bablur
just joined
Topic Author
Posts: 12
Joined: Wed Aug 31, 2022 4:42 pm

Required Vlan Isolation in Bridge

Sat Sep 17, 2022 9:30 pm

Dear Support,

I have configured a bridge "LAN" and made multiple VLANs members of bridge "LAN". Each VLAN has a different gateway configured, but each gateway is reachable from every other gateway in the last-mile system.

Please see the configuration below:

/interface vlan
add interface=ether4-LAN name=Ajay_Kumar_Saha_2418 vlan-id=2418
add interface=ether4-LAN name=Baishali_Cable_1073 vlan-id=1073
add interface=ether4-LAN name=CSN_Monoranjan_Shimurali_1356 vlan-id=1356
add interface=ether4-LAN name=Santanu_Chakraborty_1896 vlan-id=1896
add interface=ether4-LAN name=Test-Zone-1947 vlan-id=1947
/ip address
add address=10.10.128.1/24 interface=Test-Zone-1947 network=10.10.128.0
add address=172.22.188.1/24 interface=Ajay_Kumar_Saha_2418 network=172.22.188.0
add address=10.9.93.1/24 interface=CSN_Monoranjan_Shimurali_1356 network=10.9.93.0
add address=10.8.29.1/24 interface=Baishali_Cable_1073 network=10.8.29.0
add address=172.21.59.1/24 interface=Santanu_Chakraborty_1896 network=172.21.59.0
/interface bridge
add name=LAN protocol-mode=none
/interface bridge port
add bridge=LAN frame-types=admit-only-vlan-tagged interface=Test-Zone-1947 pvid=1947
add bridge=LAN frame-types=admit-only-vlan-tagged interface=Baishali_Cable_1073 pvid=1073
add bridge=LAN frame-types=admit-only-vlan-tagged interface=CSN_Monoranjan_Shimurali_1356 pvid=1356
add bridge=LAN frame-types=admit-only-vlan-tagged interface=Ajay_Kumar_Saha_2418 pvid=2418
add bridge=LAN frame-types=admit-only-vlan-tagged interface=Santanu_Chakraborty_1896 pvid=1896

Please guide me on how to isolate reachability from one VLAN to another VLAN's gateway.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Required Vlan Isolation in Bridge

Sat Sep 17, 2022 9:41 pm

 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Required Vlan Isolation in Bridge

Sat Sep 17, 2022 9:51 pm

Dear Support
Just to clarify, this is a forum of fellow users, not an interface to Mikrotik support team.

Please guide me on how to isolate reachability from one VLAN to another VLAN's gateway.
All the "VLAN gateways" you mention are IP addresses of the same device, and that device has routing capability. It means that to prevent devices in a subnet hosted in one VLAN from communicating with devices in another subnet in another VLAN, you have to use IP firewall rules. There is not much point in preventing devices in one subnet from reaching the router's own IP addresses in the other subnets, but if you insist, you can use the IP firewall for that too.

For a better answer, follow @anav's advice on how to post a better question.
 
bablur
just joined
Topic Author
Posts: 12
Joined: Wed Aug 31, 2022 4:42 pm

Re: Required Vlan Isolation in Bridge

Sun Sep 18, 2022 7:33 am

Hi,

Would you please give an example of IP firewall rules for isolation of VLAN gateways?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Required Vlan Isolation in Bridge

Sun Sep 18, 2022 11:11 am

A simple example, one way of doing it. While it should be working, I advise against blindly pasting it into your device; better use it as a "thought seed" for your own solution.
/interface list
add name=LocalVlans
/interface list member
add interface=Ajay_Kumar_Saha_2418 list=LocalVlans
add interface=Baishali_Cable_1073 list=LocalVlans
add interface=CSN_Monoranjan_Shimurali_1356 list=LocalVlans
add interface=Santanu_Chakraborty_1896 list=LocalVlans
add interface=Test-Zone-1947 list=LocalVlans
/ip firewall filter
add chain=forward action=drop in-interface-list=LocalVlans out-interface-list=LocalVlans
If you have any firewall filters already present, then you have to place the rule presented above at the appropriate place within the forward chain to make sure it's effective.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Required Vlan Isolation in Bridge

Sun Sep 18, 2022 11:45 am

Would you please give an example of IP firewall rules for isolation of VLAN gateways?
The example given by @mkx is in step with my understanding of what you really need, i.e. to prevent hosts in different VLANs from talking to each other.

To do exactly what you ask for here, i.e. to prevent hosts in each given subnet (VLAN) from reaching the router's own addresses in all subnets but their own, you'd need a more complicated setup, like:

/ip firewall filter
add chain=input src-address=10.10.128.0/24 dst-address=!10.10.128.1 action=drop
add chain=input src-address=172.22.188.0/24 dst-address=!172.22.188.1 action=drop
add chain=input src-address=10.9.93.0/24 dst-address=!10.9.93.1 action=drop
add chain=input src-address=10.8.29.0/24 dst-address=!10.8.29.1 action=drop
add chain=input src-address=172.21.59.0/24 dst-address=!172.21.59.1 action=drop

Like all firewall rules, these too work in accord with the other ones, so they need to be placed in the proper position in the input chain to do what they are intended for.
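Putting the two posts above together, as an added example that is not from any poster in this thread: the interface list and forward-chain drop from @mkx, the per-subnet input-chain drops from @sindy, and the usual stateful accept rules placed ahead of them so the drops cannot cut off sessions that are already open. The list name LocalVlans and the rule comments are assumptions; the interface names and subnets are the ones from the original post. The order is the point: RouterOS evaluates each chain top to bottom and stops at the first matching rule, so a drop placed below a broad accept never matches.

```routeros
# Added example, not from the thread. Assumes a device with no existing /ip firewall filter rules;
# interface names and subnets are the ones from the original post, the list name and comments are assumed.
/interface list
add name=LocalVlans comment="all customer VLAN interfaces"
/interface list member
add interface=Ajay_Kumar_Saha_2418 list=LocalVlans
add interface=Baishali_Cable_1073 list=LocalVlans
add interface=CSN_Monoranjan_Shimurali_1356 list=LocalVlans
add interface=Santanu_Chakraborty_1896 list=LocalVlans
add interface=Test-Zone-1947 list=LocalVlans

/ip firewall filter
# Stateful accepts first: replies and follow-up packets of flows that were already allowed
# must never reach the drops below, otherwise an open Winbox/SSH session dies the moment the rules are added.
add chain=input action=accept connection-state=established,related comment="input: keep open sessions"
add chain=forward action=accept connection-state=established,related comment="forward: keep open sessions"
add chain=input action=drop connection-state=invalid comment="input: drop invalid"
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"

# sindy's rules: a host may only talk to the router address that lives in its own subnet.
# New connections to any other router-owned address are dropped before any later accept can see them.
add chain=input action=drop src-address=10.10.128.0/24 dst-address=!10.10.128.1 comment="1947: own gateway only"
add chain=input action=drop src-address=172.22.188.0/24 dst-address=!172.22.188.1 comment="2418: own gateway only"
add chain=input action=drop src-address=10.9.93.0/24 dst-address=!10.9.93.1 comment="1356: own gateway only"
add chain=input action=drop src-address=10.8.29.0/24 dst-address=!10.8.29.1 comment="1073: own gateway only"
add chain=input action=drop src-address=172.21.59.0/24 dst-address=!172.21.59.1 comment="1896: own gateway only"

# mkx's rule: nothing routed from one customer VLAN may leave the router into another customer VLAN.
add chain=forward action=drop in-interface-list=LocalVlans out-interface-list=LocalVlans comment="no inter-VLAN forwarding"
```

On a device that already has filter rules, check the resulting position with `/ip firewall filter print` and move the drops above any broad accept in the same chain. Two side effects of the input rules are worth knowing before pasting: a host loses access to every address the router owns except its own gateway, including addresses on other interfaces such as a WAN address, so DNS or NTP served by the router must be reached through the gateway address; and host-to-host traffic between two VLANs never passes the input chain at all, which is why the forward rule is still required.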
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Required Vlan Isolation in Bridge

Sun Sep 18, 2022 2:37 pm

Your whole config is whacked. Not sure what advice you were following, but it was not good advice!

(1) Simple and clean.
At the end of the forward chain add the rule:
add chain=forward action=drop comment="drop all else"

Then all VLANs are blocked from each other at L3. DONE, one rule!
If you need any traffic between VLANs, such as for a shared printer, then you will have to add a rule to allow such traffic.

(2) First fix your config, as you are confused: you are either using ether4 for VLANs or the bridge, but the config tries to do both.

So I recommend you modify your VLAN definitions to THIS:
/interface vlan
add interface=bridge-LAN name=Ajay_Kumar_Saha_2418 vlan-id=2418
add interface=bridge-LAN name=Baishali_Cable_1073 vlan-id=1073
add interface=bridge-LAN name=CSN_Monoranjan_Shimurali_1356 vlan-id=1356
add interface=bridge-LAN name=Santanu_Chakraborty_1896 vlan-id=1896
add interface=bridge-LAN name=Test-Zone-1947 vlan-id=1947

(3) Yes, naming your bridge "LAN" is just asking for trouble and confusing to most readers, hence it's bridge-LAN in my example!

(4) At some point in your bridge settings you will need to set vlan-filtering to yes.

(5) The /interface bridge port settings are incorrect. You have identified the VLANs; you need to identify ETHERPORTS, and WLANs if applicable (wifi router).
Thus it should look like this, since we only know about ether4:

/interface bridge port
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether4

and
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether4 vlan-ids=1073,1356,1896,1947,2418
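anav's five steps as one sequence, added here as an example and not taken from any post: the bridge is renamed, the VLAN interfaces are re-parented from ether4 onto the bridge (which keeps the existing /ip address entries attached to them), ether4 becomes the only bridge port, the bridge VLAN table is filled in, and vlan-filtering is switched on as the very last step, because once it is on any VLAN missing from the table is silently dropped. The bridge name bridge-LAN is anav's; the comments and the assumption that the router is managed through a port other than ether4 (or from Safe Mode) are assumptions. Interface names, VLAN ids and addresses are from the original post.

```routeros
# Added example, not from the thread. Assumes the router is managed through a port other than ether4
# (or from Safe Mode), because ether4 changes role part-way through and the VLAN table must be complete
# before filtering is enabled.

# Rename the bridge; references in other menus follow the rename.
/interface bridge
set [find name=LAN] name=bridge-LAN

# Drop the wrong bridge ports (the VLAN interfaces themselves) and add the real trunk port.
/interface bridge port
remove [find bridge=bridge-LAN]
add bridge=bridge-LAN interface=ether4 ingress-filtering=yes frame-types=admit-only-vlan-tagged

# Re-parent every VLAN interface onto the bridge. The /ip address entries stay bound to the
# interface names, so the gateway addresses survive without being re-entered.
/interface vlan
set [find vlan-id=2418] interface=bridge-LAN
set [find vlan-id=1073] interface=bridge-LAN
set [find vlan-id=1356] interface=bridge-LAN
set [find vlan-id=1896] interface=bridge-LAN
set [find vlan-id=1947] interface=bridge-LAN

# VLAN table: each id is tagged on the trunk (ether4) and on the bridge itself (so the router's own
# VLAN interfaces see the tagged frames).
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether4 vlan-ids=1073,1356,1896,1947,2418

# Only now enable filtering; before this line the table above has no effect.
/interface bridge
set [find name=bridge-LAN] vlan-filtering=yes

# Verification: every id should list bridge-LAN and ether4 under current-tagged,
# and learned MAC addresses should appear with the VLAN they were seen in.
/interface bridge vlan print
/interface bridge host print
```

If the only management path is through ether4, run the whole sequence inside Safe Mode (Ctrl-X in the terminal) so that a mistake in the VLAN table is rolled back when the session drops instead of locking you out.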
