Handling all firewall rules in the routers for multiple access point.

homerouter · Wed Jan 05, 2022 1:41 pm

Handling all firewall(fw) rules in the routers for multiple access point(AP), some wireless and some wired.

For now i only have 1 router and 1 wireless AP. So i have fw rules in both, this is a mess when expanding to 7 AP.

There are 3 segment's in both, and they are not running VLAN.

How to handle all the fw rules in the router, and not in the AP too?

If i need to reconfigure it all, that's ok, i looking for hints and discussion.

anav · Wed Jan 05, 2022 2:24 pm

The APs dont need firewall rules!

Sob · Wed Jan 05, 2022 2:41 pm

It depends. If you have for example separate network for guests, one way to isolate it can be firewall on AP. But I'd rather choose VLAN, do all filtering on router and keep APs transparent.

anav · Wed Jan 05, 2022 2:54 pm

Rules to live by For Accredited Trainers:
From MTUNA Appendix, Things they dont teach you at MT School.
As soon as one has multiple subnets hitting the AP, a smart donkey would move towards vlans, a dumb ass would keep trying to shove spaghetti up a straw!

Analogous in a way is the other rule to live by
From MTUNA Appendix, Helping others on the forum
Don't be too soft, RIP OFF that bandage, its actually much more painful to remove it slowly!

homerouter · Wed Jan 05, 2022 3:00 pm

For now there are 3 segments and 3 SSID in the wireless AP.
In the fw chain there are about 25 rules in the AP, to allow/deny traffic between segment.
All are using the default gw to the main router, and there are static routes in the main router, so no double NAT.

-When extending to 5 or 7 AP i want a solution with no fw rules in the AP, and only in the main router.
But how to do that?

Sob · Wed Jan 05, 2022 3:12 pm

Well, listen to the wise ass, rip it off.

Convert your three segments into three VLANs on main router, and then connect as many APs as you want with only minimal config required to put users in VLANs. Everything else will be done on router. If you want more detailed instructions, provide more info, what exactly you want from those three segments, what's your current config, etc. And the friendly flaming animal will tell you how to change your router so well that you won't recognize it (but you may actually like the result).

homerouter · Wed Jan 05, 2022 3:34 pm

If making VLAN will you the use the trunk port to connect to the AP, If not i cant understand it?
What will it change if using VLAN according to the 3 segment, the ip must be routed...?
Maybe give an overview so i get what you mean:-)

Sob · Wed Jan 05, 2022 4:04 pm

Yes, AP will be connected to trunk port with VLANs, and then its config can be something like this (plus some wlan config):

/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=admin vlan-id=100
/interface wireless
set [ find default-name=wlan1 ] ssid=UserNet1 <other options>
add master-interface=wlan1 name=wlan2 ssid=UserNet2 <other options>
add master-interface=wlan1 name=wlan3 ssid=UserNet3 <other options>
/interface bridge port
add bridge=bridge interface=wlan1 pvid=10
add bridge=bridge interface=wlan2 pvid=20
add bridge=bridge interface=wlan3 pvid=30
add bridge=bridge interface=ether1
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=wlan1 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=wlan2 vlan-ids=20
add bridge=bridge tagged=ether1 untagged=wlan3 vlan-ids=30
add bridge=bridge tagged=bridge,ether1 vlan-ids=100
/ip address
add address=192.168.100.2/24 interface=admin
/ip dns
set servers=192.168.100.1
/ip route
add gateway=192.168.100.1

That's three separate networks (VLANs 10, 20, 30), with fourth for administration (VLAN 100). AP itself is part of only one network (admin), so it doesn't even try to route anything between others. Everything in those other networks (DHCP, inter-VLAN routing, firewall) happens on main router.

anav · Wed Jan 05, 2022 5:35 pm

What Sob missed out on was directing you to the standard for setting up vlans
There is an example there just for Access Points, post #4.
What I suggest you do is start at the beginning and digest the information and then go back and forth from the explanation and Post #4 to come to grips with the config setup.
viewtopic.php?t=143620

