Question about Firewall Rules for Inter-VLAN Communication

ZRF · Sat Jan 25, 2025 7:26 pm

Hello all, I am still very new to a lot of networking concepts. I am confused about using firewall rules for inter-VLAN communication between specific IPs.

I have been watching lots of videos on RouterOS configurations and have been reading documentation (the quality of the documentation is incredible, but things are still sinking in due to the learning curve).

I am trying to understand granting inter-VLAN access between specific IPs, and seem to be missing something. I want to allow my laptop (assigned 192.168.50.26) to access my switch configuration via WinBox (assigned 192.168.99.2)

Configuration Overview:
Router - CCR2004-1G-12S+2XS
Switch - CRS310-8G+2S+

The router is connected to the switch using a VLAN trunk port. The bridge VLANs in question here are:
- Infrastructure: PVID 99
- Trusted: PVID 50

Interface VLANs:
- Infrasstructure: PVID 99, DHCP Server assigns addresses in the range 192.168.99.1/24.
- Trusted: PVID 50, DHCP Server assigns addresses in the range 192.168.50.1/24.

The router is assigned the ip 192.168.99.1.

A bridge exists that has the VLANs above defined and they tag the bridge (IPs are given out to each interface-defined VLAN), and the port interface being used as an uplink to the switch. The bridge has 'vlan filtering' enabled.

Since the ports are all connected to the same bridge, my understanding is that they can communicate with each other by default since they are combined as a single 'bridge' interface.

The switch also has a bridge and bridge vlans defined. The vlans have the router uplink port interface tagged, as well as another vlan trunk port that connects to a wifi access point.

The switch is assigned the ip 192.168.99.2.

My router firewall is set up to have an input and forward drop catch-all at the bottom of the filter list.
I have a firewall rule to drop all inter-VLAN traffic:

add action=drop chain=forward comment="Drop all inter-VLAN traffic" \
    in-interface-list=ALL_VLANS log=yes log-prefix="Dropped by inter-vlan" \
    out-interface-list=ALL_VLANS

But right before that inter-VLAN drop all rule, I have this rule to specifically allow traffic between my laptop:

add action=accept chain=forward \
    dst-address=192.168.99.2 \
    src-address=192.168.50.26

When I try to connect to WinBox, I hang on the "Connecting to 192.168.99.2..." page, and it does not progress. When I look at the firewall filter rules tab in the router, I see that the ip-specific 'accept' rule defined above increases the Bytes/Packets numbers while this connection is trying to be made. The same thing happens when I run 'ping 192.168.99.2' from my laptop.

When I run 'tracepath 192.168.99.2' from my laptop, I get the following:

 1?: [LOCALHOST]                      pmtu 1500
 1:  _gateway                                              8.447ms 
 1:  _gateway                                              2.106ms 
 2:  no reply
 3:  no reply

My confusion is why is it 'accepted' traffic, but the connection is not established.

If anyone can give pointers or correct my incorrect assumptions, that would be great!
Please let me know if I can provide any additional information.
I will include the output from 'export file=FILENAME' below for both the router and switch.

--------------------------------------------------------------------------------------------------

Router Configuration Export:

