reevansxyz

Seeking guidance on VLAN, Firewall

Thu Oct 13, 2022 1:26 pm

Greetings,

Recently I made a post enquiring about getting VLANs to work with my switch and router: forum.mikrotik.com/viewtopic.php?f=13&t ... 30#p957830; I've pretty much got through it—however, I'm super dumb when it comes to firewalls! Q: How can I adapt the VLAN config below to my firewall?

VLAN Config:
#######################################
#
# -- Trunk Ports --
#
#######################################

# Ingress: the trunk joins bridge1 with pvid left at its default of 1, so an
# untagged frame arriving here would land in VLAN 1 (the VLAN Security section
# later restricts this port to tagged frames only).
/interface bridge port add bridge=bridge1 interface=sfp-sfpplus1

# Egress: bridge1 itself is a tagged member of every VLAN so the router can
# terminate them with /interface vlan (L3 services); sfp-sfpplus1 carries all
# four VLANs tagged. NOTE(review): this table is only enforced once
# vlan-filtering is enabled on bridge1, which is not shown in this snippet.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1,sfp-sfpplus1
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1,sfp-sfpplus1
/interface bridge vlan add bridge=bridge1 vlan-ids=30 tagged=bridge1,sfp-sfpplus1
/interface bridge vlan add bridge=bridge1 vlan-ids=77 tagged=bridge1,sfp-sfpplus1


#######################################
# IP Addressing & Routing
#######################################

# vlan77 is the management VLAN. 10.17.77.1 is the router's LAN-facing address
# on it and is also the DNS server handed to every DHCP client further down.
/interface vlan
add interface=bridge1 name=vlan77 vlan-id=77
/ip address
add address=10.17.77.1/24 interface=vlan77


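#######################################
# IP Services
#######################################

# Each user VLAN gets an L3 interface on bridge1, a /24 on the router, a DHCP
# pool covering .2-.254, and a DHCP server that hands out the VLAN's own .1 as
# gateway and the router's vlan77 address (10.17.77.1) as DNS server.
# NOTE(review): pointing vlan10/20/30 clients at an address on the management
# VLAN means any inter-VLAN isolation added in the firewall must still permit
# DNS to 10.17.77.1 (or hand out each VLAN's gateway address as DNS instead).
# It also presumes the router's DNS service accepts remote requests, which is
# not shown here.

# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=vlan10 vlan-id=10
/ip address add interface=vlan10 address=172.17.10.1/24
/ip pool add name=dhcp_pool10 ranges=172.17.10.2-172.17.10.254
/ip dhcp-server add address-pool=dhcp_pool10 interface=vlan10 name=dhcp_vlan10 disabled=no
/ip dhcp-server network add address=172.17.10.0/24 dns-server=10.17.77.1 gateway=172.17.10.1

# Green VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=vlan20 vlan-id=20
/ip address add interface=vlan20 address=172.17.20.1/24
/ip pool add name=dhcp_pool20 ranges=172.17.20.2-172.17.20.254
# fixed: the original read "name==dhcp_vlan20" (doubled '='), which does not
# yield the intended server name
/ip dhcp-server add address-pool=dhcp_pool20 interface=vlan20 name=dhcp_vlan20 disabled=no
/ip dhcp-server network add address=172.17.20.0/24 dns-server=10.17.77.1 gateway=172.17.20.1

# Red VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=vlan30 vlan-id=30
/ip address add interface=vlan30 address=172.17.30.1/24
/ip pool add name=dhcp_pool30 ranges=172.17.30.2-172.17.30.254
/ip dhcp-server add address-pool=dhcp_pool30 interface=vlan30 name=dhcp_vlan30 disabled=no
/ip dhcp-server network add address=172.17.30.0/24 dns-server=10.17.77.1 gateway=172.17.30.1

# Optional: DHCP on the management VLAN as an admin convenience. The pool
# starts at .10, so 10.17.77.2-10.17.77.9 are never handed out by DHCP.
/ip pool add name=dhcp_pool77 ranges=10.17.77.10-10.17.77.254
/ip dhcp-server add address-pool=dhcp_pool77 interface=vlan77 name=dhcp_vlan77 disabled=no
/ip dhcp-server network add address=10.17.77.0/24 dns-server=10.17.77.1 gateway=10.17.77.1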

# Interface lists used by the firewall and the MAC-server settings:
#   WAN  - the upstream port (ether1)
#   VLAN - every VLAN interface the router terminates
#   MGMT - the management VLAN only (vlan77)
# NOTE(review): no list named LAN is created here, although the firewall
# rules in this thread match on in-interface-list=LAN.
/interface list
add name=WAN
add name=VLAN
add name=MGMT

/interface list member add list=WAN  interface=ether1
/interface list member add list=VLAN interface=vlan77
/interface list member add list=VLAN interface=vlan10
/interface list member add list=VLAN interface=vlan20
/interface list member add list=VLAN interface=vlan30
/interface list member add list=MGMT interface=vlan77


#######################################
# VLAN Security
#######################################

# The trunk accepts only VLAN-tagged frames, and ingress filtering discards
# frames for VLANs the port is not a member of, so untagged or unknown traffic
# cannot fall into pvid 1. Only sfp-sfpplus1 is covered here: any access ports
# on bridge1 are not part of this snippet, and the bridge VLAN table is only
# enforced once vlan-filtering is enabled on bridge1 (also not shown here).
/interface bridge port set [find interface=sfp-sfpplus1] bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes


#######################################
# MAC Server settings
#######################################

# MAC-telnet, MAC-winbox and neighbour discovery operate at layer 2 and are
# not governed by /ip firewall, so they are limited to the MGMT list, which
# contains vlan77 only (see the interface list members above). Interfaces
# outside that list, including the other VLANs, get neither.
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT

to work alongside the following firewall rules:
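 /ip firewall {
  # ---- input chain: traffic addressed to the router itself ----
  filter add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="drop invalid"
  filter add chain=input action=accept protocol=icmp comment="accept ICMP"
  filter add chain=input action=accept dst-address=127.0.0.1 comment="accept to local loopback (for CAPsMAN)"
  # NOTE(review): the VLAN config above defines the lists WAN, VLAN and MGMT
  # but no list named LAN. Unless LAN already exists on the device, this rule
  # cannot match what the comment intends. Matching on !VLAN here, and adding
  # an accept for router management only from MGMT (vlan77) ahead of it, is
  # the usual way to tie the two configs together.
  filter add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
  # ---- forward chain: traffic routed through the router ----
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
  filter add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
  filter add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related, untracked"
  filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
  # NOTE(review): nothing in this chain separates vlan10/20/30/77 from each
  # other, so every VLAN can reach every other VLAN and the management VLAN.
  # Add forward drop rules between the VLAN subnets if isolation is intended.
  filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop all from WAN not DSTNATed"
  # ---- nat ----
  nat add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="masquerade"
  # The DNS redirect sends every port-53 lookup to the router's own resolver at
  # 10.17.77.1. The original rules carried no in-interface-list, so they also
  # rewrote port-53 packets arriving from WAN; they are now limited to the
  # internal VLAN interfaces, which is the only traffic the redirect is for.
  nat add chain=dstnat action=dst-nat in-interface-list=VLAN protocol=udp dst-port=53 to-address=10.17.77.1 to-ports=53 comment="transparent dns proxy, udp"
  nat add chain=dstnat action=dst-nat in-interface-list=VLAN protocol=tcp dst-port=53 to-address=10.17.77.1 to-ports=53 comment="transparent dns proxy, tcp"
 }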

Best Regards,
Reev