The key points are
one bridge
All subnets described/identified as vlans and with parent interface being the bridge.
No firewall rules
Only one interface list entry called MANAGE or BASE
The trusted vlan is usually the only interface as a list member (you dont need a separate vlan for management purposes if you the admin actually reside and exist on an existing trusted vlan like home (not guest or iot devices etc...).
What is important is that the AP gets an IP address on the trusted vlan subnet.
The interface list is used in three places typically, a. neighbours discovery setting and b. tools/winmac server
One IP route required and its typically dst-address= 0.0.0.0/0 gw=gatewayIPof trustedvlan table=main

However, its really tricky setting up the bridge when changing subnets and settings within the bridge.
Two recommendations
1. Get use to using SAFE MODE as a normal process.
2. Consider taking ether2 and using it off the bridge for all your configging of the bridge, safe and sound from bridge screwups.........
viewtopic.php?t=181718

homerouter · Wed Jan 05, 2022 8:39 pm

Thank you both:-)
You have pointed me in the right direction.
I actually have an extra router, and some AP.
Now I will try to set it up, and test in a closed environment.

I will return for sure when I hit a wall.

homerouter · Thu Jan 06, 2022 4:45 pm

My main router is connected to the big www. It also handle 192.168.10.0/24 for DHCP and DNS. It will be connected to the MT router in the untagged port 1.

On the MT router normally the WAN port is served with a DHCP client.
In my case it will be assigned a static ip as 192.168.10.4/24 and have a DHCP relay because the DHCP assignment for that segment is coming from the main router.
I still need a VLAN_10 to handout ip on the AP with ip from my main router.

Port 1 is static ip 192.168.10.4 connected to my main router.
Port 2 VLAN_10 and the same segment as the port 1 but DHCP is from the main router.
Port 3 VLAN_20 DHCP is from the MT router
Port 4 VLAN_30 DHCP is from the MT router
Port 5 Trunk port with VLAN_10, VLAN_20, VLAN_30.

The complicated thing is the MT router must have a VLAN_10 there are the same segment as the port 1

How to do that?

mkx · Thu Jan 06, 2022 5:55 pm

Any particular reason for requirement of having same subnet on two interfaces (ether1 and vlan_10)? It is possible to have it, but configuration for that is convoluted.

anav · Thu Jan 06, 2022 7:55 pm

I dont follow, it seems you have a modem router that you have no control over?
Most allow you to port forward any ports required!

Suggesting, just use the one LANIP from the main router, which is also the WANIP on the MT router as the one conduit to the MT Router.

Then you can do whatever you want on the MT router. All traffic will go out the WAN port of the MT router and through the main router to the internet???

I am not understanding the requirement for the additional complexity??

homerouter · Thu Jan 06, 2022 8:46 pm

This simple drawing show what i want.
It is only a drawing not a real network layout.

The 192.168.10.0 is the main segment and the DHCP i in ASUS.
The MT must connect to ASUS and have the VLAN 10,20,30. VLAN_10 is the same segment as in ASUS, and all client get ip from ASUS.
The MT do all the rest VLAN_20,30.
The Trunk from MT is to my MT AP, and other switch.

anav · Thu Jan 06, 2022 9:27 pm

So the switch connected to the Asus, is a dumb switch?
Any reason why you cannot connect the switch to the MT router instead?
Is the asus vlan aware?

In terms of dhcp you want
the asus to hand out DHCP for vlan10
the mt to hand out DHCP for vlan20,30
the mt to handle Firewall rules for all three vlans........

homerouter · Thu Jan 06, 2022 9:36 pm

The switch is just a normal networks switch. It just serve as illustration for the 25 client, some are connected with other switch.

Main reason for MT router is to get WIFI in all places, and segmentation for some users. For now we want the ASUS as the main router for 192.168.10.0/24. And therefore the MT must handout WIFI addresses for that segment too, DHCP 192.168.10.0 came from ASUS.

mkx · Thu Jan 06, 2022 10:04 pm

The simplest way of achieving what you want is to use mikrotik as a bridge (switch) main segment / vlan_10 and only act as router for the rest of vlans ... you would achieve that by configuring port1 as access port for vlan_10, other porrs as trunk ports for all vlans (or access ports for select vlan, depending on how they are used). Bridge interface is tagged member of all VLANs, you need vlan interfaces for all VLANs. Etc.

anav · Fri Jan 07, 2022 4:14 am

So MKX, the flexibility of MT RoS comes to the fore here quite nicely.
THe only question I have is regarding traffic going out to the internet........

should vlans 20,30,20 with interface bridge
have dns servers of 192.168.10.1 ??