# 2025-01-25 16:29:04 by RouterOS 7.17
# software id = SOFTWARE_ID
#
# model = CCR2004-1G-12S+2XS
# serial number = SERIAL_NUMBER
/interface bridge
add name="bridge[LAN]" vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1[INFRA]"
set [ find default-name=sfp-sfpplus1 ] name="sfp-sfpplus1[WAN]"
set [ find default-name=sfp-sfpplus11 ] name="sfp-sfpplus11[UPLINK_TRUENAS]"
set [ find default-name=sfp-sfpplus12 ] name=\
    "sfp-sfpplus12[UPLINK_SWITCH_2.5G]"
/interface vlan
add interface="bridge[LAN]" name=Guest vlan-id=98
add interface="bridge[LAN]" name=Infrastructure vlan-id=99
add interface="bridge[LAN]" name=IoT vlan-id=30
add interface="bridge[LAN]" name=Security vlan-id=101
add interface="bridge[LAN]" name=Servers vlan-id=100
add interface="bridge[LAN]" name=Trusted vlan-id=50
add interface="bridge[LAN]" name=Work vlan-id=20
add interface="sfp-sfpplus1[WAN]" name=pppoe-vlan vlan-id=201
/interface pppoe-client
add add-default-route=yes disabled=no interface=pppoe-vlan name=\
    "pppoe-out1[CL]" use-peer-dns=yes user=PPPOE_USERNAME_HERE
/interface list
add name=WAN
add name=ALL_VLANS
/ip pool
add name=dhcp_pool_infra ranges=192.168.99.100-192.168.99.254
add name=dhcp_pool_guest ranges=192.168.98.2-192.168.98.254
add name=dhcp_pool_trusted ranges=192.168.50.100-192.168.50.254
add name=dhcp_pool_servers ranges=192.168.100.100-192.168.100.254
add name=dhcp_pool_security ranges=192.168.101.100-192.168.101.254
/ip dhcp-server
add address-pool=dhcp_pool_infra interface=Infrastructure lease-time=8h name=\
    "dhcp[INFRA]"
add address-pool=dhcp_pool_guest interface=Guest name="dhcp[GUEST]"
add address-pool=dhcp_pool_trusted interface=Trusted lease-time=1h name=\
    "dhcp[TRUSTED]"
add address-pool=dhcp_pool_servers interface=Servers lease-time=8h name=\
    "dhcp[SERVERS]"
add address-pool=dhcp_pool_security interface=Security lease-time=4h name=\
    "dhcp[SECURITY]"
/port
set 0 name=serial0
/interface bridge port
add bridge="bridge[LAN]" interface="ether1[INFRA]" pvid=99
add bridge="bridge[LAN]" interface="sfp-sfpplus12[UPLINK_SWITCH_2.5G]"
add bridge="bridge[LAN]" interface="sfp-sfpplus11[UPLINK_TRUENAS]"
/ip settings
set rp-filter=strict
/interface bridge vlan
add bridge="bridge[LAN]" tagged=\
    "bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]" untagged="ether1[INFRA]" \
    vlan-ids=99
add bridge="bridge[LAN]" tagged=\
    "bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]" vlan-ids=20
add bridge="bridge[LAN]" tagged=\
    "bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]" vlan-ids=30
add bridge="bridge[LAN]" tagged="bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]\
    ,sfp-sfpplus11[UPLINK_TRUENAS]" vlan-ids=50
add bridge="bridge[LAN]" tagged=\
    "bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]" vlan-ids=98
add bridge="bridge[LAN]" tagged="bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]\
    ,sfp-sfpplus11[UPLINK_TRUENAS]" vlan-ids=100
add bridge="bridge[LAN]" tagged=\
    "bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]" vlan-ids=101
/interface list member
add interface="pppoe-out1[CL]" list=WAN
add interface=Infrastructure list=ALL_VLANS
add interface=Trusted list=ALL_VLANS
add interface=Servers list=ALL_VLANS
add interface=Security list=ALL_VLANS
add interface=IoT list=ALL_VLANS
add interface=Work list=ALL_VLANS
add interface=Guest list=ALL_VLANS
/ip address
add address=192.168.99.1/24 interface=Infrastructure network=192.168.99.0
add address=192.168.20.1/24 interface=Work network=192.168.20.0
add address=192.168.30.1/24 interface=IoT network=192.168.30.0
add address=192.168.50.1/24 interface=Trusted network=192.168.50.0
add address=192.168.98.1/24 interface=Guest network=192.168.98.0
add address=192.168.100.1/24 interface=Servers network=192.168.100.0
add address=192.168.101.1/24 interface=Security network=192.168.101.0
/ip dhcp-server lease
add address=192.168.101.2 mac-address=MAC_ADDRESS server=\
    "dhcp[SECURITY]"
add address=192.168.101.3 client-id=CLIENT_ID mac-address=\
    MAC_ADDRESS server="dhcp[SECURITY]"
add address=192.168.99.50 client-id=CLIENT_ID mac-address=\
    MAC_ADDRESS server="dhcp[INFRA]"
add address=192.168.50.2 client-id=CLIENT_ID mac-address=\
    MAC_ADDRESS server="dhcp[TRUSTED]"
add address=192.168.50.26 client-id=CLIENT_ID mac-address=\
    MAC_ADDRESS server="dhcp[TRUSTED]"
add address=192.168.50.4 client-id=CLIENT_ID mac-address=\
    MAC_ADDRESS server="dhcp[TRUSTED]"
add address=192.168.99.26 client-id=CLIENT_ID mac-address=\
    MAC_ADDRESS server="dhcp[INFRA]"
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.98.0/24 gateway=192.168.98.1
add address=192.168.99.0/24 gateway=192.168.99.1
add address=192.168.100.0/24 gateway=192.168.100.1
add address=192.168.101.0/24 gateway=192.168.101.1
/ip firewall address-list
add address=192.168.100.99 list=MGMT_Servers
add address=192.168.50.2 list=MGMT_Trusted
add address=192.168.99.0/24 list=MGMT_IPs
add address=192.168.50.26 list=MGMT_IPs
add address=192.168.101.2 list=IPs_SimpliSafe
add address=192.168.101.3 list=IPs_Nest
add address=192.168.50.4 list=IPs_NordVPN
add address=192.168.50.3 list=IPs_NordVPN
add address=192.168.99.0/24 list=IPs_Infrastructure
add address=192.168.99.26 list=MGMT_IPs
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid log=yes log-prefix=\
    "Invalid input:"
add action=accept chain=input in-interface="!pppoe-out1[CL]" protocol=icmp
add action=drop chain=input in-interface="pppoe-out1[CL]" log=yes log-prefix=\
    "Dropped by input from WAN catch-all"
add action=fasttrack-connection chain=forward comment=Forward \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid log=yes log-prefix=\
    "Invalid forward:"
add action=accept chain=forward dst-port=443,53,123 out-interface-list=WAN \
    protocol=udp
add action=accept chain=forward dst-port=80,443,8080,53,853 \
    out-interface-list=WAN protocol=tcp
add action=accept chain=forward dst-port=1723 out-interface-list=WAN \
    protocol=tcp src-address-list=IPs_NordVPN
add action=accept chain=forward dst-port=500,1194,4500,51820 \
    out-interface-list=WAN protocol=udp src-address-list=IPs_NordVPN
add action=accept chain=forward dst-port=8890,8899 out-interface-list=WAN \
    protocol=tcp src-address-list=IPs_SimpliSafe
add action=accept chain=forward dst-port=11095 out-interface-list=WAN \
    protocol=tcp src-address-list=IPs_Nest
add action=accept chain=forward connection-state="" out-interface-list=WAN \
    protocol=icmp
add action=accept chain=forward dst-address=192.168.99.2 src-address=\
    192.168.50.241
add action=accept chain=forward comment="Allow MGMT IPs to access everything" \
    out-interface-list=ALL_VLANS src-address-list=MGMT_IPs
add action=drop chain=forward comment="Drop all inter-VLAN traffic" \
    in-interface-list=ALL_VLANS log=yes log-prefix="Dropped by inter-vlan" \
    out-interface-list=ALL_VLANS
add action=drop chain=forward connection-state=new in-interface=\
    "pppoe-out1[CL]"
add action=drop chain=forward comment="Forward Drop Catch-All" log=yes \
    log-prefix="Dropped by forward catch-all"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="pppoe-out1[CL]"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=WilderRouter
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

--------------------------------------------------------------------------------------------------

Switch Configuration Export:

