Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

vlan isolation not working

Locked
 
1littlewisp
newbie
Topic Author
Posts: 36
Joined: Wed Jun 10, 2009 6:23 pm

vlan isolation not working

Wed Jul 18, 2012 12:48 am

Hello all!
I've set up some vlans which appear to all be functioning properly except for one thing: traffic is allowed to pass between them unhindered. Here's the config:

Gateway
Code: Select all
[user@MikroTik] > interface vlan print
Flags: X - disabled, R - running, S - slave 
 #    NAME                                                                   MTU ARP        VLAN-ID INTERFACE                                                                
 0 R  vlan100                                                               1500 enabled        100 ether6                                                                   
 1 R  vlan200                                                               1500 enabled        200 ether6                                                                   
 2 R  vlan300                                                               1500 enabled        300 ether6 

[user@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                            
LAN                                                                                                                                  
 0   10.13.31.254/24    10.13.31.0      vlan100                                                                                                                              
 1   10.13.32.254/24    10.13.32.0      vlan200                                                                                                                              
 2   10.13.33.254/24    10.13.33.0      vlan300 

DHCP server is configured to hand out the respective ranges.
AP
Code: Select all
[user@MikroTik] > /interface vlan print
Flags: X - disabled, R - running, S - slave 
 #    NAME                     MTU ARP        VLAN-ID INTERFACE                  
 0 R  vlan100                 1500 enabled        100 lan_bridge                 
 1 R  vlan200                 1500 enabled        200 lan_bridge                 
 2 R  vlan300                 1500 enabled        300 lan_bridge                 
[user@MikroTik] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE               BRIDGE               PRIORITY  PATH-COST    HORIZON
 0    ether1                  lan_bridge               0x80         10       none
 1 I  ether2                  lan_bridge               0x80         10       none
 2 I  ether3                  lan_bridge               0x80         10       none
 3 I  ether4                  lan_bridge               0x80         10       none
 4 I  ether5                  lan_bridge               0x80         10       none
 5    vlan100                 br-vlan1-Administ...     0x80         10       none
 6    wlan1                   br-vlan1-Administ...     0x80         10       none
 7    vlan200                 br-vlan2-Faculty       0x80         10       none
 8 I  wlan2                   br-vlan2-Faculty        0x80         10       none
 9    vlan300                 br-vlan3-Guest           0x80         10       none
10 I  wlan3                   br-vlan3-Guest           0x80         10       none
[user@MikroTik] > interface wireless print
Flags: X - disabled, R - running 
 0  R ;;;Administration
      name="wlan1" mtu=1500 mac-address=D4:CA:6D:21:2F:7A arp=enabled 
      interface-type=Atheros 11N mode=ap-bridge ssid="Administrative Access" 
      frequency=2412 band=2ghz-b/g/n channel-width=20mhz scan-list=default 
      wireless-protocol=802.11 antenna-mode=ant-a wds-mode=disabled 
      wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled 
      default-authentication=yes default-forwarding=no default-ap-tx-limit=0 
      default-client-tx-limit=0 hide-ssid=yes 
      security-profile=Administration WPA compression=no 

 1    ;;;Faculty
      name="wlan2" mtu=1500 mac-address=D6:CA:6D:21:2F:7B arp=enabled 
      interface-type=virtual-AP master-interface=wlan1 ssid="Faculty" 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=no 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=Faculty WPA 

 2    ;;;Guest
      name="wlan3" mtu=1500 mac-address=D6:CA:6D:21:2F:7B arp=enabled 
      interface-type=virtual-AP master-interface=wlan1 ssid="Guest" 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=no 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
When I connect to the SSIDs, I get the an IP address from the corresponding DHCP server and am able to get online just fine from each. The problem is that I can ping anything on each of the ranges from any other range. HOWEVER, when I get into the AP and use the ping tool, I can only ping the gateways (10.13.3x.254) when I specify the respective interface.

