Hello,

I would like to ask is there an option to have separate firewall zones for each VLAN?

Currently I have such configuration that is visible on the screenshotr and I would like to have similar configuration like I have had previously in openWRT in a router that was in place of the Mikrotik.

openWRT configuration

OpenWrt Network:

root@OpenWrt:/etc/config# cat /etc/config/network

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd7f10dd::/48'

config interface 'lan'
option proto 'static'
option ipaddr '150.10.0.1'
option netmask '255.255.255.0'
option ip6assign '60'
option type 'bridge'
option ifname 'eth1.4'
option dns '150.10.0.110'

config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
option peerdns '0'
option dns '150.10.0.110'

config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'
option reqprefix 'auto'
option reqaddress 'none'
option auto '0'
option delegate '0'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 1'

config switch_vlan
option device 'switch0'
option vlan '2'
option vid '2'
option ports '0t 2'

config interface 'VLAN_TV'
option type 'bridge'
option proto 'static'
option ifname 'eth1.3'
option ipaddr '150.10.2.1'
option netmask '255.255.255.0'
option dns '150.10.0.110'

config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '0t 3'

config switch_vlan
option device 'switch0'
option vlan '4'
option vid '4'
option ports '0t 4'

config interface 'VLAN_VPN'
option type 'bridge'
option proto 'static'
option ipaddr '150.10.1.1'
option netmask '255.255.255.0'
option ifname 'eth1.1'
option dns '150.10.0.110'


OpenWrt Firewall:

root@OpenWrt:~# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option input 'REJECT'
option forward 'REJECT'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'Allow-IPSec-AH'
option src 'wan'
option dest 'lan'
option proto 'ah'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
option name 'Turn-off-internet LAN'
option src 'lan'
option stop_time '06:00:00'
option dest 'wan'
option start_time '00:00:00'
option proto 'tcp udp'

config rule
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
option name 'Turn-off-internet VPN'
option src 'VPN'
option start_time '00:00:00'
option proto 'tcp udp'
option dest 'wan'
option stop_time '06:00:00'

config rule
option src 'TV'
option target 'REJECT'
option name 'Turn-off-internet TV'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
option start_time '00:00:00'
option proto 'tcp udp'
option dest 'wan'
option stop_time '06:00:00'

config rule
option src 'TV'
option name 'TV DHCP and DNS'
option proto 'tcp udp'
option dest_port '53 67 68'
option target 'ACCEPT'

config rule
option src 'VPN'
option name 'VPN DHCP and DNS'
option dest_port '53 67 68'
option target 'ACCEPT'
option proto 'tcp udp'

config include
option path '/etc/firewall.user'

config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'TV'
option network 'VLAN_TV'
option input 'REJECT'

config forwarding
option dest 'wan'
option src 'TV'

config zone
option input 'ACCEPT'
option output 'ACCEPT'
option name 'VPN'
option network 'VLAN_VPN'
option forward 'ACCEPT'

config forwarding
option dest 'wan'
option src 'VPN'

config forwarding
option dest 'wan'
option src 'lan'

Mikrotik hAP ac^2 configuration

[adrian@MikroTik] /ip firewall address-list> print
Flags: X - disabled, D - dynamic
# LIST ADDRESS CREATION-TIME TIMEOUT
0 support 150.10.0.0/24 apr/24/2022 13:52:12
1 ;;; Self-Identification [RFC 3330]
bogons 0.0.0.0/8 apr/24/2022 13:52:12
2 X ;;; Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it
bogons 10.0.0.0/8 apr/24/2022 13:52:12
3 ;;; Loopback [RFC 3330]
bogons 127.0.0.0/8 apr/24/2022 13:52:12
4 ;;; Link Local [RFC 3330]
bogons 169.254.0.0/16 apr/24/2022 13:52:12
5 X ;;; Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it
bogons 172.16.0.0/12 apr/24/2022 13:52:12
6 X ;;; Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it
bogons 192.168.0.0/16 apr/24/2022 13:52:12
7 ;;; Reserved - IANA - TestNet1
bogons 192.0.2.0/24 apr/24/2022 13:52:12
8 ;;; 6to4 Relay Anycast [RFC 3068]
bogons 192.88.99.0/24 apr/24/2022 13:52:13
9 ;;; NIDB Testing
bogons 198.18.0.0/15 apr/24/2022 13:52:13
10 ;;; Reserved - IANA - TestNet2
bogons 198.51.100.0/24 apr/24/2022 13:52:13
11 ;;; Reserved - IANA - TestNet3
bogons 203.0.113.0/24 apr/24/2022 13:52:13
12 X ;;; MC, Class D, IANA # Check if you need this subnet before enable it
bogons 224.0.0.0/4 apr/24/2022 13:52:13




