Vlans are able to communicate with each other

bladermen
Level 1

Hello, I have a small problem with my home net.

This is my example -> router (Mikrotik) -> switch(Cbs350)->Wired connection | Wifi Connection(TP-Link Deco M4 -> access points)

And now, on the switch I have configured 3 VLANs 110, 120, 130 (Home, Guest, IoT), and what I want to do is separate the WiFi connection which is on ports 14 and 16 (2 mesh devices). What I've done is switch ports 14 and 16 are in access mode with VLAN 130, and this works fine because my access points have IPs like 10.10.130.X. But I have a different problem because all 3 VLANs are able to communicate with each other and I don't know why. I can easily ping a device with IP 10.10.110.X from a device with IP 10.10.130.X.

Why is simple addressing on VLANs not working properly as I think it should?


5 Replies

Hello,

which device does the inter-VLAN routing, the CBS or the Mikrotik? Either way, unless you specifically prohibit inter-VLAN access (by using access lists), all VLANs by default can communicate with each other...

I think that the Mikrotik does the inter-VLAN routing because on switch port 1 I have trunk mode with all listed VLANs, but I'm not sure, sorry, I'm a newbie in this area.
Can you help me configure this ACL?
Previously I made some tests with extended ACLs but the result is the same as at the beginning, so I think that I did something wrong.

bladermen
Level 1

Anyone know how to do this?

Hello,

I think this is how you do it:

To configure access lists on a MikroTik router to prevent VLANs from communicating with each other, you can use firewall rules.

Access the MikroTik Router: Log in to your MikroTik router using the Winbox or Webfig interface.

Navigate to Firewall Configuration:

In Winbox, go to IP > Firewall.
In Webfig, go to IP > Firewall.
Create Firewall Filter Rules:

Click on the "+ Add New" button to create a new firewall rule.
Set the chain to "forward".
Set the source address to the VLAN subnet you want to block communication from.
Set the destination address to the VLAN subnet you want to block communication to.
Set the action to "drop" or "reject".
Click "OK" to add the rule.
Repeat for Each VLAN Pair: Repeat the above steps for each pair of VLANs that you want to prevent from communicating with each other.

Apply the Configuration: After creating the firewall rules for all VLAN pairs, make sure to apply the configuration changes.

Test Connectivity: Test the connectivity between VLANs to ensure that communication is blocked according to your configuration.

Here's an example of what a firewall rule might look like in the MikroTik firewall configuration:

/ip firewall filter
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=drop

In this example, communication from VLAN 192.168.1.0/24 to VLAN 192.168.2.0/24 will be dropped.
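An added configuration example, not part of the original thread or of any poster's actual setup, that generalises the single pairwise rule above to the three VLANs described in the question. It assumes the subnets are 10.10.110.0/24, 10.10.120.0/24 and 10.10.130.0/24 (the OP only gives 10.10.1x0.X addresses, so the /24 masks are an assumption) and uses a made-up address-list name, lan-vlans. One rule matching both the source and the destination against the list drops every inter-VLAN direction at once, so you do not need one rule per ordered pair (the pairwise rule above only blocks 192.168.1.0/24 to 192.168.2.0/24, not the reverse). The established,related accept placed above it keeps return traffic flowing for any exception you decide to allow, and the log option gives you a quick way to confirm in the log which flows are being stopped.

```routeros
# Constructed example: block forwarding between three VLAN subnets on a
# MikroTik router doing router-on-a-stick. Subnet masks and the list name
# "lan-vlans" are assumptions, not values taken from the thread.

/ip firewall address-list
add list=lan-vlans address=10.10.110.0/24 comment="Home VLAN 110"
add list=lan-vlans address=10.10.120.0/24 comment="Guest VLAN 120"
add list=lan-vlans address=10.10.130.0/24 comment="IoT VLAN 130"

/ip firewall filter
# 1) Let replies for already-accepted connections through, so any exception
#    you add below only has to allow the initiating direction.
add chain=forward connection-state=established,related action=accept \
    comment="allow return traffic of accepted flows"

# 2) Optional exception, kept commented out: let the Home VLAN reach IoT
#    devices while IoT still cannot initiate anything toward Home. If you
#    enable it, it must stay above the drop rule.
# add chain=forward src-address=10.10.110.0/24 dst-address=10.10.130.0/24 \
#     action=accept comment="Home -> IoT allowed"

# 3) Drop everything else that is routed from one listed VLAN to another.
#    Traffic to the Internet does not match because its destination is not
#    in the list, so it is unaffected.
add chain=forward src-address-list=lan-vlans dst-address-list=lan-vlans \
    action=drop log=yes log-prefix="inter-vlan-drop" \
    comment="block all inter-VLAN traffic"
```

Rule order is what makes this work: RouterOS evaluates the forward chain top to bottom and stops at the first match, so if the router already has a broad accept rule in the forward chain these rules must sit above it. Check the resulting order with `/ip firewall filter print` and, if needed, use `/ip firewall filter move` to reposition them, then re-run the ping from 10.10.130.X to 10.10.110.X and look for the inter-vlan-drop prefix in `/log print` to confirm the drop is the rule you expect.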

Thanks for this information. So from what I have read, my setup is called "router on a stick", right? I thought that everything to block any connection I must do in my switch, not the router.

Right now on my Mikrotik, I have reject rules based on parameters like In interface and Out interface, where in "In interface" I have vlan130 and in Out Interface my destination. Of course, what you wrote works exactly like my setup.

Thanks
