HondaFireblade
just joined
Topic Author
Posts: 5
Joined: Mon Jan 10, 2022 11:47 am

Help me with configuration

Mon Jan 10, 2022 12:01 pm

Good morning
I am attaching the configuration files that I would like to create.

The vlan50 must be able to see the vlan60 while the vlan60 must not see the vlan50.
The vlan99 is the management vlan and must be active on the ETH8 port (MKT RT 5009), on the ETH3 port (MKT RT 326) and on the SFP3 port (MKT RT 305).

All other ports are in a bridge called LAN-Bridge (one per router).

Can you help me with configuration script?
Thanks
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me with configuration

Mon Jan 10, 2022 8:51 pm

You need to help yourself first.
Help comes to those that make an effort.
Read this carefully through.........
viewtopic.php?t=143620
 
HondaFireblade
just joined
Topic Author
Posts: 5
Joined: Mon Jan 10, 2022 11:47 am

Re: Help me with configuration

Tue Jan 18, 2022 4:19 pm

I have read the document and made the following configuration (see attached files).
I still have a problem with the firewall rules. I wish vlan80 couldn't ping vlan70 (not even ip 192.168.70.1).
I thought it was enough to add

add action=drop chain=forward dst-address=192.168.70.0/24 src-address=192.168.80.0/24

but even so from any ip of vlan80 I can ping 192.168.70.1
I have to add a specific rule like:

add action=drop chain=forward dst-address=192.168.70.1 src-address=192.168.80.0/24

What do you recommend?
Thanks
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me with configuration

Tue Jan 18, 2022 5:35 pm

Vlans do not prevent all local INTERFACES (those on the router) from being pingable; that's normal.
There is a way around this I believe using RAW rules, but that has its dangers and is really not necessary.
However, you should not be able to ping an individual user and, most importantly, you will not be able to access any user/device.

/interface bridge vlan
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 vlan-ids=60 { missing untagged=BOND-NAS3 }
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 vlan-ids=70
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 vlan-ids=99
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 untagged=LINK-ASUS-RT-WIFI vlan-ids=80

/interface list member
add interface=WAN-TIM list=WAN
add interface=MGMT_VLAN list=BASE
add interface=MGMT_VLAN list=VLAN
add interface=PC_VLAN list=VLAN
add interface=NAS-TV_VLAN list=VLAN
add interface=WIFI_VLAN list=VLAN

Don't know how many times I have to say your input rules are not what you want.
/ip firewall filter
add action=accept chain=input comment="Default Configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router { GOOD - limited admin access to router and if all from interface-list BASE use that as in-interface-list= }
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN { BAD - now all vlans have full access to the router, why have the rule before? }
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=MGMT_VLAN { NOT USEFUL - you have already let everyone have access LOL, rule will never be used }
add action=accept chain=input protocol=icmp
add action=drop chain=input

CHANGE TO in this order..........
/ip firewall filter
add action=accept chain=input comment="Default Configuration" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface-list=BASE src-address-list=allowed_to_router **********
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input

Where allowed addresses is
/ip firewall address-list
add list=allowed_to_router address=<IP of admin desktop>
add list=allowed_to_router address=<IP of admin laptop>
add list=allowed_to_router address=<IP of admin smartphone>

This is useless for a firewall address list because you have it already stated as an interface list entry "BASE" you have it as an interface "MGMT_VLAN" and finally you have it as a subnet, and all three can be used already in firewall rules................. thus the below list is a waste of time.
add address=192.168.0.0/24 list=allowed_to_router

If the intent is NOT to limit management vlan by specific devices then simply use the rule I created without source address list
add action=accept chain=input in-interface-list=BASE

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Forward chain............sigh

Change to
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid { moved up in order }
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=LAN-Bridge log=yes log-prefix="Prevent Private IP Destination Address Leakage"
add action=accept chain=forward comment="VLAN Internet Access only" in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"

Personally, I would not use the interface lan-bridge in your rule because not all traffic is on the bridge. Thinking any kind of vpn for example is parallel to the LAN, but is not on and cannot be put on the bridge. VPNs can be added to an interface list. In this case, currently there are no vpns so use the interface list of VLAN as it encompasses all the traffic described by the interface bridge, and later if you add a VPN such as wireguard, you can add wireguard interface to the VLAN list or USE the unused LAN interface and tie all the vlans and the wg interface to the LAN interface for this rule.....

add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=VLAN \
log=yes log-prefix=Prevent_Private_IP_Destination_Address-Leakage
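Added example, not code from the thread or from MikroTik: a small Python model of first-match filter evaluation that replays two points made in this reply and the post before it. The forward-chain drop the topic author tried cannot affect pings to 192.168.70.1, because traffic addressed to one of the router's own addresses is evaluated in the input chain, not forward; and in the input chain as posted, the "Allow VLAN" rule wins before the management-VLAN rule or the final drop ever see a packet, whereas the reordered chain admits only the admin host arriving on the BASE list. Interface and list names are taken from the thread; the subnets, router addresses, admin IP and probe packets are constructed assumptions.

```python
# Toy first-match model of RouterOS filter evaluation. Added example, not from the
# thread or MikroTik: it models only the chain a packet hits (input when addressed to
# the router itself, forward when routed through it), first-match order and the
# interface/address lists. Names mirror the thread; addresses are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

INTERFACE_LISTS = {  # assumed membership, after the thread's /interface list member
    "BASE": {"MGMT_VLAN"},
    "VLAN": {"MGMT_VLAN", "PC_VLAN", "NAS-TV_VLAN", "WIFI_VLAN"},
}
ROUTER_ADDRESSES = {"192.168.99.1", "192.168.70.1", "192.168.80.1", "192.168.60.1"}
ADDRESS_LISTS = {"allowed_to_router": {"192.168.99.10"}}  # one admin desktop (assumed)

@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    protocol: str = "tcp"
    dst_port: Optional[int] = None
    conn_state: str = "new"

@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None
    src_address_list: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    connection_state: Optional[Set[str]] = None

    def matches(self, p: Packet) -> bool:
        # Every matcher that is set must hold; an unset matcher matches anything.
        return all([
            self.src_address is None or ip_address(p.src) in ip_network(self.src_address, strict=False),
            self.dst_address is None or ip_address(p.dst) in ip_network(self.dst_address, strict=False),
            self.in_interface is None or p.in_iface == self.in_interface,
            self.in_interface_list is None or p.in_iface in INTERFACE_LISTS[self.in_interface_list],
            self.src_address_list is None or p.src in ADDRESS_LISTS[self.src_address_list],
            self.protocol is None or p.protocol == self.protocol,
            self.dst_port is None or p.dst_port == self.dst_port,
            self.connection_state is None or p.conn_state in self.connection_state,
        ])

def chain_for(p: Packet) -> str:
    # Traffic to one of the router's own addresses is input; everything else is forward.
    return "input" if p.dst in ROUTER_ADDRESSES else "forward"

def evaluate(rules, p: Packet):
    # The first rule in the packet's chain that matches decides: (action, winning comment).
    chain = chain_for(p)
    for r in rules:
        if r.chain == chain and r.matches(p):
            return r.action, r.comment
    return "accept", f"{chain}: no rule matched (RouterOS default accept)"

def shadowed(rules, probes):
    # Rules that never win first match for any probe: candidates for dead rules.
    winners = {evaluate(rules, p)[1] for p in probes}
    return [r.comment for r in rules if r.comment not in winners]

# The forward-chain drop the topic author tried against pings to 192.168.70.1.
FORWARD_DROP_ONLY = [Rule("forward", "drop", "drop 80->70",
                          src_address="192.168.80.0/24", dst_address="192.168.70.0/24")]
# The input chain as originally posted, in the order posted.
ORIGINAL_INPUT = [
    Rule("input", "accept", "established,related", connection_state={"established", "related"}),
    Rule("input", "accept", "admins", src_address_list="allowed_to_router"),
    Rule("input", "accept", "Allow VLAN", in_interface_list="VLAN"),
    Rule("input", "accept", "Allow Base_Vlan Full Access", in_interface="MGMT_VLAN"),
    Rule("input", "accept", "icmp", protocol="icmp"),
    Rule("input", "drop", "drop input"),
]
# The reordered input chain from the reply (TCP DNS rule omitted; identical except protocol).
CORRECTED_INPUT = [
    Rule("input", "accept", "established,related", connection_state={"established", "related"}),
    Rule("input", "drop", "invalid", connection_state={"invalid"}),
    Rule("input", "accept", "icmp", protocol="icmp"),
    Rule("input", "accept", "admin access", in_interface_list="BASE", src_address_list="allowed_to_router"),
    Rule("input", "accept", "LAN DNS udp", protocol="udp", dst_port=53, in_interface_list="VLAN"),
    Rule("input", "drop", "drop input"),
]
# Constructed probe packets.
PING_ROUTER = Packet("192.168.80.20", "192.168.70.1", "WIFI_VLAN", protocol="icmp")
PING_HOST = Packet("192.168.80.20", "192.168.70.50", "WIFI_VLAN", protocol="icmp")
SSH_FROM_WIFI = Packet("192.168.80.20", "192.168.80.1", "WIFI_VLAN", dst_port=22)
SSH_FROM_ADMIN = Packet("192.168.99.10", "192.168.99.1", "MGMT_VLAN", dst_port=22)
SSH_FROM_MGMT_GUEST = Packet("192.168.99.50", "192.168.99.1", "MGMT_VLAN", dst_port=22)
DNS_FROM_WIFI = Packet("192.168.80.20", "192.168.80.1", "WIFI_VLAN", protocol="udp", dst_port=53)
PROBES = [PING_ROUTER, PING_HOST, SSH_FROM_WIFI, SSH_FROM_ADMIN, SSH_FROM_MGMT_GUEST, DNS_FROM_WIFI]

if __name__ == "__main__":
    for name, rules in (("forward-only", FORWARD_DROP_ONLY), ("original", ORIGINAL_INPUT), ("corrected", CORRECTED_INPUT)):
        print(name, [(p.dst, p.dst_port, evaluate(rules, p)) for p in PROBES], "dead:", shadowed(rules, PROBES))
```

Running it prints, per rule set, the decision for each probe and the rules that never won. Against the forward-only drop, the ping to 192.168.70.1 falls through to the default accept in the input chain while the ping to a host behind the router is dropped; against the original input chain, SSH from WIFI_VLAN and from a non-admin host on MGMT_VLAN is accepted by "Allow VLAN", and the management rule and final drop never fire; against the reordered chain, only the admin host on BASE gets in. `shadowed()` is only as good as the probes you feed it, so treat a rule it reports as a candidate to review, not proof that it is dead.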
