 
t430
just joined
Topic Author
Posts: 6
Joined: Mon Apr 11, 2022 10:29 am

Router + dedicated AP = no VLAN isolation

Sun Jul 03, 2022 7:42 pm

Hello.

I'm trying to separate my home network into 3 VLANs with the IDs 30, 20, 10. I've set up the Unifi AP to broadcast 3 SSIDs which also have VLAN IDs 30, 20, 10. That AP is connected on eth4 on my RB5009. Let's assume all devices on the VLANs will connect through the AP for now.

I can successfully connect wirelessly to each one of those SSIDs, get an IP address from DHCP and access the Internet.

The problem is that the firewall somehow fails to block cross-VLAN traffic (no VLAN isolation). For example:
While on a device with the address 192.168.30.2 I ping 192.168.20.2 - and while I expected it to fail, the ping succeeds. If I monitor the ping exchange in Torch and collect the VLAN Id while it goes on, there's no VLAN Id in the results row where the "Src: 192.168.30.2, Dst: 192.168.20.2" connection is shown. So perhaps that's a symptom.

I've also looked at the firewall rules and the key ones for isolation should be (taken from my .rsc at the bottom of this post):
add action=accept chain=forward comment="vlan to wan traffic" \
    connection-state=new in-interface-list=VLANS out-interface-list=WAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# NOTE(review): none of these three rules matches a new connection from one
# VLAN interface to another, and a RouterOS chain accepts whatever reaches its
# end. The 30 -> 20 ping is therefore allowed, not dropped. Isolation needs an
# explicit drop: a final `add action=drop chain=forward` after the accepts.
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
The above should drop the 192.168.30.2 -> 192.168.20.2 ping but it doesn't. If I create a new forward firewall rule and ask it to drop in-interface=company-vlan out-interface=dev-vlan, the ping is blocked as intended though. I feel as if it's possible to achieve the expected result without the extraneous rule above, as VLAN filtering should "just work" without any extra per-VLAN rules.

My problem looks very similar to what's described below this code block https://help.mikrotik.com/docs/display/ ... ter_198473 . I've read viewtopic.php?f=23&t=143620 (and respective .rsc files) and the Bridge VLAN Table manual but I haven't been able to apply the information from there to fix my problem.

Could somebody please share their thoughts on why this could be happening?
# jul/03/2022 18:21:16 by RouterOS 7.3.1
# software id = FZWK-5BAJ
#
# model = RB5009UG+S+
# serial number = HC907M8KM80
# NOTE(review): export posted with its software id and serial number intact;
# nothing below depends on either, so they could have been redacted.
/interface bridge
# One bridge with VLAN filtering on; VLAN membership is declared in
# /interface bridge vlan further down.
add admin-mac=DC:2C:6E:DD:8B:A8 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
# disable unused ifaces
/interface ethernet
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
# NOTE(review): company-vlan and dev-vlan are bound to ether4 — which is also a
# bridge slave port (see /interface bridge port) — while home-vlan is bound to
# the bridge. With vlan-filtering=yes the usual placement is all VLAN
# interfaces on the bridge; the later revision of this config does exactly
# that. Whether the mixed binding is behind the "no VLAN id" Torch observation
# is not established here — confirm.
add interface=ether4 name=company-vlan vlan-id=30
add interface=ether4 name=dev-vlan vlan-id=20
add interface=bridge name=home-vlan vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Used by the "vlan to wan traffic" forward rule; the same three VLAN
# interfaces are also members of LAN (see /interface list member).
add name=VLANS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# IKE phase 1: modp2048 / AES-256 / SHA-256 — no weak algorithms offered.
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
# Phase 2: AES-256-GCM with PFS on modp2048.
set [ find default=yes ] enc-algorithms=aes-256-gcm pfs-group=modp2048
/ip pool
# One pool per subnet: "dhcp" for the untagged 192.168.88.0/24 network on the
# bridge, "vpn" for PPP clients, one each for the three VLANs.
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=company ranges=192.168.30.2-192.168.30.254
add name=dev ranges=192.168.20.2-192.168.20.254
add name=home ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
# One DHCP server per L3 interface, each serving the matching pool.
add address-pool=dhcp interface=bridge name=defconf
add address-pool=company interface=company-vlan name=company-dhcp
add address-pool=dev interface=dev-vlan name=dev-dhcp
add address-pool=home interface=home-vlan name=home-dhcp
/ppp profile
# Built-in PPP profile (referenced by its internal id): VPN clients get
# 192.168.89.1 as gateway and an address from the "vpn" pool.
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
# Every LAN-side port is a bridge slave (ether5-8 and sfp-sfpplus1 are
# disabled above). No pvid is set, so untagged frames on these ports land in
# the bridge's default VLAN 1, i.e. the 192.168.88.0/24 network.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) disabled on all interfaces.
set discover-interface-list=none
/interface bridge vlan
# VLANs 10/20/30 are tagged toward the AP on ether4 and toward the router's
# CPU port ("bridge"). Nothing is declared untagged, so the AP's untagged
# management frames stay in VLAN 1 together with the 192.168.88.0/24 network.
add bridge=bridge tagged=ether4,bridge vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether4 vlan-ids=30
/interface l2tp-server server
# L2TP only over IPsec. The server's enabled flag is not part of this export,
# so whether it is reachable at all is not shown.
set use-ipsec=yes
/interface list member
# bridge (untagged network) and the three VLAN interfaces are all in LAN, so
# all four networks count as "LAN" for the firewall; the VLAN interfaces are
# additionally in VLANS.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=company-vlan list=VLANS
add interface=dev-vlan list=VLANS
add interface=home-vlan list=VLANS
add interface=company-vlan list=LAN
add interface=dev-vlan list=LAN
add interface=home-vlan list=LAN
/interface ovpn-server server
# NOTE(review): md5 and sha1 are the only HMACs allowed here, and both are
# weak choices. If the OpenVPN server is enabled (its enabled flag is not in
# this export), prefer a SHA-2 HMAC where this RouterOS version and the
# clients support one.
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
# Gateway per network: .88.1 on the untagged bridge network, .x.1 per VLAN.
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.30.1/24 interface=company-vlan network=192.168.30.0
add address=192.168.20.1/24 interface=dev-vlan network=192.168.20.0
add address=192.168.10.1/24 interface=home-vlan network=192.168.10.0
/ip cloud
# Publishes the router's WAN address under a MikroTik DDNS name. Harmless by
# itself, but it makes the WAN-side input filtering below the only thing
# between the Internet and any router service.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.248 mac-address=E4:5F:01:6E:28:C2 server=defconf
/ip dhcp-server network
# Every VLAN network hands out 192.168.88.1 — the bridge address, in a
# different subnet — as DNS server rather than its own gateway. This only
# works because the input chain accepts from the whole LAN list; pointing
# each VLAN at its own gateway keeps DNS traffic inside the VLAN.
add address=192.168.10.0/24 dns-server=192.168.88.1 gateway=192.168.10.1
add address=192.168.20.0/24 comment=me dns-server=192.168.88.1 gateway=\
    192.168.20.1
add address=192.168.30.0/24 comment=company dns-server=192.168.88.1 gateway=\
    192.168.30.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
# The router resolves for its clients. With allow-remote-requests=yes the
# input chain must drop udp/tcp 53 from WAN — the "drop all not coming from
# LAN" rule does that, as long as nothing above it accepts port 53.
set allow-remote-requests=yes
/ip firewall filter
# ---- input chain (traffic addressed to the router itself) ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# IPsec NAT-T from any interface. Only udp/4500 is accepted: IKE on udp/500
# and ESP are not matched before the "!LAN" drop below, so a WAN-side
# L2TP/IPsec client that begins its exchange on udp/500 would apparently be
# dropped — confirm the intended reachability.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# NOTE(review): tcp/80 and tcp/443 to the router are accepted from ANY
# interface, WAN included: the rule sits above the "!LAN" drop and carries no
# in-interface-list. /ip service below runs www on 8080 and lists no www-ssl,
# so nothing shown here even uses these ports. Add in-interface-list=LAN or
# remove the rule.
add action=accept chain=input dst-port=443,80 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Placed after the "!LAN" drop. Harmless, but the default rule set keeps
# "drop invalid" second so invalid packets from LAN never reach the accepts.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# ---- forward chain (traffic routed through the router) ----
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# New connections from the three VLAN interfaces toward WAN.
add action=accept chain=forward comment="vlan to wan traffic" \
    connection-state=new in-interface-list=VLANS out-interface-list=WAN
# New connections from WAN that were not DST-NATed are dropped.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# NOTE(review): this is the last forward rule and it only matches invalid
# packets. A packet that matches no rule is ACCEPTED (RouterOS chain default),
# so a new connection from company-vlan to dev-vlan — and from the untagged
# 192.168.88.0/24 bridge network to anywhere — falls off the end and is
# allowed. That is the missing VLAN isolation. A final unconditional
# `add action=drop chain=forward` (after the accepts that should stay) closes
# it; the "vlan to wan traffic" accept above only has an effect once that
# drop exists.
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
# Source NAT for everything leaving via WAN, except traffic an IPsec policy
# will encrypt (ipsec-policy=out,none).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec policy
set 0 proposal=*1
/ip service
# Management surface: telnet, ftp, ssh, api, api-ssl and winbox are all off;
# the one service left is plain-HTTP www on 8080 (www-ssl does not appear in
# this export). NOTE(review): that leaves password-based management over
# cleartext HTTP as the sole path — consider www-ssl (or ssh with keys) and
# restricting the service with address= to the admin subnet. MAC-winbox is
# still allowed from LAN further down (/tool mac-server mac-winbox).
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
# Restricts SSH to strong ciphers/MACs; currently moot since ssh is disabled.
set strong-crypto=yes
/ipv6 firewall address-list
# Never-routable IPv6 prefixes (bogons) referenced by the forward-chain drops.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Default IPv6 rule set. No IPv6 address is configured anywhere in this
# export, so these rules are dormant. Note the forward chain has the same
# shape as the IPv4 one (its last rule drops only !LAN; everything else falls
# through to accept), so an inter-VLAN drop added for IPv4 should be
# mirrored here before IPv6 is turned on.
# ---- input chain ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
# IKE/AH/ESP accepted from any interface (stock default).
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# ---- forward chain ----
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
# VPN account. The export shows no password (presumably hidden because
# show-sensitive was not used), so nothing about it can be judged here.
add name=vpn
/system clock
set time-zone-name=Europe/Warsaw
/system routerboard settings
set cpu-frequency=1400MHz
/tool bandwidth-server
# Bandwidth-test server switched off.
set enabled=no
/tool mac-server
# MAC-telnet and MAC-winbox answered only on LAN-list interfaces. The winbox
# IP service is disabled in /ip service above; confirm whether MAC-winbox
# should remain reachable from LAN regardless.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Router + dedicated AP = no VLAN isolation

Sun Jul 03, 2022 8:20 pm


The above should drop the 192.168.30.2 -> 192.168.20.2 ping but it doesn't.
What makes you think it should ?
Nowhere is there a drop rule for forward traffic on VLANS.

Something like
# Drops routed traffic whose ingress and egress interfaces are both in VLANS.
# Frames between two hosts in the same VLAN are switched by the bridge and
# never enter the forward chain, so they are unaffected. Placed before the
# established/related accept, it also drops the return packets of any
# inter-VLAN exception accepted later — if such exceptions are planned, put
# this rule after that accept and the exception accepts above it.
add action=drop chain=forward comment="vlan kill" in-interface-list=VLANS out-interface-list=VLANS
right before
# The stock "accept established,related,untracked" forward rule; the drop
# above is meant to go directly in front of it.
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
That should kill ALL inter-VLAN traffic, I think.
Make sure to use Safe Mode wisely :lol:
 
t430
just joined
Topic Author
Posts: 6
Joined: Mon Apr 11, 2022 10:29 am

Re: Router + dedicated AP = no VLAN isolation

Sun Jul 03, 2022 9:10 pm


The above should drop the 192.168.30.2 -> 192.168.20.2 ping but it doesn't.
What makes you think it should ?
I took that idea from here viewtopic.php?f=23&t=143620#p706998 where the attached .rsc file's firewall rules are pretty elegantly minimalist:
##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

# Unconditional final drop: this is what turns the two accepts above into a
# whitelist. Without it a RouterOS chain accepts by default and VLAN -> VLAN
# traffic would pass. (The list is named VLAN here; the OP's config uses
# VLANS.)
add chain=forward action=drop comment="Drop"
... and I just realized that in my "drop invalid" rule I forgot to remove the connection-state="invalid", which is why it's not working as a catch-all drop. Though removing the connection-state makes me lose the connection altogether, but I'll investigate that.
Something like
add action=drop chain=forward comment="vlan kill" in-interface-list=VLANS out-interface-list=VLANS
right before
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
That should kill ALL inter-VLAN traffic, I think.
Hey, this works, thanks. I'm surprised that pinging 192.168.30.2 from 192.168.30.3 works with this rule though. .3's interface is e.g. home-vlan, which is in the VLANS list and .2's is in the VLANS list as well (even though that's the same VLAN), so I expected the rule you posted to drop the connection even between two devices in the same VLAN. Hmm...
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Router + dedicated AP = no VLAN isolation

Sun Jul 03, 2022 9:18 pm

If those devices are on the same network segment (simplest way to depict it: cables and dumb switch) without passing the router, they will respond to each other. Router will drop it but since they already saw each other, it doesn't help :lol:

If however they are on different segment with the router in between, you will not see any result.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router + dedicated AP = no VLAN isolation

Sun Jul 03, 2022 10:06 pm

Hmm I just answered this and it went poof!! ??
How annoying.

All to say, one bridge; make your .88 LAN also a VLAN, vlan11 — I called it unk-purpose. You will need to change a few things like the IP address etc., but it's real quick.
I despise those who attempt to use bridge for lan subnets with vlans, just keep it all the same, simple apples to apples, okay so no two testicles are the same size but you know what I mean.........
Don't know what's connected to ports 2 and 3, and assuming 4 goes to the Unifi, which needs a hybrid port (expects the management VLAN untagged and the rest of the data VLANs tagged).
Assumed your home vlan is the home one.

thus
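/interface bridge port
# ether4 is already a bridge port in the OP's config, so adjust its pvid
# rather than adding a second entry (an interface can belong to one bridge
# only). pvid=10: untagged frames from the AP (its management traffic) are
# placed in VLAN 10.
set [ find interface=ether4 ] pvid=10
/interface bridge vlan
# Data VLANs 20/30 tagged toward the AP and toward the router's CPU port.
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether4 vlan-ids=30
# Hybrid port: VLAN 10 leaves ether4 untagged (matching the pvid above).
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=10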

As far as firewall rules go, move the invalid rules up to second or third position on both chains;
you are missing the fasttrack rule as the first rule on the forward chain.

Why do you need 443 and 80 open on the input chain? (isn't IPsec covered by 4500??)
Last rule on input chain is sub optimal.
better is
# Positive match first, then an unconditional drop: anything not arriving
# from a LAN-list interface is dropped, and nothing can slip past the end of
# the chain.
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop

I actually prefer limiting input chain access further to only admin PC by src-address or src-address-list and then adding another rule before the drop rule dns services to in-interface-list=LAN both protocols.

Your VLANS list is redundant — simply remove it, but be sure to change your internet forward chain rule to in-interface-list=LAN.
For list members get rid of bridge to LAN and the VLAN LIST
only need identified vlans to LAN LIST.

Forward chain last rule sucks.
simply need
# NOTE(review): no in-interface-list=WAN on this accept, so any dst-NATed
# connection from any interface is accepted. mkx's variant later in the
# thread adds in-interface-list=WAN, which is the tighter form.
add chain=forward action=accept connection-nat-state=dstnat
# Final unconditional drop: closes the chain's default-accept and is what
# actually isolates the VLANs from each other.
add chain=forward action=drop
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Router + dedicated AP = no VLAN isolation

Sun Jul 03, 2022 10:11 pm

Yeah, for those in doubt, anav is back :lol:
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Router + dedicated AP = no VLAN isolation

Mon Jul 04, 2022 2:28 pm



What makes you think it should ?
I took that idea from here viewtopic.php?f=23&t=143620#p706998 where the attached .rsc file's firewall rules are pretty elegantly minimalist:

When tinkering with firewall rules, you have to (mentally) track packet through firewall rules from top to bottom (or any rule matching it). And you have to read and understand firewall rules verbatim, ROS doesn't have any kind of AI to interpret them the way one might intend but failed to express them that way. And (again): keep in mind that rules are matched against in sequence from top to bottom (the rules belonging to the right chain that is, hence it's good to de-interlace rules so that one chain is not disturbed by rules for another chain) and first matching rule executes, no further processing is done. Another thing to keep in mind: if packet passes whole chain, it's accepted. Which is why your forward chain (from first post) allows inter-VLAN traffic.

The firewall filter rules from the config you're mentioning as being inspiration, are simple:
  1. accept all packets, belonging to already established connections. That includes return packets as well.
  2. accept packets with connection tracking state NEW from VLANs towards WAN
  3. drop everything else. This includes both packets that are invalid (even if they are heading from VLANs towards WAN) or are NEW but traveling in different direction (in this simple example from WAN towards VLANs).

Your configuration example, OTOH, is
  1. accept all packets, belonging to already established connections. That includes return packets as well. Accept also packets which are exempt from connection tracking.
  2. accept packets with connection tracking state NEW from VLANs towards WAN
  3. drop packets coming from WAN with connection tracking state NEW that are not DST-NATed
  4. drop packets which don't have valid connection tracking state (source network and destination network don't matter)
Initial packets between different VLANs don't match any of your rules, so they are allowed (as I mentioned, accept is default action), following packets fall into "established" category, handled by first rule.

While the VLAN tutorial is great resource to learn how to properly configure things on L2, it's very basic when it comes to L3 (IP and firewall). You'd be much better off if you kept the default firewall and only added interface list (which you already did) and added the rule @sindy mentioned as penultimate rule in forward chain (just above the rule #3 you have). Alas, as @anav mentioned, having multiple local subnets (VLANs) is a tad more complex use case than the default firewall rule set handles with grace and you might be better off by removing the last rule (in default config) and replacing it with
# Port-forwarded (dst-NATed) connections are accepted only when they arrive
# from WAN.
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN
#spacer
# Everything not accepted above — including new VLAN -> VLAN connections — is
# dropped; without this line the chain would accept them by default.
add chain=forward action=drop
which would actually already deal with your initial request (blocking traffic between different VLANs) while the default rule doesn't.
If you then wanted to allow some connection from VLANa to VLANb but not the opposite, you'd then include a simple rule instead of #spacer
# One-directional exception: VLANa may open connections to VLANb; the return
# packets are covered by the established/related accept at the top of the
# chain, and VLANb still cannot initiate toward VLANa.
add chain=forward action=accept in-interface=VLANa out-interface=VLANb
 
t430
just joined
Topic Author
Posts: 6
Joined: Mon Apr 11, 2022 10:29 am

Re: Router + dedicated AP = no VLAN isolation

Fri Jul 08, 2022 5:15 pm

Thank you for your input. From your posts, I understood that - at least for now - I should give up with the subnets and stick to the VLANs.

Currently my problem is that the Unifi AP can't access the DHCP server, which makes the SSID broadcasting shut down (though if I manage to connect to the SSIDs before they shut down, the connected devices can't obtain an IP either). I assume the DHCP server is in a different VLAN than the devices connected to the AP? I also tried to change the DHCP server and its address to the vlan11 interface (not present in the attached config, since I couldn't get it to stop disconnecting me from the router).

My latest configuration is attached, but I've had to roll back to the default config due to numerous "forgot to use Safe Mode" incidents. Thus the firewall rules are default for now. I've changed the names of the eth interfaces so you know what's connected to what. The bridge is kept in the LAN list for backwards (non-VLAN) compatibility (for now).
# jul/08/2022 16:08:41 by RouterOS 7.3.1
# software id = FZWK-5BAJ
#
# model = RB5009UG+S+
# serial number = HC907M8KM80
/interface bridge
# One VLAN-filtering bridge; membership is declared in /interface bridge vlan.
add admin-mac=DC:2C:6E:DD:8B:A8 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
# Ports renamed after their role: ether1 = WAN uplink, ether2 = Raspberry Pi
# running the UniFi controller, ether3 = admin PC, ether4 = UniFi AP.
set [ find default-name=ether1 ] name=ether1_wan
set [ find default-name=ether2 ] name=\
    ether2_raspberrypi_with_unifi_controller
set [ find default-name=ether3 ] name=ether3_admin_pc
set [ find default-name=ether4 ] name=ether4_unifi_ap
/interface vlan
# All three VLAN interfaces now hang off the bridge (not off ether4 as in the
# earlier revision). None of them has an IP address or DHCP server yet.
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Only the untagged 192.168.88.0/24 pool remains.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# NOTE(review): the only DHCP server is bound to the bridge interface, i.e.
# to the untagged / VLAN 1 network. The AP port below has pvid=10, so the AP's
# untagged requests end up in VLAN 10, where there is no address and no DHCP
# server in this export — consistent with the AP not getting a lease.
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=\
    ether2_raspberrypi_with_unifi_controller
add bridge=bridge comment=defconf interface=ether3_admin_pc
# AP port: untagged ingress frames are placed in VLAN 10 (pvid=10).
add bridge=bridge comment=defconf interface=ether4_unifi_ap pvid=10
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
# Neighbor discovery advertised on the LAN list, which now also contains the
# three VLAN interfaces.
set discover-interface-list=LAN
/interface bridge vlan
# VLAN 10 is the AP's untagged (management) VLAN; 20 and 30 are tagged data
# VLANs. The "bridge" entry is the router's own CPU port.
add bridge=bridge tagged=bridge untagged=ether4_unifi_ap vlan-ids=10
add bridge=bridge tagged=bridge,ether4_unifi_ap vlan-ids=20
add bridge=bridge tagged=bridge,ether4_unifi_ap vlan-ids=30
/interface list member
# bridge stays in LAN for the untagged VLAN 1 network; the VLAN interfaces are
# in LAN as well, so the firewall treats all of them alike.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_wan list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
/ip address
# Only the VLAN 1 gateway exists; vlan10/20/30 still need their own addresses.
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1_wan
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
# Router acts as resolver for its clients; the input chain's "!LAN" drop keeps
# port 53 closed toward WAN.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Stock (defconf) IPv4 rule set.
# ---- input chain ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything else to the router is dropped unless it arrives from a LAN-list
# interface. LAN here holds bridge and vlan10/20/30, so every local network
# can reach every router service; there is no per-service restriction.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# ---- forward chain ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttrack: once a connection is established it bypasses the rest of the
# filter, so any inter-VLAN policy has to act on the first (new) packet.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# NOTE(review): last forward rule. New connections between LAN-side networks
# (including vlan10/20/30 once they get addresses) match nothing and are
# accepted by the chain's default. The inter-VLAN isolation discussed in the
# thread needs a final `add action=drop chain=forward`, with any permitted
# inter-VLAN flows accepted above it.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for everything leaving via WAN that no IPsec policy covers.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
# Never-routable IPv6 prefixes (bogons) referenced by the forward-chain drops.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Stock IPv6 rule set; no IPv6 address is configured in this export, so it is
# dormant. Its forward chain ends with a "!LAN" drop and otherwise falls
# through to accept, so any inter-VLAN drop added for IPv4 should be mirrored
# here before IPv6 is enabled.
# ---- input chain ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# ---- forward chain ----
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
# MAC-telnet and MAC-winbox answered only on LAN-list interfaces (bridge and
# the three VLAN interfaces).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Router + dedicated AP = no VLAN isolation

Fri Jul 08, 2022 5:48 pm

Let's only talk about VLAN 10 (others should be handled similarly):
  • L2 setup (bridge, port membership, vlan settings) seems fine
  • L3 setup lacks just about everything
    interface vlan10 needs IP address
    DHCP server with appropriate config (address pool, DHCP network) has to be bound to vlan10

Same for vlan20 and vlan30.
 
t430
just joined
Topic Author
Posts: 6
Joined: Mon Apr 11, 2022 10:29 am

Re: Router + dedicated AP = no VLAN isolation

Fri Jul 08, 2022 6:59 pm

I despise those who attempt to use bridge for lan subnets with vlans, just keep it all the same, simple apples to apples, okay so no two testicles are the same size but you know what I mean.........
Given anav's post quoted above, won't I end up just where I was ("attempt to use bridge for lan subnets with vlans") in my first OP post by setting the L3 params you're mentioning? Or do you mean that I should set up the L3 settings so that as much L3 entities as possible are shared to still avoid the subnetting?

For example, given 3 VLANS 10,20,30, the L3 ROS entities could be:
1. 3 DHCP servers (impossible to share, each vlan interface needs its own server)
2. one shared network (DHCP Server > Networks), 192.168.88.0/24
3. one shared IP pool (or 3 pools of ~30 addresses each to split the network? in the spirit of "pool != network")
4. three separate IP addresses for the interfaces within the 192.168.88.0/24 network (e.g. 192.168.88.10, .20, .30)

Is this misguided? I feel as I'm interpreting "don't do subnets with vlans" too literally.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router + dedicated AP = no VLAN isolation

Fri Jul 08, 2022 8:01 pm

Not at all, what mkx is saying is provide a properly thought out complete configuration as you are missing bits and pieces.
I have over 10 vlans on my home network, one bridge, basic firewall rules and I have all the isolation required.
Nothing fancy.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Router + dedicated AP = no VLAN isolation

Fri Jul 08, 2022 8:20 pm

3 vlans means:
  1. Use of 3 distinct IP subnets, one per vlan interface - e.g. 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24
  2. Each interface needs separate DHCP server with settings appropriate for corresponding interface
  3. Appropriate firewall rules (either raw or filter) to control traffic between different IP subnets

As @anav writes: carefully think about what you actually want to achieve. Keep in mind that certain functionality doesn't work nicely between routed subnets (e.g. Bonjour discovery of printers et al., some broadcast-bound discovery such as DLNA, etc.), so don't over-do the subnetting.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Router + dedicated AP = no VLAN isolation

Fri Jul 08, 2022 10:00 pm

As @anav writes: carefully think about what you actually want to achieve. Keep in mind that certain functionality doesn't work nicely between routed subnets (e.g. bonjour discovery of printers et.al., some broadcasts-bound discovery such as dLNA, etc.), so don't over-do the subnetting.
Here's a cartoon that shows a similar situation. xkcd sandboxing cycle
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Router + dedicated AP = no VLAN isolation

Fri Jul 08, 2022 10:28 pm

When I am working on a new config in a lab, where I am using multiple vlans (each with own dhcp server and ip subnet) and wanting a firewall to control inter-vlan communication, I always start by getting vlans to work without the firewall blocking inter-vlan traffic.

Then when the vlans are working, and inter-vlan traffic is being routed, then I start to apply the firewall filtering. It is much easier to solve a single problem at a time.

BTW, it is easy to know whether packets are being routed vs switched by looking at the TTL in ping responses, since each router "hop" will decrement the TTL.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router + dedicated AP = no VLAN isolation

Fri Jul 08, 2022 11:11 pm

You don't have to guess, buckeye, if you trust your config skills.
This is dirt simple.
I dont normally expect or want vlan to vlan traffic.
A simple drop-all rule at the end of the forward chain takes care of L3 isolation (it must sit after the accept rules for established/related and LAN-to-WAN traffic, otherwise it drops those too), and the fact that they are separate VLANs handles the L2 isolation.
The only thing needed would be to allow specific traffic between vlans (perhaps to a common printer).
 
holvoetn

Re: Router + dedicated AP = no VLAN isolation

Fri Jul 08, 2022 11:19 pm

The only thing needed would be to allow specific traffic between vlans (perhaps to a common printer).
Pretty much what I did.
No intervlan access except for 1 device ( my laptop :lol: ).
Access to printer for trusted wifi ( not guest nor iot)
Access to iperf server from all ( otherwise it is difficult to test some things).

And that's it. All the rest needs to stay within their vlan.
 
t430

Re: Router + dedicated AP = no VLAN isolation

Sat Jul 09, 2022 1:21 am

Ok, based on your posts I've basically gone full circle back to my OP and realised that the VLAN interfaces and the L3 RouterOS entities (an IP address and a DHCP server per VLAN) are actually necessary. Thanks to your help I was able to get the VLAN isolation I was looking for in the OP. It's actually a very tiny improvement over my OP - perhaps I should've done that first instead of tearing down the L3 entities. I still don't understand what the subnet-less approach would look like though. If someone could please write "remove this [quoted code] and replace it with this and that", as I really have no clue.

Thanks for bearing with me :)

As for the config - there's still some stuff here for "backwards compatibility" with untagged (VLAN ID 1) devices on the remaining ports; the firewall rules should be cleaner now as well:
# jul/09/2022 00:14:29 by RouterOS 7.3.1
# software id = FZWK-5BAJ
#
# model = RB5009UG+S+
# serial number = HC907M8KM80
# Single bridge with VLAN filtering enabled; all VLAN-aware switching happens here.
/interface bridge
add name=bridge comment=defconf vlan-filtering=yes auto-mac=no admin-mac=DC:2C:6E:DD:8B:A8
# L3 VLAN interfaces on top of the bridge. Note the naming: interface "vlan1"
# carries VLAN ID 10, "vlan2" carries 20 and "vlan3" carries 30 (not IDs 1/2/3).
/interface vlan
add name=vlan1 interface=bridge vlan-id=10
add name=vlan2 interface=bridge vlan-id=20
add name=vlan3 interface=bridge vlan-id=30
# Interface lists referenced by the firewall, NAT and mac-server sections.
/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf
# Default wireless security profile; this export lists no wireless interface,
# so the entry appears to be a defconf leftover and is harmless here.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# One DHCP address pool per segment; .1 of each subnet is left for the router.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool1 ranges=192.168.10.2-192.168.10.254
add name=pool2 ranges=192.168.20.2-192.168.20.254
add name=pool3 ranges=192.168.30.2-192.168.30.254
# DHCP servers: one on the bridge itself (untagged/VLAN 1 devices) and one per VLAN interface.
/ip dhcp-server
add name=defconf interface=bridge address-pool=default-dhcp
add name=server1 interface=vlan1 address-pool=pool1
add name=server2 interface=vlan2 address-pool=pool2
add name=server3 interface=vlan3 address-pool=pool3
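# Bridge ports. ether4 is the hybrid port to the AP: untagged VLAN 10 (its pvid)
# plus tagged VLANs 20 and 30. All other ports stay plain access ports on the
# default PVID 1 (the 192.168.88.0/24 "backwards compatibility" segment).
# Hardening: access ports explicitly reject VLAN-tagged frames (ingress-filtering
# plus frame-type), so a host plugged into them cannot inject a tag to reach
# another VLAN. ether4 keeps the default frame-type (admit-all) because it must
# accept tagged frames from the AP; ingress-filtering still drops tags that are
# not in the VLAN table for that port.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether3 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether4 pvid=10 ingress-filtering=yes
add bridge=bridge comment=defconf interface=ether5 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether6 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether7 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether8 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=sfp-sfpplus1 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN table: the bridge itself is a tagged member of every VLAN so the L3
# vlan1/vlan2/vlan3 interfaces can terminate them; ether4 is untagged in 10
# and tagged in 20 and 30.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether4
add bridge=bridge vlan-ids=20 tagged=bridge,ether4
add bridge=bridge vlan-ids=30 tagged=bridge,ether4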
# Interface list membership. The bridge (untagged/VLAN 1 devices) and each VLAN
# interface are all in LAN, so every firewall rule that matches LAN also covers
# all three VLANs.
/interface list member
add list=LAN interface=bridge comment=defconf
add list=WAN interface=ether1 comment=defconf
add list=LAN interface=vlan1
add list=LAN interface=vlan2
add list=LAN interface=vlan3
# Router addresses: one /24 per segment, the router is .1 in each.
/ip address
add interface=bridge address=192.168.88.1/24 network=192.168.88.0 comment=defconf
add interface=vlan1 address=192.168.10.1/24 network=192.168.10.0
add interface=vlan2 address=192.168.20.1/24 network=192.168.20.0
add interface=vlan3 address=192.168.30.1/24 network=192.168.30.0
# The WAN address is obtained by DHCP on ether1.
/ip dhcp-client
add interface=ether1 comment=defconf
# Per-subnet DHCP options. Each VLAN gets its own gateway; DNS for all of them
# points at the router's 192.168.88.1. Packets addressed to a router-owned
# address go through the input chain, so DNS from the VLANs works only as long
# as the input chain accepts it.
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.88.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.88.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.88.1
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment=defconf
# The router acts as a DNS resolver for the LAN. allow-remote-requests=yes means
# it answers anyone who can reach it, so the input chain must keep dropping
# DNS from WAN (the final input drop rule does that).
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=router.lan address=192.168.88.1 comment=defconf
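/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add chain=input action=drop comment="defconf: drop invalid" connection-state=invalid
add chain=input action=accept comment="defconf: accept ICMP" protocol=icmp
add chain=input action=accept comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): LAN contains every VLAN interface, so this admits all VLANs to all
# router services (WinBox, SSH, WWW, DNS, ...). Consider restricting management to
# one trusted VLAN and allowing only DNS (tcp/udp 53) from the others.
add chain=input action=accept comment="accept all from LAN (all VLANs)" in-interface-list=LAN
add chain=input action=drop comment="drop everything else"
# --- forward chain: traffic passing through the router ---
add chain=forward action=accept comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add chain=forward action=accept comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add chain=forward action=fasttrack-connection comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add chain=forward action=accept comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Restored from defconf: this rule was missing, so packets in an invalid
# connection state reached the accept rules below instead of being dropped.
add chain=forward action=drop comment="defconf: drop invalid" connection-state=invalid
# This rule was labelled "drop all from WAN not DSTNATed" but its action is accept:
# what it actually does is admit port-forwarded (dst-nat) connections. Renamed to
# match its behaviour; the empty connection-state="" matcher (presumably a no-op)
# is removed.
add chain=forward action=accept comment="accept dst-natted connections (port forwards)" connection-nat-state=dstnat
add chain=forward action=accept comment="LAN/VLANs to WAN" in-interface-list=LAN out-interface-list=WAN
# Final catch-all. Everything not explicitly accepted above is dropped, including
# VLAN-to-VLAN traffic; this rule is what provides the inter-VLAN isolation. Put any
# deliberate exceptions (e.g. a shared printer) as accept rules above it.
add chain=forward action=drop comment="drop everything else (incl. inter-VLAN)"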
# Source NAT for everything leaving through a WAN interface. ipsec-policy=out,none
# restricts it to packets that are not matched by an outgoing IPsec policy.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="defconf: masquerade"
# Bogon / reserved IPv6 prefixes (defconf); the IPv6 forward chain drops traffic
# with a source or destination in this list.
/ipv6 firewall address-list
add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
add list=bad_ipv6 address=::1/128 comment="defconf: lo"
add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
add list=bad_ipv6 address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped"
add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
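/ipv6 firewall filter
# --- input chain (defconf): traffic addressed to the router ---
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
# --- forward chain (defconf): traffic passing through the router ---
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
# The defconf chain above only drops traffic that does NOT come from LAN. Since all
# VLAN interfaces are in LAN, IPv6 traffic between VLANs would be forwarded freely,
# unlike the IPv4 chain. No IPv6 address is configured in this export, so this is
# latent today, but the two rules below make the IPv6 policy match IPv4 (LAN to WAN
# only, everything else - including inter-VLAN - dropped) the day IPv6 is enabled.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN/VLANs to WAN"
add chain=forward action=drop comment="drop everything else (incl. inter-VLAN)"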
/system clock
set time-zone-name=Europe/Warsaw
# MAC-telnet and MAC-WinBox are limited to the LAN list. NOTE(review): LAN contains
# every VLAN interface in this config, so both services are reachable from all VLANs;
# a separate management list would narrow that.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
anav

Re: Router + dedicated AP = no VLAN isolation

Sat Jul 09, 2022 2:39 am

I will have a thorough look tomorrow, getting late for me now........... long day.
 
kevinds

Re: Router + dedicated AP = no VLAN isolation

Sat Jul 23, 2022 11:25 am

Thank you for your input. From your posts, I understood that - at least for now - I should give up with the subnets and stick to the VLANs.
That won't work though..

A VLAN will need at least one subnet to work. If you use the same subnet on multiple VLANs, you are in for a world of hurt.. But multiple subnets on one VLAN is no problem.
 
anav

Re: Router + dedicated AP = no VLAN isolation

Sat Jul 23, 2022 11:03 pm

Upgrade firmware to 7.4.........

Okay, the following is provided; you have four VLANs: the three you need for the SSIDs, vlan1, vlan2, vlan3 (IDs 10, 20, 30), plus one more.
I added name=vlanBase vlan11 which is basically your trusted home lan.

The only tricky part was ether4 due to the fact that you are feeding a unifi AP, which normally expects the management vlan as untagged by default and all the data vlans tagged.

Thus your ether4 has to be a hybrid port (untagged VLAN 11 for the AP's own management traffic, tagged 10/20/30 for the SSIDs) and the UniFi should get an IP address from vlanBase (personally I set those statically).
If this is not the case then the config would not be quite right yet.
Check each line you will see differences!!

+++++++++++++++++++++++
# Bridge with VLAN filtering; four L3 VLAN interfaces ride on it.
/interface bridge
add name=bridge comment=defconf vlan-filtering=yes auto-mac=no admin-mac=DC:2C:6E:DD:8B:A8
# vlanBase (ID 11) is the trusted home LAN; vlan1/2/3 carry IDs 10/20/30 for the SSIDs.
/interface vlan
add name=vlanBase interface=bridge vlan-id=11
add name=vlan1 interface=bridge vlan-id=10
add name=vlan2 interface=bridge vlan-id=20
add name=vlan3 interface=bridge vlan-id=30
# WAN/LAN as in defconf, plus MANAGE for the interfaces allowed to reach router services.
/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf
add name=MANAGE
# Default wireless security profile (defconf leftover; no wireless interface is listed).
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# One DHCP pool per subnet; .1 of each is the router.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool1 ranges=192.168.10.2-192.168.10.254
add name=pool2 ranges=192.168.20.2-192.168.20.254
add name=pool3 ranges=192.168.30.2-192.168.30.254
# DHCP servers bound to the VLAN interfaces (the home LAN now lives on vlanBase, not on the bridge).
/ip dhcp-server
add name=homelan interface=vlanBase address-pool=default-dhcp
add name=server1 interface=vlan1 address-pool=pool1
add name=server2 interface=vlan2 address-pool=pool2
add name=server3 interface=vlan3 address-pool=pool3
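# Bridge ports. Access ports carry untagged VLAN 11 only and reject tagged frames.
# Fixed: "admit-priority-and-untagged" is not a RouterOS frame-type value and the
# import would fail on it; the documented value is admit-only-untagged-and-priority-tagged
# (the others being admit-all and admit-only-vlan-tagged).
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=11 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether3 pvid=11 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
# Hybrid port to the AP: untagged VLAN 11 (AP management) plus tagged 10/20/30.
# Keeps the default frame-type (admit-all); ingress-filtering still drops tags that
# are not in the VLAN table for this port.
add bridge=bridge comment=defconf interface=ether4 pvid=11 ingress-filtering=yes
add bridge=bridge comment=defconf interface=ether5 pvid=11 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether6 pvid=11 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether7 pvid=11 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=ether8 pvid=11 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=sfp-sfpplus1 pvid=11 ingress-filtering=yes frame-type=admit-only-untagged-and-priority-tagged
# Neighbor discovery only on the management list.
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
# VLAN table: the bridge is a tagged member of everything (for the L3 interfaces);
# ether4 is tagged in 10/20/30 and untagged in 11 along with all access ports.
/interface bridge vlan
add bridge=bridge vlan-ids=10,20,30 tagged=bridge,ether4
add bridge=bridge vlan-ids=11 tagged=bridge untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1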
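# Interface list membership. The bridge itself is no longer in LAN; only the VLAN
# interfaces are, and only vlanBase is in MANAGE.
/interface list member
add list=WAN interface=ether1 comment=defconf
add list=LAN interface=vlan1
add list=LAN interface=vlan2
add list=LAN interface=vlan3
add list=LAN interface=vlanBase
# Fixed: the parameter is "list" (lower-case). "List=MANAGE" is rejected by the CLI,
# which would leave MANAGE empty - and the input chain in this config accepts
# management traffic from MANAGE only, so that would lock you out of the router.
add list=MANAGE interface=vlanBase
# Router addresses: .1 in each /24; the home LAN address moves from the bridge to vlanBase.
/ip address
add interface=vlanBase address=192.168.88.1/24 network=192.168.88.0 comment=defconf
add interface=vlan1 address=192.168.10.1/24 network=192.168.10.0
add interface=vlan2 address=192.168.20.1/24 network=192.168.20.0
add interface=vlan3 address=192.168.30.1/24 network=192.168.30.0
# WAN address by DHCP on ether1.
/ip dhcp-client
add interface=ether1 comment=defconf
# Per-subnet DHCP options; DNS for all VLANs is the router's 192.168.88.1, which the
# input chain must allow from LAN (it allows tcp/udp 53 in this config).
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.88.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.88.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.88.1
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment=defconf
/ip dns
set allow-remote-requests=yes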
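/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add chain=input action=drop comment="defconf: drop invalid" connection-state=invalid
add chain=input action=accept comment="defconf: accept ICMP" protocol=icmp
add chain=input action=accept comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Management services (WinBox, SSH, WWW, ...) only from the MANAGE list; every other
# VLAN may only use the router as a DNS resolver.
add chain=input action=accept comment="management from MANAGE" in-interface-list=MANAGE
add chain=input action=accept comment="DNS from all VLANs" in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept comment="DNS from all VLANs" in-interface-list=LAN protocol=udp dst-port=53
add chain=input action=drop comment="drop everything else"
# --- forward chain: traffic passing through the router ---
add chain=forward action=accept comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add chain=forward action=accept comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add chain=forward action=fasttrack-connection comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add chain=forward action=accept comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add chain=forward action=drop comment="defconf: drop invalid" connection-state=invalid
add chain=forward action=accept comment="LAN/VLANs to WAN" in-interface-list=LAN out-interface-list=WAN
# Fixed: a comment containing a space must be quoted. Unquoted "comment=allow dst-nat"
# makes the CLI treat "dst-nat" as a stray token and reject the whole line.
add chain=forward action=accept comment="allow dst-nat (port forwards)" connection-nat-state=dstnat
# Catch-all: inter-VLAN traffic is dropped here. Deliberate exceptions (e.g. a shared
# printer) go as explicit accept rules above this one.
add chain=forward action=drop comment="drop everything else (incl. inter-VLAN)"
# NOTE(review): this listing contains no /ipv6 firewall filter section. If the router
# ever gets IPv6 connectivity, keep the defconf IPv6 rules (or disable IPv6), otherwise
# IPv6 would bypass the isolation enforced above.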
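# Source NAT for everything leaving via WAN that is not matched by an outgoing IPsec policy.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="defconf: masquerade"
/system clock
set time-zone-name=Europe/Warsaw
# MAC-telnet is disabled entirely; MAC-WinBox is reachable only from the management list.
# Fixed: the documented "disable" value for allowed-interface-list is lower-case none;
# "NONE" would be looked up as an interface list of that name, which does not exist.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE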
