DitchRat95
just joined
Topic Author
Posts: 12
Joined: Tue Jul 19, 2022 5:43 pm

vlan access to winbox

Sat Oct 08, 2022 3:21 am

So I have two VLANs set up on a bridge. I would like VLAN 10 to have management access and client-to-client access with the ethernet ports on the bridge, and I would like VLAN 20 to only have internet access. I can't access the MT GUI from the management wireless VLAN 10. Could someone review this and see what they think?

Any other security concerns or tightening of ship recommendations would be welcome as well...
 
erlinden
Forum Guru
Posts: 1281
Joined: Wed Jun 12, 2013 1:59 pm

Re: vlan access to winbox

Sat Oct 08, 2022 9:34 am

This rule defines who has access to the router:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
Together with this rule anything has access to your router:
/interface list member
add comment=defconf interface=CapDataPath list=LAN
I would sort the firewall rules, start with input and then forward.
I prefer both chains to end with "drop everything else" (this way, you only have to write allow rules)
You might want to enable VLAN filtering on your bridge

There might be more possible improvements, still early here.
 
DitchRat95
just joined
Topic Author
Posts: 12
Joined: Tue Jul 19, 2022 5:43 pm

Re: vlan access to winbox

Sun Oct 09, 2022 3:00 am

If anything has access, then why can't I gain access to Winbox from VLAN 10 or 20? Am I missing something on how to access it from a VLAN?
 
sid5632
Long time Member
Posts: 515
Joined: Fri Feb 17, 2017 6:05 pm

Re: vlan access to winbox

Sun Oct 09, 2022 3:23 am

You need to add the bridge to the list of interfaces that are tagged under /interface bridge vlan
and get rid of all those untagged entries and let them be determined dynamically by the pvid setting.

Did you actually turn on the bridge vlan filtering?
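Pulling erlinden's and sid5632's advice together into one configuration, as an added example (not config posted in this thread): the bridge is a tagged member of both VLANs, access ports get only a pvid, the input chain only accepts management from VLAN 10 and ends in a drop, and the forward chain lets VLAN 20 reach the WAN and nothing else. Interface names (ether1 as WAN, ether2/ether3 as access ports, ether4 as the trunk to the AP), the 192.168.10.0/24 and 192.168.20.0/24 subnets, and the list names MGMT/LAN/WAN are assumptions; adapt them to the real layout. VLAN filtering is switched on as the last step, because turning it on before the bridge is tagged for a VLAN is exactly what makes that VLAN's interface and DHCP server go dead.

```routeros
# Added example, not from the thread. Names, subnets and VLAN IDs are assumptions.
# Paste into a terminal in Safe Mode (Ctrl-X, or the Safe Mode button in Winbox)
# so that a lockout reverts itself when the session drops.

/interface bridge
add name=bridge vlan-filtering=no comment="filtering enabled at the end"

# Access ports carry one untagged VLAN, derived from pvid; the trunk to the AP
# gets no pvid and carries both VLANs tagged.
/interface bridge port
add bridge=bridge interface=ether2 pvid=10 comment="management access port"
add bridge=bridge interface=ether3 pvid=20 comment="guest access port"
add bridge=bridge interface=ether4 comment="trunk to AP, VLAN 10 and 20 tagged"

# The bridge itself must be a tagged member of every VLAN the router terminates,
# otherwise the /interface vlan on it (and any DHCP server bound to it) sees nothing.
# No untagged= entries: those come from the pvid above.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20

/interface vlan
add name=vlan10-mgmt interface=bridge vlan-id=10
add name=vlan20-guest interface=bridge vlan-id=20

/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-guest

/ip pool
add name=pool10 ranges=192.168.10.100-192.168.10.200
add name=pool20 ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add name=dhcp10 interface=vlan10-mgmt address-pool=pool10 disabled=no
add name=dhcp20 interface=vlan20-guest address-pool=pool20 disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
/ip dns set allow-remote-requests=yes

# Interface lists: MGMT holds only the management VLAN; LAN holds both.
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan10-mgmt
add list=LAN interface=vlan20-guest
add list=MGMT interface=vlan10-mgmt

/ip firewall filter
# input: traffic to the router itself. Only explicit accepts get through.
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=MGMT comment="Winbox/WebFig/SSH from VLAN 10 only"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for every VLAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 comment="DHCP for every VLAN"
add chain=input action=drop comment="everything else, including VLAN 20 to the router"
# forward: traffic through the router. VLAN 20 reaches the WAN and nothing else.
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=MGMT out-interface-list=WAN
add chain=forward action=accept in-interface-list=MGMT out-interface-list=LAN comment="VLAN 10 may reach VLAN 20"
add chain=forward action=accept in-interface=vlan20-guest out-interface-list=WAN comment="VLAN 20: internet only"
add chain=forward action=drop comment="everything else, including VLAN 20 to VLAN 10"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# Belt and braces: bind the management services to the management VLAN too.
/ip service set winbox address=192.168.10.0/24
/ip service set www address=192.168.10.0/24
/ip service set ssh address=192.168.10.0/24
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT

# Last step: with the bridge tagged for 10 and 20 and the rules in place.
/interface bridge set bridge vlan-filtering=yes
```

Two things to check before leaving Safe Mode: `/interface bridge vlan print` should show `bridge` in the tagged column for both VLAN IDs, with the access ports appearing as dynamic untagged members; and `/ip firewall filter print stats` should show the MGMT accept rule counting packets while a Winbox session is open from VLAN 10 and the final input drop counting when one is attempted from VLAN 20. The final forward drop also blocks any dst-nat port forwards from the WAN, so a port forward needs its own accept (`connection-nat-state=dstnat`) above it.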
 
DitchRat95
just joined
Topic Author
Posts: 12
Joined: Tue Jul 19, 2022 5:43 pm

Re: vlan access to winbox

Fri Oct 21, 2022 6:00 am

erlinden wrote:
This rule defines who has access to the router:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
Together with this rule anything has access to your router:
/interface list member
add comment=defconf interface=CapDataPath list=LAN
I would sort the firewall rules, start with input and then forward.
I prefer both chains to end with "drop everything else" (this way, you only have to write allow rules)
You might want to enable VLAN filtering on your bridge

There might be more possible improvements, still early here.

Do you have an example I could see?
 
DitchRat95
just joined
Topic Author
Posts: 12
Joined: Tue Jul 19, 2022 5:43 pm

Re: vlan access to winbox

Mon Oct 24, 2022 5:07 am

So when I enable VLAN filtering it kills VLAN 20: it won't connect or issue IP addresses. And I sorted the rules, but had to add drop rules to stop management access from VLAN 20, and it can still ping the other subnets. I can access WebFig from VLAN 10, but when I log in it times out.
