Got Mikrotik?
Here is my config
Q: which guy needs vlans @ home
A: a guy with a summit24 :-) thanks to http://www.cheat.at
/ip firewall filter export
add action=accept chain=in_vlan10 comment="" disabled=no dst-port=8291 protocol=tcp src-address-list=safe
add action=accept chain=in_vlan10 comment="" disabled=no dst-port=21 protocol=tcp src-address-list=safe
add action=drop chain=in_vlan10 comment="" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=2w chain=in_vlan10 comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=in_vlan10 comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=in_vlan10 comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=in_vlan10 comment="" connection-state=new disabled=no dst-port=22 protocol=tcp
add action=accept chain=in_vlan10 comment="" disabled=no dst-port=22 protocol=tcp
add action=accept chain=in_vlan10 comment="" disabled=no icmp-options=8:0-255 protocol=icmp
add action=accept chain=in_vlan10 comment="" connection-state=established disabled=no
add action=accept chain=in_vlan10 comment="" connection-state=related disabled=no
add action=log chain=in_vlan10 comment="" disabled=yes log-prefix=""
add action=drop chain=in_vlan10 comment="" disabled=no
Here is my input chain of vlan10 (wan) with the ssh-crawler auto-blacklister
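To see what the four add-src-to-address-list rules above actually do over time, here is a small simulation of that ladder. It is an added example, not part of the original export or of RouterOS itself. It assumes that each add-src-to-address-list rule passes the packet on to the next rule (the RouterOS default), that an address already on a list keeps its original timeout rather than being refreshed, and that time is counted in seconds; the source addresses are constructed from documentation ranges. It also runs the same rules in the reversed order to show why the export lists stage3 first and stage1 last.

```python
"""Simulate the ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist ladder
of the in_vlan10 chain for new TCP/22 connections.

Added example, not part of the original config. Assumptions not taken from
the page: each add-src-to-address-list rule passes the packet on to the next
rule (RouterOS default passthrough), an address already on a list keeps its
original timeout instead of being refreshed, and time is counted in seconds.
The source addresses below are constructed from documentation ranges."""

from typing import Dict, List, Optional, Tuple

# Timeouts as exported: every stage lives 1m, the blacklist 2w.
TIMEOUTS: Dict[str, int] = {
    "ssh_stage1": 60,
    "ssh_stage2": 60,
    "ssh_stage3": 60,
    "ssh_blacklist": 14 * 24 * 3600,
}

# The four add-src-to-address-list rules in the order they appear in the chain,
# as (list the source must already be on, list it gets added to). None means the
# rule matches every new SSH connection (the unconditional stage1 rule).
Ladder = List[Tuple[Optional[str], str]]
EXPORT_ORDER: Ladder = [
    ("ssh_stage3", "ssh_blacklist"),
    ("ssh_stage2", "ssh_stage3"),
    ("ssh_stage1", "ssh_stage2"),
    (None, "ssh_stage1"),
]
# The same rules bottom-up, to show why the export order matters.
REVERSED_ORDER: Ladder = list(reversed(EXPORT_ORDER))


class AddressLists:
    """Dynamic address-list entries, keyed by (list name, address), with expiry."""

    def __init__(self) -> None:
        self._expiry: Dict[Tuple[str, str], int] = {}

    def contains(self, name: str, addr: str, now: int) -> bool:
        expiry = self._expiry.get((name, addr))
        return expiry is not None and now < expiry

    def add(self, name: str, addr: str, now: int) -> None:
        # Assumption: an unexpired entry is left alone rather than refreshed.
        if not self.contains(name, addr, now):
            self._expiry[(name, addr)] = now + TIMEOUTS[name]


def handle_new_ssh(lists: AddressLists, addr: str, now: int, ladder: Ladder) -> str:
    """Apply the port-22 rules of in_vlan10 to one new connection; return the verdict."""
    # 'drop ... src-address-list=ssh_blacklist' sits above the ladder in the chain.
    if lists.contains("ssh_blacklist", addr, now):
        return "drop"
    # The ladder, top to bottom; every rule passes the packet on to the next.
    for required, target in ladder:
        if required is None or lists.contains(required, addr, now):
            lists.add(target, addr, now)
    # 'accept ... dst-port=22' comes after the ladder, so this packet still gets in.
    return "accept"


def simulate(attempts: List[Tuple[int, str]], ladder: Ladder = EXPORT_ORDER) -> List[str]:
    """Feed (seconds, source address) new-connection events through the chain in time order."""
    lists = AddressLists()
    return [handle_new_ssh(lists, addr, now, ladder) for now, addr in sorted(attempts)]


# Constructed traffic: a burst of five attempts inside one minute, and a slow
# crawler that waits 90 s between attempts so every stage entry expires.
BURST = [(t, "198.51.100.7") for t in (0, 10, 20, 30, 40)]
SLOW = [(t, "203.0.113.9") for t in (0, 90, 180, 270, 360)]

if __name__ == "__main__":
    print("burst, export order  :", simulate(BURST))
    print("slow crawler         :", simulate(SLOW))
    print("burst, reversed order:", simulate(BURST, REVERSED_ORDER))
```

With the export order, the burst source is still accepted on its fourth new connection (the packet that lands it on ssh_blacklist) and dropped from the fifth onwards, while the slow crawler never climbs past ssh_stage1 because each 1m entry has expired before the next attempt; the stage timeouts are the knob to turn if that is too lenient. With the reversed order every rung is satisfied by the very first packet, so a single SSH connection would blacklist the source for two weeks, the admin included.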
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=8291 protocol=tcp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=80 protocol=tcp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=22 protocol=tcp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=21 protocol=tcp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=53 protocol=udp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no dst-port=67 protocol=udp src-address-list=lan
add action=accept chain=in_vlan11 comment="" disabled=no icmp-options=8:0-255 protocol=icmp src-address-list=lan
add action=accept chain=in_vlan11 comment="" connection-state=established disabled=no
add action=accept chain=in_vlan11 comment="" connection-state=related disabled=no
add action=log chain=in_vlan11 comment="" disabled=yes log-prefix=""
add action=drop chain=in_vlan11 comment="" disabled=no
Here is my input chain of vlan11 (my lan)
add action=accept chain=in_vlan12 comment="" disabled=no icmp-options=8:0-255 protocol=icmp src-address-list=vlan12
add action=accept chain=in_vlan12 comment="" connection-state=established disabled=no
add action=accept chain=in_vlan12 comment="" connection-state=related disabled=no
add action=log chain=in_vlan12 comment="" disabled=yes log-prefix=""
add action=drop chain=in_vlan12 comment="" disabled=no
Here is my input chain of vlan12 (switch mgmt)
add action=accept chain=in_vlan13 comment="" disabled=no icmp-options=8:0-255 protocol=icmp src-address-list=vlan13
add action=accept chain=in_vlan13 comment="" connection-state=established disabled=no
add action=accept chain=in_vlan13 comment="" connection-state=related disabled=no
add action=log chain=in_vlan13 comment="" disabled=yes log-prefix=""
add action=drop chain=in_vlan13 comment="" disabled=no
Here is my input chain of vlan13 (wlan); “pwgen -s 60” for the WPA key
add action=accept chain=forward_vlan11 comment="" disabled=no out-interface=vlan10 src-address-list=lan
add action=accept chain=forward_vlan11 comment="" disabled=no dst-address=xxx.xxx.xxx.xxx dst-port=xx out-interface=vlan11 protocol=tcp src-address-list=safe
add action=accept chain=forward_vlan11 comment="" disabled=no dst-address=xxx.xxx.xxx.xxx dst-port=xxxx out-interface=vlan11 protocol=tcp
add action=accept chain=forward_vlan11 comment="" connection-state=established disabled=no
add action=accept chain=forward_vlan11 comment="" connection-state=related disabled=no
add action=log chain=forward_vlan11 comment="" disabled=yes log-prefix=""
add action=drop chain=forward_vlan11 comment="" disabled=no
Here is my forward chain for vlan11 (lan) with 2 port forwards and out-interface vlan10,
so no wlan client is able to get from vlan13 to vlan10 to vlan12 etc., or the reverse
add action=accept chain=forward_vlan12 comment="" disabled=no out-interface=vlan10 src-address-list=vlan12
add action=accept chain=forward_vlan12 comment="" connection-state=established disabled=no
add action=accept chain=forward_vlan12 comment="" connection-state=related disabled=no
add action=log chain=forward_vlan12 comment="" disabled=yes log-prefix=""
add action=drop chain=forward_vlan12 comment="" disabled=no
Here is my forward chain for vlan12 (switch mgmt), for ntpdate :-)
add action=accept chain=forward_vlan13 comment="" disabled=no out-interface=vlan10 src-address-list=vlan13
add action=accept chain=forward_vlan13 comment="" connection-state=established disabled=no
add action=accept chain=forward_vlan13 comment="" connection-state=related disabled=no
add action=log chain=forward_vlan13 comment="" disabled=yes log-prefix=""
add action=drop chain=forward_vlan13 comment="" disabled=no
Here is my forward chain for vlan13 (wlan)
add action=jump chain=input comment="" disabled=no in-interface=vlan10 jump-target=in_vlan10
add action=jump chain=input comment="" disabled=no in-interface=vlan11 jump-target=in_vlan11
add action=jump chain=input comment="" disabled=no in-interface=vlan12 jump-target=in_vlan12
add action=jump chain=input comment="" disabled=no in-interface=vlan13 jump-target=in_vlan13
add action=accept chain=input comment="" connection-state=established disabled=no
add action=accept chain=input comment="" connection-state=related disabled=no
add action=log chain=input comment="" disabled=yes log-prefix=""
add action=drop chain=input comment="" disabled=no
Here are the jumps to the input chains
add action=jump chain=forward comment="" disabled=no jump-target=forward_vlan11 src-address-list=lan
add action=jump chain=forward comment="" disabled=no dst-address-list=lan jump-target=forward_vlan11
add action=jump chain=forward comment="" disabled=no jump-target=forward_vlan12 src-address-list=vlan12
add action=jump chain=forward comment="" disabled=no jump-target=forward_vlan13 src-address-list=vlan13
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=log chain=forward comment="" disabled=yes log-prefix=""
add action=drop chain=forward comment="" disabled=no
Here are the jumps to the forward chains
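The forward chain and its three per-VLAN sub-chains together decide which VLAN may open connections to which. Below is an added example (not part of the original export, not RouterOS code) that walks the first packet of a new connection through those jumps and prints the resulting isolation matrix, so the claim that a wlan client can only reach the WAN can be checked rather than assumed. It models only the rules visible on the page: the two port-forward accepts in forward_vlan11 are left out because their addresses and ports are masked in the export. It assumes the lan, vlan12 and vlan13 address lists hold the hosts of vlan11, vlan12 and vlan13 respectively (the lists themselves are not exported), that a connection-state=new packet never matches the established/related accepts, and that a sub-chain without a terminal action returns to the parent chain and an exhausted built-in chain accepts, which is standard RouterOS jump behaviour.

```python
"""Walk a new connection's first packet through the forward chain and the
forward_vlan11/12/13 sub-chains to build the VLAN-to-VLAN isolation matrix.

Added example, not part of the original config. The port-forward rules of
forward_vlan11 are omitted because their values are masked on the page, and
the VLAN-to-address-list mapping below is an assumption."""

from typing import Dict, List, Optional

# Each rule is a dict of RouterOS property names; a missing matcher matches anything.
RULES: List[Dict[str, str]] = [
    # Jumps to the per-VLAN forward chains, then the catch-all drop.
    {"chain": "forward", "action": "jump", "jump-target": "forward_vlan11", "src-address-list": "lan"},
    {"chain": "forward", "action": "jump", "jump-target": "forward_vlan11", "dst-address-list": "lan"},
    {"chain": "forward", "action": "jump", "jump-target": "forward_vlan12", "src-address-list": "vlan12"},
    {"chain": "forward", "action": "jump", "jump-target": "forward_vlan13", "src-address-list": "vlan13"},
    {"chain": "forward", "action": "accept", "connection-state": "established"},
    {"chain": "forward", "action": "accept", "connection-state": "related"},
    {"chain": "forward", "action": "drop"},
    # forward_vlan11 (lan): new connections may only leave towards vlan10 (wan).
    {"chain": "forward_vlan11", "action": "accept", "out-interface": "vlan10", "src-address-list": "lan"},
    {"chain": "forward_vlan11", "action": "accept", "connection-state": "established"},
    {"chain": "forward_vlan11", "action": "accept", "connection-state": "related"},
    {"chain": "forward_vlan11", "action": "drop"},
    # forward_vlan12 (switch mgmt) and forward_vlan13 (wlan) have the same shape.
    {"chain": "forward_vlan12", "action": "accept", "out-interface": "vlan10", "src-address-list": "vlan12"},
    {"chain": "forward_vlan12", "action": "drop"},
    {"chain": "forward_vlan13", "action": "accept", "out-interface": "vlan10", "src-address-list": "vlan13"},
    {"chain": "forward_vlan13", "action": "drop"},
]

# Assumed mapping of VLAN interface to the address list its hosts are on.
VLAN_LIST: Dict[str, str] = {"vlan11": "lan", "vlan12": "vlan12", "vlan13": "vlan13"}
VLANS = ("vlan10", "vlan11", "vlan12", "vlan13")

MATCHERS = ("in-interface", "out-interface", "src-address-list", "dst-address-list", "connection-state")


def matches(rule: Dict[str, str], packet: Dict[str, Optional[str]]) -> bool:
    """A rule matches when every matcher it specifies equals the packet's value."""
    return all(packet.get(key) == value for key, value in rule.items() if key in MATCHERS)


def evaluate(chain: str, packet: Dict[str, Optional[str]]) -> Optional[str]:
    """Return 'accept'/'drop' from this chain, or None if the chain ends without a verdict."""
    for rule in (r for r in RULES if r["chain"] == chain):
        if not matches(rule, packet):
            continue
        if rule["action"] == "jump":
            verdict = evaluate(rule["jump-target"], packet)
            if verdict is not None:
                return verdict  # sub-chain decided; otherwise continue with the next rule
        else:
            return rule["action"]
    return None


def new_connection(in_if: str, out_if: str) -> str:
    """Verdict for the first packet of a new connection entering in_if and leaving out_if."""
    packet = {
        "in-interface": in_if,
        "out-interface": out_if,
        "connection-state": "new",
        "src-address-list": VLAN_LIST.get(in_if),
        "dst-address-list": VLAN_LIST.get(out_if),
    }
    # An exhausted built-in chain accepts by default; it cannot happen here
    # because the forward chain ends in an unconditional drop.
    return evaluate("forward", packet) or "accept"


def isolation_matrix() -> Dict[str, str]:
    """Verdict for every ordered pair of distinct VLAN interfaces, keyed 'src->dst'."""
    return {f"{a}->{b}": new_connection(a, b) for a in VLANS for b in VLANS if a != b}


if __name__ == "__main__":
    for pair, verdict in isolation_matrix().items():
        print(f"{pair:16} {verdict}")
```

Running it shows that only vlan11, vlan12 and vlan13 towards vlan10 are accepted; every other pair, including anything arriving from vlan10 (which is on no address list and therefore only reaches the forward_vlan11 drop via the dst-address-list=lan jump, or the final drop), ends in drop. When the port forwards are added back in, the two extra accepts in forward_vlan11 are the only holes in that matrix, which is exactly the review point to revisit whenever those rules change.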
/ip firewall nat export
add action=src-nat chain=srcnat comment="" disabled=no out-interface=vlan10 src-address=xxx.xxx.xxx.xxx/xx to-addresses=xxx.xxx.xxx.xxx
add action=src-nat chain=srcnat comment="" disabled=no out-interface=vlan10 src-address=xxx.xxx.xxx.xxx/xx to-addresses=xxx.xxx.xxx.xxx
add action=src-nat chain=srcnat comment="" disabled=no out-interface=vlan10 src-address=xxx.xxx.xxx.xxx/xx to-addresses=xxx.xxx.xxx.xxx
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=xxx.xxx.xxx.xxx dst-port=xxxx protocol=tcp to-addresses=xxx.xxx.xxx.xxx to-ports=xx
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=xxx.xxx.xxx.xxx/xx dst-port=xxxx protocol=tcp to-addresses=xxx.xxx.xxx.xxx/xx to-ports=xxxx
Here is my nat table
Have fun