Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alexander2017-03-07 14:01:53
Mikrotik
Alexander, 2017-03-07 14:01:53

Routing between VLANs on the same port in Mikrotik?

Good afternoon! Tell me, I have created two vlans on the Mikrotik port. Picked up DHCP for them and sent it to the switch. I checked it from the switch - everything is fine, I get the addresses in accordance with the necessary vlan. Then I did NAT for each vlan - the Internet appeared accordingly and pings went from one vlan to another, but I need to cut off network X from network Y, and network Y should easily go to network X. I started making rules in the Firewall, but as soon as I did one the rule to prohibit passing traffic from network X to Y packets stopped going in both directions. I tried to make a permissive rule for the passage of packets from Y to X, but pings do not go, however, the number of packets in the statistics of the rule increases, which means the rule is being processed.
I'm dealing with vlans for the first time, I'm sure that I'm doing something wrong, please tell me about my mistakes and how to implement this scheme?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
A
Alexander Romanov, 2017-03-07
@moneron89

Enough, in fact, one rule.
And explain why you masquerade? Two networks on one router will work fine without it, if you haven’t put something else there.
From Mikrotik's point of view, vlans are ordinary interfaces. They are no different from any other interfaces, and routing is the same. Accordingly, in the firewall, distinctions are introduced absolutely in full accordance with the logic of what is happening.

Report
R
Ruslan Fedoseev, 2017-03-07
@martin74ua

ping from network X to network Y - ping replies go from network Y to network X, and therefore fall under your deny rule.
You need to disable the passage of tcp syn packets from network Y to network X, this will close the possibility of establishing a connection from network Y to network X, but vice versa will be possible. Ping will go both ways, and udp will go both ways.
For more details - read how the TCP protocol works

Report
V
Viktor Belsky, 2017-03-07
@Belyj

Before drop, make a cut rule to go from X to Y, but set the Connection State to Established and Related, this will make it possible to receive responses to packets that were sent from network Y.

Report
A
Alexander, 2017-03-10
@Kr1og5n

Thank you all for your replies, it cleared things up. I decided to do the following for myself - I limited the networks to each other, and made one computer an exception so that it could go to any network. Basically, this is what I needed.

Similar questions
A
Ashot Aslanyan2019-05-27 23:03:19
How to find out which user plugged the cable into the LAN router? 1Reply
R
remendado2021-01-22 18:59:37
Mikrotik IPSec - how to bring a fallen tunnel back to life? 0Reply
I
Igor Krivintsov2021-01-24 11:57:43
Why does the second route become inactive in mikrotik? 1Reply
F
FRANZEE2019-06-03 11:43:00
How to add an Era 2000 v2 controller on a different subnet? 1Reply
D
Dmitry2021-01-28 14:53:38
L2TP tunnel through ISP L2TP connection on Mikrotik? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question