# 1970-01-10 01:14:35 by RouterOS 7.17
# software id = SOFTWARE_ID
#
# model = CRS310-8G+2S+
# serial number = SERIAL_NUMBER
/interface bridge
add admin-mac=MAC_ADDRESS auto-mac=no comment=defconf name=\
    "bridge[LAN]" vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1[INFRA]"
set [ find default-name=ether2 ] name="ether2[AP_BASEMENT]"
set [ find default-name=ether3 ] name="ether3[UPLINK_STUDY]"
set [ find default-name=ether5 ] name="ether5[TRUSTED_VLAN_TEMP]"
set [ find default-name=ether7 ] name="ether7[SERVER_VLAN_TEMP]"
set [ find default-name=ether8 ] name="ether8[TRUENAS_SERVER]"
set [ find default-name=sfp-sfpplus2 ] name="sfp-sfpplus2[UPLINK_ROUTER]"
/interface vlan
add interface="bridge[LAN]" name=Infrastructure vlan-id=99
/interface list
add name=LAN
/interface bridge port
add bridge="bridge[LAN]" comment=defconf interface="ether1[INFRA]" pvid=99
add bridge="bridge[LAN]" comment=defconf interface="ether2[AP_BASEMENT]"
add bridge="bridge[LAN]" comment=defconf interface="ether3[UPLINK_STUDY]" \
    pvid=50
add bridge="bridge[LAN]" comment=defconf interface=ether4
add bridge="bridge[LAN]" comment=defconf interface=\
    "ether5[TRUSTED_VLAN_TEMP]" pvid=50
add bridge="bridge[LAN]" comment=defconf interface=ether6
add bridge="bridge[LAN]" comment=defconf interface="ether7[SERVER_VLAN_TEMP]" \
    pvid=100
add bridge="bridge[LAN]" comment=defconf interface="ether8[TRUENAS_SERVER]" \
    pvid=100
add bridge="bridge[LAN]" comment=defconf interface=sfp-sfpplus1
add bridge="bridge[LAN]" comment=defconf interface=\
    "sfp-sfpplus2[UPLINK_ROUTER]"
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge="bridge[LAN]" tagged=\
    "bridge[LAN],sfp-sfpplus2[UPLINK_ROUTER],ether2[AP_BASEMENT]" untagged=\
    "ether1[INFRA]" vlan-ids=99
add bridge="bridge[LAN]" tagged=\
    "sfp-sfpplus2[UPLINK_ROUTER],ether2[AP_BASEMENT]" vlan-ids=98
add bridge="bridge[LAN]" tagged="sfp-sfpplus2[UPLINK_ROUTER]" vlan-ids=20
add bridge="bridge[LAN]" tagged="sfp-sfpplus2[UPLINK_ROUTER]" vlan-ids=30
add bridge="bridge[LAN]" tagged=\
    "sfp-sfpplus2[UPLINK_ROUTER],ether2[AP_BASEMENT]" untagged=\
    "ether3[UPLINK_STUDY],ether5[TRUSTED_VLAN_TEMP]" vlan-ids=50
add bridge="bridge[LAN]" tagged="sfp-sfpplus2[UPLINK_ROUTER]" untagged=\
    "ether8[TRUENAS_SERVER],ether7[SERVER_VLAN_TEMP]" vlan-ids=100
add bridge="bridge[LAN]" tagged=\
    "sfp-sfpplus2[UPLINK_ROUTER],ether2[AP_BASEMENT]" vlan-ids=101
/interface list member
add interface="bridge[LAN]" list=LAN
add interface=Infrastructure list=LAN
/interface ovpn-server server
add mac-address=MAC_ADDRESS name=ovpn-server1
/ip address
add address=192.168.99.2/24 interface=Infrastructure network=192.168.99.0
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=WilderSwitch2.5G
/system note
set show-at-login=no

sid5632 · Sun Jan 26, 2025 1:16 am

Ask yourself this question:
What does my switch do with a packet addressed to 192.168.50.26 when it tries to reply to something incoming from that address?

anav · Sun Jan 26, 2025 4:32 am

Why do you have seven vlans and only 5 pools? You are missing an IOT vlan and the work vlan.
If you have a trusted network, why is an infrastructure IP identified as Management IP
why are you using a management single 1gig port for infrastructure vlan ???
Changing this to 10gig port and keeping the ethernet port for off bridge access and safe spot to configure router from.
why would you put two IPs in the trusted network and attach them to a third party VPN?? illogical and not a secure practice.
If you want to do something like that make users that need to access nord vpn a different vlan....... much easier to config as well this way.
(heck the easiest way is to use a WLAN for that purpose and only give the password to those that need it......... they choose when to use that pathway!! )
(however, the use of nordvpn is not normal, it should be handled by the router.......... )

It is not clear what you are trying to accomplish in the forward chain. Its not the place for port forwarding rules for example.
Perhaps you are taking the unique step of only allowing certain ports...........never seen it done before but looks cool.

Due to lack of clarity I have probably made some wrong assumptions, so consider it a discussion.
Also I might add, your use of quotation marks for names only leads to unnecessary errors when configuring.

ROUTER:
.......

