Tue Jan 18, 2022 5:35 pm
VLANs do not prevent all local INTERFACES (those on the router) from being pingable; that's normal.
There is a way around this I believe using RAW rules but that has its dangers and is really not necessary.
However you should not be able to ping an individual user and most importantly you will not be able to access any user/device.
/interface bridge vlan
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 vlan-ids=60 missing untagged=BOND-NAS3
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 vlan-ids=70
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 vlan-ids=99
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 untagged=LINK-ASUS-RT-WIFI vlan-ids=80
/interface list member
add interface=WAN-TIM list=WAN
add interface=MGMT_VLAN list=BASE
add interface=MGMT_VLAN list=VLAN
add interface=PC_VLAN list=VLAN
add interface=NAS-TV_VLAN list=VLAN
add interface=WIFI_VLAN list=VLAN
Don't know how many times I have to say your input rules are not what you want.
/ip firewall filter
add action=accept chain=input comment="Default Configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router { GOOD - limited admin access to router, and if all from interface-list BASE use that as in-interface-list= }
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN { BAD - now all vlans have full access to the router, why have the rule before? }
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=MGMT_VLAN { NOT USEFUL - you have already let everyone have access LOL, rule will never be used }
add action=accept chain=input protocol=icmp
add action=drop chain=input
CHANGE TO in this order..........
/ip firewall filter
add action=accept chain=input comment="Default Configuration" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface-list=BASE src-address-list=allowed_to_router **********
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input
Where the allowed address list is
/ip firewall address-list
add list=allowed_to_router address=<IP of admin desktop>
add list=allowed_to_router address=<IP of admin laptop>
add list=allowed_to_router address=<IP of admin smartphone>
This is useless for a firewall address list because you already have it stated as an interface list entry "BASE", you have it as an interface "MGMT_VLAN", and finally you have it as a subnet, and all three can be used already in firewall rules................. thus the below list is a waste of time.
add address=192.168.0.0/24 list=allowed_to_router
If the intent is NOT to limit the management VLAN to specific devices, then simply use the rule I created without the source address list
add action=accept chain=input in-interface-list=BASE
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Forward chain............sigh
Change to
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid { moved up in order }
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=LAN-Bridge log=yes log-prefix="Prevent Private IP Destination Address Leakage"
add action=accept chain=forward comment="VLAN Internet Access only" in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
Personally, I would not use the interface LAN-Bridge in your rule because not all traffic is on the bridge. Think of any kind of VPN, for example: it is parallel to the LAN, but is not on and cannot be put on the bridge. VPNs can be added to an interface list. In this case, currently there are no VPNs, so use the interface list VLAN as it encompasses all the traffic described by the interface bridge, and later if you add a VPN such as WireGuard, you can add the WireGuard interface to the VLAN list or USE the unused LAN interface and tie all the VLANs and the wg interface to the LAN interface for this rule.....
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=VLAN \
log=yes log-prefix=Prevent_Private_IP_Destination_Address-Leakage
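To see why the input-chain ordering matters, here is an added example (not from the post or from RouterOS): a small first-match evaluator that runs the original input order and the corrected one side by side. Interface and list names follow the post; the IP addresses, the admin desktop address and the sample packets are constructed for the demo.

```python
# Added example (not from the forum post): a first-match evaluator for
# RouterOS-style input rules, showing why the original order gives every
# VLAN full router access. Names follow the post; IPs/packets are constructed.
IFACE_LISTS = {"BASE": {"MGMT_VLAN"},
               "VLAN": {"MGMT_VLAN", "PC_VLAN", "NAS-TV_VLAN", "WIFI_VLAN"}}
ADDRESS_LISTS = {"allowed_to_router": {"192.168.0.10"}}  # constructed admin desktop

def rule_matches(rule, pkt):
    # Every matcher on the rule must hit; a matcher that is absent is a wildcard.
    for key, want in rule.items():
        if key == "in_list":
            ok = pkt["in_if"] in IFACE_LISTS[want]
        elif key == "src_list":
            ok = pkt["src"] in ADDRESS_LISTS[want]
        elif key == "state":
            ok = pkt["state"] in want  # connection-state=a,b is a set
        else:                          # in_if, proto, dst_port: exact match
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True

def verdict(chain, pkt):
    # RouterOS semantics: the first matching rule decides; no match -> accept.
    for matchers, action in chain:
        if rule_matches(matchers, pkt):
            return action
    return "accept"

ORIGINAL_INPUT = [
    ({"state": {"established", "related"}}, "accept"),
    ({"src_list": "allowed_to_router"}, "accept"),
    ({"in_list": "VLAN"}, "accept"),      # every VLAN reaches the router here
    ({"in_if": "MGMT_VLAN"}, "accept"),   # shadowed by the rule above, never used
    ({"proto": "icmp"}, "accept"),
    ({}, "drop"),
]
CORRECTED_INPUT = [
    ({"state": {"established", "related"}}, "accept"),
    ({"state": {"invalid"}}, "drop"),
    ({"proto": "icmp"}, "accept"),
    ({"in_list": "BASE", "src_list": "allowed_to_router"}, "accept"),
    ({"state": {"new"}, "dst_port": 53, "in_list": "VLAN", "proto": "udp"}, "accept"),
    ({"state": {"new"}, "dst_port": 53, "in_list": "VLAN", "proto": "tcp"}, "accept"),
    ({}, "drop"),
]
def compare(pkt):
    # (verdict under the poster's original order, verdict under the corrected order)
    return verdict(ORIGINAL_INPUT, pkt), verdict(CORRECTED_INPUT, pkt)
```

A new Winbox connection from a PC on PC_VLAN, or from a non-admin host on MGMT_VLAN, is accepted by the original order and dropped by the corrected one, while ICMP and DNS from any VLAN pass under both.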