tobi26

MikroTik firewall rules: separate VLANs + guest VLAN internet only

Hi all, and a happy new year.

I need your help with the rules.
I've already tried a few things, but apparently I'm too dumb... or it hasn't clicked yet how I'm supposed to use this.
I originally started all of this from the default config.
I'm attaching the current config, but first a bit of prose on what I want and what hardware I'm using:
RB5009 as the central router with CAPsMAN for 3 WLAN APs, plus pi-hole and unbound, each in its own Docker container.

5 VLANs (a 6th, VLAN7, is for the internet uplink):
- VLAN1 --> management area
- VLAN10 --> everything to do with home automation runs here
- VLAN20 --> normal users
- VLAN30 --> VoIP
- VLAN99 --> guest network


What I want to achieve is access separation between the VLANs (VLAN1 excepted) and:
VLAN99 --> internet access only (possibly even restricted to ports 80 and 443 + DNS)
VLAN30 --> use the ISP's DNS (currently entered manually in DHCP) + internet access only
VLAN20 --> full internet access (all ports and protocols)
VLAN10 --> access to all VLANs
VLAN1 --> access to all VLANs

Do these requirements basically make sense?

Config:
# 2024-12-31 13:05:19 by RouterOS 7.16.2
# software id = IQ5X-9EZ7
#
# model = RB5009UG+S+
# serial number = HFE09C7RDDA
/container mounts
add dst=/etc/pihole name=pihole_etc src=/usb1/pihole_etc
add dst=/etc/dnsmasq.d name=pihole_dnsmasq src=/usb1/pihole_dnsmasq.d
add dst=/etc/unbound/custom.conf.d name=unbound_etc src=/usb1/unbound_etc
/disk
set usb1 media-interface=none media-sharing=no
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge-lan \
    vlan-filtering=yes
add name=dockers
/interface wifi
add name=cap-wifi1 radio-mac=xx:xx:xx:xx:xx:xx
add name=cap-wifi2 radio-mac=xx:xx:xx:xx:xx:xx
/interface veth
add address=10.0.0.2/24 gateway=10.0.0.1 gateway6="" name=veth-pihole  
add address=10.0.0.3/24 gateway=10.0.0.1 gateway6="" name=veth-unbound  
/interface wireguard
add listen-port=13231 mtu=1420 name=Wireguard_Tobias_Handy
/interface vlan
add interface=bridge-lan name=vlan1-management vlan-id=1
add interface=sfp-sfpplus1 name=vlan7-wan vlan-id=7
add interface=bridge-lan name=vlan10-system vlan-id=10
add interface=bridge-lan name=vlan20-home vlan-id=20
add interface=bridge-lan name=vlan30-voip vlan-id=30
add interface=bridge-lan name=vlan99-gast vlan-id=99
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=\
    vlan7-wan name=pppoe-WAN-O2 use-peer-dns=yes user=\
    xxxxxxxxxx@s42.bbi-o2.de
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2432,2452,2472 name=2,4G_ax_fixed \
    reselect-interval=2h..12h skip-dfs-channels=disabled width=20mhz
add band=2ghz-ax disabled=no frequency=2412 name=2,4G_ax_Ch1 \
    skip-dfs-channels=disabled width=20mhz
add band=2ghz-ax disabled=no frequency=2432 name=2,4G_ax_Ch5 \
    skip-dfs-channels=disabled width=20mhz
add band=2ghz-ax disabled=no frequency=2452 name=2,4G_ax_Ch9 \
    skip-dfs-channels=disabled width=20mhz
add band=2ghz-ax disabled=no frequency=2472 name=2,4G_ax_Ch13 \
    skip-dfs-channels=disabled width=20mhz
add band=5ghz-ax disabled=no frequency=5180-5240 name=5G_ax_Ch36-48 \
    skip-dfs-channels=disabled width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5260-5320 name=5G_ax_Ch52-64 \
    skip-dfs-channels=disabled width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5500-5560 name=5G_ax_Ch100-112 \
    skip-dfs-channels=disabled width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5180-5320,5500-5580 name=5G_ax_fixed \
    reselect-interval=2h..12h skip-dfs-channels=disabled width=20/40/80mhz
/interface wifi configuration
add comment=---------- disabled=no name=5G
/interface wifi datapath
add bridge=bridge-lan disabled=no name=datapath-system vlan-id=10
add bridge=bridge-lan disabled=no name=datapath-home vlan-id=20
add bridge=bridge-lan client-isolation=yes disabled=no name=datapath-gast \
    vlan-id=99
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" ft=yes \  
    ft-over-ds=yes name=gast wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" ft=yes \  
    ft-over-ds=yes name=home wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" ft=yes \  
    ft-over-ds=yes name=system wps=disable
/interface wifi configuration
add channel=2,4G_ax_fixed country=Germany datapath=datapath-home disabled=no \
    mode=ap name=2,4G_ax_home security=home security.ft=yes .ft-over-ds=yes \
    ssid=LAN-Party tx-power=40
add channel=5G_ax_fixed country=Germany datapath=datapath-home disabled=no \
    mode=ap name=5G_ax_home security=home security.ft=yes .ft-over-ds=yes \
    ssid=LAN-Party
add country=Germany datapath=datapath-gast disabled=no mode=ap name=\
    2,4G_ax_gast security=gast security.ft=yes .ft-over-ds=yes ssid=\
    LAN-Party_Gast tx-power=40
add comment=-------- country=Germany datapath=datapath-gast disabled=no mode=\
    ap name=5G_ax_gast security=gast security.ft=yes .ft-over-ds=yes ssid=\
    LAN-Party_Gast
add country=Germany datapath=datapath-system disabled=no mode=ap name=\
    2,4G_ax_system security=system security.ft=yes .ft-over-ds=yes ssid=\
    LAN-Party_System tx-power=40
add country=Germany datapath=datapath-system disabled=no mode=ap name=\
    5G_ax_system security=system security.ft=yes .ft-over-ds=yes ssid=\
    LAN-Party_System
add channel=5G_ax_Ch36-48 country=Germany datapath=datapath-home disabled=no \
    mode=ap name=5G_ax_home_Ch36-48 security=home security.ft=yes \
    .ft-over-ds=yes ssid=LAN-Party
add channel=5G_ax_Ch52-64 country=Germany datapath=datapath-home disabled=no \
    mode=ap name=5G_ax_home_Ch52-64 security=home security.ft=yes \
    .ft-over-ds=yes ssid=LAN-Party
add channel=5G_ax_Ch100-112 country=Germany datapath=datapath-home disabled=\
    no mode=ap name=5G_ax_home_Ch100-112 security=home security.ft=yes \
    .ft-over-ds=yes ssid=LAN-Party
add channel=2,4G_ax_Ch1 country=Germany datapath=datapath-home disabled=no \
    mode=ap name=2,4G_ax_home_Ch1 security=home security.ft=yes .ft-over-ds=\
    yes ssid=LAN-Party tx-power=40
add channel=2,4G_ax_Ch5 country=Germany datapath=datapath-home disabled=no \
    mode=ap name=2,4G_ax_home_Ch5 security=home security.ft=yes .ft-over-ds=\
    yes ssid=LAN-Party tx-power=40
add channel=2,4G_ax_Ch9 country=Germany datapath=datapath-home disabled=no \
    mode=ap name=2,4G_ax_home_Ch9 security=home security.ft=yes .ft-over-ds=\
    yes ssid=LAN-Party tx-power=40
add channel=2,4G_ax_Ch13 country=Germany datapath=datapath-home disabled=no \
    mode=ap name=2,4G_ax_home_Ch13 security=home security.ft=yes .ft-over-ds=\
    yes ssid=LAN-Party tx-power=40
/ip pool
add name=dhcp-pool-vlan20-home ranges=10.0.20.50-10.0.20.99
add name=dhcp-pool-vlan10-system ranges=10.0.10.200-10.0.10.239
add name=dhcp-pool-vlan99-gast ranges=10.0.99.100-10.0.99.199
add name=dhcp-pool-vlan1 ranges=10.0.1.100-10.0.1.199
add name=dhcp-pool-vlan30-voip ranges=10.0.30.200-10.0.30.239
add name=dhcp-pool-backup ranges=192.168.0.10-192.168.0.99
/ip dhcp-server
add address-pool=dhcp-pool-vlan1 interface=vlan1-management lease-time=1w \
    name=dhcp-vlan1
add address-pool=dhcp-pool-vlan20-home interface=vlan20-home lease-time=1w \
    name=dhcp-home
add address-pool=dhcp-pool-vlan99-gast interface=vlan99-gast lease-time=1d \
    name=dhcp-gast
add address-pool=dhcp-pool-vlan30-voip interface=vlan30-voip lease-time=1w \
    name=dhcp-voip use-framed-as-classless=no
add address-pool=dhcp-pool-vlan10-system interface=vlan10-system lease-time=\
    1w name=dhcp-system
# Interface not running
add address-pool=dhcp-pool-backup interface=ether7 lease-time=1w30m name=\
    dhcp-backup
/container
add comment=pihole envlist=pihole_envs interface=veth-pihole mounts=\
    pihole_etc,pihole_dnsmasq root-dir=usb1/pihole start-on-boot=yes
add comment=unbound envlist=unbound_envs interface=veth-unbound mounts=\
    unbound_etc root-dir=usb1/unbound start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1/pull
/container envs
add key=TZ name=pihole_envs value=Europe/Berlin
add key=WEBPASSWORD name=pihole_envs value=xxx
add key=DNSMASQ_USER name=pihole_envs value=xxx
add key=TZ name=unbound_envs value=Europe/Berlin
/interface bridge port
add bridge=bridge-lan comment=Uplink-VLAN-Switch interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan comment="direkte Ports" frame-types=\  
    admit-only-untagged-and-priority-tagged interface=ether4
add bridge=dockers comment=docker interface=veth-pihole
add bridge=dockers interface=veth-unbound
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether2,ether3 vlan-ids=10
add bridge=bridge-lan tagged=bridge-lan,ether2,ether3 vlan-ids=20
add bridge=bridge-lan tagged=bridge-lan,ether2,ether3 vlan-ids=30
add bridge=bridge-lan tagged=bridge-lan,ether2,ether3 vlan-ids=99
add bridge=bridge-lan tagged=bridge-lan untagged=ether2,ether3 vlan-ids=1
/interface list member
add comment="BackupNetz Port7" interface=ether7 list=LAN  
add interface=vlan1-management list=LAN
add interface=vlan10-system list=LAN
add interface=vlan20-home list=LAN
add interface=vlan30-voip list=LAN
add interface=vlan99-gast list=LAN
add comment="Internet O2" interface=pppoe-WAN-O2 list=WAN  
add interface=Wireguard_Tobias_Handy list=LAN
add interface=ether8 list=WAN
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=\
    vlan1-management package-path=/packages/ require-peer-certificate=no \
    upgrade-policy=require-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment=EG disabled=no \
    master-configuration=5G_ax_home_Ch36-48 name-format="%I 5G" radio-mac=\  
    xx:xx:xx:xx:xx:xx slave-configurations=5G_ax_system,5G_ax_gast \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=yes master-configuration=\
    2,4G_ax_home name-format="%I 2,4G" radio-mac=xx:xx:xx:xx:xx:xx \  
    slave-configurations=2,4G_ax_system,2,4G_ax_gast supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=DG disabled=no \
    master-configuration=5G_ax_home_Ch52-64 name-format="%I 5G" radio-mac=\  
    xx:xx:xx:xx:xx:xx slave-configurations=5G_ax_system supported-bands=\
    5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    2,4G_ax_home_Ch1 name-format="%I 2,4G" radio-mac=xx:xx:xx:xx:xx:xx \  
    slave-configurations=2,4G_ax_system supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=Scheuer disabled=no \
    master-configuration=5G_ax_home_Ch100-112 name-format="%I 5G" radio-mac=\  
    xx:xx:xx:xx:xx:xx slave-configurations=5G_ax_system supported-bands=\
    5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    2,4G_ax_home_Ch5 name-format="%I 2,4G" radio-mac=xx:xx:xx:xx:xx:xx \  
    slave-configurations=2,4G_ax_system supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=Keller disabled=no \
    master-configuration=2,4G_ax_home_Ch13 name-format="%I 2,4G" radio-mac=\  
    xx:xx:xx:xx:xx:xx slave-configurations=2,4G_ax_system,2,4G_ax_gast \
    supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=yes master-configuration=\
    5G_ax_home name-format="%I 5G" radio-mac=xx:xx:xx:xx:xx:xx \  
    supported-bands=5ghz-ax
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=Wireguard_Tobias_Handy name=\
    peer1 public-key="xxx"  
/ip address
add address=192.168.0.1/24 comment=backup interface=ether7 network=\
    192.168.0.0
add address=10.0.1.1/24 interface=vlan1-management network=10.0.1.0
add address=10.0.10.1/24 interface=vlan10-system network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-home network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-voip network=10.0.30.0
add address=10.0.99.1/24 interface=vlan99-gast network=10.0.99.0
add address=192.168.100.1/24 comment=Wireguard interface=\
    Wireguard_Tobias_Handy network=192.168.100.0
add address=10.0.0.1/24 interface=dockers network=10.0.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add disabled=yes interface=ether8
/ip dhcp-server lease
-deleted-
/ip dhcp-server network
add address=10.0.1.0/24 comment=1 dns-server=10.0.0.2 gateway=10.0.1.1 \
    ntp-server=10.0.1.1 wins-server=10.0.1.1
add address=10.0.10.0/24 comment=System dns-server=10.0.0.2 gateway=10.0.10.1 \
    ntp-server=10.0.10.1 wins-server=10.0.10.1
add address=10.0.20.0/24 comment=home dns-server=10.0.0.2 gateway=10.0.20.1 \
    ntp-server=10.0.20.1 wins-server=10.0.20.1
add address=10.0.30.0/24 comment=voip dns-server=62.109.121.1,62.109.121.2 \
    gateway=10.0.30.1 ntp-server=10.0.30.1 wins-server=10.0.30.1
add address=10.0.99.0/24 comment=gast dns-server=10.0.99.1 gateway=10.0.99.1
add address=192.168.0.0/24 comment=backup dns-server=192.168.0.1 gateway=\
    192.168.0.1 ntp-server=192.168.0.1 wins-server=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.2
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \  
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\  
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\  
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp  
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1  
add action=drop chain=input comment="defconf: drop all not coming from LAN" \  
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \  
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \  
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \  
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\  
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \  
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \  
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \  
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=Docker src-address=10.0.0.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip upnp interfaces
add interface=vlan20-home type=internal
add interface=pppoe-WAN-O2 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6  
add address=::1/128 comment="defconf: lo" list=bad_ipv6  
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6  
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6  
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6  
add address=100::/64 comment="defconf: discard only " list=bad_ipv6  
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6  
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6  
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6  
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\  
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\  
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\  
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \  
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\  
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \  
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\  
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\  
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec  
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\  
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\  
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \  
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6  
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6  
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \  
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\  
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139  
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\  
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\  
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\  
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec  
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\  
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router
/system logging
add disabled=yes topics=wireless
add disabled=yes topics=caps
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=ptbtime1.ptb.de
add address=ptbtime2.ptb.de
add address=0.de.pool.ntp.org
add address=1.de.pool.ntp.org
/system scheduler
add interval=1d name=pppoe_reconnect on-event="/interface pppoe-client disable\  
    \_pppoe-WAN-O2\r\
    \n:delay 2s\r\
    \n/interface pppoe-client enable pppoe-WAN-O2" policy=\  
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-02-15 start-time=03:59:05
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks in advance for any food for thought or solutions.

Regards

Content-ID: 670438

Url: https://administrator.de/forum/mikrotik-firewall-regeln-vlans-separieren-gast-vlan-nur-internet-670438.html


aqui, 01.01.2025, updated at 13:10:25
Maybe this helps a bit with understanding?!
Also worth reading on the subject of rules is this thread
VLAN10 --> access to all VLANs
Does that mean no internet and only the VLANs, or the internet in addition to the VLANs? 🤔
gastric, 01.01.2025, updated at 16:57:27
Place the following rules before the general drop rule in the forward chain:
VLAN99 --> internet access only
VLAN30 --> use the ISP's DNS (currently entered manually in DHCP) + internet access only

/interface list
add name=INET_ONLY

/interface list member
add interface=vlan99-gast list=INET_ONLY
add interface=vlan30-voip list=INET_ONLY

/ip firewall filter add chain=forward in-interface-list=INET_ONLY out-interface=pppoe-WAN-O2 action=accept

VLAN20 --> full internet access (all ports and protocols)
VLAN10 --> access to all VLANs
VLAN1 --> access to all VLANs
/interface list
add name=LAN_FULL_ACCESS

/interface list member
add interface=vlan1-management list=LAN_FULL_ACCESS
add interface=vlan10-system list=LAN_FULL_ACCESS
add interface=vlan20-home list=LAN_FULL_ACCESS

/ip firewall filter add chain=forward in-interface-list=LAN_FULL_ACCESS action=accept

Then add this rule at the end of the forward chain...
add action=drop chain=forward comment="drop everything else"  


IPv6 follows the same scheme as IPv4, but it's switched off on your box anyway, so it only becomes relevant once IPv6 is enabled...

Regards gastric
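Added example (not part of gastric's post or of the original thread): a complete forward chain that implements the requirements from the opening post, including the port restriction for the guest VLAN. Interface names are taken from the posted export; the list names VLAN_FULL and VLAN_INET are chosen here, and treating the WireGuard tunnel like VLAN1 is an assumption. It differs from the LAN_FULL_ACCESS list above in one point: VLAN20 only gets the internet (plus the pi-hole container it receives as DNS server via DHCP), because the opening post asks for separation of all VLANs except VLAN1 and VLAN10.

```routeros
# Added example, not from the thread. Forward chain for the five VLANs.
# Names from the posted export; VLAN_FULL/VLAN_INET are chosen here.
# Assumption: the WireGuard phone tunnel gets the same rights as VLAN1.

/interface list
add name=VLAN_FULL comment="may initiate to every VLAN and to the internet"
add name=VLAN_INET comment="may initiate to the internet only"

/interface list member
add list=VLAN_FULL interface=vlan1-management
add list=VLAN_FULL interface=vlan10-system
add list=VLAN_FULL interface=Wireguard_Tobias_Handy comment="assumption: admin tunnel"
add list=VLAN_INET interface=vlan20-home
add list=VLAN_INET interface=vlan30-voip

/ip firewall filter
# 1. stateful part, identical to the default config already on the router
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

# 2. policy: only new connections from the inside reach this point
add chain=forward action=accept in-interface-list=VLAN_FULL \
    comment="VLAN1, VLAN10, WireGuard: all VLANs + internet"
add chain=forward action=accept in-interface-list=VLAN_INET out-interface-list=WAN \
    comment="VLAN20/VLAN30: full internet, all protocols (SIP/RTP need more than 80/443)"
add chain=forward action=accept in-interface=vlan20-home dst-address=10.0.0.2 \
    protocol=udp dst-port=53 comment="VLAN20 -> pi-hole (DHCP hands out dns-server=10.0.0.2)"
add chain=forward action=accept in-interface=vlan20-home dst-address=10.0.0.2 \
    protocol=tcp dst-port=53 comment="VLAN20 -> pi-hole (TCP)"
add chain=forward action=accept in-interface=vlan99-gast out-interface-list=WAN \
    protocol=tcp dst-port=80,443 comment="VLAN99: HTTP/HTTPS only"
add chain=forward action=accept in-interface=vlan99-gast out-interface-list=WAN \
    protocol=udp dst-port=443 comment="VLAN99: QUIC; delete this rule for TCP only"

# 3. catch-all: guest/home/voip towards any other VLAN ends here
add chain=forward action=drop comment="drop everything else"
```

The four defconf rules are already present; the new accept rules must sit below "drop invalid" and above the catch-all, either by adding them before the catch-all is created or with `/ip firewall filter move`. VLAN30 needs no DNS rule because its DHCP network hands out the ISP's resolvers, which are reached through the WAN accept. Guest DNS is not a forward matter at all: the guest DHCP network hands out 10.0.99.1, so those queries hit the input chain of the router, which then asks 10.0.0.2 itself.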
Tobi26, 01.01.2025 at 14:59:55
Thanks for your reply.
VLAN10 also needs internet 😊

I'll have a look at the links.

Regards
Tobi26, 01.01.2025, updated at 15:09:59
Thanks for the solution. And straight away another question.
Can I combine VLAN30 and VLAN99 (internet only) into an interface list "internet_only" and then insert it like this?

/ip firewall filter add chain=forward in-interface-list=internet_only out-interface=pppoe-WAN-O2 action=accept

Grüße
gastric, 01.01.2025 at 15:19:51
Quote from @Tobi26:

Thanks for the solution. And straight away another question.
Can I combine VLAN30 and VLAN99 (internet only) into an interface list "internet_only" and then insert it like this?

/ip firewall filter add chain=forward in-interface-list=internet_only out-interface=pppoe-WAN-O2 action=accept

Regards

Sure.
Tobi26, 01.01.2025 at 16:35:07
One more question about this point:

Then this rule ...
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

... change into the following rule

add action=drop chain=forward comment="defconf: drop everything else"

On my box that rule isn't in the forward chain but in the input chain...
gastric, 01.01.2025, updated at 17:06:34
Sorry, you have to add it at the end as a "catch-all" rule instead of replacing one. It then only takes effect when no explicit allow rule has been created for a network/traffic, so that such traffic isn't forwarded automatically.
Tobi26, 02.01.2025, updated at 11:31:04
Hmm... yesterday I hopefully adopted all of this correctly, but afterwards nothing got out towards the internet from any network anymore.
Here are my current rules again; the new ones are disabled, otherwise I couldn't have posted this 😉:
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp  
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked  
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid  
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp  
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1  
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN  
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec  
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec  
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked  
add action=accept chain=forward comment="internet_only fuer Gast und VOIP" disabled=yes in-interface-list=internet_only out-interface-list=WAN  
add action=accept chain=forward comment="volles internet fuer LAN" disabled=yes in-interface-list=LAN out-interface-list=WAN  
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid  
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN  
add action=drop chain=forward comment="alles andere verwerfen" disabled=yes  
aqui, 02.01.2025, updated at 11:50:13
Just an off-topic aside: 13231 is not a free port but a fixed IANA-reserved port, and using it without authorization is at least not gentleman-like! ☹
https://www.iana.org/assignments/service-names-port-numbers/service-name ...
WireGuard always recommends using the ephemeral ports (49152–65535, RFC 6335), e.g. 53231. Or you use L2TP to get around that.
Tobi26, 02.01.2025 at 11:56:15
I absolutely agree with you... I thought I had checked that before setting it up, but obviously not, or not properly 🙈.
Will be changed!
And thanks for the hint.
Tobi26, 02.01.2025 at 15:14:21
Found the error, or rather the problem.
It's apparently because I run DNS via pi-hole and unbound.
So I still have to allow the two containers, i.e. the "bridge-docker", in both the input and the forward chain.
I'll test and report back...
Tobi26, 02.01.2025, updated at 15:41:41
So, it seems to work now for the time being.
Could you take a look at whether I've built something odd or whether it's OK like this:
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp  
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked in-interface-list=LAN  
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid  
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp  
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1  
add action=accept chain=input comment="DNS in dockers" in-interface=bridge-dockers  
add action=accept chain=input comment="DNS fuer Internet_only" dst-port=53 in-interface-list=internet_only protocol=udp  
add action=accept chain=input comment="DNS fuer Internet_only" dst-port=53 in-interface-list=internet_only protocol=tcp  
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes  
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec  
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec  
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes  
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked  
add action=accept chain=forward comment="Forwarding fuer dockers" in-interface=bridge-dockers  
add action=accept chain=forward comment="forwarding fuer LAN" in-interface-list=LAN  
add action=accept chain=forward comment="internet_only fuer Gast und VOIP" in-interface-list=internet_only out-interface-list=WAN  
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid  
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN  
add action=log chain=forward comment=log connection-nat-state="" connection-state=""  
add action=drop chain=forward comment="alles andere verwerfen"  

🙏 Thanks (and yes, the WireGuard port will still be changed 😉)
gastric, 02.01.2025, updated at 16:08:44
Error 1:

add action=accept chain=forward comment="forwarding fuer LAN" in-interface-list=LAN
That rule effectively allows everything from the LAN; the restricted networks can get everywhere with it too if all internal interfaces are in the LAN list, ergo it has to go.

Error 2:

Can and should go, since undefined states ...
add action=log chain=forward comment=log connection-nat-state="" connection-state=""

And always remember: if you drop the forward chain in general at the end, you need a corresponding allow rule for every network so that its traffic is routed too.
Just as with every other firewall.
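Added example (not from the thread): the input chain for the router's own services plus the forward rules the container DNS path needs, written for the names in the posted export (bridge `dockers` with pi-hole 10.0.0.2 and unbound 10.0.0.3; the later posts call it `bridge-dockers`, the export calls it `dockers`). Assumptions: management of the router (Winbox/SSH/WebFig/CAPsMAN) only from VLAN1 and the WireGuard tunnel, WireGuard moved to 53231 as aqui suggested, pi-hole fetching its blocklists over HTTP/HTTPS. Client queries to 10.0.0.2 belong to the per-VLAN forward policy and are not repeated here. The established/related accept is left unrestricted on purpose: the router's own NTP client and cloud DDNS updates from the export get their replies on the WAN interface, which the `in-interface-list=LAN` variant in the post above would drop.

```routeros
# Added example, not from the thread. Input chain for the router's own services
# and the forward rules the pi-hole/unbound containers need. Names as in the
# posted export; assumptions are marked in the comments.

/interface list
add name=MGMT comment="may reach Winbox/SSH/WebFig/CAPsMAN on the router (assumption)"
/interface list member
add list=MGMT interface=vlan1-management
add list=MGMT interface=Wireguard_Tobias_Handy

/ip firewall filter
# --- input: the router itself, first match wins ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: unrestricted, NTP/cloud DDNS replies arrive on WAN"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: loopback (CAPsMAN)"
add chain=input action=accept protocol=udp dst-port=53231 \
    comment="WireGuard on an ephemeral port (53231 is aqui's example)"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 \
    comment="DHCP requests from every VLAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="DNS: guest VLAN asks 10.0.99.1, the router forwards to pi-hole"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 \
    comment="DNS over TCP"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=123 \
    comment="NTP server, advertised via DHCP ntp-server option"
add chain=input action=accept in-interface=dockers protocol=udp dst-port=53 \
    comment="containers may ask the router for names (post's 'DNS in dockers', narrowed to 53)"
add chain=input action=accept in-interface-list=MGMT \
    comment="management only from VLAN1 and the WireGuard tunnel"
add chain=input action=drop \
    comment="drop everything else, replaces 'drop all not coming from LAN'"

# --- forward: container path, insert directly above the catch-all drop ---
add chain=forward action=accept in-interface=vlan1-management dst-address=10.0.0.0/24 \
    comment="admin reaches the container web UIs"
add chain=forward action=accept in-interface=dockers out-interface-list=WAN \
    protocol=udp dst-port=53 comment="unbound recursion to authoritative servers"
add chain=forward action=accept in-interface=dockers out-interface-list=WAN \
    protocol=tcp dst-port=53 comment="unbound recursion (TCP fallback)"
add chain=forward action=accept in-interface=dockers out-interface-list=WAN \
    protocol=tcp dst-port=80,443 comment="pi-hole blocklist updates (assumption)"
add chain=forward action=log log-prefix="FWD-DROP " disabled=yes \
    comment="enable briefly while testing; replaces the empty-state log rule"

# --- checks: which rule did a connection hit, and what is the catch-all eating ---
/ip firewall filter print stats where chain=forward
/log print where message~"FWD-DROP"
```

With the final input drop in place every VLAN can still get DHCP, DNS, NTP and ICMP from the router, but Winbox, SSH and WebFig are reachable only from the MGMT list; the guest VLAN in particular no longer sees port 8291. The log rule is disabled by default and matches on nothing but position, so enabling it for a few minutes shows exactly which src/dst pairs fall through to the catch-all, and `print stats` confirms that the intended accept rule, not the catch-all, is counting the packets.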