Seeking guidance on VLAN, Firewall
Posted: Thu Oct 13, 2022 1:26 pm
Greetings,
Recently I made a post enquiring about getting VLAN(s) to work with my switch & router : forum.mikrotik.com/viewtopic.php?f=13&t ... 30#p957830; I've pretty much got through it—however, I'm super dumb when it comes to firewall(s)! Q: How can I adapt the below VLAN config to my firewall?
VLAN Config:
to work alongside :-
Best Regards,
Reev
Recently I made a post enquiring about getting VLAN(s) to work with my switch & router : forum.mikrotik.com/viewtopic.php?f=13&t ... 30#p957830; I've pretty much got through it—however, I'm super dumb when it comes to firewall(s)! Q: How can I adapt the below VLAN config to my firewall?
VLAN Config:
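#######################################
#
# -- Trunk Ports --
#
#######################################
# NOTE(review): this snippet assumes bridge1 already exists and that VLAN
# filtering is turned on for it (/interface bridge set bridge1 vlan-filtering=yes)
# only after the bridge VLAN table below is complete; neither step is shown here,
# so confirm against the full export.
# ingress behavior
/interface bridge port
# Purple Trunk. Leave pvid set to default of 1
add bridge=bridge1 interface=sfp-sfpplus1
# egress behavior
/interface bridge vlan
# Purple Trunk. These need IP Services (L3), so add Bridge as member
# (bridge1 is tagged so the router's own /interface vlan interfaces can use the tag)
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=20
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=30
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=77
#######################################
# IP Addressing & Routing
#######################################
# LAN facing router's IP address on the vlan77 (management network)
/interface vlan add interface=bridge1 name=vlan77 vlan-id=77
/ip address add address=10.17.77.1/24 interface=vlan77
#######################################
# IP Services
#######################################
# Every VLAN below hands out the router's vlan77 address (10.17.77.1) as DNS server.
# NOTE(review): for that to work the router must accept DNS on its input chain from
# the VLAN interfaces and have /ip dns allow-remote-requests=yes - not shown here.
# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=vlan10 vlan-id=10
/ip address add interface=vlan10 address=172.17.10.1/24
/ip pool add name=dhcp_pool10 ranges=172.17.10.2-172.17.10.254
/ip dhcp-server add address-pool=dhcp_pool10 interface=vlan10 name=dhcp_vlan10 disabled=no
/ip dhcp-server network add address=172.17.10.0/24 dns-server=10.17.77.1 gateway=172.17.10.1
# Green VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=vlan20 vlan-id=20
/ip address add interface=vlan20 address=172.17.20.1/24
/ip pool add name=dhcp_pool20 ranges=172.17.20.2-172.17.20.254
# fixed: the original line had "name==dhcp_vlan20" (double '='), which fails on import
/ip dhcp-server add address-pool=dhcp_pool20 interface=vlan20 name=dhcp_vlan20 disabled=no
/ip dhcp-server network add address=172.17.20.0/24 dns-server=10.17.77.1 gateway=172.17.20.1
# Red VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge1 name=vlan30 vlan-id=30
/ip address add interface=vlan30 address=172.17.30.1/24
/ip pool add name=dhcp_pool30 ranges=172.17.30.2-172.17.30.254
/ip dhcp-server add address-pool=dhcp_pool30 interface=vlan30 name=dhcp_vlan30 disabled=no
/ip dhcp-server network add address=172.17.30.0/24 dns-server=10.17.77.1 gateway=172.17.30.1
# Optional: Create a DHCP instance for vlan77. Convenience feature for an admin.
/ip pool add name=dhcp_pool77 ranges=10.17.77.10-10.17.77.254
/ip dhcp-server add address-pool=dhcp_pool77 interface=vlan77 name=dhcp_vlan77 disabled=no
/ip dhcp-server network add address=10.17.77.0/24 dns-server=10.17.77.1 gateway=10.17.77.1
#######################################
# Interface lists (referenced by the firewall and the MAC-server settings)
#######################################
# Note: there is no "LAN" list here - firewall rules must use WAN / VLAN / MGMT.
/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=MGMT
/interface list member
add interface=ether1 list=WAN
# vlan77 is a member of both VLAN and MGMT; the other VLANs are only in VLAN
add interface=vlan77 list=VLAN
add interface=vlan10 list=VLAN
add interface=vlan20 list=VLAN
add interface=vlan30 list=VLAN
add interface=vlan77 list=MGMT
#######################################
# VLAN Security
#######################################
# On the trunk: drop untagged frames (admit-only-vlan-tagged) and drop tagged frames
# whose VLAN is not in the bridge VLAN table (ingress-filtering).
/interface bridge port
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus1]
#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from vlan77, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT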
to work alongside :-
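/ip firewall {
# --- input: traffic addressed to the router itself ---
filter add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="drop invalid"
filter add chain=input action=accept protocol=icmp comment="accept ICMP"
filter add chain=input action=accept dst-address=127.0.0.1 comment="accept to local loopback (for CAPsMAN)"
# The VLAN config only creates the interface lists WAN, VLAN and MGMT; the stock
# rule matched against "LAN", which that config never defines. Match against VLAN
# so the rule refers to a list that exists. Everything arriving on a VLAN-list
# interface and not dropped above is then accepted by the chain's implicit default,
# i.e. the router's IP services are reachable from vlan10/20/30 as well as vlan77
# (only MAC-server and neighbor discovery are pinned to MGMT in the VLAN config).
# NOTE(review): if management is meant to be vlan77-only, add an accept for the
# management ports with in-interface-list=MGMT above this drop and tighten it.
filter add chain=input action=drop in-interface-list=!VLAN comment="drop all not coming from VLAN"
# --- forward: traffic routed through the router ---
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop all from WAN not DSTNATed"
# NOTE(review): nothing in this chain separates the VLANs from one another or from
# vlan77 (MGMT); new connections between VLAN-list interfaces fall through to the
# implicit accept. Add a forward drop between VLANs after the WAN rule if isolation
# is intended - confirm intent.
# --- nat ---
nat add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="masquerade"
# Transparent DNS interception is scoped to the VLAN interfaces so it only rewrites
# client traffic coming from the LAN side, never packets arriving on WAN.
# NOTE(review): the router must have /ip dns allow-remote-requests=yes for 10.17.77.1
# to answer these queries - not shown here.
nat add chain=dstnat action=dst-nat in-interface-list=VLAN protocol=udp dst-port=53 to-address=10.17.77.1 to-ports=53 comment="transparent dns proxy, udp"
nat add chain=dstnat action=dst-nat in-interface-list=VLAN protocol=tcp dst-port=53 to-address=10.17.77.1 to-ports=53 comment="transparent dns proxy, tcp"
}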
Best Regards,
Reev