# 2025-01-25 16:29:04 by RouterOS 7.17
# software id = SOFTWARE_ID
#
# model = CCR2004-1G-12S+2XS
# serial number = SERIAL_NUMBER
/interface bridge
add name="bridge[LAN]" vlan-filtering=yes
/interface ethernet
set [find default-name=ether1] name=OffBridge1
set [ find default-name=sfp-sfpplus2 ] name="sfp-sfpplus2[INFRA]"
set [ find default-name=sfp-sfpplus1 ] name="sfp-sfpplus1[WAN]"
set [ find default-name=sfp-sfpplus11 ] name="sfp-sfpplus11[UPLINK_TRUENAS]"
set [ find default-name=sfp-sfpplus12 ] name="sfp-sfpplus12[UPLINK_SWITCH_2.5G]"
/interface vlan
add interface="bridge[LAN]" name=Guest vlan-id=98
add interface="bridge[LAN]" name=Infrastructure vlan-id=99
add interface="bridge[LAN]" name=IoT vlan-id=30
add interface="bridge[LAN]" name=Security vlan-id=101
add interface="bridge[LAN]" name=Servers vlan-id=100
add interface="bridge[LAN]" name=Trusted vlan-id=50
add interface="bridge[LAN]" name=Work vlan-id=20
add interface="sfp-sfpplus1[WAN]" name=pppoe-vlan vlan-id=201
/interface pppoe-client
add add-default-route=yes disabled=no interface=pppoe-vlan name=\
    "pppoe-out1[CL]" use-peer-dns=yes user=PPPOE_USERNAME_HERE
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/ip pool
add name=dhcp_pool_infra ranges=192.168.99.100-192.168.99.254
add name=dhcp_pool_guest ranges=192.168.98.2-192.168.98.254
add name=dhcp_pool_trusted ranges=192.168.50.100-192.168.50.254
add name=dhcp_pool_servers ranges=192.168.100.100-192.168.100.254
add name=dhcp_pool_security ranges=192.168.101.100-192.168.101.254
add name=dhcp_pool_work ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool_iot ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool_infra interface=Infrastructure lease-time=8h name=\
    "dhcp[INFRA]"
add address-pool=dhcp_pool_guest interface=Guest name="dhcp[GUEST]"
add address-pool=dhcp_pool_trusted interface=Trusted lease-time=1h name=\
    "dhcp[TRUSTED]"
add address-pool=dhcp_pool_servers interface=Servers lease-time=8h name=\
    "dhcp[SERVERS]"
add address-pool=dhcp_pool_security interface=Security lease-time=4h name=\
    "dhcp[SECURITY]"
add address-pool=dhcp_pool_work interface=Work lease-time=8h name=\
    "dhcp[WORK]"
add address-pool=dhcp_pool_iot interface=IoT lease-time=4h name=\
    "dhcp[IoT]"
/port
set 0 name=serial0
/interface bridge port
add bridge="bridge[LAN]" ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface="sfp-sfpplus2[INFRA]" pvid=99
add bridge="bridge[LAN]" ingress-filtering=yes frame-types=admit-only-vlan-tagged interface="sfp-sfpplus12[UPLINK_SWITCH_2.5G]"
add bridge="bridge[LAN]"  ingress-filtering=yes frame-types=admit-only-vlan-tagged interface="sfp-sfpplus11[UPLINK_TRUENAS]"
/ip settings
set rp-filter=loose
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge="bridge[LAN]" tagged="bridge[LAN]","sfp-sfpplus12[UPLINK_SWITCH_2.5G]" untagged="sfp-sfpplus2[INFRA]" \
    vlan-ids=99
add bridge="bridge[LAN]" tagged="bridge[LAN]","sfp-sfpplus12[UPLINK_SWITCH_2.5G]" vlan-ids=20,30,98,101
add bridge="bridge[LAN]" tagged="bridge[LAN]","sfp-sfpplus12[UPLINK_SWITCH_2.5G]","sfp-sfpplus11[UPLINK_TRUENAS]" \
    vlan-ids=50,100
/interface list member
add interface="pppoe-out1[CL]" list=WAN
add interface=Infrastructure list=LAN
add interface=Trusted list=LAN
add interface=Servers list=LAN
add interface=Security list=LAN
add interface=IoT list=LAN
add interface=Work list=LAN
add interface=Guest list=LAN
add interface=Trusted list=TRUSTED
add interface=OffBridge1 list=TRUSTED
/ip address
add address=192.168.99.1/24 interface=Infrastructure network=192.168.99.0
add address=192.168.20.1/24 interface=Work network=192.168.20.0
add address=192.168.30.1/24 interface=IoT network=192.168.30.0
add address=192.168.50.1/24 interface=Trusted network=192.168.50.0
add address=192.168.98.1/24 interface=Guest network=192.168.98.0
add address=192.168.100.1/24 interface=Servers network=192.168.100.0
add address=192.168.101.1/24 interface=Security network=192.168.101.0
add address=192.168.55.1/30 interface=OffBridge1 network=192.168.55.0
/ip dhcp-server lease
add address=192.168.101.2 mac-address=MAC_ADDRESS server=\
    "dhcp[SECURITY]"
add address=192.168.101.3 client-id=CLIENT_ID mac-address=\
    MAC_ADDRESS server="dhcp[SECURITY]"
add address=192.168.99.50 client-id=CLIENT_ID mac-address=\
    MAC_ADDRESS server="dhcp[INFRA]"
add address=192.168.50.2 client-id=CLIENT_ID mac-address=\
    MAC_ADDRESS server="dhcp[TRUSTED]"
add address=192.168.50.26 client-id=CLIENT_ID mac-address=\
    MAC_ADDRESS server="dhcp[TRUSTED]"
add address=192.168.50.4 client-id=CLIENT_ID mac-address=\
    MAC_ADDRESS server="dhcp[TRUSTED]"
add address=192.168.99.26 client-id=CLIENT_ID mac-address=\
    MAC_ADDRESS server="dhcp[INFRA]"
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1
add address=192.168.98.0/24 gateway=192.168.98.1 dns-server=192.168.98.1
add address=192.168.99.0/24 gateway=192.168.99.1 dns-server=192.168.99.1
add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1
add address=192.168.101.0/24 gateway=192.168.101.1 dns-server=192.168.101.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
/ip firewall address-list
add address=192.168.100.99 list=MGMT_Servers
add address=192.168.99.0/24 list=MGMT_IPs
add address=192.168.101.2 list=IPs_SimpliSafe
add address=192.168.101.3 list=IPs_Nest
add address=192.168.50.4 list=IPs_NordVPN
add address=192.168.50.3 list=IPs_NordVPN
add address=192.168.99.0/24 list=IPs_Infrastructure
add address=192.168.99.26 list=MGMT_IPs
add address=192.168.50.2 list=Authorized
add address=192.168.50.26 list=Authorized
add address=192.168.55.2 list=Authorized
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid log=yes log-prefix=\
    "Invalid input:"
add action=accept chain=input in-interface=protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED src-address=list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else"   { insert this rule last }
add action=fasttrack-connection chain=forward comment=Forward \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid log=yes log-prefix=\
    "Invalid forward:"
add action=accept chain=forward in-interface-list=LAN  out-interface-list=WAN dst-port=443 protocol=udp
add action=accept chain=forward in-interface-list=LAN  out-interface-list=WAN dst-port=80,443,8080,853 protocol=tcp
add action=accept chain=forward in-interface=Trusted src-address-list=IPs_NordVPN out-interface-list=WAN dst-port=1723 protocol=tcp
add action=accept chain=forward in-interface=Trusted src-address-list=IPs_NordVPN out-interface-list=WAN dst-port=500,1194,4500,51820 protocol=udp
add action=accept chain=forward in-interface=Security src-address-list=IPs_SimpliSafe out-interface-list=WAN dst-port=8890,8899 protocol=tcp
add action=accept chain=forward in-interface=Security src-address-list=IPs_Nest out-interface-list=WAN dst-port=11095 protocol=tcp
add action=accept chain=forward in-interface=Trusted src-address=192.168.50.241 dst-address=192.168.99.2 
add action=accept chain=forward in-interface-list=TRUSTED src-address-list=Authorized out-interface-list=LAN comment="admin to all vlans"
add action=drop chain=forward comment="Drop all else" 
/ip firewall nat
add action=masquerade chain=srcnat out-interface="pppoe-out1[CL]"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/system identity
set name=WilderRouter
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address={ a pool near you }
add address={ another pool near you }

.......

