3eff
just joined
Topic Author
Posts: 6
Joined: Tue Mar 26, 2024 6:52 pm

VLANs seems not to isolate each other

Tue Apr 02, 2024 12:24 am

Hi everyone,
I've followed (or I believe I've followed) the guide at viewtopic.php?t=143620 (section "Router-Switch-AP (all in one)") and also played with different options in order to get 2 VLANs (10, 11) working "isolated one from the other", but I can't seem to get it. The closest I've achieved is with this configuration, but I can ping and get access from VLAN 10 to 11. Can you help me?

/interface bridge
add ingress-filtering=yes name=aBridge protocol-mode=none pvid=11 vlan-filtering=yes
/interface vlan
add interface=aBridge name=VLAN10 vlan-id=10
add interface=aBridge name=VLAN11 vlan-id=11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=**** supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=**** supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=argentina disabled=no frequency=auto installation=indoor mode=\
    ap-bridge security-profile=**** ssid=2.4 vlan-id=10 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=argentina disabled=no installation=indoor mode=ap-bridge \
    security-profile=**** ssid=5.0 vlan-id=11 wireless-protocol=802.11
/ip pool
add name=VLAN10_POOL ranges=192.168.10.100-192.168.10.200
add name=VLAN11_POOL ranges=192.168.11.100-192.168.11.200
/ip dhcp-server
add address-pool=VLAN10_POOL disabled=no interface=VLAN10 name=VLAN10_DHCP
add address-pool=VLAN11_POOL disabled=no interface=VLAN11 name=VLAN11_DHCP
/interface bridge port
add bridge=aBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=aBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=aBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=10
add bridge=aBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=11
add bridge=aBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=11
add bridge=aBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=11
/interface bridge vlan
add bridge=aBridge tagged=aBridge vlan-ids=11
add bridge=aBridge tagged=aBridge vlan-ids=10
/interface list member
add interface=ether1 list=WAN
add interface=VLAN10 list=LAN
add interface=VLAN11 list=LAN
/ip address
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.11.1/24 interface=VLAN11 network=192.168.11.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="Allow established and related" connection-state=established,related
add action=accept chain=forward connection-state=new in-interface-list=LAN out-interface-list=WAN
Last edited by tangent on Tue Apr 02, 2024 7:51 am, edited 1 time in total.
Reason: wrapped config in "code" block
 
CGGXANNX
Member Candidate
Posts: 105
Joined: Thu Dec 21, 2023 6:45 pm

Re: VLANs seems not to isolate each other  [SOLVED]

Tue Apr 02, 2024 8:05 am

Your firewall filter table has no "drop" rules. So of course nothing will be blocked. Please first study:

https://help.mikrotik.com/docs/display/ ... d+Firewall

and build filter rules from there, or apply the firewall configuration from the default configuration provided by MikroTik:

/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall {
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
/ipv6 firewall {
address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}

THEN add an additional interface list named VLAN for instance, and add the two VLAN interfaces to it

/interface list
add name=VLAN
/interface list member
add interface=VLAN10 list=VLAN
add interface=VLAN11 list=VLAN

Afterwards, you can add another rule to the firewall filter table to block access from the VLAN list to the LAN list:

/ip firewall filter
add action=drop chain=forward comment="block vlan to lan" in-interface-list=VLAN out-interface-list=LAN
/ipv6 firewall filter
add action=drop chain=forward comment="block vlan to lan" in-interface-list=VLAN out-interface-list=LAN

Currently, after you've configured the VLANs, they are only isolated at the Layer 2 level. The router still routes traffic on Layer 3 unless you have drop rules in your firewall like above.
 
mkx
Forum Guru
Posts: 11744
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANs seems not to isolate each other

Tue Apr 02, 2024 9:06 am

... but I can ping and get access from VLAN 10 to 11 ...
In addition to what @CGGXANNX wrote, also note that due to how the firewall works, the router will respond to pings regardless of which of its IP addresses is being targeted (e.g. pinging the router's address in VLAN 11 from a client inside VLAN 10). It is possible to block this kind of operation, but it's really only cosmetics and IMO not worth bothering with. But one has to keep this in mind when assessing whether VLAN separation works or not.
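As an added illustration of the point made in both answers (this is example code, not code from the thread or from RouterOS), a toy Python model of filter-chain evaluation: the OP's forward chain has no drop rule, so an inter-VLAN flow falls through to accept; the suggested "block vlan to lan" rule drops it; and the input chain still answers a ping to the router's own VLAN 11 address from a VLAN 10 client. Interface names and list membership are taken from the thread; the rule tables are condensed to the matchers the model knows.

```python
# Toy model of RouterOS filter-chain evaluation, added as an illustration and
# not code from the thread or from RouterOS: rules are tried top to bottom,
# the first match decides, and a chain with no matching rule accepts.
LISTS = {"WAN": {"ether1"}, "LAN": {"VLAN10", "VLAN11"}, "VLAN": {"VLAN10", "VLAN11"}}

def in_list(iface, spec):
    """Match an interface against an interface-list name; '!' negates."""
    if spec is None:
        return True
    if spec.startswith("!"):
        return iface not in LISTS[spec[1:]]
    return iface in LISTS[spec]

def matches(rule, pkt):
    return (in_list(pkt.get("in"), rule.get("in_list"))
            and in_list(pkt.get("out"), rule.get("out_list"))
            and (rule.get("state") is None or pkt["state"] in rule["state"])
            and (rule.get("proto") is None or pkt.get("proto") == rule["proto"]))

def evaluate(chain, pkt):
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"  # nothing matched: RouterOS lets the packet through

# The OP's forward chain: one accept for LAN->WAN and no drop rule at all.
OP_FORWARD = [{"action": "accept", "state": {"new"}, "in_list": "LAN", "out_list": "WAN"}]
# Defconf forward rules condensed to the matchers this model knows (fasttrack
# and connection-nat-state omitted), plus the answer's "block vlan to lan" drop.
FIXED_FORWARD = [
    {"action": "accept", "state": {"established", "related", "untracked"}},
    {"action": "drop", "state": {"invalid"}},
    {"action": "drop", "state": {"new"}, "in_list": "WAN"},
    {"action": "drop", "in_list": "VLAN", "out_list": "LAN"},
]
# Defconf input chain, condensed; note accept-ICMP precedes the not-from-LAN drop.
INPUT = [
    {"action": "accept", "state": {"established", "related", "untracked"}},
    {"action": "drop", "state": {"invalid"}},
    {"action": "accept", "proto": "icmp"},
    {"action": "drop", "in_list": "!LAN"},
]

def forward_verdict(chain, src_if, dst_if, proto="icmp"):
    """Verdict for a new flow the router would route from src_if to dst_if."""
    return evaluate(chain, {"in": src_if, "out": dst_if, "state": "new", "proto": proto})

def router_ping_verdict(src_if, proto="icmp"):
    """A client on src_if talks to one of the router's own addresses (input chain)."""
    return evaluate(INPUT, {"in": src_if, "state": "new", "proto": proto})
```

The forward drop only covers traffic the router routes between the VLANs; a ping aimed at the router's own VLAN 11 address from VLAN 10 goes through the input chain and is answered, which is mkx's point.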
 
3eff
just joined
Topic Author
Posts: 6
Joined: Tue Mar 26, 2024 6:52 pm

Re: VLANs seems not to isolate each other

Tue Apr 02, 2024 3:17 pm

Wow! Thank you @CGGXANNX,
really appreciate your time for explaining and giving material to read: it seems I had some misunderstanding from the guide, believing that just building the VLAN interfaces I would get isolation. The last comment on the OSI layer, besides understanding the basics, really made me understand what was happening. Also @mkx's addition was good: I have all the information (a lot) but badly managed!

I will be reading all the material and testing everything in my environment, but your answers got me in the right direction.
Thank you! Have a nice week!
Juan Ignacio.