For example, I can only ping 10.13.31.254 if I specify to use br-vlan1-Administration vlan. Once I change it to br-vlan2-Faculty, pings start timing out. Isolation appears to be happening up to the AP. I suspect that the problem has something to do with the wireless or bridge configuration.
Top
 
CelticComms
Forum Guru
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: vlan isolation not working

Wed Jul 18, 2012 4:58 am

What are your forwarding rules in /IP Firewall?
Top
 
1littlewisp
newbie
Topic Author
Posts: 36
Joined: Wed Jun 10, 2009 6:23 pm

Re: vlan isolation not working

Wed Jul 18, 2012 5:24 am

What are your forwarding rules in /IP Firewall?
Just masquerading the ranges at the Gateway.
Top
 
antkamidiv
just joined
Posts: 24
Joined: Fri Jun 22, 2012 12:22 pm
Contact:
Contact antkamidiv

Re: vlan isolation not working

Wed Jul 18, 2012 11:00 am

Hello!
I think vlan's settings cause the problem:
Code: Select all
[user@MikroTik] > /interface vlan print
Flags: X - disabled, R - running, S - slave 
 #    NAME                     MTU ARP        VLAN-ID INTERFACE                  
 0 R  vlan100                 1500 enabled        100 lan_bridge                 
 1 R  vlan200                 1500 enabled        200 lan_bridge                 
 2 R  vlan300                 1500 enabled        300 lan_bridge
You should change the lan_bridge in vlan's settings to the particular ethernet interface connected to the gateway.
More over You should expel this interface from all bridges!
Top
 
CelticComms
Forum Guru
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: vlan isolation not working

Wed Jul 18, 2012 1:17 pm

What are your forwarding rules in /IP Firewall?
Just masquerading the ranges at the Gateway.
Always remember - RouterOS will route all attached IP subnets by default! Since each VLAN presents a virtual interface to RouterOS it will route them unless you block that in the forwarding rules. If you currently have no fowarding rules then all attached interfaces will be routed to each other including the virtual VLAN interfaces.
Top
 
1littlewisp
newbie
Topic Author
Posts: 36
Joined: Wed Jun 10, 2009 6:23 pm

Re: vlan isolation not working

Wed Jul 18, 2012 1:54 pm

Hello!
I think vlan's settings cause the problem:
Code: Select all
[user@MikroTik] > /interface vlan print
Flags: X - disabled, R - running, S - slave 
 #    NAME                     MTU ARP        VLAN-ID INTERFACE                  
 0 R  vlan100                 1500 enabled        100 lan_bridge                 
 1 R  vlan200                 1500 enabled        200 lan_bridge                 
 2 R  vlan300                 1500 enabled        300 lan_bridge
You should change the lan_bridge in vlan's settings to the particular ethernet interface connected to the gateway.
More over You should expel this interface from all bridges!
Thanks for the reply. The same happens when I use ether1 as the parent interface. For that reason, I opted to bridge the ethernet ports together because I need wired hosts to talk through them without being on a vlan.
Top
 
1littlewisp
newbie
Topic Author
Posts: 36
Joined: Wed Jun 10, 2009 6:23 pm

Re: vlan isolation not working

Wed Jul 18, 2012 2:00 pm

What are your forwarding rules in /IP Firewall?
Just masquerading the ranges at the Gateway.
Always remember - RouterOS will route all attached IP subnets by default! Since each VLAN presents a virtual interface to RouterOS it will route them unless you block that in the forwarding rules. If you currently have no fowarding rules then all attached interfaces will be routed to each other including the virtual VLAN interfaces.
I had considered ways that I could prevent this behavior with firewalling but my gut told me that it shouldn't even be happening. I thought that the 802.1Q tag would stop the inter-vlan communication no matter what since it works on layer2. As long as there isn't a better way to design it, I'll proceed with that then. Thanks.
Top
 
CelticComms
Forum Guru
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: vlan isolation not working

Wed Jul 18, 2012 2:20 pm


I had considered ways that I could prevent this behavior with firewalling but my gut told me that it shouldn't even be happening. I thought that the 802.1Q tag would stop the inter-vlan communication no matter what since it works on layer2. As long as there isn't a better way to design it, I'll proceed with that then. Thanks.
The router will route the IP layer at level 3 - it doesn't care about multiple VLANs being multiplexed on a physical layer - as far as it is concerned it has a bunch of (VLAN) interfaces assigned IPs at level 3 and it routes them unless told otherwise.

