I'm struggling with vlan filtering and vlan isolation with the new bridge.
My rb750gr3 config:
- ether1: pppoe wan port
- ether2-5 are bridged together
- ether2-5 are trunk ports that can carry VLANs to the managed switch
- PVID1 is untagged for bridge, ether2-5
- all other vlan ids are tagged for bridge, ether2-5
- vlan filtering is switched on
My question is:
- Shouldn't this setup isolate VLANs automatically without any firewall rules?
- My understanding is that VLAN filtering keeps VLAN tags intact.
- Currently I can ping devices in other VLANs.
My config:
# RouterOS export from the rb750gr3 described in the post. The '#' lines are
# reviewer notes; every configuration line is left exactly as exported.
#
# Short answer to the question asked: bridge vlan-filtering isolates VLANs at
# layer 2 only. This router also holds an IP address inside every VLAN (see
# /ip address) and its forward chain never restricts LAN-to-LAN traffic (see
# /ip firewall filter), so the router itself routes between the VLANs.
# Isolation needs a forward-chain rule, not a change to the bridge setup.
/interface bridge
# vlan-filtering=yes: frames are kept inside their own VLAN within the bridge.
# admin-mac is redacted in the post.
add admin-mac=*:*:*:*:*:* auto-mac=no name=bridge vlan-filtering=yes
/interface pppoe-client
# WAN uplink on ether1; credentials are redacted in the post.
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=*********** service-name=**** use-peer-dns=yes user=***********
/interface vlan
# One layer-3 interface per tagged VLAN on top of the bridge. Each one is
# given a gateway address under /ip address below, which is what makes the
# router a routing hop between the VLANs.
add interface=bridge name=VLAN110 vlan-id=110
add interface=bridge name=VLAN111 vlan-id=111
add interface=bridge name=VLAN112 vlan-id=112
add interface=bridge name=VLAN113 vlan-id=113
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
# 10.1.7.0/24 is the untagged (VLAN 1) network on the bridge itself;
# 10.1.0.0/24 .. 10.1.3.0/24 belong to VLAN110 .. VLAN113.
add name=pool-root ranges=10.1.7.100-10.1.7.254
add name=pool0-security ranges=10.1.0.100-10.1.0.254
add name=pool1-primary ranges=10.1.1.100-10.1.1.254
add name=pool2-secondary ranges=10.1.2.100-10.1.2.254
add name=pool3-guest ranges=10.1.3.100-10.1.3.254
/ip dhcp-server
# "dhcp" serves the untagged bridge network; dhcp0-dhcp3 serve the VLAN
# interfaces. Per /ip dhcp-server network below, clients in every VLAN are
# handed the router as their gateway.
add address-pool=pool-root disabled=no interface=bridge name=dhcp
add address-pool=pool0-security disabled=no interface=VLAN110 name=dhcp0
add address-pool=pool1-primary disabled=no interface=VLAN111 name=dhcp1
add address-pool=pool2-secondary disabled=no interface=VLAN112 name=dhcp2
add address-pool=pool3-guest disabled=no interface=VLAN113 name=dhcp3
/interface bridge port
# No pvid is set, so each port uses the default PVID (1): untagged frames
# arriving on ether2-5 land in VLAN 1, matching the untagged= entry below.
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/interface bridge vlan
# VLAN 1 is the native/untagged VLAN on every trunk port and also carries the
# bridge's own 10.1.7.1 address. NOTE(review): any device plugged into an
# untagged switch port therefore ends up in the router's "Root" network --
# confirm that is intended.
# 110-113 are tagged on every port and on the bridge itself; the bridge entry
# is what lets the VLAN110-VLAN113 interfaces above receive tagged frames.
add bridge=bridge comment=Root untagged=bridge,ether2,ether3,ether4,ether5 \
vlan-ids=1
add bridge=bridge comment=Security tagged=bridge,ether2,ether3,ether4,ether5 \
vlan-ids=110
add bridge=bridge comment=Primary tagged=bridge,ether2,ether3,ether4,ether5 \
vlan-ids=111
add bridge=bridge comment=Secondary tagged=bridge,ether2,ether3,ether4,ether5 \
vlan-ids=112
add bridge=bridge comment=Guest tagged=bridge,ether2,ether3,ether4,ether5 \
vlan-ids=113
/interface list member
# ether1 and pppoe-out1 form WAN; the bridge and all four VLAN interfaces
# form LAN. The filter rules below only ever reference the WAN list.
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
add interface=VLAN110 list=LAN
add interface=VLAN111 list=LAN
add interface=VLAN112 list=LAN
add interface=VLAN113 list=LAN
/ip address
# The router is a member of all five networks. A ping from a VLAN110 host to
# a VLAN111 host goes to 10.1.0.1, is routed, and re-enters the bridge tagged
# 111. Layer-2 VLAN filtering is not bypassed; the crossing happens at
# layer 3, on this router.
add address=10.1.7.1/24 interface=bridge network=10.1.7.0
add address=10.1.0.1/24 interface=VLAN110 network=10.1.0.0
add address=10.1.1.1/24 interface=VLAN111 network=10.1.1.0
add address=10.1.2.1/24 interface=VLAN112 network=10.1.2.0
add address=10.1.3.1/24 interface=VLAN113 network=10.1.3.0
/ip dhcp-server network
# Every network hands out the router's own address as DNS server. The
# /ip dns section is not part of this export -- verify the resolver is not
# also answering queries arriving on the WAN side (see the input-chain note).
add address=10.1.0.0/24 dns-server=10.1.0.1 domain=secure.mynetwork.net gateway=\
10.1.0.1
add address=10.1.1.0/24 dns-server=10.1.1.1 domain=primary.mynetwork.net gateway=\
10.1.1.1
add address=10.1.2.0/24 dns-server=10.1.2.1 domain=secondary.mynetwork.net \
gateway=10.1.2.1
add address=10.1.3.0/24 dns-server=10.1.3.1 domain=guest.mynetwork.net gateway=\
10.1.3.1
add address=10.1.7.0/24 dns-server=10.1.7.1 domain=mynetwork.net gateway=10.1.7.1 \
netmask=24
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# NOTE(review): this chain ends after "accept ICMP" with no final drop, so
# any service the router listens on is reachable via pppoe-out1 unless
# something outside this export blocks it (RouterOS accepts a packet that
# matches no rule). The stock defconf closes the chain with
#   add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# which is absent here.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes log-prefix="[INVALID]"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# --- forward chain: traffic routed through the router ---
# This is why the VLANs are not isolated: none of these rules matches a new
# connection between two LAN interfaces. The only drop for new traffic is
# the WAN-sourced one at the end, so VLAN-to-VLAN connections fall off the
# end of the chain and are accepted by default. To isolate the VLANs, add
# after the established/related accept a rule such as
#   add action=drop chain=forward comment="drop inter-VLAN" connection-state=new in-interface-list=LAN out-interface-list=LAN
# and put explicit accept rules above it for any cross-VLAN traffic that is
# wanted. The fasttrack rule does not interfere: it only acts on
# established/related connections, so the first packet of a new connection
# still walks the chain and hits the drop.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix="[INVALID]"
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix="[!NAT]"
/ip firewall nat
# Source NAT for everything leaving via the WAN list (ipsec-policy=out,none
# keeps IPsec-policied traffic out of the masquerade).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN