I am trying to create a firewall rule that will drop all traffic from one vlan101 to a list of multiple vlan100, vlan102, vlan103, vlan104
can i achieve this with a single firewall rule?
right now i have to create 8 rules, one for forward and one for input for all 4 vlans i want to block traffic to
can i do this in one single firewall rule? how about just 2 firewall rules forward/input?
thanks
-
-
uberwebguru
Member Candidate
- Posts: 173
- Joined:
Re: firewall rule to drop all traffic from one vlan address to a list of vlan addresses
Do you try to use address list? You can add list with destination IPs and it would be 1 rule.
Re: firewall rule to drop all traffic from one vlan address to a list of vlan addresses
Use interface list for dropping.
Re: firewall rule to drop all traffic from one vlan address to a list of vlan addresses
You can use interface list ... which will reduce number of rules. I'm not sure I understand which traffic you want to block though ... if you want to block traffic originating from vlan101 targeting other VLANs and router itself, then you need 5 rules without using either interface list or address list. If you're trying to block traffic originating from the rest of VLANs and targeting either vlan101 or router itself, then indeed you currently need 8 rules. Either way you'll need two rules when using lists (interface list or address list). Assuming you're trying to block connections originating from vlan101 the config might be something like this:
Beware that with stateful firewall blocking rules are "uni directional" ... which means that traffic originating in the opposite direction will be allowed. Firewall rules effectively work on initial packets, the rest are usually treated by generic "allow established,related" rules (yes, two ... the "normal" and the fasttrack rules).
Code: Select all
/interface list
add comment="should not connect to vlan101" name=not_from_vlan101
/interface list member
add list=not_from_vlan101 interface=vlan100
add list=not_from_vlan101 interface=vlan102
add list=not_from_vlan101 interface=vlan103
add list=not_from_vlan101 interface=vlan104
/ip firewall filter
# arrange the following rules to make sure that not wanted traffic is blocked while the rest of traffic is still allowed to pass
# you might want to create some rules allowing specific traffic and place them above these drop rules (e.g. allow DHCP from clients)
add action=drop chain=input in-interface=vlan101
add action=drop chain=forward in-interface=vlan101 out-interface-list=not_from_vlan101
Beware that with stateful firewall blocking rules are "uni directional" ... which means that traffic originating in the opposite direction will be allowed. Firewall rules effectively work on initial packets, the rest are usually treated by generic "allow established,related" rules (yes, two ... the "normal" and the fasttrack rules).
-
-
uberwebguru
Member Candidate
- Posts: 173
- Joined:
Re: firewall rule to drop all traffic from one vlan address to a list of vlan addresses
So essentially i need so many rules, then what is use of the interface list then?You can use interface list ... which will reduce number of rules. I'm not sure I understand which traffic you want to block though ... if you want to block traffic originating from vlan101 targeting other VLANs and router itself, then you need 5 rules without using either interface list or address list. If you're trying to block traffic originating from the rest of VLANs and targeting either vlan101 or router itself, then indeed you currently need 8 rules. Either way you'll need two rules when using lists (interface list or address list). Assuming you're trying to block connections originating from vlan101 the config might be something like this:
What i want is to block all traffic from vlan101 to the other vlans 100,102,103, 104
I do want to allow traffic from some of the vlans 100, 104 to vlan101
Re: firewall rule to drop all traffic from one vlan address to a list of vlan addresses
When using interface lists, it doesn't matter how many "forbidden" VLANs there are, you only add interface to interface list and the rest remains the same. Can even be dynamic (e.g. via scheduled script or whatever), the firewall remains exactly the same. I guess the firewall performance might be better with interface list than with multiple firewall rules involving individual interfaces.So essentially i need so many rules, then what is use of the interface list then?
However, if there are many of "this yes, that no, that yes" combinations, it still might make sense to use individual rules to keep things more readable.
As they say, there are many ways to skin a cat ...
-
-
uberwebguru
Member Candidate
- Posts: 173
- Joined:
Re: firewall rule to drop all traffic from one vlan address to a list of vlan addresses
is it possible to block ALL traffic from vlan 101 to vlan100When using interface lists, it doesn't matter how many "forbidden" VLANs there are, you only add interface to interface list and the rest remains the same. Can even be dynamic (e.g. via scheduled script or whatever), the firewall remains exactly the same. I guess the firewall performance might be better with interface list than with multiple firewall rules involving individual interfaces.So essentially i need so many rules, then what is use of the interface list then?