In the broad sense the device is a router - it only becomes a firewall if the correct rules are applied.
Top
 
1littlewisp
newbie
Topic Author
Posts: 36
Joined: Wed Jun 10, 2009 6:23 pm

Re: vlan isolation not working

Wed Jul 18, 2012 6:14 pm


I had considered ways that I could prevent this behavior with firewalling but my gut told me that it shouldn't even be happening. I thought that the 802.1Q tag would stop the inter-vlan communication no matter what since it works on layer2. As long as there isn't a better way to design it, I'll proceed with that then. Thanks.
The router will route the IP layer at level 3 - it doesn't care about multiple VLANs being multiplexed on a physical layer - as far as it is concerned it has a bunch of (VLAN) interfaces assigned IPs at level 3 and it routes them unless told otherwise.

In the broad sense the device is a router - it only becomes a firewall if the correct rules are applied.
Thanks for the help!
Top
 
scampbell
Trainer
Trainer
Posts: 487
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ
Contact:
Contact scampbell

Re: vlan isolation not working

Fri Jul 20, 2012 7:29 am

Could you not set all of the VLAN Horiizon's=1 in the Bridge Port settings to isolate these ?

My understanding is traffic is not passed between ports with the same Horizon setting in the bridge.

If any VLAN in the bridge is to be shared/accessed by the others set it to Horizon=0 (for example).
Top
 
CelticComms
Forum Guru
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: vlan isolation not working

Fri Jul 20, 2012 12:26 pm

The horizon feature is for avoiding bridging loops.

If you want to avoiding certain IP routes at level 3 the correct thing to do is adjust the forwarding rules accordingly.
Top
 
estlin
just joined
Posts: 6
Joined: Sat Jun 23, 2012 11:04 pm

Re: vlan isolation not working

Fri Jul 20, 2012 10:21 pm

Hello,

Here is what I did to isolate my VLAN. I put in three firewall filter rules.

This first rule will keep your vlan and private lan from seeing eachother
Chain=forward
SrcAddress=192.168.2.0/24 --this is my vlan
Dst.Address=192.168.1.0/24 -- this is my private lan
Action=drop

The second rule will block your vlan from being able to access 192.168.1.1 which is my router IP address. I wanted to make sure no one on the vlan could get to the router's configuration.
Chain=input
SrcAddress=192.168.2.0/24 --this is the vlan
DstAddress=192.168.1.1 --this is my router IP address
Action=drop

The third rule let's my private Lan see and access all traffic on the VLAN but does not let the VLAN access the private LAN.
Chain=forward
SrcAddress=192.168.2.0/24 --this is my VLAN
DstAddress=192.168.1.0/24 --this is my Private LAN
ConnectionState=established
action=accept

I'm not an expert at this, but these three rules worked for me.
Top
 
CelticComms
Forum Guru
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: vlan isolation not working

Sat Jul 21, 2012 3:30 am


I'm not an expert at this, but these three rules worked for me.
You are on the right path but should really adopt a different approach. Why? Because the approach that you showed is based on explicit rules to drop disallowed traffic which is generally not the best approach.

Try reframing the rules but first create a completely unqualified forwarding rule to drop everything and place at the bottom of your forwarding rules.

Now, above that "drop all" rule place the rules explicitly "allowing" the traffic that you want to allow.

This is a safer approach!
Top
Locked
  4. RouterOS
  5. Beginner Basics