Assuming there is no WAN interface here really,,,,,,,,,,,,,,,,

Thus also one ip route should in play
dst-address=0.0.0.0/0 gwyIP=192.168.10.1 ??

OR should it be
dns servers of 192.168.10.4
dst-address=0.0.0.0/0 gwyIP=192.168.10.4

Seeing as the IP address of the MT device itself is 192.168.10.4

homerouter · Fri Jan 07, 2022 1:14 pm

For now the MT router is up and running as expected.
One more time thanks for all the hints, and help

But...
Is it normal that speed between two VLAN is about 310-350Mbit, and CPU load about 99% at one core (RB750Gr3).
Test is done in mimimal setup, no fw roules. Test is with cat6 cable, directly from MT to two computers.
When testing on same bridge without VLAN, speed is about 750Mbit, and CPU load is low.

Update: When doing more streams 3-8 are tested at VLAN, speed is about 700-750Mb between segments, so for me ok

. And then it spread it over more CPU.

This is what i cooked, for now:

# jan/07/2022 11:10:40 by RouterOS 6.49.2
#
# model = RB750Gr3
/interface ethernet
set [ find default-name=ether1 ] comment="vlan_10 and to main router"
set [ find default-name=ether2 ] comment=vlan_10
set [ find default-name=ether3 ] comment=vlan_20
set [ find default-name=ether4 ] comment=vlan_30
set [ find default-name=ether5 ] comment=trunk
/interface bridge
add name=bridge_vlan vlan-filtering=yes
/interface vlan
add interface=bridge_vlan name=vlan10 vlan-id=10
add interface=bridge_vlan name=vlan20 vlan-id=20
add interface=bridge_vlan name=vlan30 vlan-id=30
/interface list
add name=LAN
add name=BASE
/ip pool
add name=dhcp_pool_20 ranges=192.168.21.100-192.168.21.149
add name=dhcp_pool_30 ranges=192.168.30.100-192.168.30.149
/ip dhcp-server
add address-pool=dhcp_pool_20 disabled=no interface=vlan20 name=dhcp20
add address-pool=dhcp_pool_30 disabled=no interface=vlan30 name=dhcp30
/interface bridge port
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=30
add bridge=bridge_vlan frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge_vlan tagged=ether5,bridge_vlan untagged=ether2,ether1 \
    vlan-ids=10
add bridge=bridge_vlan tagged=ether5,bridge_vlan untagged=ether3 vlan-ids=20
add bridge=bridge_vlan tagged=ether5,bridge_vlan untagged=ether4 vlan-ids=30
/interface list member
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
add interface=vlan10 list=BASE
/ip address
add address=192.168.21.1/24 interface=vlan20 network=192.168.21.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.10.4/24 interface=vlan10 network=192.168.10.0
/ip dhcp-relay
add dhcp-server=192.168.10.1 disabled=no interface=vlan10 name=Relay_ASUS
/ip dhcp-server network
add address=192.168.21.0/24 dns-server=192.168.21.1 gateway=192.168.21.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes servers=192.168.10.1
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    BASE
 ###masquerade will be replaced later by static route in ASUS...
/ip route
add distance=1 gateway=192.168.10.1

Sob · Fri Jan 07, 2022 2:47 pm

It may be better with v7:

What's new in 7.1rc5 (2021-Oct-25 20:15):

*) bridge - added HW offload support for vlan-filtering on MT7621 switch chip (hEX, hEX S, RBM33G, RBM11G, LtAP);

mkx · Fri Jan 07, 2022 3:37 pm

Inter-VLAN routing has (almost?) nothing to do with L2 HW offload.