SWITCH:
The trusted subnet is vlan50 not 99.
why did you leave out ether4 on ethernet.............
If not being used will use for same offbridge access

.....

# 1970-01-10 01:14:35 by RouterOS 7.17
# software id = SOFTWARE_ID
#
# model = CRS310-8G+2S+
# serial number = SERIAL_NUMBER
/interface bridge
add admin-mac=MAC_ADDRESS auto-mac=no comment=defconf name=\
    "bridge[LAN]" vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1[INFRA]"
set [ find default-name=ether2 ] name="ether2[AP_BASEMENT]"
set [ find default-name=ether3 ] name="ether3[UPLINK_STUDY]"
set [ find default-name=ether4 ] name=OffBridge4
set [ find default-name=ether5 ] name="ether5[TRUSTED_VLAN_TEMP]"
set [ find default-name=ether7 ] name="ether7[SERVER_VLAN_TEMP]"
set [ find default-name=ether8 ] name="ether8[TRUENAS_SERVER]"
set [ find default-name=sfp-sfpplus2 ] name="sfp-sfpplus2[UPLINK_ROUTER]"
/interface vlan
add interface="bridge[LAN]" name=Trusted vlan-id=50
/interface list
add name=TRUSTED
/interface bridge port
add bridge="bridge[LAN]" ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface="ether1[INFRA]" pvid=99
add bridge="bridge[LAN]" ingress-filtering=yes frame-type=admit-only-vlan-tagged  interface="ether2[AP_BASEMENT]"
add bridge="bridge[LAN]" ingress-filtering=yes frame-type=admit-only-priority-and-untagged  interface="ether3[UPLINK_STUDY]" pvid=50
add bridge="bridge[LAN]" ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface="ether5[TRUSTED_VLAN_TEMP]" pvid=50
add bridge="bridge[LAN]" ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface="ether7[SERVER_VLAN_TEMP]" pvid=100
add bridge="bridge[LAN]" ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface="ether8[TRUENAS_SERVER]" pvid=100
add bridge="bridge[LAN]" ingress-filtering=yes frame-type=admit-only-vlan-tagged  interface="sfp-sfpplus2[UPLINK_ROUTER]"
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge="bridge[LAN]" tagged="sfp-sfpplus2[UPLINK_ROUTER]","ether2[AP_BASEMENT]" untagged="ether1[INFRA]" vlan-ids=99
add bridge="bridge[LAN]" tagged="sfp-sfpplus2[UPLINK_ROUTER]","ether2[AP_BASEMENT]" vlan-ids=98,101
add bridge="bridge[LAN]" tagged="sfp-sfpplus2[UPLINK_ROUTER]" vlan-ids=20,30
add bridge="bridge[LAN]" tagged="bridge[LAN]","sfp-sfpplus2[UPLINK_ROUTER]","ether2[AP_BASEMENT]" untagged="ether3[UPLINK_STUDY]","ether5[TRUSTED_VLAN_TEMP]" vlan-ids=50
add bridge="bridge[LAN]" tagged="sfp-sfpplus2[UPLINK_ROUTER]" untagged="ether8[TRUENAS_SERVER]","ether7[SERVER_VLAN_TEMP]" vlan-ids=100
/interface list member
add interface=Trusted list=TRUSTED
add interface=OffBridge4 list=TRUSTED 
/ip address
add address=192.168.50.X/24 interface=Trusted network=192.168.50.0
/ip dns
set server=192.168.50.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.50.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.50.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=WilderSwitch2.5G
/system note
set show-at-login=no

ZRF · Sun Jan 26, 2025 10:36 pm

Ask yourself this question:
What does my switch do with a packet addressed to 192.168.50.26 when it tries to reply to something incoming from that address?

Thank you, I will look at the switch side more closely! My assumption was that the switch just VLAN tagged all packets and funneled them through it to the router, and then the router decided what to do with the packet.

ZRF · Sun Jan 26, 2025 10:55 pm

Thank you for your response and questions!

Why do you have seven vlans and only 5 pools? You are missing an IOT vlan and the work vlan.

I have not fully set up the IoT and Work VLANs yet. Just the other ones.

If you have a trusted network, why is an infrastructure IP identified as Management IP
why are you using a management single 1gig port for infrastructure vlan ???
Changing this to 10gig port and keeping the ethernet port for off bridge access and safe spot to configure router from.

I should definitely change the "management" IP so it is identified as "Infrastructure". Lots of tinkering so far with different names for things, and I forgot to change this one.
I will switch that 1gig MGMT port back to being off bridge for configuration.

why would you put two IPs in the trusted network and attach them to a third party VPN?? illogical and not a secure practice.
If you want to do something like that make users that need to access nord vpn a different vlan....... much easier to config as well this way.
(heck the easiest way is to use a WLAN for that purpose and only give the password to those that need it......... they choose when to use that pathway!! )
(however, the use of nordvpn is not normal, it should be handled by the router.......... )

That is a great question! My end goal is to handle a VPN connection for devices using the router. At the moment, those two devices have a NordVPN client running on them, and I didn't want to disrupt that until I was ready to set it up at the router level.

It is not clear what you are trying to accomplish in the forward chain. Its not the place for port forwarding rules for example.
Perhaps you are taking the unique step of only allowing certain ports...........never seen it done before but looks cool.

As a networking newbie, I feel uncomfortable having "accept" as the default action taken if traffic does not match a firewall rule. After adding the catch all drop, I added those port forwarding rules to the forward chain to allow traffic from my essential devices. Such as typical traffic (tcp 80, 443, 8080, 53, 853, etc), and ports called out by NordVPN and SimpliSafe knowledge base articles to allow their services to function. If that is not typical, I would love insight into how it is usually done!

Also I might add, your use of quotation marks for names only leads to unnecessary errors when configuring.

The quotation marks in the pasted configs in the original post were taken directly from the file output of "export file=FILE_NAME".

I will look through your config code blocks in more detail shortly.

Again, thank you!

anav · Sun Jan 26, 2025 11:25 pm

Okay understood all.
Lets get consistent about nomenclature --> TRUSTED = Admin and IT control and every smart device gets an IP in this subnet.

Management should be considered VIPs, head of company or departments that may or may not need special access to something or just simply on their own subnet but require NO admin access for example.

