嗨,vlan之间和我有一些问题tion. I have vlan with id 10 and 20. I want vlan 10 to have acces to vlan 20, but vlan 20 cannot have acces to vlan 10. I can block all traffic between these two via Firewall or Routing rules but I cant disable the traffic as I described above, that is:
vlan 10 -> can acces vlan 20 and Internet
vlan 20 -> cannot access vlan 10 and can access the Internet

You would have to write a rule accepting all new traffic from vlan 10, and another rule allowing all established, and all related traffic. Then below that put a rule that drops all new traffic in interface vlan 20 and out interface vlan 10.

I have wrote something like this:but it blocks all the traffic between them. When I send ICMP packets they get the message but can't replay to each other. Did I mess up or something?

I think that should be

add chain=forward src-address-list=vlan10<-- here you need all, not only new connections
add chain=forward connection-state=established,related src-address-list=vlan20
add action=drop chain=forward in-interface=interf_vlan20 out-interface=interf_vlan10

When doing established and related do not put an interface, do all established and related.


If you accept all new connections then you will allow all connections.


The rules posted above should work

Thanks guys for your efforts. I used whatdocmariuswrote and it looks fine. It works exactly as I wanted

I have a similar problem, that I could not overcome with posted solution.

I have 5 vlans:
vlan100 - this vlan should be able to access all others + internet
vlan10 and vlan20 - these ones should only access vlan100 and internet (not 30 and 40)
vlan30 and vlan40 - these should only access internet

Any help would be greatly appreciated!

Edit://Figured it out

Hi All,
I a newbie on networking, yet I'm handling mikrotik now.

I have similar problem here.


I have 2 network connected to ether 1 and ether 2
I need network on ether 1 can connect to internet , butcannot连接到网络醚2
The Network on ether 2 can connect to internet and also Network 1

Edit :
Solved by tryin on method above, but only using interface
add chain=forward in-interface=eth2
add chain=forward connection-state=established,related in-interface=eth1
add action=drop chain=forward in-interface=eth1 out-interface=eth2

In the same way that sebastian001, How can I give access to a printer in vlan 10 to users in vlan 20?

Hello Every One i Have Tried all the methods here it works in a RB751 mipsbe but then i tried to block on a RB3011 Arm these rules block the icmp but for example the access to a web of any thing to the other side can be view so what could be the issue

i already make a Router Os Upgrade to 6.37.3 and also firmware upgrade to 3.35 any help would be nice!

Thanks!

My vlan2 is for wifi guests. But they should be able to see the public NATed ports, so I blocked routing but allow NAT between the 2 networks
add chain=forward action=drop comment="Block guest to LAN" connection-nat-state=!srcnat,dstnat dst-address=192.168.0.0/24 src-address=10.1.102.0/24

I think that should be

add chain=forward src-address-list=vlan10<-- here you need all, not only new connections
add chain=forward connection-state=established,related src-address-list=vlan20
add action=drop chain=forward in-interface=interf_vlan20 out-interface=interf_vlan10

Hi,

I have Mikrotik RB951 as gateway Router and DHCP Server then a trunk to Catalyst 2960 Series Switch... set 6 VLANS (100-600) and servers are in VLAN -100. I have followed what Docmarius wrote and added something like here in red "add action=accept chain=forward comment=2>1dst-address-list=100src-address-list=200" (i have added a destination address since it was not working with source address only). I have managed to filter traffic between VLANs, all the VLANs are able to reach VLAN-100 and access internet but they are unable to see each other as per my expectations.

Please see below configs and advise if there is any redundancy .

/ip firewall address-list
add address=10.5.51.0/24 list=100
add address=10.5.53.0/24 list=300
add address=10.5.54.0/24 list=400
add address=10.5.55.0/24 list=500
add address=10.5.52.0/24 list=200
add address=10.5.56.0/24 list=600

/ip firewall filter
add action=accept chain=forward comment="Accept traffic from VLAN subnets to WAN" out-interface=ether4-Gateway
add action=accept chain=forward comment=2>1dst-address-list=100src-address-list=200
add action=accept chain=forward comment=2<>1 connection-state=established,related src-address-list=100
add action=accept chain=forward comment=3>1 dst-address-list=100 src-address-list=300
add action=accept chain=forward comment=3<>1 connection-state=established,related src-address-list=100
add action=accept chain=forward comment=4>1 dst-address-list=100 src-address-list=400
add action=accept chain=forward comment=4<>1 connection-state=established,related src-address-list=100
add action=accept chain=forward comment=5>1 dst-address-list=100 src-address-list=500
add action=accept chain=forward comment=5<>1 connection-state=established,related src-address-list=100
add action=accept chain=forward comment=6>1 dst-address-list=100 src-address-list=600
add action=accept chain=forward comment=6<>1 connection-state=established,related src-address-list=100
add action=drop chain=forward dst-address=10.5.54.0/24 src-address=10.5.52.0/24
add action=reject chain=forward comment="Block Communication between all VLAN subnets" reject-with=icmp-net-prohibited src-address=10.5.52.1-10.5.255.255

You have 6 identical rules for accepting established and related traffic with src-address-list=100 ... only comments are different. All but first one (with comment 2<>1) won't receive any hit.

Ruleadd action=drop chain=forward dst-address=10.5.54.0/24 src-address=10.5.52.0/24allows connections from VLAN200 to VLAN400 (but is formulated differently than the rest of rules allowing access to VLAN100 from all other VLANs, those rules use address lists), but you don't have similar rule to allow responses. Either remove this rule or create another rule that accepts established and related from VLAN200 to VLAN400.

How did this thread get so out of control LOL

Consider you dont need anything but the default firewall rules...................
From Default firewall rule Settings on any MT router.........
Forward chain

(default rules)
fasttrack
allow established, related (only need single rule of this type in forward chain)
drop invalid packets

USER rules (assume three vlans 10,20,30)
allow vlan 10 to access internet
allow vlan 20 to access internet
allow users in vlan20 to access a shared printer in vlan10 (vlan subnet to single IP for example)
allow admin (on vlan30) access to all other vlans10,20
allow admin access to internet (one IP in vlan30)

Last Rule
DROP ALL ELSE

Done...............................................................

THe VLANs (all on the same bridge) by their structure block crosstalk at layer2.
The firewall rules block (or allow cross talk depending upon user rules) at Layer 3 (routing)

Who can share rules that would drop traffic between ports without having vlans?

Provide a diagram to give us an indication of the network you want to establish and then detail some requirements, - what you wish to accomplish with your network in terms of users (not any equipment configuration discussion).
Otherwise, the question is too vague.....