While tagging/untagging of a frame doesn't seem such a complex task, it seems that SoHo (at least) Routerboards struggle a bit compared to similar task without dealing with VLAN tags. And don't forget, inter-VLAN routing also involves firewall if it's not entirely disabled.

mkx · Fri Jan 07, 2022 3:49 pm

should vlans 20,30,20 with interface bridge
have dns servers of 192.168.10.1 ??

It's up to your taste ... you can run DNS service on MT and allow remote access (and limit access to it via firewall rules by allowing only access from clients from select VLANs) and serve "native VLAN IP address" of router in each of DHCP servers ... or you can simply instruct DHCP clients to use "upstream" DNS server ... the second option is, from client's perspective, exactly the same as setting DNS server in DHCP leases to 1.1.1.1 or 8.8.8.8.

Assuming there is no WAN interface here really,,,,,,,,,,,,,,,,

But there is: it's vlan 10 interface:

/interface vlan
add interface=bridge name=vlan-10 vlan-id=10

(or whatever exact definition of it). It's the interface through which router communicates with "outside world" ... and to me, that's definition of "WAN interface".

You should not be distracted by the fact that that interface is not physical interface. E.g. if you get your internet via FO and ISP uses all-tagged ... then using SFP interface directly (i.e. tagless) won't allow your router to speak to anybody. Because device on the other end of the wire (or glass strand) will ignore all tagless frames.
Because one can not be entirely sure that's entirely true (ISP techs are nasty bastards, right?), it's safer to declare physical interface as WAN interface as well (so that firewall automatically drops all unsolicited traffic also from that direction). Another similar case is when you get your internet via PPPoE (via modem operating in bridge mode): your WAN interface is ppoe-out1 interface, physical interface will only allow you to connect to modem itself (usable sometimes) so it's not really WAN interface. But it's still recommended to treat it like one, you don't want some unsolicited connections coming in from that device.

Sob · Fri Jan 07, 2022 3:58 pm

I'm not sure (= I really don't know), but I have hEX S as main router at home, and it's a long time since I tested it, but even routing involving interfaces with bridge VLAN filtering was somehow slower than expected, when compared to regular ethernet with no bridge and no VLANs. I admit that I may be completely mistaken. I plan to test if v7 changes anything, but so far it's not stable enough for me (I have IPv6 with 6to4 and it kills v7 instantly).

anav · Fri Jan 07, 2022 4:06 pm

Okay mkx, smarty pants.

My point is not about wan lan definitions its about usage.

1. is it perfectly fine to put vlan10 on the bridge and as a LAN interface. and dont use IP dhcp client and dont use wan interface - simple question!!

Note: and still use the MT as dhcp for the other vlans, with the other vlans on the bridge etc........

mkx · Fri Jan 07, 2022 4:28 pm

My point is not about wan lan definitions its about usage.

My point as well. In OP's case VLAN 10 is expressly used to pass WAN IP services from one untagged (physical WAN) to another untagged (IPTV STB) port.(Because we're running many more VLANs over same bridge, we use pvid setting on appropriate ports so that traffic becomes tagged over bridge.) I
f RB itself didn't need internet access, it would be simple bridge business with bridge interface not being member of that VLAN. As RB itself does need access to that VLAN (because it's way to internet for RB and other VLANs), we configure bridge interface as tagged member of VLAN 10, then we create vlan-10 interface and use it as WAN interface ... whatever that means. E.g. we run DHCP client off that interface to get WAN IP for RB or we set WAN IP statically if ISP allows ... as opposed to LAN interfaces where we run (appropriately configured) DHCP servers. Etc.

I'm writing this often, but I'll do it again: port classification (WAN vs LAN) is not done according to label on the case, it's not done according to colour of cable attached, it's the functionality. On a true router-on-a-stick (which has single trunk interface connected to managed VLAN-enabled switch) one can not say that that interface is either LAN or WAN ... it's the vlan interfaces that can be classified according to the functionality (WAN, LAN, DMZ, ...).

anav · Fri Jan 07, 2022 7:19 pm

Yeah I need to go back to the diagram ( please kick me if I ever try to do something so convoluted as not having the MT router run everything............)
The first thing I would do is throw the main router in the garbage and run everything from the MT and I needed a smart switch where the MT is located now, so be it.

