Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alexander2017-03-07 14:01:53
Mikrotik
Alexander, 2017-03-07 14:01:53

Routing between VLANs on the same port in Mikrotik?

Good afternoon! Tell me, I have created two vlans on the Mikrotik port. Picked up DHCP for them and sent it to the switch. I checked it from the switch - everything is fine, I get the addresses in accordance with the necessary vlan. Then I did NAT for each vlan - the Internet appeared accordingly and pings went from one vlan to another, but I need to cut off network X from network Y, and network Y should easily go to network X. I started making rules in the Firewall, but as soon as I did one the rule to prohibit passing traffic from network X to Y packets stopped going in both directions. I tried to make a permissive rule for the passage of packets from Y to X, but pings do not go, however, the number of packets in the statistics of the rule increases, which means the rule is being processed.
I'm dealing with vlans for the first time, I'm sure that I'm doing something wrong, please tell me about my mistakes and how to implement this scheme?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
A
Alexander Romanov, 2017-03-07
@moneron89

Enough, in fact, one rule.
And explain why you masquerade? Two networks on one router will work fine without it, if you haven’t put something else there.
From Mikrotik's point of view, vlans are ordinary interfaces. They are no different from any other interfaces, and routing is the same. Accordingly, in the firewall, distinctions are introduced absolutely in full accordance with the logic of what is happening.

Report
R
Ruslan Fedoseev, 2017-03-07
@martin74ua

ping from network X to network Y - ping replies go from network Y to network X, and therefore fall under your deny rule.
You need to disable the passage of tcp syn packets from network Y to network X, this will close the possibility of establishing a connection from network Y to network X, but vice versa will be possible. Ping will go both ways, and udp will go both ways.
For more details - read how the TCP protocol works

Report
V
Viktor Belsky, 2017-03-07
@Belyj

Before drop, make a cut rule to go from X to Y, but set the Connection State to Established and Related, this will make it possible to receive responses to packets that were sent from network Y.

Report
A
Alexander, 2017-03-10
@Kr1og5n

Thank you all for your replies, it cleared things up. I decided to do the following for myself - I limited the networks to each other, and made one computer an exception so that it could go to any network. Basically, this is what I needed.

Similar questions
O
ODISW2015-10-15 15:25:49
How to connect several WEB servers to one external IP via Mikrotik? 3Reply
A
Andrey Makarenko2021-06-22 13:07:55
Mikrotik, ip address forwarding? 1Reply
P
Pavel Perkov2021-06-23 16:04:15
Double NAT in another country, how to overcome? 4Reply
E
eri2015-10-17 20:33:56
How to force IOS user on Mikrotik hotspot to open Safari? 1Reply
A
Ashot Aslanyan2015-10-18 20:25:02
How to convert static mac addresses from Mikrotik arp table to DHCP-lease? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question