Philox
just joined
Topic Author
Posts: 20
Joined: Fri Apr 24, 2020 4:51 pm

Bridge, VLANs & Firewall

Thu Mar 11, 2021 7:06 pm

Hi guys,

I'm coming to expose a problem with my firewall.
I have one bridge with all my VLANs in it. I want to do some inter-VLAN routing or make some VLANs non-reachable.
But all my rules in the FW are not working. OK, I know, VLANs are L2 & the FW works at L3.
But if I force the VLAN to go through the FW, it's not working any better. I'm a little confused with this now :/

I don't have my cfg now, I'll post it tomorrow. But can someone explain to me a little :)

I also read this stuff: viewtopic.php?f=13&t=143620
But if I try the same configuration to separate VLANs, I don't get the same results.

Thanks for your help :)
 
anav
Forum Guru
Posts: 22497
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge, VLANs & Firewall

Thu Mar 11, 2021 8:53 pm

The problem is not with your firewall, it's with the person configuring the firewall, just to be accurate.

Please post your config.
/export hide-sensitive file=anynameyouwish
 
sindy
Forum Guru
Posts: 11387
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bridge, VLANs & Firewall

Thu Mar 11, 2021 11:11 pm

VLANs are used to partition a physical network, i.e. to prevent devices in different VLANs from talking directly to each other at L2.

The communication between devices in different VLANs is possible thanks to routing between subnets hosted in these VLANs. It is common best practice, not a law of physics, to use a dedicated VLAN for each subnet.

To route between two subnets, there must be a router which has an IP address in each of the two subnets. L3 (IP) firewall rules on such a router can be used to block some connections.

Setting use-ip-firewall-for-vlan to yes is a very bad idea unless you know exactly what you are doing and what is the price to pay.

I can't say anything more specific until you follow the constructive part of @anav's suggestion.
 
anav
Forum Guru
Posts: 22497
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge, VLANs & Firewall

Fri Mar 12, 2021 12:30 am

edit: posted in error.
 
Philox
just joined
Topic Author
Posts: 20
Joined: Fri Apr 24, 2020 4:51 pm

Re: Bridge, VLANs & Firewall

Fri Mar 12, 2021 8:52 am

Thanks to both of you :) Even for the sarcasm, but I guess you're right :)
The setting use-ip-firewall-for-vlan will make my CPU work like crazy, right? And maybe add some delay.
What you're saying is to use the subnets' IPs to write my FW rules?

# mar/12/2021 07:30:22 by RouterOS 6.48.1
# software id = 412E-IMFY
#
# model = CCR1072-1G-8S+
# serial number = xxxxxxxxxxxxxx
/interface bridge
add admin-mac=11:11:11:11:11:11 auto-mac=no name=br-all-vlans priority=0x5000 \
    vlan-filtering=yes
/interface vlan
add interface=br-all-vlans name=vlan15 vlan-id=15
add interface=br-all-vlans name=vlan30 vlan-id=30
add interface=br-all-vlans name=vlan35 vlan-id=35
add interface=br-all-vlans name=vlan45 vlan-id=45
add interface=br-all-vlans name=vlan46 vlan-id=46
add interface=br-all-vlans name=vlan48 vlan-id=48
add interface=br-all-vlans name=vlan79 vlan-id=79
add interface=br-all-vlans loop-protect=off name=vlan138 vlan-id=138
add interface=br-all-vlans name=vlan175 vlan-id=175
add interface=br-all-vlans name=vlan200 vlan-id=200
/interface vrrp
add interface=vlan15 name=vrrp-15 vrid=15
add interface=vlan30 name=vrrp-30 vrid=30
add interface=vlan35 mtu=1576 name=vrrp-35 vrid=35
add interface=vlan45 name=vrrp-45 vrid=45
add interface=vlan46 name=vrrp-46 vrid=46
add interface=vlan48 name=vrrp-48 priority=200 vrid=48
add disabled=yes interface=vlan79 name=vrrp-79 vrid=79
add interface=vlan138 name=vrrp-138 vrid=138
add interface=vlan175 name=vrrp-175 vrid=175
add interface=vlan200 name=vrrp-200 vrid=200
/interface list
add name=WAN
add name=LAN
add name=VLANS
add name=VLAN_GUEST
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=242 name=Option242 value="'L2QVLAN=35'"
/ip dhcp-server option sets
add name=SetOption242 options=Option242
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,3des \
    hash-algorithm=sha256 name="default Profile" nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=ASIS
add dh-group=modp2048 enc-algorithm=3des hash-algorithm=sha256 lifetime=1h \
    name=TIMS
/ip ipsec peer
add address=xx.xx.xx.xx/32 name=ASIS profile=ASIS
add address=xx.xx.xx.xx/32 name=TIMS profile=TIMS
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=\
    Asis_Proposal pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=\
    Tims_Voix pfs-group=modp1536
/ip pool
add name=pool-legacy ranges=192.168.138.4-192.168.138.200
add name=pool-data ranges=10.0.14.4-10.0.15.254
add name=pool-voix ranges=10.0.30.4-10.0.30.254
add name=pool-wifi ranges=10.0.45.4-10.0.45.254
add name=pool-wifiguest ranges=10.0.46.4-10.0.47.254
add name=pool-serveur ranges=10.0.175.4-10.0.175.254
add name=pool-mgmt ranges=10.0.200.4-10.0.200.254
add name=pool-rucher ranges=10.0.79.2-10.0.79.239
add name=pool-voip-centrex ranges=10.0.35.4-10.0.35.254
add name=pool-wifiguest2 ranges=10.0.48.4-10.0.48.254
/ip dhcp-server
add address-pool=pool-data delay-threshold=10s dhcp-option-set=SetOption242 \
    disabled=no interface=vlan15 lease-time=8h name=dhcp-15
add address-pool=pool-voix delay-threshold=10s disabled=no interface=vlan30 \
    lease-time=8h name=dhcp-30
add address-pool=pool-serveur delay-threshold=10s disabled=no interface=\
    vlan175 lease-time=8h name=dhcp-175
add address-pool=pool-wifi delay-threshold=10s disabled=no interface=vlan45 \
    lease-time=8h name=dhcp-45
add address-pool=pool-wifiguest delay-threshold=10s disabled=no interface=\
    vlan46 lease-time=8h name=dhcp-46
add address-pool=pool-legacy delay-threshold=10s disabled=no interface=\
    vlan138 lease-time=8h name=dhcp-138
add address-pool=pool-mgmt delay-threshold=10s disabled=no interface=vlan200 \
    lease-time=8h name=dhcp-200
add address-pool=pool-rucher delay-threshold=10s disabled=no interface=vlan79 \
    name=dhcp-79
add address-pool=pool-wifiguest2 delay-threshold=10s disabled=no interface=\
    vlan48 name=dhcp-48
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
    up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
    up-port=1700
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/user group
add name=ftp-dhcp policy="ftp,read,write,!local,!telnet,!ssh,!reboot,!policy,!\
    test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=br-all-vlans disabled=yes interface=sfp-sfpplus1
add bridge=br-all-vlans interface=sfp-sfpplus2 path-cost=5
add bridge=br-all-vlans interface=sfp-sfpplus3 path-cost=20
add bridge=br-all-vlans interface=sfp-sfpplus4
add bridge=br-all-vlans interface=sfp-sfpplus5
add bridge=br-all-vlans interface=sfp-sfpplus6
add bridge=br-all-vlans interface=sfp-sfpplus7
add bridge=br-all-vlans interface=ether1 pvid=15
add bridge=br-all-vlans interface=sfp-sfpplus8 path-cost=30
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus2,sfp-sfpplus3,sfp-sfp\
    plus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" vlan-ids=15
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus2,sfp-sfpplus3,sfp-sfp\
    plus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" vlan-ids=30
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus2,sfp-sfpplus3,sfp-sfp\
    plus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" vlan-ids=175
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus2,sfp-sfpplus3,sfp-sfp\
    plus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" vlan-ids=138
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus2,sfp-sfpplus3,sfp-sfp\
    plus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" vlan-ids=200
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus2,sfp-sfpplus3,sfp-sfp\
    plus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" vlan-ids=45
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus2,sfp-sfpplus3,sfp-sfp\
    plus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" vlan-ids=46
add bridge=br-all-vlans tagged=\
    sfp-sfpplus3,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus8,br-all-vlans \
    vlan-ids=79
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus2,sfp-sfpplus3,sfp-sfp\
    plus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" vlan-ids=35
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus3,sfp-sfpplus4,sfp-sfp\
    plus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus2" vlan-ids=48
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=br-all-vlans list=LAN
add interface=vlan15 list=VLANS
add interface=vlan30 list=VLANS
add interface=vlan35 list=VLANS
add interface=vlan45 list=VLANS
add disabled=yes interface=vlan46 list=VLANS
add disabled=yes interface=vlan48 list=VLANS
add interface=vlan79 list=VLANS
add interface=vlan138 list=VLANS
add interface=vlan175 list=VLANS
add interface=vlan48 list=VLAN_GUEST
add interface=vlan46 list=VLAN_GUEST
/ip address
add address=192.168.138.3/24 comment=legacy interface=vlan138 network=\
    192.168.138.0
add address=10.0.175.3/24 interface=vlan175 network=10.0.175.0
add address=10.0.45.3/24 interface=vlan45 network=10.0.45.0
add address=10.0.46.3/23 interface=vlan46 network=10.0.46.0
add address=10.0.30.3/24 interface=vlan30 network=10.0.30.0
add address=10.0.200.3/24 interface=vlan200 network=10.0.200.0
add address=10.0.14.3/23 interface=vlan15 network=10.0.14.0
add address=192.168.138.1 comment=VRRP-VLAN-LEGACY interface=vrrp-138 \
    network=192.168.138.0
add address=10.0.175.1 comment=VRRP-VLAN-SERVER interface=vrrp-175 network=\
    10.0.175.0
add address=10.0.30.1 comment=VRRP-VLAN-VOIX interface=vrrp-30 network=\
    10.0.30.0
add address=10.0.200.1 comment=VRRP-VLAN-MGMT interface=vrrp-200 network=\
    10.0.200.0
add address=10.0.14.1 comment=VRRP-VLAN-DATA interface=vrrp-15 network=\
    10.0.14.0
add address=10.0.45.1/24 comment=VRRP-VLAN-WIFI interface=vrrp-45 network=\
    10.0.45.0
add address=10.0.46.1 comment=VRRP-VLAN-WIFIGUEST interface=vrrp-46 network=\
    10.0.46.0
add address=10.0.79.254 comment=VRRP-VLAN-RUCHER interface=vrrp-79 network=\
    10.0.64.0
add address=10.0.35.3/24 interface=vlan35 network=10.0.35.0
add address=10.0.35.1 comment=VRRP-VLAN-VOIX-TIMS interface=vrrp-35 network=\
    10.0.176.0
add address=xx.xx.xx.xx/29 interface=sfp-sfpplus1 network=185.146.77.136
add address=192.168.0.202/30 comment="Trunk InterRouter" interface=\
    sfp-sfpplus8 network=192.168.0.200
add address=10.0.79.252/20 interface=vlan79 network=10.0.64.0
add address=10.0.48.3/24 interface=vlan48 network=10.0.48.0
add address=10.0.48.1/24 interface=vrrp-48 network=10.0.48.0
/ip dhcp-relay
add dhcp-server=10.0.176.1 disabled=no interface=vlan35 local-address=\
    10.0.35.2 name=Tims-Relay
/ip dns
set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=10000 \
    max-concurrent-tcp-sessions=500 servers=\
    8.8.8.8,192.168.138.250,10.0.175.30
/ip firewall address-list
add address=xxxxxxxxxxxxxx list=IP_PROCEAU
add address=xxxxxxxxxxxxxx list=IP_LBO
add address=xxxxxxxxxxxxxx list=LBO_VPN
add address=xxxxxxxxxxxxxx list=CombinedListName
add address=xxxxxxxxxxxxxx list=CombinedListName
add address=xxxxxxxxxxxxxx list=CombinedListName
add address=xxxxxxxxxxxxxx list=IP_ALARME
add address=svi-1.cpoomau2fuaz.eu-west-3.rds.amazonaws.com list=\
    CombinedListName
add address=192.168.0.201 list=Admin
add address=192.168.0.202 list=Admin
add address=192.168.0.200/30 list=Admin
add address=xxxxxxxxxxxxxx list=Admin


/ip firewall filter
add action=reject chain=input dst-port=8728,8729,21,22,23,8291,80 log=yes protocol=tcp reject-with=icmp-port-unreachable src-address-list=!Admin
add action=add-src-to-address-list address-list=Admin address-list-timeout=1d chain=input packet-size=151 protocol=icmp src-address-list=!Admin
add action=drop chain=input comment="Drop outside DNS udp" dst-port=53 in-interface=sfp-sfpplus1 protocol=udp
add action=drop chain=input comment="Drop outside DNS tcp" dst-port=53 in-interface=sfp-sfpplus1 protocol=tcp
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="ALLOW VLANS" in-interface-list=VLANS
add action=drop chain=input comment=DROP disabled=yes
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add chain=forward action=accept connection-state=new in-interface-list=VLAN_GUEST out-interface-list=WAN comment="VLAN_GUEST Internet Access only"
add action=drop chain=forward disabled=yes


/ip firewall nat
add action=dst-nat chain=dstnat comment="OpenVPNServer 2" dst-port=10194 \
    protocol=udp to-addresses=10.0.175.248 to-ports=10194
add action=dst-nat chain=dstnat comment=OpenVPNServer dst-port=1193 protocol=\
    udp to-addresses=10.0.175.251 to-ports=1193
add action=dst-nat chain=dstnat comment="SFTP PREPROD CHRONO" dst-port=10222 \
    protocol=tcp to-addresses=10.0.15.252 to-ports=22
add action=dst-nat chain=dstnat comment=OpenVPNServer dst-port=1194 protocol=\
    tcp to-addresses=10.0.175.251 to-ports=1194
add action=accept chain=srcnat dst-address=185.12.96.197 src-address=\
    xxxxxxxxxxxxxx
add action=accept chain=dstnat dst-address=182.12.96.197 src-address=\
    xxxxxxxxxxxxxx
add action=dst-nat chain=dstnat comment="MAGISTOR PROD FTP DATA (PASSIVE)" \
    dst-port=64500-64535 protocol=tcp to-addresses=10.0.175.221 to-ports=\
    64500-64535
add action=dst-nat chain=dstnat comment=\
    "MAGISTOR PREPROD FTP DATA  (PASSIVE)" dst-port=65500-65535 protocol=tcp \
    to-addresses=10.0.175.220 to-ports=65500-65535
add action=dst-nat chain=dstnat comment="MAGISTOR FTP PROD" dst-port=221 \
    protocol=tcp src-address=xxxxxxxxxxxxxx/24 to-addresses=10.0.175.221 \
    to-ports=21
add action=dst-nat chain=dstnat comment="MAGISTOR FTP PREPROD" dst-port=321 \
    protocol=tcp src-address=xxxxxxxxxxxxxx/24 to-addresses=10.0.175.220 \
    to-ports=21
add action=dst-nat chain=dstnat comment="PRE-PROD FTP" dst-port=421 protocol=\
    tcp src-port="" to-addresses=10.0.175.216 to-ports=21
add action=dst-nat chain=dstnat comment="PRE-PROD FTP (PASSIVE)" dst-port=\
    62500-62535 protocol=tcp src-port="" to-addresses=10.0.175.216 to-ports=\
    62500-62535
add action=accept chain=srcnat dst-address=10.10.100.159 src-address=\
    192.168.138.0/24
add action=accept chain=srcnat dst-address=10.10.100.159 src-address=\
    10.0.175.0/24
add action=dst-nat chain=dstnat comment=JENKINS dst-port=8080 protocol=tcp \
    src-address-list=IP_PROCEAU to-addresses=10.0.175.7 to-ports=8080
add action=accept chain=dstnat dst-address=xxxxxxxxxxxxxx dst-port=6666 \
    protocol=tcp src-address=10.0.175.6 src-port=6666
add action=accept chain=dstnat dst-address=xxxxxxxxxxxxxx dst-port=6666 \
    protocol=tcp src-address=10.0.175.6 src-port=6666
add action=accept chain=dstnat dst-address=xxxxxxxxxxxxxx dst-port=6666 \
    protocol=tcp src-address=10.0.175.10 src-port=6666
add action=accept chain=dstnat dst-address=xxxxxxxxxxxxxx dst-port=6666 \
    protocol=tcp src-address=10.0.175.10 src-port=6666
add action=dst-nat chain=dstnat comment="LBOBI ---> PROCEAU" protocol=tcp \
    src-address-list=CombinedListName to-addresses=10.0.175.14 to-ports=3306
add action=dst-nat chain=dstnat dst-address=xxxxxxxxxxxxxx dst-port=3306 \
    protocol=tcp to-addresses=10.0.175.14 to-ports=3306
add action=dst-nat chain=dstnat comment=WIREGUARD dst-port=51820 protocol=udp \
    to-addresses=10.0.175.32 to-ports=51820
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall service-port
set sip ports=5060,5061,5062
/ip ipsec identity
add peer=ASIS
add peer=TIMS
/ip ipsec policy
set 0 disabled=yes
add dst-address=xxxxxxxxxxxxxx/32 peer=ASIS proposal=Asis_Proposal \
    sa-dst-address=xxxxxxxxxxxxxx sa-src-address=xxxxxxxxxxxxxx src-address=\
    192.168.138.0/24 tunnel=yes
add dst-address=10.10.100.159/32 peer=ASIS proposal=Asis_Proposal \
    sa-dst-address=xxxxxxxxxxxxxx sa-src-address=xxxxxxxxxxxxxx src-address=\
    10.0.175.0/24 tunnel=yes
add dst-address=10.0.176.0/25 peer=TIMS proposal=Tims_Voix sa-dst-address=\
    xxxxxxxxxxxxxx sa-src-address=xxxxxxxxxxxxxx src-address=10.0.35.0/24 \
    tunnel=yes
add dst-address=10.0.176.0/25 peer=TIMS proposal=Tims_Voix sa-dst-address=\
    xxxxxxxxxxxxxx sa-src-address=xxxxxxxxxxxxxx src-address=10.0.14.0/24 \
    tunnel=yes
add dst-address=10.0.176.0/25 peer=TIMS proposal=Tims_Voix sa-dst-address=\
    xxxxxxxxxxxxxx sa-src-address=xxxxxxxxxxxxxx src-address=10.0.45.0/24 \
    tunnel=yes
add dst-address=10.0.176.0/25 peer=TIMS proposal=Tims_Voix sa-dst-address=\
    xxxxxxxxxxxxxx sa-src-address=xxxxxxxxxxxxxx src-address=10.0.175.0/24 \
    tunnel=yes
add dst-address=10.0.176.0/25 peer=TIMS proposal=Tims_Voix sa-dst-address=\
    xxxxxxxxxxxxxx sa-src-address=xxxxxxxxxxxxxx src-address=10.1.192.0/20 \
    tunnel=yes
add dst-address=10.0.176.0/25 peer=TIMS proposal=Tims_Voix sa-dst-address=\
    xxxxxxxxxxxxxx sa-src-address=xxxxxxxxxxxxxx src-address=10.1.224.0/20 \
    tunnel=yes
/ip route
add distance=1 gateway=xxxxxxxxxxxxxx
add distance=1 gateway=xxxxxxxxxxxxxx
add distance=1 dst-address=10.0.14.0/24 gateway=vrrp-15 pref-src=10.0.176.1
add distance=1 dst-address=10.0.14.0/24 gateway=vlan15 pref-src=10.0.176.1
add distance=1 dst-address=10.0.14.108/32 gateway=vrrp-15
add check-gateway=ping distance=1 dst-address=10.0.14.251/32 gateway=vlan15 \
    pref-src=10.0.14.3
add distance=1 dst-address=10.0.30.5/32 gateway=vrrp-30
add disabled=yes distance=1 dst-address=10.0.30.250/32 gateway=vrrp-30
add distance=1 dst-address=10.0.175.3/32 gateway=vrrp-175 pref-src=10.0.175.1
add distance=1 dst-address=10.0.175.6/32 gateway=vrrp-175
add comment=REDMINE distance=1 dst-address=10.0.175.9/32 gateway=vlan175
add comment=LBOPPAS01 distance=1 dst-address=10.0.175.220/32 gateway=vrrp-175 \
    pref-src=10.0.175.1
add distance=1 dst-address=10.0.175.220/32 gateway=vlan200
add distance=1 dst-address=10.0.175.221/32 gateway=vrrp-175
add distance=1 dst-address=10.0.175.223/32 gateway=vlan175
add distance=1 dst-address=10.0.175.224/32 gateway=vrrp-175
add distance=1 dst-address=10.0.175.250/32 gateway=vrrp-175
add distance=1 dst-address=10.0.175.251/32 gateway=vlan175 pref-src=\
    10.0.175.2
add comment=":::OPEN VPN:::" distance=1 dst-address=10.0.175.251/32 gateway=\
    vrrp-175 pref-src=10.0.175.1
add distance=1 dst-address=10.0.175.252/32 gateway=vrrp-175
add distance=1 dst-address=10.0.176.0/25 gateway=vrrp-15,vrrp-175
add distance=1 dst-address=10.0.176.1/32 gateway=vlan35 pref-src=10.0.35.2
add distance=1 dst-address=10.0.176.15/32 gateway=\
    vlan15,vrrp-175,vlan35,vlan45
add distance=1 dst-address=10.0.200.10/32 gateway=vrrp-200
add distance=1 dst-address=10.1.192.0/20 gateway=10.0.175.251
add distance=1 dst-address=xxxxxxxxxxxxxx gateway=10.0.175.251
add distance=1 dst-address=xxxxxxxxxxxxxx gateway=vlan175 pref-src=10.0.175.1
add distance=1 dst-address=xxxxxxxxxxxxxx/32 gateway=sfp-sfpplus1
add comment=LBOPRFS01 distance=1 dst-address=192.168.138.212/32 gateway=\
    vlan138
add comment=LBOPRAS01 distance=1 dst-address=192.168.138.221/32 gateway=\
    vrrp-138 pref-src=192.168.138.1
add comment=SRV-BOUTIQUEOFF distance=1 dst-address=192.168.138.250/32 \
    gateway=vrrp-138 pref-src=192.168.138.1
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=LBO_CORE2
/system package update
set channel=long-term
/system scheduler
add interval=10m name=ftp-dhcp on-event="if ([:len [/file find name=leases.rsc\
    ]]>0) do={/file remove leases.rsc}\r\
    \n/tool fetch mode=ftp address=192.168.0.201 src-path=leases.rsc user=ftp \
    password=LBO69\r\
    \nif ([:len [/file find name=leases.rsc]]>0) do={\r\
    \nforeach i in=[/ip dhcp-server lease find ] do={\r\
    \n/ip dhcp-server lease remove \$i\r\
    \n};\r\
    \nimport leases.rsc;\r\
    \n}" policy=ftp,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/tool romon
set enabled=yes
/tool user-manager database
set db-path=user-manager
 
anav
Forum Guru
Posts: 22497
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge, VLANs & Firewall  [SOLVED]

Fri Mar 12, 2021 3:57 pm

I am actually an acerbic llama, so it's second nature!!

As for FW rules, yes.
However, with the very good last rule of drop all in your forward chain, you effectively stop all VLAN-to-VLAN layer 3 traffic cold.
All you need to do is add some allow rules when, for example, as admin you want to be able to access all VLANs.
OR, you want users from one VLAN to be able to access a shared printer in another VLAN.

In general I tend to use VLANs or groups of VLANs (make the necessary interface lists and members) for FW rules.
I use address lists when I have a few users from a VLAN, or a mix of users from different VLANs etc., something less than an entire subnet.
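The following forward chain is an added example, not configuration from this thread or from MikroTik: it puts sindy's point (inter-VLAN traffic is routed, so it can be filtered at L3) and anav's advice above (interface-list allow rules in front of a final drop) into RouterOS syntax, reusing the WAN, VLANS and VLAN_GUEST lists from the posted export. It also adds the VRRP interfaces to the lists, as the thread's last post reports is needed. Everything else is an assumption made for the illustration: that vlan200/vrrp-200 (the "mgmt" pool in the export) is the admin VLAN, that the shared printer sits at the placeholder address 10.0.175.20, and that the new ADMIN list name is free.

```routeros
# Added example (not from the thread). Assumptions: vlan200/vrrp-200 is the admin
# VLAN; 10.0.175.20 is a placeholder address for the shared printer.
/interface list
add name=ADMIN comment="assumed: management VLAN only"

/interface list member
# Both the vlan interface and its vrrp interface go into each list, as the
# thread's last post reports that vlan interfaces alone did not match.
add interface=vlan200 list=ADMIN
add interface=vrrp-200 list=ADMIN
add interface=vrrp-15 list=VLANS
add interface=vrrp-30 list=VLANS
add interface=vrrp-35 list=VLANS
add interface=vrrp-45 list=VLANS
add interface=vrrp-79 list=VLANS
add interface=vrrp-138 list=VLANS
add interface=vrrp-175 list=VLANS
add interface=vrrp-46 list=VLAN_GUEST
add interface=vrrp-48 list=VLAN_GUEST

/ip firewall filter
# Reply traffic of already-allowed connections first, so rule order below only
# has to think about the first packet of a connection.
add chain=forward action=accept connection-state=established,related \
    comment="Allow Estab & Related"
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
# Admin VLAN may open connections to every other VLAN.
add chain=forward action=accept connection-state=new in-interface-list=ADMIN \
    out-interface-list=VLANS comment="Admin reaches all VLANs"
# Any internal VLAN may reach the shared printer in the server VLAN (placeholder
# address, IPP and raw print ports only), but nothing else in that VLAN.
add chain=forward action=accept connection-state=new in-interface-list=VLANS \
    protocol=tcp dst-address=10.0.175.20 dst-port=631,9100 \
    comment="Shared printer (assumed address)"
# Internet access for internal and guest VLANs; guests get nothing else.
add chain=forward action=accept connection-state=new in-interface-list=VLANS \
    out-interface-list=WAN comment="Internal VLANs to Internet"
add chain=forward action=accept connection-state=new \
    in-interface-list=VLAN_GUEST out-interface-list=WAN \
    comment="VLAN_GUEST Internet Access only"
# The export already carries dst-nat rules; without this accept the final drop
# would also block those published services.
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface-list=WAN \
    comment="Port-forwarded services"
# Everything else (including all remaining VLAN-to-VLAN traffic) is dropped and
# logged, so unexpected cross-VLAN attempts show up in the log.
add chain=forward action=drop log=yes log-prefix="fwd-drop" \
    comment="Drop everything else"
```

After applying it, `/ip firewall filter print stats` shows which rule each flow is hitting, and `/log print where message~"fwd-drop"` lists the cross-VLAN connections the final rule is rejecting, which is the quickest way to find an allow rule that is still missing.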
 
Philox
just joined
Topic Author
Posts: 20
Joined: Fri Apr 24, 2020 4:51 pm

Re: Bridge, VLANs & Firewall

Mon Mar 15, 2021 11:39 am

I saw that :)
It's what I had, an interface list. But if I use just the VLAN interfaces, it's not working. To make it work, I added the VRRPs to the same list.
Since then, the results are better :)

Thanks for your advice. Now I'll work on my rules :)