That being said, what I forgot was the need for the main router to provide dhcp services for the clients behind the MT router on vlan10, on the three MT APs.

Proposal TrY #1 NO WAN, just switch and internal dhcp functionality.
Bridge1
vlan 10,20,30 with interface of Bridge1
Ip address/dhcp server/IP pool/dhcp-server-network for vlans20,30 ( dns-server=192.168.0.4 ip dns, allow remote, dns servers=1.1.1.2,9.9.9.9)

Interface list - LAN/MANAGE (not that I need a LAN actually)
LAN=vlan10
LAN=vlan20
LAN=vlan30
MANAGE=VLAN10

IP route
dst-address=0.0.0.0/0 gwy=192.168.10.4

Bridge port
Bridge1 port1 - access port pvid=10
Bridge1 port 2 - trunk port to AP
Bridge1 port3 - trunk port to AP
Bridge1 port4 - trunk port to AP
each AP gets an IP address on vlan10 from the main router.

Bridge vlans
Bridge1 tagged=Bridge1,ether2,ether3,ether4 vlan-ids=20,30
Bridge1 tagged=Bridge1,ether2,ether3,ether4 untagged=ether1 vlan-ids=10

neighbour discovery=MANAGE
winmacserver = MANAGE

What is missing or wrong ?????

homerouter · Fri Jan 07, 2022 8:44 pm

Maybe i need to explain why i use the ASUS. For me it is solid working SoHo out off the box routers.
-ASUS patch broken things fast, and release security patch too.
-There are a 4G fail-over, and it work.
-There are AiProtection by Trend Micro https://www.asus.com/Content/AiProtection. It work out of the box.

I have used pi-hole on a Raspberry pi, and some filter dns servers. Now i just use the ASUS.
There will always be better solution, but i like this one.

Therefore i don't replace it. I just add more stuff, in this case it is the MT router and some AP.

mkx · Sat Jan 08, 2022 7:34 pm

I'll make an exception and will write configuration for MT router (because this thread is getting stale): L2 and basic L3 configuration (with some in-line comments) ... hopefully it'll make life for everybody involved a bit easier.

# L2 configuration first

# bridge acts as a smart/managed switch
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
# ether1 and ether5 are access ports to main LAN (vlan 10), one is used to connect to ASUS
# ether2, ether3 and ether4 are trunk ports, carrying vlans 10, 20 and 30 and used to connect APs
add bridge=bridge interface=ether1 pvid=10 frame-types=allow-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge interface=ether4 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge interface=ether5 pvid=10 frame-types=allow-only-untagged-and-priority-tagged ingress-filtering=yes

# no need to include ether1 and ether5 as untagged members of vlan 10, that's done automatically because of pvid setting above
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,ether4 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3,ether4 vlan-ids=40



# now L3 setup

# router's access to vlan 10 ... as WAN port
# router's access to vlan 20 and vlan 30 as gateway for those subnets
/interface vlan
add interface=bridge name=vlan-10 vlan-id=10
add interface=bridge name=vlan-20 vlan-id=20
add interface=bridge name=vlan-30 vlan-id=30
/ip address
add interface=vlan-10 address=192.168.10.4/24
add interface=vlan-20 address=192.168.20.1/24
add interface=vlan-30 address=192.168.30.1/24

/ip route
# default route ... needed for clienrs in vlans 20 and 30 to reach internet
# needed by thus router as well (SW upgrades, anything else outside of vlans 10, 20 and 30)
add dst-address=0.0.0.0/0 gateway=192.168.10.1

# DHCP server settings for vlans 20 and 30
/ip pool
add name=pool-20 ranges=192.168.20.10-192.168.20.254
add name=pool-30 ranges=192.168.30.10-192.168.30.254
/ip dhcp-server network
# use ASUS as DNS server for all VLANs
add address=192.168.20.0/24 dns-server=192.168.10.1 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 dns-server=192.168.10.1 gateway=192.168.30.1 netmask=24
/ip dhcp-server
add address-pool=pool-20 disabled=no interface=vlan-20 lease-time=6h name=dhcp-20
add address-pool=pool-30 disabled=no interface=vlan-30 lease-time=6h name=dhcp-30

