MikroTik

Hi all,

I have multiple devices on my LAN and I am segregating them for security purposes into 3 groups using 3 VLANs (2 tagged, one untagged). All the devices are connected to a managed VLAN aware switch.

Now, I want to connect those devices to the Internet via a MTK router (I'm currently playing with a RB750Gr2). I would like to have different firewall and routing rules for each VLAN.

I could connect each VLAN to a separate port of the router and it looks that there is enough flexibility for the purpose, however, the more elegant way is to use a trunk port for all the VLANs together. It is there that I am stumped with the following issues:

1. I cannot make a filter condition based on VLAN id. There is no such field in the filters. Also I cannot use the VLAN interface as a condition, as the firewall complains that it is a slave I/F (I'm bridging the Eth I/F with the VLAN I/F's) . I obviously cannot use the source IP address also since an intruder can choose any IP address for the device.
2. I do not see how I disable the inter-VLAN routing.
3. I thought of using the DHCP server of RouterOS instead of a server, for one less point of failure. I don't see how I can use different address pools for each VLAN.

Please advise.

Thanks in advance.

i'm using a VLAN on an ethernet interface (i don't know much about bridges). then the rules i made are based on the interface in and interface out based on the VLAN.

for example if the network 192.168.99.0/24 are for "servers", then block the guest wifi from access to it.. this is the rule i put in.

Code: Select all

/ip firewall filter
add action=reject chain=forward comment=">>>>> BLOCK VLAN-GWIFI fr SERVERS" \
    dst-address=192.168.99.0/24 in-interface=VLAN-GWIFI

VLAN-GWIFI is from..

Code: Select all

/interface vlan
add interface=ether3 name=VLAN-GWIFI vlan-id=44