Community discussions

MikroTik App
 
button
just joined
Topic Author
Posts: 12
Joined: Mon May 02, 2022 1:18 am

Inter-VLAN allowed?

Thu May 12, 2022 1:03 pm

Hello friends,

I have inter-vlan access to all possible clients via ping and www. I was able to determine via /inteface/vlan that the correct vlans are used and the IPs are also distributed in their ranges. I just don't understand which firewall rule, which route etc. is responsible that I can reach the clients across vlans. Can you please help me understand and explain a little?
# may/12/2022 11:47:26 by RouterOS 7.2.3
# software id = K0NM-6Q2K
#
# model = RB5009UG+S+
/interface bridge
add frame-types=admit-only-vlan-tagged igmp-snooping=yes ingress-filtering=no name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise=1000M-half,1000M-full comment=WAN
set [ find default-name=ether2 ] advertise=100M-half,100M-full,1000M-half,1000M-full comment=TPLink_Ext
set [ find default-name=ether3 ] advertise=1000M-half,1000M-full comment=up_AP1_EG1
set [ find default-name=ether4 ] advertise=100M-half,100M-full comment=up_AP2_CAPlite
set [ find default-name=ether5 ] comment=dLAN
set [ find default-name=ether6 ] advertise=1000M-half,1000M-full comment=up_HP1810
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes comment=sfp-sfpplus1 name=sfp1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
add listen-port=13232 mtu=1420 name=wireguard2
/interface vlan
add interface=BR1 name=VLAN10_admin vlan-id=10
add interface=BR1 name=VLAN20_mobiles vlan-id=20
add interface=BR1 name=VLAN30_iot vlan-id=30
add interface=BR1 name=VLAN40_smarthome vlan-id=40
add interface=BR1 name=VLAN50_entertain vlan-id=50
add interface=BR1 name=VLAN60_guest vlan-id=60
add interface=BR1 name=VLAN90_pis vlan-id=90
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1
/interface list
add name=TRUSTED
add name=WAN
add name=VLAN
/caps-man datapath
add bridge=BR1 client-to-client-forwarding=no interface-list=VLAN local-forwarding=no name=datapath1 vlan-mode=use-tag
/caps-man configuration
add country=germany datapath=datapath1 datapath.vlan-id=10 distance=indoors installation=indoor mode=ap multicast-helper=full name=cfg1-admin \
    rx-chains="" security=security1 ssid=tipic tx-chains=""
add country=germany datapath=datapath1 datapath.vlan-id=60 distance=indoors installation=indoor mode=ap multicast-helper=full name=cfg6-guest \
    rx-chains="" security=security1 ssid=showboxx tx-chains=""
add country=germany datapath=datapath1 datapath.vlan-id=40 distance=indoors installation=indoor mode=ap multicast-helper=full name=cfg4-smarthome \
    rx-chains="" security=security1 ssid=amnesia tx-chains=""
add country=germany datapath=datapath1 datapath.vlan-id=30 distance=indoors installation=indoor mode=ap multicast-helper=full name=cfg3-iot \
    rx-chains="" security=security1 ssid=blitz tx-chains=""
add country=germany datapath=datapath1 datapath.vlan-id=20 distance=indoors installation=indoor mode=ap multicast-helper=full name=cfg2-mobiles \
    rx-chains="" security=security1 ssid=harryklein tx-chains=""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=42 name=NTP-Server value="'130.149.17.21'"
/ip pool
add name=POOL01 ranges=192.168.1.2-192.168.1.254
add name=POOL10 ranges=192.168.10.2-192.168.10.254
add name=POOL20 ranges=192.168.20.2-192.168.20.254
add name=POOL30 ranges=192.168.30.2-192.168.30.254
add name=POOL40 ranges=192.168.40.2-192.168.40.254
add name=POOL50 ranges=192.168.50.2-192.168.50.254
add name=POOL90 ranges=192.168.90.2-192.168.90.254
add name=POOL60 ranges=192.168.60.2-192.168.60.254
/ip dhcp-server
add address-pool=POOL10 interface=VLAN10_admin name=VLAN10_DHCP
add address-pool=POOL20 interface=VLAN20_mobiles name=VLAN20_DHCP
add address-pool=POOL30 interface=VLAN30_iot name=VLAN30_DHCP
add address-pool=POOL40 interface=VLAN40_smarthome name=VLAN40_DHCP
add address-pool=POOL50 interface=VLAN50_entertain name=VLAN50_DHCP
add address-pool=POOL90 interface=VLAN90_pis name=VLAN90_DHCP
add address-pool=POOL60 interface=VLAN60_guest name=VLAN60_DHCP
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=ether4