# do you need NAT for vlans 20 and 30? If you add routes towards 192.168.20.0/24
# and 192.168.30.0/24 on ASUS with gateway address 192.168.10.4, then ASUS can do
# NAT and you don't need to do it here.
# If you don't perform NAT here and decide to allow traffic from restricted vlans towards
# main LAN, then you might get into problems of routing triangle which may upset firewall on ASUS

# interface list is to make NAT rule only one. Can be used in firewall filter rules if you want to
# control traffic to and from vlans 20 and 30
/interface list
add name=restricted-vlans
/interface list member
add list=restricted-vlans interface=vlan-20
add list=restricted-vlans interface=vlan-30

/ip firewall nat
add chain=srcnat action=masquerade out-interface=vlan-10 in-interface-list=restricted-vlans

# example of firewall filter rules
/ip firewall filter
# block access to this router from restricted vlans
# but first allow access to DHCP server (could be this is not strictly necessary but won't hurt)
# and optionally to any other services this router might offer to clients in restricted vlans
# (place accept rules before next drop rule)
add chain=input action=accept protocol=udp dst-port=67 src-port=68 in-interface-list=restricted-vlans
add chain=input action=drop in-interface-list=restricted-vlans

# block access to devices in main LAN from restricted vlans
# but do allow access to main router, it may offer some services, such as DNS
add chain=forward action=accept dst-address=192.168.10.1 in-interface-list=restricted-vlans
add chain=forward action=drop dst-address=192.168.10.0/24 in-interface-list=restricted-vlans

# block traffic between devices in different restricted vlans
add chain=forward action=drop in-interface-list=restricted-vlans out-interface-list=restricted-vlans

anav · Sat Jan 08, 2022 10:48 pm

Yes, I was beginning to wonder if you ever have done any configs...............
I will try to follow the logic.......

(1) Not sure where you got
a. ether5 OR
b. that it was an access port.
The only evidence I can find above that is a trunk port with unknown purpose.
In any case lets say it was an access port to play along!!

(2) Bridge ports, look good!

(3) Bridge Vlans, hmm dont like the autogenerate method but its viable.
For some nagging reason I think you still need a rule to note that the bridge is tagged for this....
Ahh I see vlan10 is tagged in the first line by the bridge so that is covered......
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,ether4 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3,ether4 vlan-ids=40

What I am saying, for example if vlan 10 was not tagged on ether2,3,4, then we would need a rule as such
add bridge=bridge tagged=bridge vlan-ids=10

Its here where manually inserting the untag makes sense or at least to make it clear why.

(4) /ip firewall nat
add chain=srcnat action=masquerade out-interface=vlan-10 in-interface-list=restricted-vlans

So this rule is designed to allow vlan20 and vlan30 traffic to reach the client computers on the vlan10 network if that the desire of the OP??
It will not allow traffic originating on vlan10 from reaching vlans20, 30 though? right?

(5) then with firewall rules you block such traffic so was a bit confusing for me... ?????????
add chain=forward action=drop dst-address=192.168.10.0/24 in-interface-list=restricted-vlans

(6) The rest of the rules are sweet, I gather port 68 is the source port and 67 is the destination port for traffic originating from dhcp clients on vlan10 behind the MT??

(7) Overall one of us a bit confused in the forward chain. The input chain was clear with a drop all rule at the end, why not carry through with the forward chain as well.
It could be?
add chain=forward action=accept dst-address=192.168.10.1 in-interface-list=restricted-vlans
add chain=forward action=drop

..

mkx · Sat Jan 08, 2022 11:25 pm

(1) Not sure where you got
a. ether5 OR
b. that it was an access port.

I invented this part. OP mentions 3 AP s, hence 3 trunk ports. OP also mentions one untagged connection towards main LAN, hence one access port. hEX has got 5 ports and I hate to waste hardware, so I thought OP could use another main LAN port.

(4) /ip firewall nat
add chain=srcnat action=masquerade out-interface=vlan-10 in-interface-list=restricted-vlans

So this rule is designed to allow vlan20 and vlan30 traffic to reach the client computers on the vlan10 network if that the desire of the OP??
It will not allow traffic originating on vlan10 from reaching vlans20, 30 though? right?