If the ports applied are mostly for the nordvpn, it will be gone soon anyway as we will use the router to make the connection.
I do recommend using wifi and a separate VLAN and SSID/password for any users with the permission to access nordvpn, once connecting to it from the router. That way they are not linked to any working vlan at the same time.

For any company, though, access to nordvpn sounds weird. What is the purpose?
In other words, why bother. Rent a VPS at $7 a month buy a CHR license and put a Mikrotik RoS device in the geographic location desired.
This will allow much more capability
a. Folks that legitimately need access NOT out of local WAN ----> covered
b. Folks that legimately need access to local LAN devices/servers etc.., while away from work --> covered
c. ADMIN IT folks can remotely access all smart devices for config purposes ---> covered.

ZRF · Mon Jan 27, 2025 9:45 pm

Thank you for the response!

A couple initial clarifications:
This setup is for a home network, not one for a business. I picked up the Mikrotik router and switch to learn more about networking as a whole. Thank you for your patience with the inconsistent nomenclature.

Lets get consistent about nomenclature --> TRUSTED = Admin and IT control and every smart device gets an IP in this subnet.

Great note, I have changed this VLAN name from 'Trusted' to 'Main'. My goal with this VLAN is it is the main one that we connect our devices to (typically through an Access Point over an SSID called 'NETWORK_NAME_HERE_Main'). My hope with having 'Main' in the SSID name is to remind others in the house to not connect IoT or other risky devices to it. There are dedicated SSIDs (with VLANs) for those devices.

For any company, though, access to nordvpn sounds weird. What is the purpose?
In other words, why bother. Rent a VPS at $7 a month buy a CHR license and put a Mikrotik RoS device in the geographic location desired.
This will allow much more capability
a. Folks that legitimately need access NOT out of local WAN ----> covered
b. Folks that legimately need access to local LAN devices/servers etc.., while away from work --> covered
c. ADMIN IT folks can remotely access all smart devices for config purposes ---> covered.

Thank you for these tips!

ZRF · Mon Jan 27, 2025 10:10 pm

I looked through anav's config snippets and read through this forum post about configuring VLANs using a "Switch with a separate router (RoaS)": viewtopic.php?f=13&t=143620&sid=8e93ad3 ... 71#p706997

Note: The Infrastructure contains the IPs I give out to my router, switch, and access point.

A few things I updated from my last config post:
- Updated the vlan named 'Trusted' to 'Main'.
- Changed trunk ports to use bridge port VLAN frame types 'admit only VLAN tagged'.
- Changed access ports to use bridge port VLAN frame types 'admit only untagged and priority tagged'.
- On the router, I set the Neighbor List Discovery Settings to only use the Interface tied to the Infrastructure VLAN.
- On the switch, I also set the Neighbor List Discovery Settings to only use the Interface tied to the Infrastructure VLAN.
- On the switch, the router's IP (192.168.99.1) was set as the gateway for the default Dst. Address.

My scenario:
I have a device connected to the router on the Infrastructure VLAN (192.168.99.26), and am trying to ping a PC connected to the switch on the Main VLAN (192.168.50.239). The packets are hitting my firewall rule:

add action=accept chain=forward connection-state="" dst-address=\
192.168.50.239 src-address=192.168.99.26

But no response is allowed. The switch seems to eat the response.

Based on the responses from anav and sid5632, i feel like I am missing something while thinking through how my switch handles a packet in response to a request.

Any insights, docs, or forum posts on this issue would be very helpful.

Thank you!

Updated configs (sorry about any strange config formatting, it is the output directly from exporting from the WinBox GUI):

Router:

