agnostic
Frequent Visitor
Topic Author
Posts: 61
Joined: Fri Mar 21, 2014 8:23 pm

vlan isolation

Thu Oct 20, 2016 12:10 pm

Hello,
I am looking for an approach on how to effectively isolate VLANs and different DHCP interfaces. By default, when making a VLAN (or creating a hotspot) on an interface, I can access and ping the main (default configuration) network subnet BUT NOT the opposite (from main to hotspot or VLAN). This is unwanted because I want to isolate ALL VLANs and DHCP server interfaces from accessing each other. I have achieved this by adding firewall and routing rules, but I believe that there must be a simpler way to do the opposite and add firewall rules to allow communication instead of dropping it.
Any ideas I haven't thought of already???
I think maybe unchecking IP forward and manually adding firewall rules for routing to WAN???
 
th0massin0
Member Candidate
Posts: 156
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: vlan isolation

Thu Oct 20, 2016 12:35 pm

You're right. It's all about the firewall. I don't know which routerboard you are using, but you should start building your custom firewall rule set by deleting all rules and try:
/ip firewall filter
add action=fasttrack-connection chain=forward comment="START ALLOW FASTTRACK: established related" connection-state=established,related
add chain=forward comment="START ALLOW established related" connection-state=established,related
add chain=input comment="START ALLOW established related" connection-state=established,related
add action=drop chain=forward comment="START DROP invalid FWD" connection-state=invalid
add action=drop chain=input comment="START DROP invalid IN" connection-state=invalid
# YOUR FUTURE RULES
add chain=input comment="ENDING: ALLOW WinBox" dst-port=8291 in-interface=bridge-local protocol=tcp
add action=drop chain=input comment="ENDING: POLICY IN DROP"
add action=drop chain=forward comment="ENDING: POLICY FWD DROP"
Now you have blocked everything but WinBox, which can be reached from bridge-local, and enabled connections related to ones established before, to improve overall performance. This is a good point to make a backup; believe me, you will be using it a lot ;) . All your future (allowing traffic) rules should be placed between the "START" and "ENDING" rules.
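As an added illustration (not th0massin0's own configuration), here is the same default-deny layout with the "YOUR FUTURE RULES" slot filled in for the topic's use case: two VLANs that may each reach the WAN and the router's DHCP/DNS service, but not each other. The interface names (ether1 as WAN, vlan10 and vlan20 on ether2, WinBox on the untagged ether2) are assumed for the example.

```routeros
# Constructed topology for this example: ether1 = WAN (masqueraded), vlan10 and
# vlan20 tagged on ether2, each with its own subnet and DHCP server.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="START ALLOW FASTTRACK: established related" connection-state=established,related
add chain=forward comment="START ALLOW established related" connection-state=established,related
add chain=input comment="START ALLOW established related" connection-state=established,related
add action=drop chain=forward comment="START DROP invalid FWD" connection-state=invalid
add action=drop chain=input comment="START DROP invalid IN" connection-state=invalid

# input: only the router services each VLAN needs (DHCP server, DNS resolver).
# Add a matching protocol=tcp dst-port=53 rule if clients need TCP DNS.
add chain=input comment="ALLOW DHCP from vlan10" in-interface=vlan10 protocol=udp dst-port=67
add chain=input comment="ALLOW DHCP from vlan20" in-interface=vlan20 protocol=udp dst-port=67
add chain=input comment="ALLOW DNS from vlan10" in-interface=vlan10 protocol=udp dst-port=53
add chain=input comment="ALLOW DNS from vlan20" in-interface=vlan20 protocol=udp dst-port=53

# forward: each VLAN is only accepted towards the WAN port. A new connection
# vlan10 -> vlan20 (or the reverse) matches no accept rule here and falls
# through to the ENDING policy drop, which is what isolates the VLANs.
add chain=forward comment="ALLOW vlan10 -> WAN" in-interface=vlan10 out-interface=ether1
add chain=forward comment="ALLOW vlan20 -> WAN" in-interface=vlan20 out-interface=ether1

add chain=input comment="ENDING: ALLOW WinBox" dst-port=8291 in-interface=ether2 protocol=tcp
add action=drop chain=input comment="ENDING: POLICY IN DROP"
add action=drop chain=forward comment="ENDING: POLICY FWD DROP"
```

To check the result, ping a vlan20 host from a vlan10 client and an Internet host from the same client, then run `/ip firewall filter print stats`: the "ALLOW vlan10 -> WAN" counter should grow while the cross-VLAN attempt only increments "ENDING: POLICY FWD DROP". Adding a third VLAN means adding its three input rules and one forward rule; nothing in the START/ENDING frame changes.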
 
agnostic
Frequent Visitor
Topic Author
Posts: 61
Joined: Fri Mar 21, 2014 8:23 pm

Re: vlan isolation

Thu Oct 20, 2016 12:43 pm

Thank you.
I will try that on my RB750 (I believe the same applies to other mipsbe L4 boards).
 
th0massin0
Member Candidate
Posts: 156
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: vlan isolation

Thu Oct 20, 2016 12:48 pm

RB750 is an ethernet-only device (without wifi), so remember to replace bridge-local with the master LAN port (probably eth2).
 
CsXen
Frequent Visitor
Posts: 94
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: vlan isolation

Fri Nov 25, 2016 12:15 am

Hi.
My simplest solution:
/ip firewall filter add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan
Best regards: CsXen
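An added example (not CsXen's post) showing the caveat in the one-liner above: the `all-vlan` pseudo-interface matches only VLAN interfaces, so a hotspot or plain DHCP segment that the topic author also wants isolated needs its own pair of drop rules, and all of them must sit before any broad accept rule in the forward chain. The hotspot bridge name `bridge-hotspot` is assumed for the example.

```routeros
# Constructed topology for this example: vlan10 and vlan20 (both covered by
# all-vlan) plus a non-VLAN hotspot bridge "bridge-hotspot". The forward chain
# is assumed to keep its default accept rules, so the drops are inserted at the
# top with place-before so nothing accepts the traffic first.
/ip firewall filter
add action=drop chain=forward comment="ISOLATE vlan <-> vlan" in-interface=all-vlan out-interface=all-vlan place-before=0
add action=drop chain=forward comment="ISOLATE vlan -> hotspot" in-interface=all-vlan out-interface=bridge-hotspot place-before=1
add action=drop chain=forward comment="ISOLATE hotspot -> vlan" in-interface=bridge-hotspot out-interface=all-vlan place-before=2

# Verification: after pinging across segments, only the ISOLATE counters
# should have moved.
/ip firewall filter print stats where comment~"ISOLATE"
```

These rules only affect traffic the router forwards between segments; traffic aimed at the router itself (DHCP, DNS, WinBox) is decided in the input chain and is untouched, which is why this approach is shorter than a default-deny rule set but also why it does not protect the router's own services.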
 
bennn
just joined
Posts: 12
Joined: Mon Oct 03, 2016 7:20 pm

Re: vlan isolation

Fri Nov 25, 2016 1:07 am

Hi.
My simplest solution:
/ip firewall filter add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan
Best regards: CsXen
[emoji106]