
Block traffic between VLAN

Posted: Wed Mar 27, 2019 6:08 pm
by beginer0504
Hi guys,

I have problems when configuring VLANs on a MikroTik router.
I have 10 VLANs: 10 -> 20.
I want to block traffic between the VLANs,
but I have written too many rules and it doesn't work.

Please help me.
Thanks,


/ip firewall filter
add action=drop chain=forward comment="Block access between VLAN 11 and other VLANs" \
dst-address-list=VLAN12 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN13 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN14 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN15 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN16 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN17 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN18 src-address-list=VLAN11
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN11
add action=drop chain=forward comment="Block access between VLAN 12 and other VLANs" \
dst-address-list=VLAN13 src-address-list=VLAN12
add action=drop chain=forward dst-address-list=VLAN14 src-address-list=VLAN12
add action=drop chain=forward dst-address-list=VLAN15 src-address-list=VLAN12
add action=drop chain=forward dst-address-list=VLAN16 src-address-list=VLAN12
add action=drop chain=forward dst-address-list=VLAN17 src-address-list=VLAN12
add action=drop chain=forward dst-address-list=VLAN18 src-address-list=VLAN12
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN12
add action=drop chain=forward comment="Block access between VLAN 13 and other VLANs" \
dst-address-list=VLAN14 src-address-list=VLAN13
add action=drop chain=forward dst-address-list=VLAN15 src-address-list=VLAN13
add action=drop chain=forward dst-address-list=VLAN16 src-address-list=VLAN13
add action=drop chain=forward dst-address-list=VLAN17 src-address-list=VLAN13
add action=drop chain=forward dst-address-list=VLAN18 src-address-list=VLAN13
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN13
add action=drop chain=forward comment="Block access between VLAN 14 and other VLANs" \
dst-address-list=VLAN15 src-address-list=VLAN14
add action=drop chain=forward dst-address-list=VLAN16 src-address-list=VLAN14
add action=drop chain=forward dst-address-list=VLAN17 src-address-list=VLAN14
add action=drop chain=forward dst-address-list=VLAN18 src-address-list=VLAN14
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN14
add action=drop chain=forward comment="Block access between VLAN 15 and other VLANs" \
dst-address-list=VLAN16 src-address-list=VLAN15
add action=drop chain=forward dst-address-list=VLAN17 src-address-list=VLAN15
add action=drop chain=forward dst-address-list=VLAN18 src-address-list=VLAN15
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN15
add action=drop chain=forward comment="Block access between VLAN 16 and other VLANs" \
dst-address-list=VLAN17 src-address-list=VLAN16
add action=drop chain=forward dst-address-list=VLAN18 src-address-list=VLAN16
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN16
add action=drop chain=forward comment="Block access between VLAN 17 and other VLANs" \
dst-address-list=VLAN18 src-address-list=VLAN17
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN17
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN18

Re: Block traffic between VLAN

Posted: Wed Mar 27, 2019 6:27 pm
by k6ccc
Instead of explicitly blocking each VLAN, block everything with a "not interface" match (note the exclamation point before the interface name):
add action=drop chain=forward comment=\
    "Block all interfaces except internet from VLAN 10" out-interface=\
    !E1-p10_DSL_Internet in-interface=VLAN_10
You would obviously need whatever filtering in front of this, but this would prevent anything from VLAN 10 from getting to any other LAN except the internet. You still need a similar rule for each VLAN, but it's only one per VLAN rather than a dozen (or whatever) per VLAN.

Someone else may come up with something cleaner....

Re: Block traffic between VLAN

Posted: Wed Mar 27, 2019 6:34 pm
by anav
Clean way.
/ip firewall filter
{input chain}
allow established related
block invalid
allow icmp
allow admin to router
allow lan requests for DNS tcp/udp
drop all else
{forward chain}
fasttrack allow established related
allow established related
+++++++++++++++++++++++++
drop all else.

With this setup you have no traffic to the internet or between Lans at layer 3. Layer 2 is blocked by virtue of traffic being separated by vlans.
Where the +++++++++++++++++++++++++++ is located is where you want to put what is allowed as everything is blocked by the last rule.

examples
allow port forwarding
allow homelan to WAN
allow VLANS to WAN
(for a group rule, it is easier to create an interface list for all the VLANs and then apply the rule using the interface list)
add action=accept chain=forward in-interface-list=vlan_list out-interface=eth1-wan

The drop rule looks like
add action=drop chain=forward (very simple)

Re: Block traffic between VLAN

Posted: Wed Apr 03, 2019 11:17 am
by user8FJHFKFG8
I am wondering a similar thing. I really like the clean way as things getting complicated has really been bugging me. I have noticed my VLAN wants to talk to itself a lot, where I have a rule accept forward VLAN18 in and VLAN18 out. No idea why.

As for
allow homelan to WAN
allow VLANS to WAN
that would be as simple as allow forward WAN (interface group), I guess, with an in-interface if I want to restrict it to specific VLANs.

To allow port forwards, I can just edit the last rule to add !dstnat, correct?

Thinking about how to communicate from my trusted VLAN to the untrusted VLAN, say if I had a printer on the untrusted VLAN. I guess the best way is just two separate /24 networks connected by the router; the only thing is I wouldn't be able to broadcast to the untrusted domain (?)
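The "allow what you want, drop the rest" layout anav sketches above, written out as a complete RouterOS rule set, including the port-forward accept and the VLAN-to-WAN accept asked about in the post just above. This is an added example, not configuration posted by anyone in the thread. Everything named here is an assumption: ether1 is the internet uplink, the VLAN interfaces are vlan10 to vlan20 on bridge1, vlan10 is the management VLAN, 192.168.18.10 is a printer on vlan18, and the interface lists WAN and VLANS are invented for the example.

```routeros
# Added example, not from the thread. Assumed names: ether1 = WAN uplink,
# bridge1 = LAN bridge, vlan10..vlan20 = VLAN interfaces on that bridge,
# vlan10 = management VLAN, 192.168.18.10 = printer on vlan18.

# Interface lists so the rules do not have to name every VLAN.
/interface list
add name=WAN
add name=VLANS
/interface list member
add interface=ether1 list=WAN
:for id from=10 to=20 do={
    /interface list member add interface=("vlan" . $id) list=VLANS
}

/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add chain=input action=accept connection-state=established,related \
    comment="replies to what the router itself asked for"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping/traceroute"
add chain=input action=accept in-interface-list=VLANS protocol=udp dst-port=53 \
    comment="LAN clients may use the router as DNS resolver"
add chain=input action=accept in-interface-list=VLANS protocol=tcp dst-port=53
add chain=input action=accept in-interface=vlan10 protocol=tcp dst-port=22,8291 \
    comment="SSH/WinBox only from the management VLAN"
add chain=input action=drop comment="drop all else to the router"

# ---- forward chain: traffic routed through the router ----
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack flows that were already accepted"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# +++++ everything you want to allow goes between here and the final drop +++++
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN \
    comment="port forwards: only flows that a dst-nat rule rewrote"
add chain=forward action=accept in-interface-list=VLANS out-interface-list=WAN \
    comment="every VLAN may reach the internet"
add chain=forward action=accept in-interface=vlan10 out-interface=vlan18 \
    dst-address=192.168.18.10 protocol=tcp dst-port=9100 \
    comment="trusted VLAN may print; replies return via established/related"
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add chain=forward action=drop comment="default deny: VLAN-to-VLAN and anything else"

# Check: with a ping running from vlan12 to a host in vlan11, the packet
# counter of the final drop rule rises and nothing else needs a rule.
/ip firewall filter print stats where chain=forward
```

Two things the ordering depends on: the established/related accept sits before every drop, so an exception rule only has to match the first packet of a flow and the printer's replies come back without a rule of their own; and the port-forward accept uses connection-nat-state=dstnat rather than a "!dstnat" on the final drop, so the final drop stays unconditional and nothing slips through it. With this layout the per-pair drop lists from the first post are not needed at all.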

Re: Block traffic between VLAN

Posted: Wed Apr 03, 2019 12:30 pm
by solar77
I think this will block traffic between any IP that is assigned to a local interface, except within the same bridge.
/ip firewall filter
add chain=forward src-address-type=local dst-address-type=local action=drop

Re: Block traffic between VLAN

Posted: Wed Apr 03, 2019 6:03 pm
by Sob
@solar77: src-address-type=local means addresses assigned directly to the router. So it will stop the router talking to itself, but not traffic between VLANs.

If "allow what I want and block the rest" (as presented by anav) is not good for someone for any reason, there's also in/out-interface=all-vlan, so you can have:
/ip firewall filter
add chain=forward in-interface=all-vlan out-interface=all-vlan action=drop
And all not previously allowed traffic between vlans will be blocked.
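The two "block inter-VLAN traffic explicitly" variants from this thread, k6ccc's per-VLAN "not out-interface" rule and Sob's single all-vlan rule, shown together with the accept rules that have to sit in front of them. This is an added example, not configuration from any post. It also addresses why the rule list in the first post leaves gaps: every pair is matched in one direction only (VLAN11 to VLAN12 but never VLAN12 to VLAN11), and some pairs are absent, so a flow opened from the unlisted side is never matched by a drop. Assumptions as in the earlier example: vlan10 to vlan20 exist, ether1 is the uplink, and 192.168.18.10 is a printer on vlan18.

```routeros
# Added example, not from the thread. Assumes vlan10..vlan20 exist, ether1 is
# the internet uplink and 192.168.18.10 is a printer on vlan18.

/ip firewall filter
# Replies to flows you have already allowed must be accepted before any drop,
# otherwise the return half of a permitted connection is blocked.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid

# Exceptions go before the blanket drop. They only need to match the first
# packet of a flow, because the reply comes back through the rule above.
add chain=forward action=accept in-interface=vlan10 out-interface=vlan18 \
    dst-address=192.168.18.10 protocol=tcp dst-port=9100 \
    comment="trusted VLAN -> printer"

# Option 1 (Sob): one rule covering every VLAN interface on the router.
# all-vlan matches interfaces of type vlan, so new VLANs are covered
# automatically and both directions of every pair are matched.
add chain=forward action=drop in-interface=all-vlan out-interface=all-vlan \
    log=yes log-prefix="inter-vlan-drop" \
    comment="drop remaining traffic between any two VLANs"

# Option 2 (k6ccc): one rule per VLAN that allows only the uplink as exit.
# Use one option or the other; both are shown for comparison.
# Note the ! before ether1: "any out-interface except ether1".
:for id from=10 to=20 do={
    /ip firewall filter add chain=forward action=drop \
        in-interface=("vlan" . $id) out-interface=!ether1 \
        comment=("vlan" . $id . ": drop all but internet")
}

# Verify from a host in vlan12: a TCP connection to a host in vlan11 fails,
# the all-vlan rule's counters increase, and the drop shows up in the log.
/ip firewall filter print stats where comment~"drop remaining"
/log print where message~"inter-vlan-drop"
```

Neither option touches traffic that stays inside one VLAN (that never reaches the forward chain) or traffic leaving for the internet, which is what the posts above intend. The log-prefix on the all-vlan rule is optional; it is there so that a host unexpectedly trying to cross VLANs is visible without running a packet capture.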

Re: Block traffic between VLAN

Posted: Wed Apr 03, 2019 6:25 pm
by solar77
@Sob, thanks for the correction.

If each subnet/VLAN is masqueraded behind the IP of its interface, would this rule block traffic between them?

Re: Block traffic between VLAN

Posted: Wed Apr 03, 2019 9:11 pm
by Sob
If you mean yours, then no, because the forward chain comes before srcnat. There the destination is a non-local address (either what the client wanted, or where dstnat sent it) and the source is a non-local address too.

Re: Block traffic between VLAN

Posted: Wed Apr 03, 2019 9:18 pm
by solar77
Thanks Sob for the further explanation. Much appreciated!