Hi all,
I have multiple devices on my LAN and I am segregating them for security purposes into 3 groups using 3 VLANs (2 tagged, one untagged). All the devices are connected to a managed VLAN aware switch.
Now, I want to connect those devices to the Internet via a MTK router (I'm currently playing with a RB750Gr2). I would like to have different firewall and routing rules for each VLAN.
I could connect each VLAN to a separate port of the router and it looks that there is enough flexibility for the purpose, however, the more elegant way is to use a trunk port for all the VLANs together. It is there that I am stumped with the following issues:
1. I cannot make a filter condition based on VLAN id. There is no such field in the filters. Also I cannot use the VLAN interface as a condition, as the firewall complains that it is a slave I/F (I'm bridging the Eth I/F with the VLAN I/F's) . I obviously cannot use the source IP address also since an intruder can choose any IP address for the device.
2. I do not see how I disable the inter-VLAN routing.
3. I thought of using the DHCP server of RouterOS instead of a server, for one less point of failure. I don't see how I can use different address pools for each VLAN.
Please advise.
Thanks in advance.
-
-
tholderbaum
newbie
- Posts: 38
- Joined:
- Location: Tampa, Florida
- Contact:
Re: Security & VLAN
I resolved this by using bridges. Create a bridge for each VLAN. Then add each VLAN into the respective bridge as a port. From there, assign the IP address to the bridge for each VLAN.Hi all,
I have multiple devices on my LAN and I am segregating them for security purposes into 3 groups using 3 VLANs (2 tagged, one untagged). All the devices are connected to a managed VLAN aware switch.
Now, I want to connect those devices to the Internet via a MTK router (I'm currently playing with a RB750Gr2). I would like to have different firewall and routing rules for each VLAN.
I could connect each VLAN to a separate port of the router and it looks that there is enough flexibility for the purpose, however, the more elegant way is to use a trunk port for all the VLANs together. It is there that I am stumped with the following issues:
1. I cannot make a filter condition based on VLAN id. There is no such field in the filters. Also I cannot use the VLAN interface as a condition, as the firewall complains that it is a slave I/F (I'm bridging the Eth I/F with the VLAN I/F's) . I obviously cannot use the source IP address also since an intruder can choose any IP address for the device.
2. I do not see how I disable the inter-VLAN routing.
3. I thought of using the DHCP server of RouterOS instead of a server, for one less point of failure. I don't see how I can use different address pools for each VLAN.
Please advise.
Thanks in advance.
By segregating each VLAN with a unique IP address, you can then use IP Firewall filters to control inter VLAN routing.
What I do is create an Approved Address list for each VLAN,
Then I create three filter rules for each VLAN:
Rule Number 1: All traffic From VLAN1-Adddress-List to talk to VLAN1-Addresss-List
Rule number 2: Allow traffic from VLAN1-Address-List to talk to The Internet Interface
Rule Number 3: Drop all traffic from VLAN1/Bridge1 that is !VLAN1/Bridge1
Re: Security & VLAN
Thanks for the detailed answer !
Can you please clarify the following points :
Will the bridge ports include the physical ethernet port or have only one entry, i.e. the VLAN. If only the VLAN, why the bridge at all ? Else, if the ethernet is included, can I drop untagged frames at the bridge ?
In general I saw the VLAN bridge examples and I did not understand the need for a bridge - in my tests I can attach an IP address to the VLAN interface itself, and I could ping that.
Is there any definition to be made at the switch level ?
Thanks again
Can you please clarify the following points :
Will the bridge ports include the physical ethernet port or have only one entry, i.e. the VLAN. If only the VLAN, why the bridge at all ? Else, if the ethernet is included, can I drop untagged frames at the bridge ?
In general I saw the VLAN bridge examples and I did not understand the need for a bridge - in my tests I can attach an IP address to the VLAN interface itself, and I could ping that.
Is there any definition to be made at the switch level ?
Thanks again
Re: Security & VLAN
This is very clear. I thought I tested that and failed. Will check again. Thanksi'm using a VLAN on an ethernet interface (i don't know much about bridges). then the rules i made are based on the interface in and interface out based on the VLAN.
for example if the network 192.168.99.0/24 are for "servers", then block the guest wifi from access to it.. this is the rule i put in.
Code: Select all/ip firewall filter add action=reject chain=forward comment=">>>>> BLOCK VLAN-GWIFI fr SERVERS" \ dst-address=192.168.99.0/24 in-interface=VLAN-GWIFI
VLAN-GWIFI is from..
Code: Select all/interface vlan add interface=ether3 name=VLAN-GWIFI vlan-id=44
Sent from my Mi A1 using Tapatalk