[adrian@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

2 ;;; established and related input
chain=input action=accept connection-state=established,related

3 X ;;; allow snmp
chain=input action=accept protocol=udp dst-port=161

4 X ;;; allow vpn
chain=input action=accept protocol=udp dst-port=1701,500,4500

5 X ;;; allow vpn
chain=input action=accept protocol=ipsec-esp

6 X ;;; allow winbox from management
chain=input action=accept protocol=tcp src-address-list=management dst-port=8291 log=no log-prefix=""

7 X ;;; allow ntp
chain=input action=accept protocol=tcp dst-port=123

8 ;;; allow icmp
chain=input action=accept protocol=icmp

9 ;;; allow all input from lan
chain=input action=accept in-interface=bridge1

10 ;;; drop all input !=management
chain=input action=drop src-address-list=!management

11 ;;; Add Syn Flood IP to the list
chain=input action=add-src-to-address-list tcp-flags=syn connection-limit=30,32 protocol=tcp address-list=Syn_Flooder address-list-timeout=30m

12 ;;; Drop to syn flood list
chain=input action=drop src-address-list=Syn_Flooder

13 ;;; Port Scanner Detect
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w

14 ;;; Drop to port scan list
chain=input action=drop src-address-list=Port_Scanner

15 ;;; Jump for icmp input flow
chain=input action=jump jump-target=ICMP protocol=icmp

16 X ;;; Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST
chain=input action=drop protocol=tcp src-address-list=!support dst-port=8291

17 ;;; Jump for icmp forward flow
chain=forward action=jump jump-target=ICMP protocol=icmp

18 ;;; Drop to bogon list
chain=forward action=drop dst-address-list=bogons

19 ;;; Add Spammers to the list for 3 hours
chain=forward action=add-src-to-address-list connection-limit=30,32 protocol=tcp address-list=spammers address-list-timeout=3h dst-port=25,587 limit=30/1m,0

20 ;;; Avoid spammers action
chain=forward action=drop protocol=tcp src-address-list=spammers dst-port=25,587

21 ;;; Accept DNS - UDP
chain=input action=accept protocol=udp port=53

22 ;;; Accept DNS - TCP
chain=input action=accept protocol=tcp port=53

23 ;;; Accept to established connections
chain=input action=accept connection-state=established

24 ;;; Accept to related connections
chain=input action=accept connection-state=related

25 ;;; Full access to SUPPORT address list
chain=input action=accept src-address-list=support

26 X ;;; Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED
chain=input action=drop

27 ;;; Echo request - Avoiding Ping Flood, adjust the limit as needed
chain=ICMP action=accept protocol=icmp icmp-options=8:0 limit=2,5

28 ;;; Echo reply
chain=ICMP action=accept protocol=icmp icmp-options=0:0

29 ;;; Time Exceeded
chain=ICMP action=accept protocol=icmp icmp-options=11:0

30 ;;; Destination unreachable
chain=ICMP action=accept protocol=icmp icmp-options=3:0-1

31 ;;; PMTUD
chain=ICMP action=accept protocol=icmp icmp-options=3:4

32 ;;; Drop to the other ICMPs
chain=ICMP action=drop protocol=icmp

33 ;;; Jump for icmp output
chain=output action=jump jump-target=ICMP protocol=icmp

You can create interface lists to group interfaces

And
Address lists to group adresses or address ranges

Forward chain - across the router ( WAN to LAN, LAN to WAN, LAN to LAN)
Input chain - to the router (services the router provides)

Control of traffic is accomplished at layer two by use of etherports, subnets, bridges and vlans
Control of traffic at layer3 is accomplished by firewall filter rules (the chains above).

Read Section B for some firewall ideas - viewtopic.php?t=182373

Thanks. I accomplished this task. When I will have a time I will provide a complete list of settings from the Mikrotik. I had to learn few things to make it work.