mbghost
just joined
Topic Author
Posts: 14
Joined: Wed Dec 08, 2021 4:10 pm

Management VLAN Isolation

Sun Aug 07, 2022 2:18 pm

I have a VLAN for clients (192.168.80.0/24) and a management VLAN (192.168.55.0/27). I want to isolate traffic from the client VLAN to the management VLAN, but hosts in the management VLAN should still have access to the client VLAN.
add action=drop chain=input dst-address=192.168.55.0/27 src-address=192.168.80.0/24
add action=accept chain=input dst-address=192.168.80.0/24 src-address=192.168.55.0/27
What am I doing wrong?
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Management VLAN Isolation

Sun Aug 07, 2022 2:24 pm

"Input" chain is for traffic coming to the router. Change it to "forward" as you want to manage "forwarding" between IP subnets.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Management VLAN Isolation

Sun Aug 07, 2022 2:36 pm

Firewall chain input handles traffic to the router itself. To handle transit traffic (from one interface to another), you have to use chain forward.
Also have a look at what a stateful firewall means. Your rules, if placed in the correct chain, would drop any packets from the client subnet to the management subnet, including responses to requests sent from the management subnet. What you actually need is to accept or drop the initial packet of each conversation (connection, session): if the initial packet gets dropped, the conversation never starts; if it gets accepted, the responses in that conversation must get accepted as well. This is what a stateful firewall will do for you.

The firewall rules in the default configuration of the SOHO models of MikroTik are an example of a stateful firewall; all you need is to modify them to support multiple LANs and police the traffic among them.
 
mbghost
just joined
Topic Author
Posts: 14
Joined: Wed Dec 08, 2021 4:10 pm

Re: Management VLAN Isolation

Sun Aug 07, 2022 4:36 pm

"Input" chain is for traffic coming to the router. Change it to "forward" as you want to manage "forwarding" between IP subnets.
If I change it to "forward", I lose the connection from both sides.
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Management VLAN Isolation

Sun Aug 07, 2022 5:32 pm

I think the accept rule is unnecessary, as by default all inter-VLAN traffic is allowed. But it depends on any other rules you have.
Instead of using IP ranges, I prefer to do it like this (check the names of the interfaces you have used):
add action=drop chain=forward in-interface=CLIENT_VLAN out-interface=MGT_VLAN
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Management VLAN Isolation  [SOLVED]

Sun Aug 07, 2022 6:22 pm

Having access to the user subnet UIP=192.168.80.0/24 from MIP=192.168.55.0/27 by IP implies that any traffic originated from MIP to UIP should be allowed no matter what. On the other hand, only related or established traffic from UIP should be accepted. Any new, invalid or untracked packets from UIP to MIP should be forbidden, as they mean that someone from UIP wants to access devices on MIP.
So ... the idea is:
# Management -> users allowed - not strictly needed, but you can watch the counters to see if any traffic passes in that direction
add action=accept chain=forward dst-address-list=UIP src-address-list=MIP
# allow all returning traffic of connections started from MIP to a UIP device
add action=accept chain=forward connection-state=established,related dst-address-list=MIP src-address-list=UIP
# any traffic other than the returning traffic (defined previously) is blocked
add action=drop chain=forward connection-state=!established,related dst-address-list=MIP src-address-list=UIP

The other method could be mangle: set a connection mark on any traffic started from MIP, and then base the rules on that mark, so that traffic from UIP to MIP without that mark is not allowed to pass, instead of using IP lists.
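The stateful approach sindy describes and the three rules BartoszP posted, put together with the address lists they reference and the established/related rule they depend on, as an added example; this is not config posted in the thread and not MikroTik's default ruleset. The subnets and the list names UIP and MIP come from the thread; the interface names `vlan80-clients` and `vlan55-mgmt`, the assumption that the router also serves DHCP and DNS to the client VLAN, and the rule ordering are assumptions made for the example.

```routeros
# Added example (not from the thread): stateful isolation of a management VLAN.
# Assumed interface names: vlan80-clients (192.168.80.0/24), vlan55-mgmt (192.168.55.0/27).
/ip firewall address-list
add list=UIP address=192.168.80.0/24 comment="client VLAN (users)"
add list=MIP address=192.168.55.0/27 comment="management VLAN"

/ip firewall filter
# 1. Stateful core. On a device that still has the default configuration these
#    two rules already exist at the top of chain forward; do not add them twice,
#    just make sure the policy rules below end up after them.
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept replies of every conversation that was allowed to start"
add chain=forward action=drop connection-state=invalid \
    comment="drop packets that belong to no tracked conversation"

# 2. Policy: management may open connections toward clients.
#    Not strictly needed (nothing below drops this direction), but the counter
#    shows how much traffic is initiated from management.
add chain=forward action=accept connection-state=new \
    src-address-list=MIP dst-address-list=UIP \
    comment="mgmt -> clients: allowed (watch counters)"

# 3. Policy: clients may not open anything toward management.
#    Rule 1 has already accepted the reply packets of mgmt->client sessions,
#    so only the first packet of a client-initiated conversation reaches this
#    rule, which is exactly the packet a stateful firewall must refuse.
add chain=forward action=drop src-address-list=UIP dst-address-list=MIP \
    comment="clients -> mgmt: blocked"

# 3b. The same policy keyed on interfaces instead of address lists.
#     connection-state=new is what makes this safe: a plain in-/out-interface
#     drop also matches reply packets of mgmt->client sessions when it sits
#     above the established/related accept, which kills both directions.
add chain=forward action=drop connection-state=new \
    in-interface=vlan80-clients out-interface=vlan55-mgmt \
    comment="clients -> mgmt: blocked (interface form, redundant with rule 3)"

# 4. Chain input protects the router itself (this is where the first attempt in
#    the thread put its rules). Router services stay reachable only from the
#    management VLAN, except the services the router provides to clients.
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept src-address-list=MIP \
    comment="router management (SSH/WinBox/API) from mgmt VLAN only"
# Assumption: the router is the DHCP and DNS server of the client VLAN.
add chain=input action=accept in-interface=vlan80-clients protocol=udp dst-port=67 \
    comment="DHCP from clients"
add chain=input action=accept in-interface=vlan80-clients protocol=udp dst-port=53 \
    comment="DNS from clients"
add chain=input action=accept in-interface=vlan80-clients protocol=tcp dst-port=53 \
    comment="DNS (TCP) from clients"
add chain=input action=drop src-address-list=UIP \
    comment="clients cannot reach any other router service"
```

Order is the whole point: the established/related accept must be above the drop, and the policy rules must be above any catch-all drop that is already present, so check the result with `/ip firewall filter print`. To test, open an SSH session from a management host to a client and ping a management host from a client; `/ip firewall filter print stats` should then show the "clients -> mgmt: blocked" counter rising only for the ping, while the SSH session keeps working because its replies match the established/related rule.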
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Management VLAN Isolation

Mon Aug 08, 2022 2:09 am

Without seeing the full config, not able to provide any useful info.
/export hide-sensitive file=anynameyouwish - just ensure you don't use real numbers for the WAN IP or the WAN IP gateway (public-side info).
 
mbghost
just joined
Topic Author
Posts: 14
Joined: Wed Dec 08, 2021 4:10 pm

Re: Management VLAN Isolation

Mon Aug 08, 2022 7:54 am

Having access to the user subnet UIP=192.168.80.0/24 from MIP=192.168.55.0/27 by IP implies that any traffic originated from MIP to UIP should be allowed no matter what. On the other hand, only related or established traffic from UIP should be accepted. Any new, invalid or untracked packets from UIP to MIP should be forbidden, as they mean that someone from UIP wants to access devices on MIP.
So ... the idea is:
# Management -> users allowed - not strictly needed, but you can watch the counters to see if any traffic passes in that direction
add action=accept chain=forward dst-address-list=UIP src-address-list=MIP
# allow all returning traffic of connections started from MIP to a UIP device
add action=accept chain=forward connection-state=established,related dst-address-list=MIP src-address-list=UIP
# any traffic other than the returning traffic (defined previously) is blocked
add action=drop chain=forward connection-state=!established,related dst-address-list=MIP src-address-list=UIP

The other method could be mangle: set a connection mark on any traffic started from MIP, and then base the rules on that mark, so that traffic from UIP to MIP without that mark is not allowed to pass, instead of using IP lists.

This config helped me, and it is working correctly! Thank you so much))
I had already tried it this way, but in my case it is not working:
add action=drop chain=forward in-interface=CLIENT_VLAN out-interface=MGT_VLAN
