VlanLearner
just joined
Topic Author
Posts: 18
Joined: Fri Feb 17, 2017 1:27 pm

Please Help - how to block intervlanrouting

Fri Feb 17, 2017 2:17 pm

Hello everybody,
In our seminar I have a MikroTik RB1100AHx2 in use. I have divided the network into 16 VLANs. All clients access the Internet via a firewall (pfSense). The VLANs are set up in the RB, as is the DHCP server. For maintenance reasons I often have to go into the network. For this reason I opened OpenVPN on the pfSense. From home I start OVPN and go via Remote Desktop to my admin computer (172.16.5.99) (VLAN ID 5) in the network. From there I can then see the router, all switches and VLANs.
All VLANs are located in the network 172.16.XXX.0/24, XXX = 5 - 200 (= VLAN IDs)
Ether1 = WAN port towards pfSense, Ether2 = LAN - VLAN trunk.

Now my questions:
1. I now want the VLANs not to be able to see each other (no inter-VLAN routing), but still be able to go to the Internet.
2. I would like to still be able to go remotely into the seminar network and to all VLANs, switches and the RB.
3. If possible, only a few rules, such as
chain=forward action=drop in-interface=all-vlan out-interface=all-vlan ????

I would be happy about every tip!

Greetings VlanLearner

Excuse me for my bad English (Google translation)
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please Help - how to block intervlanrouting

Sat Feb 18, 2017 1:19 am

I've never used it myself so far, but in/out-interface=all-vlan does look like a useful shortcut that could greatly simplify things. Depending on what the default action of your firewall is, either block anything from all-vlan to all-vlan (for default allow), or allow anything from all-vlan to WAN (for default block). If you need an exception for your admin access, add another rule for your address. There shouldn't be any problem.
 
yogender
just joined
Posts: 23
Joined: Mon May 23, 2016 6:07 pm

Re: Please Help - how to block intervlanrouting

Sat Feb 18, 2017 7:27 am

Hey, you can start with a rule such as this, though not the ideal way to handle your scenario:

/ip firewall filter add src-address=172.16.0.0/16 dst-address=172.16.0.0/16 action=drop chain=forward

Above this rule, manually add rules to allow what you want to permit.
 
VlanLearner
just joined
Topic Author
Posts: 18
Joined: Fri Feb 17, 2017 1:27 pm

Re: Please Help - how to block intervlanrouting

Sat Feb 18, 2017 6:34 pm

Thank you both for the answers!
Sorry for the late reply ..... I have a strong cold :-(

@Sob and @yogender,
I want to enter my firewall rules in the RB1100AHx2. I have set up no NAT and no firewall rules (the actual firewall is the pfSense).
How would you write these rules:
First rule:
/ip firewall filter add action=accept chain=forward in-interface=admin-vlan5 out-interface=all-vlan
OR
/ip firewall filter add action=accept chain=forward in-interface=all-vlan out-interface=admin-vlan5
OR BOTH?
-> so that the admin has remote and local access to all VLANs, router and switches?

Last rule:
/ip firewall filter add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan
-> the VLANs get to the Internet and NO inter-VLAN routing is possible?

Greetings VlanLearner
Excuse me for my bad English (Google translation)
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please Help - how to block intervlanrouting

Sat Feb 18, 2017 7:13 pm

You allow only one direction (from admin vlan to others) and packets in the other direction (replies) will be allowed by the standard accept established & related rule, which should be at the beginning:
/ip firewall filter
add action=accept chain=forward connection-state=established,related
About your last rule, that will block vlan <-> vlan access. Access to the internet will be allowed by default, because you don't have an unconditional drop/reject rule at the end. There are two basic ways to create your firewall (you're now doing b):

a) Have an unconditional drop/reject rule as the last one. Only things you specifically allow will work.
b) Do not have this rule and use the default action, which in RouterOS is accept. Everything will work by default, except things you specifically block.
 
VlanLearner
just joined
Topic Author
Posts: 18
Joined: Fri Feb 17, 2017 1:27 pm

Re: Please Help - how to block intervlanrouting

Sat Feb 18, 2017 9:00 pm

@
thank you again!
Because of the cold I'm somewhat slow ... This would be 100% the right entry in the MikroTik firewall:

1. /ip firewall filter
add action=accept chain=forward connection-state=established,related
2. /ip firewall filter
add action=accept chain=forward in-interface=admin-vlan5 out-interface=all-vlan
3. /ip firewall filter
add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan

Correct??

Greetings VlanLearner
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please Help - how to block intervlanrouting

Sat Feb 18, 2017 10:17 pm

For new connections, this will:
- allow from admin-vlan5 to any other vlan
- block between any two vlans
- allow from anywhere else to anywhere else (or nothing, if you don't have other independent interfaces with IP config)
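To see how the three rules discussed above and the choice between Sob's approaches a) and b) actually play out, here is an added Python model of first-match evaluation in the forward chain; it is not from the thread or from RouterOS, and the interface names admin-vlan5, vlan6..vlan200 and ether1 (WAN) are assumed from the original post.

```python
# Added example (not from the thread): a minimal first-match model of the
# RouterOS forward chain, to show why rule order and the default action matter.
# Interface names (admin-vlan5, vlan6..vlan200, ether1) are assumed from the post.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed interface set: RouterOS "all-vlan" matches every VLAN-type interface.
VLAN_IFACES = {"admin-vlan5"} | {f"vlan{i}" for i in range(6, 201)}
WAN = "ether1"  # towards pfSense

@dataclass
class Rule:
    action: str                                 # "accept" or "drop"
    in_interface: Optional[str] = None          # exact name, "all-vlan", or None (any)
    out_interface: Optional[str] = None
    connection_state: FrozenSet[str] = frozenset()  # empty = match any state

@dataclass
class Packet:
    in_iface: str
    out_iface: str
    state: str = "new"  # "new", "established" or "related"

def iface_matches(pattern: Optional[str], iface: str) -> bool:
    if pattern is None:
        return True
    if pattern == "all-vlan":
        return iface in VLAN_IFACES
    return pattern == iface

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (iface_matches(rule.in_interface, pkt.in_iface)
            and iface_matches(rule.out_interface, pkt.out_iface)
            and (not rule.connection_state or pkt.state in rule.connection_state))

def forward_verdict(rules: List[Rule], pkt: Packet, default: str = "accept") -> str:
    """First matching rule decides; with no final catch-all, RouterOS accepts (approach b)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default  # pass default="drop" to model approach a) with a final drop rule

# The three rules agreed on in the thread, in the order Sob gave them.
THREAD_RULES = [
    Rule("accept", connection_state=frozenset({"established", "related"})),
    Rule("accept", in_interface="admin-vlan5", out_interface="all-vlan"),
    Rule("drop", in_interface="all-vlan", out_interface="all-vlan"),
]
```

Dropping the established/related rule (THREAD_RULES[1:]) shows why it has to come first: the admin's replies coming back from another VLAN would then hit the all-vlan drop rule.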
 
VlanLearner
just joined
Topic Author
Posts: 18
Joined: Fri Feb 17, 2017 1:27 pm

Re: Please Help - how to block intervlanrouting

Sun Feb 19, 2017 1:08 am

Thank YOU!!!
