Hi there,
I have (basic?) questions about interface lists.
My new RB5009 comes with two interface lists: WAN and LAN.
By default, the bridge interface is the only member of the LAN list:
Code:
/interface list member
add comment=defconf interface=bridge list=LAN
The LAN list is then used in several places:
Code:
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
So far so good. Now I added some VLANs, for example:
Code:
/interface vlan
add interface=bridge name=vlan-10-trusted vlan-id=10
/ip pool
add name=dhcp_pool2 ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=vlan-10-trusted name=dhcp-10-trusted
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge vlan-ids=10
/ip address
add address=10.0.10.1/24 interface=vlan-10-trusted network=10.0.10.0
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
As you can see, I set up a VLAN interface (vlan-10-trusted) which is a child of the bridge, and I also configured a DHCP server for that network.
I then disabled the above mentioned firewall rule (just for testing):
Code:
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
The first thing I noticed is that in Winbox, neighbor discovery was not working when my PC was in my VLAN 10.
This makes sense to me because of this sentence from the docs:
"Care must be taken when working with bridges and lists. Adding a bridge as a member is not the same as adding all its ports! And adding all slave ports as members is not the same as adding the bridge itself. This can particularly impact functionality of neighbor discovery."
OK, so when I added vlan-10-trusted to the LAN list, neighbor discovery was working from VLAN 10 as expected.
But let us assume, I did not add vlan-10-trusted to LAN list.
Since `allowed-interface-list` of the mac-winbox server was set to LAN as well, I assumed that I cannot connect using Winbox.
But it works. Why is that?

It looks a bit inconsistent to me, compared to the neighbor discovery case above.
If I enable the firewall rule again, I cannot connect via Winbox anymore from my VLAN.
The firewall rule referenced the LAN list. And since I did not add vlan-10-trusted to that list explicitly, incoming traffic from the VLAN is blocked. So this is similar to the neighbor discovery case.
But now comes the bonus question:
Let us say, I do not add vlan-10-trusted to LAN list, so the list contains just the bridge, and I keep the firewall rule as it is (blocking everything not coming via LAN ... the bridge).
I would assume that DHCP traffic from the VLAN to the router is blocked just like the winbox traffic.
But it is not. All my VLAN clients successfully get an IP address from the router. Why?

Can somebody give me some insights here on what I am missing?

Statistics: Posted by psychodeer — Thu Apr 03, 2025 10:49 pm
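The post turns on one point: an interface list contains exactly the interfaces added to it, so a VLAN interface created on top of the bridge is not in LAN just because the bridge is, and every defconf setting that references LAN (the input-chain drop rule, neighbor discovery, the MAC servers) treats that VLAN as an outsider. As an added example, not part of psychodeer's post and not a MikroTik tool, here is a small Python audit script that reads a RouterOS export and reports interfaces that carry an IP address or a DHCP server but are missing from a list that an input-chain `in-interface-list=!LIST` drop rule protects. The sample export is constructed from the config lines in the post plus one assumed bridge address (192.168.88.1/24, a placeholder); the parser is deliberately simple and does not handle multi-line exports with `\` continuations.

```python
import re
from collections import defaultdict

# Constructed sample export: the post's own lines, plus one assumed bridge
# address (placeholder value, not taken from the post).
SAMPLE_EXPORT = """\
/interface list member
add comment=defconf interface=bridge list=LAN
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/interface vlan
add interface=bridge name=vlan-10-trusted vlan-id=10
/ip dhcp-server
add address-pool=dhcp_pool2 interface=vlan-10-trusted name=dhcp-10-trusted
/ip address
add address=10.0.10.1/24 interface=vlan-10-trusted network=10.0.10.0
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
"""

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Group 'add'/'set' lines under the '/path' section that precedes them."""
    sections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        if section and verb in ("add", "set"):
            entry = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
            entry["_verb"] = verb
            sections[section].append(entry)
    return sections


def protected_lists(sections):
    """Lists L for which an input-chain drop rule matches in-interface-list=!L."""
    names = set()
    for rule in sections.get("/ip firewall filter", []):
        if rule.get("chain") == "input" and rule.get("action") == "drop":
            value = rule.get("in-interface-list", "")
            if value.startswith("!"):
                names.add(value[1:])
    return names


def list_members(sections):
    """Explicit membership only: exactly what '/interface list member' contains."""
    members = defaultdict(set)
    for m in sections.get("/interface list member", []):
        members[m["list"]].add(m["interface"])
    return members


def audit(text):
    """Return one finding per (protected list, served interface not in it)."""
    sections = parse_export(text)
    members = list_members(sections)
    vlan_parent = {v["name"]: v["interface"] for v in sections.get("/interface vlan", [])}

    # Interfaces the router itself serves on: an address or a DHCP server is bound there.
    served = defaultdict(set)
    for a in sections.get("/ip address", []):
        served[a["interface"]].add("address " + a["address"])
    for d in sections.get("/ip dhcp-server", []):
        served[d["interface"]].add("dhcp-server " + d["name"])

    findings = []
    for lst in sorted(protected_lists(sections)):
        for iface, uses in sorted(served.items(), key=lambda kv: kv[0]):
            if iface in members[lst]:
                continue
            note = ""
            parent = vlan_parent.get(iface)
            if parent and parent in members[lst]:
                note = f" (VLAN on {parent}, which is a member; list membership is not inherited)"
            findings.append(
                f"{iface} is not a member of {lst} but carries: {', '.join(sorted(uses))}{note}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

Running it on the sample reports vlan-10-trusted as carrying an address and a DHCP server without being a LAN member, with the note that its parent bridge is a member. Appending the post's own fix, `/interface list member` / `add interface=vlan-10-trusted list=LAN`, clears the finding, which is the state where the firewall rule, neighbor discovery and the MAC servers all treat the VLAN the same way.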