# 2025-01-27 13:32:56 by RouterOS 7.17
# software id = SOFTWARE_ID
#
# model = CCR2004-1G-12S+2XS
# serial number = SERIAL_NUMBER
/interface bridge
add name="bridge[LAN]" vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1[INFRA]"
set [ find default-name=sfp-sfpplus1 ] name="sfp-sfpplus1[WAN]"
set [ find default-name=sfp-sfpplus11 ] name="sfp-sfpplus11[UPLINK_TRUENAS]"
set [ find default-name=sfp-sfpplus12 ] name=\
    "sfp-sfpplus12[UPLINK_SWITCH_2.5G]"
/interface vlan
add interface="bridge[LAN]" name=Guest vlan-id=98
add interface="bridge[LAN]" name=Infrastructure vlan-id=99
add interface="bridge[LAN]" name=IoT vlan-id=30
add interface="bridge[LAN]" name=Main vlan-id=50
add interface="bridge[LAN]" name=Security vlan-id=101
add interface="bridge[LAN]" name=Servers vlan-id=100
add interface="bridge[LAN]" name=Work vlan-id=20
add interface="sfp-sfpplus1[WAN]" name=pppoe-vlan vlan-id=201
/interface pppoe-client
add add-default-route=yes disabled=no interface=pppoe-vlan name=\
    "pppoe-out1[CL]" use-peer-dns=yes user=PPPOE_USERNAME
/interface list
add name=WAN
add name=ALL_VLANS
add name=Infra
/ip pool
add name=dhcp_pool_infra ranges=192.168.99.100-192.168.99.254
add name=dhcp_pool_guest ranges=192.168.98.2-192.168.98.254
add name=dhcp_pool_main ranges=192.168.50.100-192.168.50.254
add name=dhcp_pool_servers ranges=192.168.100.100-192.168.100.254
add name=dhcp_pool_security ranges=192.168.101.100-192.168.101.254
/ip dhcp-server
add address-pool=dhcp_pool_infra interface=Infrastructure lease-time=8h name=\
    "dhcp[INFRA]"
add address-pool=dhcp_pool_guest interface=Guest name="dhcp[GUEST]"
add address-pool=dhcp_pool_main interface=Main lease-time=1h name=\
    "dhcp[MAIN]"
add address-pool=dhcp_pool_servers interface=Servers lease-time=8h name=\
    "dhcp[SERVERS]"
add address-pool=dhcp_pool_security interface=Security lease-time=4h name=\
    "dhcp[SECURITY]"
/port
set 0 name=serial0
/interface bridge port
add bridge="bridge[LAN]" interface="ether1[INFRA]" pvid=99
add bridge="bridge[LAN]" frame-types=admit-only-vlan-tagged interface=\
    "sfp-sfpplus12[UPLINK_SWITCH_2.5G]"
add bridge="bridge[LAN]" interface="sfp-sfpplus11[UPLINK_TRUENAS]"
/ip neighbor discovery-settings
set discover-interface-list=Infra
/ip settings
set rp-filter=strict
/interface bridge vlan
add bridge="bridge[LAN]" tagged=\
    "bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]" untagged="ether1[INFRA]" \
    vlan-ids=99
add bridge="bridge[LAN]" tagged=\
    "bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]" vlan-ids=20
add bridge="bridge[LAN]" tagged=\
    "bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]" vlan-ids=30
add bridge="bridge[LAN]" tagged="bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]\
    ,sfp-sfpplus11[UPLINK_TRUENAS]" vlan-ids=50
add bridge="bridge[LAN]" tagged=\
    "bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]" vlan-ids=98
add bridge="bridge[LAN]" tagged="bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]\
    ,sfp-sfpplus11[UPLINK_TRUENAS]" vlan-ids=100
add bridge="bridge[LAN]" tagged=\
    "bridge[LAN],sfp-sfpplus12[UPLINK_SWITCH_2.5G]" vlan-ids=101
/interface list member
add interface="pppoe-out1[CL]" list=WAN
add interface=Infrastructure list=ALL_VLANS
add interface=Main list=ALL_VLANS
add interface=Servers list=ALL_VLANS
add interface=Security list=ALL_VLANS
add interface=IoT list=ALL_VLANS
add interface=Work list=ALL_VLANS
add interface=Guest list=ALL_VLANS
add interface=Infrastructure list=Infra
/ip address
add address=192.168.99.1/24 interface=Infrastructure network=192.168.99.0
add address=192.168.20.1/24 interface=Work network=192.168.20.0
add address=192.168.30.1/24 interface=IoT network=192.168.30.0
add address=192.168.50.1/24 interface=Main network=192.168.50.0
add address=192.168.98.1/24 interface=Guest network=192.168.98.0
add address=192.168.100.1/24 interface=Servers network=192.168.100.0
add address=192.168.101.1/24 interface=Security network=192.168.101.0
/ip dhcp-server lease
add address=192.168.101.2 mac-address=MAC_ADDRESS_HERE server=\
    "dhcp[SECURITY]"
add address=192.168.101.3 client-id=CLIENT_ID_HERE mac-address=\
    MAC_ADDRESS_HERE server="dhcp[SECURITY]"
add address=192.168.99.50 client-id=CLIENT_ID_HERE mac-address=\
    MAC_ADDRESS_HERE server="dhcp[INFRA]"
add address=192.168.50.2 client-id=CLIENT_ID_HERE mac-address=\
    MAC_ADDRESS_HERE server="dhcp[MAIN]"
add address=192.168.50.26 client-id=CLIENT_ID_HERE mac-address=\
    MAC_ADDRESS_HERE server="dhcp[MAIN]"
add address=192.168.50.4 client-id=CLIENT_ID_HERE mac-address=\
    MAC_ADDRESS_HERE server="dhcp[MAIN]"
add address=192.168.99.26 client-id=1CLIENT_ID_HERE mac-address=\
    MAC_ADDRESS_HERE server="dhcp[INFRA]"
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.98.0/24 gateway=192.168.98.1
add address=192.168.99.0/24 gateway=192.168.99.1
add address=192.168.100.0/24 gateway=192.168.100.1
add address=192.168.101.0/24 gateway=192.168.101.1
/ip firewall address-list
add address=192.168.100.99 list=IPs_Servers
add address=192.168.101.2 list=IPs_SimpliSafe
add address=192.168.101.3 list=IPs_Nest
add address=192.168.50.4 list=IPs_NordVPN
add address=192.168.50.3 list=IPs_NordVPN
add address=192.168.99.0/24 list=IPs_Infrastructure
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid log=yes log-prefix=\
    "Invalid input:"
add action=accept chain=input in-interface="!pppoe-out1[CL]" protocol=icmp
add action=drop chain=input in-interface="pppoe-out1[CL]" log=yes log-prefix=\
    "Dropped by input from WAN catch-all"
add action=fasttrack-connection chain=forward comment=Forward \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid log=yes log-prefix=\
    "Invalid forward:"
add action=accept chain=forward connection-state="" dst-address=\
    192.168.50.239 src-address=192.168.99.26
add action=accept chain=forward comment="VLAN Internet Access Only" \
    connection-state=new in-interface-list=ALL_VLANS out-interface-list=WAN
add action=drop chain=forward comment="Drop all inter-VLAN traffic" disabled=\
    yes in-interface-list=ALL_VLANS log=yes log-prefix=\
    "Dropped by inter-vlan" out-interface-list=ALL_VLANS
add action=drop chain=forward connection-state=new in-interface=\
    "pppoe-out1[CL]"
add action=drop chain=forward comment="Forward Drop Catch-All" log=yes \
    log-prefix="Dropped by forward catch-all"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="pppoe-out1[CL]"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=WilderRouter
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=Infra
/tool mac-server mac-winbox
set allowed-interface-list=Infra

Switch:

# 1970-01-12 03:32:20 by RouterOS 7.17
# software id = SOFTWARE_ID
#
# model = CRS310-8G+2S+
# serial number = SERIAL_NUMBER
/interface bridge
add admin-mac=MAC_ADDRESS_HERE auto-mac=no comment=defconf name=\
    "bridge[LAN]" vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1[INFRA]"
set [ find default-name=ether2 ] name="ether2[AP_BASEMENT]"
set [ find default-name=ether3 ] name="ether3[UPLINK_STUDY]"
set [ find default-name=ether5 ] name="ether5[MAIN_VLAN_TEMP]"
set [ find default-name=ether7 ] name="ether7[SERVER_VLAN_TEMP]"
set [ find default-name=ether8 ] name="ether8[TRUENAS_SERVER]"
set [ find default-name=sfp-sfpplus2 ] name="sfp-sfpplus2[UPLINK_ROUTER]"
/interface vlan
add interface="bridge[LAN]" name=Infrastructure vlan-id=99
/interface list
add name=LAN
add name=Infra
/interface bridge port
add bridge="bridge[LAN]" comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface="ether1[INFRA]" pvid=99
add bridge="bridge[LAN]" comment=defconf interface="ether2[AP_BASEMENT]"
add bridge="bridge[LAN]" comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface="ether3[UPLINK_STUDY]" \
    pvid=50
add bridge="bridge[LAN]" comment=defconf interface=ether4
add bridge="bridge[LAN]" comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=\
    "ether5[MAIN_VLAN_TEMP]" pvid=50
add bridge="bridge[LAN]" comment=defconf interface=ether6
add bridge="bridge[LAN]" comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=\
    "ether7[SERVER_VLAN_TEMP]" pvid=100
add bridge="bridge[LAN]" comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=\
    "ether8[TRUENAS_SERVER]" pvid=100
add bridge="bridge[LAN]" comment=defconf interface=sfp-sfpplus1
add bridge="bridge[LAN]" comment=defconf frame-types=admit-only-vlan-tagged \
    interface="sfp-sfpplus2[UPLINK_ROUTER]"
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=Infra
/interface bridge vlan
add bridge="bridge[LAN]" tagged=\
    "bridge[LAN],sfp-sfpplus2[UPLINK_ROUTER],ether2[AP_BASEMENT]" untagged=\
    "ether1[INFRA]" vlan-ids=99
add bridge="bridge[LAN]" tagged=\
    "sfp-sfpplus2[UPLINK_ROUTER],ether2[AP_BASEMENT]" vlan-ids=98
add bridge="bridge[LAN]" tagged="sfp-sfpplus2[UPLINK_ROUTER]" vlan-ids=20
add bridge="bridge[LAN]" tagged="sfp-sfpplus2[UPLINK_ROUTER]" vlan-ids=30
add bridge="bridge[LAN]" tagged=\
    "sfp-sfpplus2[UPLINK_ROUTER],ether2[AP_BASEMENT]" untagged=\
    "ether3[UPLINK_STUDY],ether5[MAIN_VLAN_TEMP]" vlan-ids=50
add bridge="bridge[LAN]" tagged="sfp-sfpplus2[UPLINK_ROUTER]" untagged=\
    "ether8[TRUENAS_SERVER],ether7[SERVER_VLAN_TEMP]" vlan-ids=100
add bridge="bridge[LAN]" tagged=\
    "sfp-sfpplus2[UPLINK_ROUTER],ether2[AP_BASEMENT]" vlan-ids=101
/interface list member
add interface="bridge[LAN]" list=LAN
add interface=Infrastructure list=LAN
add interface=Infrastructure list=Infra
/interface ovpn-server server
add mac-address=MAC_ADDRESS_HERE name=ovpn-server1
/ip address
add address=192.168.99.2/24 interface=Infrastructure network=192.168.99.0
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add distance=1 gateway=192.168.99.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=WilderSwitch2.5G
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=Infra
/tool mac-server mac-winbox
set allowed-interface-list=Infra

sid5632 · Tue Jan 28, 2025 2:15 am

I thought you were trying to get from .50.26 to .99.2 ? Now you don't mention that.
You've moved the goalposts and are trying to get from .99.26 to .50.239, neither of which you mentioned before.
You don't say what the source device is, nor what the destination "PC" is, or what OS's they are running, or how they're configured network-wise.
Are you sure that any response isn't filtered there? It is by default if it's a "Windows PC".
You do seem to be over-complicating things for someone who is "very new to a lot of networking concepts".

NA9D · Tue Jan 28, 2025 2:16 am

I just did a whole write up on Inter-VLAN routing using the Mikrotik routers. It works like a charm. My article is available in the section for useful user submitted articles.

ZRF · Tue Jan 28, 2025 3:35 am

I thought you were trying to get from .50.26 to .99.2 ? Now you don't mention that.
You've moved the goalposts and are trying to get from .99.26 to .50.239, neither of which you mentioned before.

Those are good points. I did move the goal posts and thought it would be simpler to test a Windows PC also connected to my switch instead of the switch device itself. I switched back to testing the switch device (192.168.99.2) from my laptop IP (192.168.50.26), and everything is working now.

You don't say what the source device is, nor what the destination "PC" is, or what OS's they are running, or how they're configured network-wise.
Are you sure that any response isn't filtered there? It is by default if it's a "Windows PC".

Since I can now successfully ping the switch IP, I am guessing it is filtering the response (like you said).

You do seem to be over-complicating things for someone who is "very new to a lot of networking concepts".

That is a fair observation.

ZRF · Tue Jan 28, 2025 3:47 am

I just did a whole write up on Inter-VLAN routing using the Mikrotik routers. It works like a charm. My article is available in the section for useful user submitted articles.

Thanks, I will take a look!

anav · Tue Jan 28, 2025 5:22 am

When you decide to get rid of quote marks around interface names and port names etc, I will look at the config again.
Also why no pool for two of the vlans?

Ddram · Sat Feb 01, 2025 11:11 pm

As mentioned in second post by sid, you have one rule that allows packets from sender to receiver, but the returning packets get catched by your vlan-to-vlan block rule, because there is no allow rule for this case.

anav · Sun Feb 02, 2025 5:21 pm

@Ddram, that is now how RoS firewall rules work.

If I have two vlans A and B.
And I want users in Vlan to be able to access a device in VlANB all I need is:
add chain=forward action=accept in-interface=VLANA dst-address=vlanB-DeviceIP

All traffic from vlanA to the device will be permitted.
All return traffic from device to vlanA will be permitted.

What is not permitted by the drop rule at the end or vlan to vlan block rule is
device ORIGINATING new traffic to VLANA.

Question about Firewall Rules for Inter-VLAN Communication [SOLVED]

Question about Firewall Rules for Inter-VLAN Communication

Re: Question about Firewall Rules for Inter-VLAN Communication

Re: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]

Re: Question about Firewall Rules for Inter-VLAN Communication

Re: Question about Firewall Rules for Inter-VLAN Communication

Re: Question about Firewall Rules for Inter-VLAN Communication

Re: Question about Firewall Rules for Inter-VLAN Communication

Re: Question about Firewall Rules for Inter-VLAN Communication

Re: Question about Firewall Rules for Inter-VLAN Communication

Re: Question about Firewall Rules for Inter-VLAN Communication

Re: Question about Firewall Rules for Inter-VLAN Communication

Re: Question about Firewall Rules for Inter-VLAN Communication

Re: Question about Firewall Rules for Inter-VLAN Communication

Re: Question about Firewall Rules for Inter-VLAN Communication

Re: Question about Firewall Rules for Inter-VLAN Communication