However, if there are many of "this yes, that no, that yes" combinations, it still might make sense to use individual rules to keep things more readable.
As they say, there are many ways to skin a cat ...
but allow ALL traffic from vlan100 to vlan101?
is this possible?. because i noticed when block traffic one way, it blocks traffic from other way also
Re: firewall rule to drop all traffic from one vlan address to a list of vlan addresses
Sure, is perfectly possible.
Post the rules you currently use.
Post the rules you currently use.
Re: firewall rule to drop all traffic from one vlan address to a list of vlan addresses
This is easy, first of all ignore all the previous advice.
You need one rule to start with at the end of the forward chain
add action=drop chain=forward.
Now ALL VLAN traffic anywhere is blocked, DONE!
You will need to add LAN to WAN traffic or any other traffic you wish to allow.
Interface lists are BEST for whole subnets (vlans are usually whole subnets so they are good candidates).
If you have to make rules for two or more subnets that are similar in nature then the idea is to group these into interface lists.
It is best to use Firewall address lists when you have one or more IPs in a subnet (but not a full subnet) or a mix of IPs in different subnets or a combination of the IPs AND whole subnets to describe a grouping that makes sense for rules.
For an individual subnet one can use xx.xx.xx.xx/24 or its interface name vlan12 etc...........
Now POST your config when you fix up your firewall rules and interface lists and we will have a look
/export hide-sensitive file=anynameyouwish
You need one rule to start with at the end of the forward chain
add action=drop chain=forward.
Now ALL VLAN traffic anywhere is blocked, DONE!
You will need to add LAN to WAN traffic or any other traffic you wish to allow.
Interface lists are BEST for whole subnets (vlans are usually whole subnets so they are good candidates).
If you have to make rules for two or more subnets that are similar in nature then the idea is to group these into interface lists.
It is best to use Firewall address lists when you have one or more IPs in a subnet (but not a full subnet) or a mix of IPs in different subnets or a combination of the IPs AND whole subnets to describe a grouping that makes sense for rules.
For an individual subnet one can use xx.xx.xx.xx/24 or its interface name vlan12 etc...........
Now POST your config when you fix up your firewall rules and interface lists and we will have a look
/export hide-sensitive file=anynameyouwish
Re: firewall rule to drop all traffic from one vlan address to a list of vlan addresses
Any reason not to just set this up in the Bridge with vlan-filtering=yes or via the Switch menu?What i want is to block all traffic from vlan101 to the other vlans 100,102,103, 104
I do want to allow traffic from some of the vlans 100, 104 to vlan101
Re: firewall rule to drop all traffic from one vlan address to a list of vlan addresses
is it possible to block ALL traffic from vlan 101 to vlan100
but allow ALL traffic from vlan100 to vlan101?
is this possible?. because i noticed when block traffic one way, it blocks traffic from other way also
It depends how exactly you block traffic between two vlans. Take, for example, these simple rules:
Code: Select all
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=accept in-interface=vlan101 out-interface=vlan100
add chain=forward action=drop
And think about how packets are treated depending on direction and connection tracking state.
Neither raw firewall nor bridge filters can deal with it with such ease.
Re: firewall rule to drop all traffic from one vlan address to a list of vlan addresses
Good I can use your avatar to shoot you,,,,,,,,, nonsense invoking the use of complex bridge filters when standard forward chain filters sufficeth........... I hope all your gunpowder gets wet. ;-P
-
-
uberwebguru
Member Candidate
- Posts: 173
- Joined:
Re: firewall rule to drop all traffic from one vlan address to a list of vlan addresses
How do i export my config by showing only active `/ip firewall filter` rules? when i exported i am seeing rules that are disabled but will be great to show only enabled commands in config
Now POST your config when you fix up your firewall rules and interface lists and we will have a look
/export hide-sensitive file=anynameyouwish
Re: firewall rule to drop all traffic from one vlan address to a list of vlan addresses
If you know where the issues are, then why are you here?
If we want to see the whole config the please post the whole config as many parts are interrelated.
If you feel naked about it, just ensure no public IPs or public gateways are shown (be they your ISP or your VPN provider etc....)
If we want to see the whole config the please post the whole config as many parts are interrelated.
If you feel naked about it, just ensure no public IPs or public gateways are shown (be they your ISP or your VPN provider etc....)