that and access to 10.10.1.1 (my guess for the other router address) is allowed, there's no harm if 192.168.88.1 is allowed too.
 
MicrotikUser
newbie
Topic Author
Posts: 29
Joined: Tue Aug 21, 2018 12:42 am

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

Sun Nov 21, 2021 1:24 am

> If 192.168.88.1 is the router (most likely), then it's correct, you can ping it, but it doesn't really matter. If you want to block it too, you can, but this time chain=input would be the correct one. But again, it's probably pointless; it makes sense only if you want to block access to the router completely, using any address. If you don't need that and access to 10.10.1.1 (my guess for the other router address) is allowed, there's no harm if 192.168.88.1 is allowed too.

In testing I can also ping a PC on my 192.168.88.X network. Maybe a reboot?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

Sun Nov 21, 2021 2:14 am

Then it could be some other rule(s) allowing access before these have a chance to block it. A reboot is not required, config is applied immediately, although some state may persist from before. Specifically for ping/ICMP, the router remembers it as a "connection" and works with that, instead of with individual packets. Combined with the default firewall, and if you keep the ping running, it would still be allowed. So you need to stop it and give it a minute before you try again. Or you can ping a different address. Or a reboot is a way too, that's a sure thing.
 
MicrotikUser
newbie
Topic Author
Posts: 29
Joined: Tue Aug 21, 2018 12:42 am

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

Sun Nov 21, 2021 4:29 pm

Seems like a bad idea posting this here.... oh well! I haven't really touched these. I disabled the rules temporarily because I'm testing this in production :shock: Anything look bad above the rules?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Isolated VLAN "Bound" to Specified Ethernet Port.

Sun Nov 21, 2021 6:13 pm

Next time (if there is a next time) don't post screenshots, because they don't show everything. It's better to post a text export. You can get it from the terminal, if you run e.g. "/ip firewall filter export" for just the firewall filter, or "/export hide-sensitive file=somename" for the whole thing, and it will be saved as somename.rsc. But in this case, if it's the default config and you didn't change the rules, it's ok.

But on topic, my suggestion is to do one small modification. The default firewall blocks new connections from WAN (rule #11) and allows everything else. I find it better to list what should be allowed and block everything else, which in this case can be accomplished by adding two rules at the end:
/ip firewall filter
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept comment="allow access from LAN to internet"
add chain=forward action=drop comment="block everything else"
Then you can disable #11. And you don't need to worry anymore about blocking your separate interface, because it's automatic. If you want to enable something else, e.g. access from that interface to the internet, simply add another rule before the last blocking one:
/ip firewall filter
add chain=forward in-interface=etherX out-interface-list=WAN action=accept comment="allow access from etherX to internet"
Also check if you have the interface lists configured correctly. The default ones are LAN and WAN, but you can add a new one for your port, if you want. It doesn't change how it works, but it can be simpler to manage, if you use the same interface in multiple rules.
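The steps discussed across this thread (take the port out of the bridge, give it its own address and DHCP server, move the forward chain to default-deny, and flush the tracked connections that keep an old ping alive) collected into one RouterOS configuration. This is an added example, not Sob's or MikroTik's own config. It assumes: ether5 is the isolated port, 10.10.1.0/24 is its subnet, and the RouterOS default firewall is in place, including its "defconf:" rule comments, its established/related accept and drop-invalid rules ahead of the rules added here, and the default LAN/WAN interface lists.

```routeros
# Added example (not from the thread). Assumptions: ether5 is the isolated port,
# 10.10.1.0/24 is its subnet, the default firewall and LAN/WAN lists are present.

# 1. Remove the port from the bridge so it no longer shares L2 with the home LAN.
/interface bridge port remove [find interface=ether5]

# 2. Give the port its own L3 network plus a DHCP server for the hosts behind it.
/ip address add address=10.10.1.1/24 interface=ether5 comment="isolated segment"
/ip pool add name=pool-isolated ranges=10.10.1.10-10.10.1.254
/ip dhcp-server add name=dhcp-isolated interface=ether5 address-pool=pool-isolated disabled=no
/ip dhcp-server network add address=10.10.1.0/24 gateway=10.10.1.1 dns-server=10.10.1.1

# 3. Keep ether5 OUT of the LAN list (so LAN-wide accept rules never match it)
#    and give it its own list so rules can refer to it by name.
/interface list add name=ISOLATED
/interface list member add list=ISOLATED interface=ether5

# 4. Forward chain: allow-list, then drop everything else. The default rules for
#    established/related and invalid connections already sit above these.
/ip firewall filter
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow LAN to internet"
add chain=forward action=accept in-interface-list=ISOLATED out-interface-list=WAN comment="allow isolated port to internet"
add chain=forward action=drop comment="block everything else (LAN <-> ISOLATED included)"
# The default "drop all from WAN not DSTNATed" rule is now redundant (assumed comment text).
disable [find comment="defconf: drop all from WAN not DSTNATed"]

# 5. Input chain: isolated hosts only need DHCP and DNS from the router. Inserted
#    before the default "drop all not coming from LAN" rule (assumed comment text);
#    ether5 is not in LAN, so that rule already drops any other access to the router.
add chain=input action=accept in-interface-list=ISOLATED protocol=udp dst-port=53,67 \
    comment="isolated: DHCP/DNS to router" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 6. Tracked connections outlive new drop rules (the "ping keeps working" effect).
#    Flush the entries from the isolated segment instead of rebooting.
/ip firewall connection remove [find src-address~"^10.10.1."]
```

Verify the result with "/ip firewall filter print" (the drop rule must be the last forward rule and the accept rules above it), then ping a 192.168.88.x host from ether5: the counter on the "block everything else" rule should increase and the ping should fail once no pre-existing connection entry remains.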