If OP doesn't do anything on ASUS, then ASUS doesn't know anything about the two extra IP subnets ... if devices in those two subnets require access to internet, that wouldn't work unless RB does src-nat for those clients. Allowing traffic between these two vlans and the rest of main LAN is side effect and if it is not desired, it has to be blocked using firewall rules. If ASUS gets those two static routes, then the whole NAT stuff is not necessary any more.
You're right, connections originating from vlan10 and targeting other two vlans are not affected by this src-nat rule.

(6) The rest of the rules are sweet, I gather port 68 is the source port and 67 is the destination port for traffic originating from dhcp clients on vlan10 behind the MT??

Yup. Here's an article on DHCP for your good-night reading.

(7) Overall one of us a bit confused in the forward chain. The input chain was clear with a drop all rule at the end, why not carry through with the forward chain as well.

Since this router is not on perimeter of OP's network (not yet

), I think this router doesn't need a very strict firewall. It's job is to protect itself and to protect main LAN (as far as it can). The rest is then up to ASUS. Or, depending on ASUS configuration, even up to config on this router. And, your suggestion would block clients of those two vlans from reaching internet ... because dst-address of those packets is not ASUS' address, it's everything else...

But, as I wrote: this is only basic L3 config, I'm leaving the rest to OP's immagination. And your suggestions ...

BTW, I see you missed a typo in this line:

add bridge=bridge tagged=bridge,ether2,ether3,ether4 vlan-ids=40

anav · Sun Jan 09, 2022 4:08 am

Right, I missed the blocking of lan to wan traffic,,,,,,,so
thats easy....

add chain=forward action=accept dst-address=0.0.0.0/0 in-interface-list=restricted-vlans out-interface=vlan10
add chain=forward action=drop

homerouter · Mon Jan 10, 2022 9:23 pm

Need to ask this:
I have no firewall accept to allow DHCP, and when using log tools "Torch" at the VLAN i see this, (look picture). But nothing in the fw?
Computer get nice ip. DHCP is part of the firewall input chain, right? or is it Layer2, if so how to handle that in the fw?

mkx · Tue Jan 11, 2022 7:07 am

Firewall acts as if it had implicit last rule in each chain to accept the packet. So if you don't have any explicit rule that would drop certain packets, they are allowed.

Now, as to DHCP packets: it seems that ROS implements DHCP server in a way that sits below normal IP stack and grabs its share of packets before IP firewall can do anything about it (I've seen the same behaviour with an older implementation of ISC DHCP server on linux as well). That's why I wrote (in config example commentary) that DHCP allow rules might not be necessary.

anav · Tue Jan 11, 2022 1:58 pm

mkx is that the same reason why two vlans cannot see each other but on MT setups can ping each others gateway? There was a rule to block that and now forget it,,,,,,,,, but really not needed I dont think.........thoughts.

mkx · Tue Jan 11, 2022 9:03 pm

mkx is that the same reason why two vlans cannot see each other but on MT setups can ping each others gateway?

No. The reason for that is different: one of initial tasks router does on ingress packet is to determine if packet is targeting one of router's own addresses. If it is, then it's dealt with in chain=input (unless it's subject to dst-nat, but let's forget about this possibility for now). Obviously in-interface is not relevant for this decission. The block-vlan-to-vlan rules are part of chain=forward and hence don't affect the packets we're talking about. So if one really wants to block traffic targeting "non-native" router's address, one has to construct appropriate rules in chain=input ... e.g.:

# let's assume vlan-10 interface has address 192.168.10.1/24
# let's assume vlan-20 interface has address 192.168.20.1/24
/ip firewall filter
add chain=input action=drop dst-address=192.168.20.1 in-interface=vlan-10

Of course there are many ways to skin the cat ... so use whatever way fitting the rest of firewall rules ...

As you put it: this is purely cosmetic thing. One doesn't gain any security by blocking access to "non-native" router addresses, it's enough to have access to any of router's addresses to hack it (if the rest of FW rules are not secure).

Handling all firewall rules in the routers for multiple access point.

Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.

Re: Handling all firewall rules in the routers for multiple access point.