Community discussions

MikroTik App
 
steve1
just joined
Topic Author
Posts: 5
Joined: Sat Jan 28, 2023 2:58 pm

Unable to stop Inter-VLAN traffic

Wed Feb 01, 2023 8:32 am

Hi

I am having issues blocking Inter-VLAN traffic. I created an interface list and placed the two VLANs that I have in that list. I then created a forward chain rule to block the VLANs, but I can still access the remote desktop of one VLAN from another using RDP. Both VLANs access the WAN via ether1.

Any idea where I'm going wrong? Thanks in advance.
# feb/01/2023 13:30:39 by RouterOS 7.2
# software id = V1RV-TAFU
# model = CCR2116-12G-4S+
/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name="Private (217)" vlan-id=217
add interface=bridge1 name="Servers (302)" vlan-id=302
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface list
add name=VLANs
add name=WAN
add name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.20.30.2-10.20.31.254
add name=dhcp_pool1 ranges=172.16.20.2-172.16.20.30
/ip dhcp-server
add address-pool=dhcp_pool0 interface="Private (217)" lease-time=1d name=\
    dhcp1
add address-pool=dhcp_pool1 interface="Servers (302)" lease-time=1d name=\
    dhcp2
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=217
add bridge=bridge1 interface=ether3 pvid=217
add bridge=bridge1 interface=ether4 pvid=217
add bridge=bridge1 interface=ether5 pvid=217
add bridge=bridge1 interface=ether6 pvid=217
add bridge=bridge1 interface=ether7 pvid=217
add bridge=bridge1 interface=ether8 pvid=217
add bridge=bridge1 interface=ether9 pvid=302
add bridge=bridge1 interface=ether10 pvid=302
add bridge=bridge1 interface=ether11 pvid=302
add bridge=bridge1 interface=ether12 pvid=302
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=\
    ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=217
add bridge=bridge1 tagged=bridge1 untagged=ether9,ether10,ether11,ether12 \
    vlan-ids=302
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface="Private (217)" list=VLANs
add interface="Servers (302)" list=VLANs
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=MGMT
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether13 network=\
    192.168.88.0
add address=172.16.20.1/27 interface="Servers (302)" network=172.16.20.0
add address=10.20.30.1/23 interface="Private (217)" network=10.20.30.0
add address=xxx.xxx.xxx.108 interface=ether1 network=xxx.xxx.xxx.107
/ip dhcp-server lease
add address=10.20.31.254 client-id=X:XX:XX:XX:X:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=dhcp1
/ip dhcp-server network
add address=10.20.30.0/23 dns-server=1.1.1.1,1.0.0.1 gateway=10.20.30.1
add address=172.16.20.0/27 dns-server=1.1.1.1,1.0.0.1 gateway=172.16.20.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall filter
add action=drop chain=forward comment="drop all inter-VLAN traffic" \
    in-interface-list=VLANs out-interface-list=VLANs
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=drop chain=input
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 src-address=\
    10.20.30.0/23 to-addresses=xxx.xxx.xxx.108
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall"
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xxx.xxx.xxx.107 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=yes \
    target-scope=10
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
    dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
    jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
    "defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
    "defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
Last edited by steve1 on Wed Feb 01, 2023 11:04 am, edited 3 times in total.
 
dadaniel
Member Candidate
Member Candidate
Posts: 220
Joined: Fri May 14, 2010 11:51 pm

Re: Unable to stop Inter-VLAN traffic

Wed Feb 01, 2023 9:34 am

I think you have to use /interface bridge filter
 
erlinden
Forum Guru
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Unable to stop Inter-VLAN traffic

Wed Feb 01, 2023 9:41 am

Prefer to use a drop everything else on the end of the chain rules...so both input and forward have this drop rule.
Next, please post a complete export and remove the screenshots (as there is so much more info in the export) and use code tags for markup [ code]:

/export file=anynameyoulike

Make sure to remove serial and any other personal information (i.e. public IP address).

