
how to isolate vlan

Posted: Fri Apr 13, 2012 3:38 pm
by andron26
Hi,

I'm a newbie in MikroTik. I connected 2 computers to an HP ProCurve 2626 switch with configured VLANs.
One PC belongs to VLAN 2, the other to VLAN 4. Both have access to the internet and both see each other. Please advise how to isolate the computers.
My config:

HP port 2: vlan2 untagged
HP port 4: vlan4 untagged
HP port 26: vlan2, vlan4 tagged, connected to MikroTik ether2

ether1 is connected to the internet.

[admin@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME     TYPE    MTU   L2MTU  MAX-L2MTU
 0  R  ether1   ether   1500
 1  R  ether2   ether   1500
 2  R  vlan2    vlan    1500
 3  R  vlan4    vlan    1500

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK        INTERFACE
 0   192.168.3.171/24    192.168.3.0    ether1
 1   192.168.2.1/24      192.168.2.0    vlan2
 2   192.168.4.1/24      192.168.4.0    vlan4

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #       DST-ADDRESS        PREF-SRC         GATEWAY          DISTANCE
 0 A S   0.0.0.0/0                           192.168.3.254           1
 1 ADC   192.168.2.0/24     192.168.2.1      vlan2                   0
 2 ADC   192.168.3.0/24     192.168.3.171    ether1                  0
 3 ADC   192.168.4.0/24     192.168.4.1      vlan4                   0

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=src-nat to-addresses=192.168.3.171 src-address=192.168.2.0/24
 1   chain=srcnat action=src-nat to-addresses=192.168.3.171 src-address=192.168.4.0/24

Re: how to isolate vlan

Posted: Fri Apr 13, 2012 8:42 pm
by tws101
This will isolate them.

/ip firewall filter
# one drop rule per direction; RouterOS expects the full src-address= / dst-address= parameter names
add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.4.0/24
add chain=forward action=drop src-address=192.168.4.0/24 dst-address=192.168.2.0/24

Re: how to isolate vlan

Posted: Sat Apr 14, 2012 7:13 pm
by andron26
Thx,

But if I have more than 2 VLANs, do I have to isolate them in such a way? There will be a lot of rules, each network isolated from the others.

Re: how to isolate vlan

Posted: Mon Apr 16, 2012 8:51 pm
by tws101
The chain may need to be input instead of forward.

But, yes, you will need a lot of rules.
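The rule count does not have to grow with the square of the VLAN count. As an added example (not tws101's or the original poster's configuration), the pairwise drop rules above collapse into a single forward-chain rule once the VLAN subnets are kept in a RouterOS address list; routed traffic between VLANs traverses the forward chain, so that is where the rule belongs. The subnets are the ones from this thread; the list name `vlan-nets` is an assumption.

```routeros
# Added example: one address list holding every VLAN subnet, then a single
# forward-chain rule that drops any VLAN-to-VLAN traffic.
# The list name "vlan-nets" is an assumption; the subnets match the thread.
/ip firewall address-list
add list=vlan-nets address=192.168.2.0/24 comment="vlan2"
add list=vlan-nets address=192.168.4.0/24 comment="vlan4"
# A new VLAN is one more entry here, not a new pair of filter rules.

/ip firewall filter
# Source in any VLAN subnet AND destination in any VLAN subnet -> drop.
# Hosts inside one subnet talk to each other through the switch and never
# reach the router's forward chain, so a list matching its own subnet does
# not break intra-VLAN traffic.
add chain=forward src-address-list=vlan-nets dst-address-list=vlan-nets action=drop comment="block inter-VLAN"
# Internet-bound packets have a destination outside the list, so this rule
# does not match them and NAT to the WAN keeps working.
```

The rule is symmetric (both the source and the destination must be in the list), so no separate established/related accept is needed in front of it for the internet traffic: those flows have a destination outside the list and are never matched. Check it with `/ip firewall filter print stats` while pinging from one VLAN to another; the packet counter on the "block inter-VLAN" rule should climb and the ping should fail.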

Re: how to isolate vlan

Posted: Mon May 28, 2012 8:51 pm
by bdlsoluciones
Thx,

But if I have more than 2 VLANs, do I have to isolate them in such a way? There will be a lot of rules, each network isolated from the others.
I fixed it with one rule per VLAN:

/ip firewall filter
# dst-address=192.168.7.0/16 is the whole 192.168.0.0/16 range, so this one rule
# stops vLan7 from reaching every other 192.168.x.0/24 VLAN
add chain=forward action=drop in-interface=vLan7 dst-address=192.168.7.0/16

Internet access still works.

Re: how to isolate vlan

Posted: Mon May 28, 2012 9:30 pm
by CelticComms
It sounds as if you do not have a drop all default rule in your forward chain. Maybe that is OK if you have a firewall upstream. Is there?

If not, you would be better to:

1) Allow forwarding when the out interface is your WAN connection.
2) Allow forwarding for Established and Related connections.
3) Drop everything else in the forward chain.

You could also replace the two src-nat entries with a single masquerade entry when the out interface is the WAN connection.

Re: how to isolate vlan

Posted: Mon May 28, 2012 11:41 pm
by g18c
Hi, I also had the same issue: my VLANs were forwarding, and everything seems to be accepted by default. Is there a default recommended setup to only allow associated connections, etc.?

Many thanks

Re: how to isolate vlan

Posted: Tue May 29, 2012 1:21 am
by CelticComms
Typically everything *is* accepted by default unless one of the Quick Set selections has been made. If one has a RouterBOARD with both LAN and internet connections, then in most cases there should be a drop-all rule at the end of the rules in the input and forward chains; otherwise it is hardly a firewall!

A drop-all rule in the forward chain will isolate the VLANs. It will also stop various other forms of potentially desirable routing, so in addition to the drop-all rule you will need appropriate accept rules in the forward chain higher up the priority list than the drop-all rule.

Re: how to isolate vlan

Posted: Tue May 29, 2012 8:53 am
by g18c
Thanks CelticComms, really good info in a couple of paragraphs!

I didn't read that in the getting started guide; it would be good if it were there.

Any other rules (such as preventing non-routable destination addresses coming in from the WAN), flood attack prevention, etc.?

Basically any other rules/settings to get the box up and running as a firewall.

Cheers

Re: how to isolate vlan

Posted: Tue May 29, 2012 1:47 pm
by CelticComms
Have a look at:

http://wiki.mikrotik.com/wiki/Firewall

For a firewall where clients are to be allowed to initiate connections to WAN destinations, the essential forward chain control method is:

Allow LAN clients to initiate New Connections to the WAN
Allow the WAN to reply on Established Connections and Related Connections
Drop the rest

By controlling who can create new connections, the typical asymmetric behaviour of a firewall is created.

If the forward chain does not drop unwanted traffic, then the firewall may appear to work as soon as a masquerade rule is set, but the "firewall" is not secure. If somebody knows the private address range on the LAN and has access to the WAN interface, they could still send traffic to your LAN!
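The three-step policy described in the two CelticComms posts above (allow LAN to open new connections to the WAN, allow established/related replies, drop the rest), with the masquerade rule that replaces the two src-nat entries, written out as an added example on the original poster's interface names (ether1 = WAN, vlan2 and vlan4 = LAN). This is not CelticComms's or the poster's running configuration; the rule comments are mine.

```routeros
# Added example: default-deny forward chain plus a minimal input chain,
# using the interfaces from the first post (ether1 = WAN, vlan2/vlan4 = LAN).
# Rule order matters: RouterOS evaluates top to bottom, first match wins.

/ip firewall filter
# Replies belonging to a connection that was already accepted may pass in
# either direction. This must come before any drop rule, otherwise return
# traffic for permitted internet connections is killed too.
add chain=forward connection-state=established,related action=accept comment="replies to accepted connections"
# Packets that connection tracking cannot tie to any flow are dropped.
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# Each LAN VLAN may open NEW connections, but only towards the WAN interface.
# There is deliberately no rule allowing vlan2 -> vlan4 or vlan4 -> vlan2.
add chain=forward connection-state=new in-interface=vlan2 out-interface=ether1 action=accept comment="vlan2 -> internet"
add chain=forward connection-state=new in-interface=vlan4 out-interface=ether1 action=accept comment="vlan4 -> internet"
# Everything else: inter-VLAN traffic, and anything arriving from ether1
# that is not a reply, even if the sender knows the 192.168.x.0/24 ranges.
add chain=forward action=drop comment="forward default drop"

# Same idea for traffic aimed at the router itself (management, DNS, etc.).
add chain=input connection-state=established,related action=accept comment="replies to router-initiated traffic"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# Only the LAN side may start connections to the router; "!" negates the match.
add chain=input in-interface=!ether1 action=accept comment="router reachable from LAN VLANs only"
add chain=input action=drop comment="input default drop"

# One masquerade rule keyed on the outgoing interface replaces the two
# src-nat rules from the first post and survives a change of ether1's address.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="NAT to internet"
```

After applying this, verify from a PC in vlan2 that the internet still works, that a ping to a host in 192.168.4.0/24 fails, and that `/ip firewall filter print stats` shows the "forward default drop" counter increasing while the ping runs. Add the input rule accepting from `!ether1` before the input drop, or you will lock yourself out of Winbox/SSH on the LAN side.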

Re: how to isolate vlan

Posted: Sun Dec 04, 2016 10:35 am
by helipos
Thread mining, I know...

But just for anyone else looking to block intervlan routing.
If your VLANs are well laid out, e.g.
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24
192.168.5.0/24

and you want to stop routing between them, this worked for me pretty well. Just implement it on the router that is doing the NATing.

/ip firewall filter
add action=drop chain=forward dst-address=192.168.0.0/16 src-address=192.168.0.0/16