add disabled=no interface=ether3
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1-admin radio-mac=xxx slave-configurations=\
    cfg2-mobiles,cfg3-iot,cfg4-smarthome,cfg6-guest
add action=create-dynamic-enabled master-configuration=cfg1-admin radio-mac=xxx slave-configurations=\
    cfg2-mobiles,cfg3-iot,cfg4-smarthome,cfg6-guest
add action=create-dynamic-enabled master-configuration=cfg1-admin radio-mac=xxx slave-configurations=\
    cfg2-mobiles,cfg3-iot,cfg4-smarthome,cfg6-guest
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether4 pvid=10
add bridge=BR1 ingress-filtering=no interface=ether6 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether2 pvid=10
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1,ether6,ether3,ether4 vlan-ids=20
add bridge=BR1 tagged=BR1,ether6 vlan-ids=30
add bridge=BR1 tagged=BR1,ether6 vlan-ids=40
add bridge=BR1 tagged=BR1,ether6 untagged=ether5 vlan-ids=50
add bridge=BR1 tagged=BR1,ether6 vlan-ids=60
add bridge=BR1 tagged=BR1,ether6 vlan-ids=90
/interface list member
add interface=ether1 list=WAN
add interface=VLAN20_mobiles list=VLAN
add interface=VLAN50_entertain list=VLAN
add interface=VLAN30_iot list=VLAN
add interface=VLAN40_smarthome list=VLAN
add interface=VLAN10_admin list=VLAN
add interface=VLAN90_pis list=VLAN
add interface=VLAN60_guest list=VLAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.98.2/32 interface=wireguard1 public-key="xxx"
add allowed-address=192.168.99.2/32 interface=wireguard2 public-key="xxx"
add allowed-address=192.168.99.3/32 interface=wireguard2 public-key="xxx"
add allowed-address=192.168.99.4/32 interface=wireguard2 public-key="xxx"
add allowed-address=192.168.99.5/32 interface=wireguard2 public-key="xxx"
add allowed-address=192.168.99.6/32 interface=wireguard2 public-key="xxx"
/interface wireless cap
set caps-man-addresses=192.168.1.1
/ip address
add address=192.168.98.1/24 interface=wireguard1 network=192.168.98.0
add address=192.168.99.1/24 interface=wireguard2 network=192.168.99.0
add address=192.168.1.1/24 interface=BR1 network=192.168.1.0
add address=192.168.10.1/24 interface=VLAN10_admin network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20_mobiles network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30_iot network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN40_smarthome network=192.168.40.0
add address=192.168.50.1/24 interface=VLAN50_entertain network=192.168.50.0
add address=192.168.90.1/24 interface=VLAN90_pis network=192.168.90.0
add address=192.168.60.1/24 interface=VLAN60_guest network=192.168.60.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=192.168.1.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.1.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.1.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.1.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.1.1 gateway=192.168.50.1
add address=192.168.60.0/24 dns-server=192.168.1.1 gateway=192.168.60.1
add address=192.168.90.0/24 dns-server=192.168.1.1 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.1,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="allow ICMP" in-interface=ether1 in-interface-list=WAN protocol=icmp
add action=accept chain=input comment=wireguard1 dst-port=13231 protocol=udp
add action=accept chain=input comment=wireguard2 dst-port=13232 protocol=udp
add action=drop chain=input comment="block everything else" in-interface=ether1
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward disabled=yes in-interface=VLAN20_mobiles out-interface=VLAN90_pis
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/ip service
Blank diagram-2.png
Thanks
You do not have the required permissions to view the files attached to this post.
 
erlinden
Forum Guru
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Inter-VLAN allowed?

Thu May 12, 2022 2:07 pm

Please have a look at this great topic:
viewtopic.php?f=23&t=143620

Inter vlan traffic is enabled by default, by adding a block rule on the forward chain it can be blocked,

Who is online

Users browsing this forum: cmmike, Google [Bot], lmeira, rjuho and 31 guests