Community discussions

MikroTik App
 
ahmet82
newbie
Topic Author
Posts: 47
Joined: Thu Aug 20, 2020 12:26 am

Switch rule to block wan traffic for a vlan

Sun Oct 30, 2022 3:19 am

Hello,

I want vlan 10 to access vlan 20, but not be able to access the internet (wan)?

I couldn't find any negate filters on switch rules. So I am not sure how can I detect a device trying to access wan with switch rules to drop the package

I know I can do all of this in the firewall, but I am curious to do it with the hardware.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Switch rule to block wan traffic for a vlan

Sun Oct 30, 2022 3:24 am

Post config
/export file=anynameyouwish ( minus serial number and any public WANIP information)
 
ahmet82
newbie
Topic Author
Posts: 47
Joined: Thu Aug 20, 2020 12:26 am

Re: Switch rule to block wan traffic for a vlan

Sun Oct 30, 2022 10:17 am

Hello

This is a hypothetical question. I dont have a setup that doesnt work. So there is not much to export.

I asking if there is a way to drop wan packages with switch rules.
 
mkx
Forum Guru
Forum Guru
Posts: 8970
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch rule to block wan traffic for a vlan

Sun Oct 30, 2022 10:36 am

Switch rules are switch-chip specific, so this question can not be answered entirely hypothetic :wink:

What you probably can do is a series of switch rules ... first allow traffic you want to pass (e.g. vlan10 to vlan10, vlan10 to vlan20) and then block everything else. I've never played with switch rules (I only have the low end MT devices), so I don't know if you can use VIDs in switch rules. If you can't use VIDs, then use IP subnets. You can always use router's MAC address as additional match criterion (all traffic between one IP subnet and everything else will target router's MAC address regardless the target IP address).
 
ahmet82
newbie
Topic Author
Posts: 47
Joined: Thu Aug 20, 2020 12:26 am

Re: Switch rule to block wan traffic for a vlan

Sun Oct 30, 2022 11:08 am

You are right 😀. I have a rb5009
 
User avatar
Buckeye
Long time Member
Long time Member
Posts: 566
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Switch rule to block wan traffic for a vlan

Sun Oct 30, 2022 11:41 am

I couldn't find any negate filters on switch rules. So I am not sure how can I detect a device trying to access wan with switch rules to drop the package
and
This is a hypothetical question. I asking if there is a way to drop wan packages with switch rules.
If you are asking about https://help.mikrotik.com/docs/display/ ... -RuleTable that is one of the least/poorest documented features that I have tried to find any info on.

There are no examples in either the ROS or SwOS manuals.

The only thing I see as a way to drop a packet is by matching a compound condition with the specified action new-dst-ports = Null. The docs say this will "drop the packet".

If it is possible to have multiple conditions to match, and you want vlan 10 to only be able to be forwarded to vlan 20, and all packets will be ipv4, and there is a single ip subnet associated with vlan 20, then
matching on src-address == vlan 10 subnet && dst-address == vlan 20 address with no action specified is supposed to accept the packet and stop scanning rules. This would be followed by a rule that matches src-address == vlan 10 subnet && dst-address == 0.0.0.0/0 (any ip address) with action new-dst-ports = Null (drop packet).

Again this is only a guess... and your guess is as good as mine as to how to form the multiple condition rule.

Let us know what you discover when you try. 8)
 
ahmet82
newbie
Topic Author
Posts: 47
Joined: Thu Aug 20, 2020 12:26 am

Re: Switch rule to block wan traffic for a vlan

Sun Oct 30, 2022 1:11 pm

This was my theory as well. I will give it a try
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 2552
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Switch rule to block wan traffic for a vlan

Mon Oct 31, 2022 12:14 am

https://help.mikrotik.com/docs/display/ ... -RuleTable

A rule without any action parameters is a rule to accept the packet.

new-dst-ports (name; Default: none)
Changes the destination port as specified, multiple ports allowed, including a switch CPU port. An empty setting will drop the packet. When the parameter is not used, the packet will be accepted

Who is online

Users browsing this forum: Xelmep and 31 guests