I am used to Ubiquiti more, and on there I had LAN_LOCAL rules that prevented VLAN20 from talking to VLAN100, but the opposite worked.
This is useful to me as I need VLAN100 to be able to manage all VLANs and ssh them across.
Is it possible on Mikrotik? I tried some basic drop rules for VLAN20 to VLAN100 but it blocks traffic both ways, I only want it blocked one way.
Even tried with L3 blocking 10.10.10.0/24 from 10.1.1.0/24 but it blocks both directions.
TLDR - Can we block intervlan one direction but not the other?
-
-
archerious
Member Candidate
- Posts: 155
- Joined:
- Location:USA
- Contact:
-
-
jvanhambelgium
Forum Veteran
- Posts: 934
- Joined:
- Location:Belgium
Re: Block Intervlan one direction but not other?[SOLVED]
Perhaps you should specify more criteria in your firewall-rule ? Why don't you include some src-interface and select "vlan 20" or something ? I don't use VLAN's but I guess these "interfaces" show up in the list no ? In Webfig I have a "all vlan" "interface" next to the pppoe, eth1... etc so if you create vlan-interfaces (L3) I guess they show up ?I am used to Ubiquiti more, and on there I had LAN_LOCAL rules that prevented VLAN20 from talking to VLAN100, but the opposite worked.
This is useful to me as I need VLAN100 to be able to manage all VLANs and ssh them across.
Is it possible on Mikrotik? I tried some basic drop rules for VLAN20 to VLAN100 but it blocks traffic both ways, I only want it blocked one way.
Even tried with L3 blocking 10.10.10.0/24 from 10.1.1.0/24 but it blocks both directions.
TLDR - Can we block intervlan one direction but not the other?
If you move the VLAN100 allow rule to the top that should allow at least your management.
-
-
archerious
Member Candidate
- Posts: 155
- Joined:
- Location:USA
- Contact:
Re: Block Intervlan one direction but not other?
Omg I feel so dumb, you're right. On the Ubnt I had an allow local rule for VLAN100 out above the block intervlan rules.Perhaps you should specify more criteria in your firewall-rule ? Why don't you include some src-interface and select "vlan 20" or something ? I don't use VLAN's but I guess these "interfaces" show up in the list no ? In Webfig I have a "all vlan" "interface" next to the pppoe, eth1... etc so if you create vlan-interfaces (L3) I guess they show up ?I am used to Ubiquiti more, and on there I had LAN_LOCAL rules that prevented VLAN20 from talking to VLAN100, but the opposite worked.
This is useful to me as I need VLAN100 to be able to manage all VLANs and ssh them across.
Is it possible on Mikrotik? I tried some basic drop rules for VLAN20 to VLAN100 but it blocks traffic both ways, I only want it blocked one way.
Even tried with L3 blocking 10.10.10.0/24 from 10.1.1.0/24 but it blocks both directions.
TLDR - Can we block intervlan one direction but not the other?
If you move the VLAN100 allow rule to the top that should allow at least your management.
I just added an accept forward rule for VLAN100 out, put it above block VLAN20 rule, and it works. I can send packets to vlan 20, but vlan 20 can't send back to VLAN100.
我觉得很愚蠢的lol。非常感谢同志!
Re: Block Intervlan one direction but not other?
To make it even better why not clean up many of your rules.
Put the last rule in the forward chain as
chain=forward action=drop comment="drop all else"
Then all you need in the forward chain is to identify all the traffic flow that is authorized, the rest will be dropped by the last rule!!
Put the last rule in the forward chain as
chain=forward action=drop comment="drop all else"
Then all you need in the forward chain is to identify all the traffic flow that is authorized, the rest will be dropped by the last rule!!
Who is online
Users browsing this forum: No registered users and 7 guests