At last, if you turn on logging on a rule you can see if it is hit.
 
steve1
just joined
Topic Author
Posts: 5
Joined: Sat Jan 28, 2023 2:58 pm

Re: Unable to stop Inter-VLAN traffic

Wed Feb 01, 2023 10:59 am

I think you have to use /interface bridge filter

Interesting, I checked under that menu and found no rules, so it's clear that I've not tried it. Is there a way to copy rules from the main firewall and move them to this section?

Prefer to use a drop everything else on the end of the chain rules...so both input and forward have this drop rule.
Next, please post a complete export and remove the screenshots (as there is so much more info in the export) and use code tags for markup [ code]:

/export file=anynameyoulike

Make sure to remove serial and any other personal information (i.e. public IP address).

At last, if you turn on logging on a rule you can see if it is hit.

The original post was edited, and screenshots were removed. I added a forward drop-all rule at the end and lost internet access; I'm probably missing something to allow access to the gateway.

Is there a way to turn logging on for all rules at once, or should I do it for specific rules? Thanks for your help
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Unable to stop Inter-VLAN traffic

Wed Feb 01, 2023 2:26 pm

A few things:
  1. are you sure that the passing connection is over IPv4? You don't have a matching drop rule for IPv6
  2. try to disable l3-hw-offloading under /interface ethernet switch while debugging things. L3HW offloading is a fairly new functionality and it might still contain some minor bugs
  3. make sure that you actually try to establish a new connection when changing firewall rules. Most of rules don't break existing connections, specially if those are fasttrack-ed or L3HW offloaded.
  4. sometimes it's necessary to cold boot device for changes to actually make effect (specially with HW configuration, such as VLAN filtering, switch ACLs or L3HW offload). In principle a reboot should do the trick, but sometimes it doesn't.
    Yeah, in principle simply chaning configuration should do the trick, but experience goes that in some cases it doesn't.
 
User avatar
k6ccc
Forum Guru
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)
Contact:

Re: Unable to stop Inter-VLAN traffic

Wed Feb 01, 2023 9:27 pm

I added a forward drop-all rule at the end and lost internet access; I'm probably missing something to allow access to the gateway.
The general concept is to create rules to allow what you want, and then at the end of the chain, drop everything else. So for example (concepts, not syntax of rules):
Allow Established and Related packets
Allow VLAN 10 to internet
Allow VLAN 20 to internet
Allow VLAN 10 to VLAN 20
Drop everything

That would allow VLAN 10 and VLAN 20 access to the internet, and VLAN 10 could access resources on VLAN 20, but not the other way around. The last rule drops anything not specifically allowed.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Unable to stop Inter-VLAN traffic

Thu Feb 02, 2023 3:04 pm

Interface lists are perfect for 2 or more subnets requiring a firewall rule.

/interface list
add name=INTERNET

/interface list member
add interface=vlan10 list=INTERNET
add interface=vlan20 list=INTERNET

/ip filter rule
add chain=forward action=accept in-interface-list=INTERNET out-interface-list=WAN
 
steve1
just joined
Topic Author
Posts: 5
Joined: Sat Jan 28, 2023 2:58 pm

Re: Unable to stop Inter-VLAN traffic

Fri Oct 20, 2023 3:29 pm

Hi, I'm sorry to reply to this almost a year late. I got caught up with life and forgot I had this thread here.

The fix was drop all rules at the end of the input and forward chains, and then forward accept rules, allowing each vlan/subnet access to the WAN.

I have come a long way since, thanks to all of you, and notably anav for his wireguard guide: viewtopic.php?t=182340

I have a CHR running wireguard on Oracle cloud, and I'm successfully tunnelling internet-bound traffic (IPv4 & IPv6) for my 5G WAN failover behind CGNAT.
Also, a DHCP to DNS script to have home.arpa domain names for my local devices and for Pi-Hole device names, and it works remotely over wireguard.

Buying the Mikrotik has been a positive learning experience.

Who is online

Users browsing this forum: Bing [Bot], lurker888 and 41 guests