hello there,
I have a little problem with separating 2 subnets from each other totally.
The setup:
RB750GL
ether1 = internetgateway
ether2 = company lan
ether3 = vlan10 with company lan and vlan11 with guest wlan.
there is bridge1 with vlan10 and ether2
there is bridge2 with vlan11 only
I want bridge1 and bridge2 to be separated totally.
bridge2 is for internet use only.
So I drop input from src-address bridge2-subnet with dst-address ether2-subnet,
and I drop input from src-address ether2-subnet with dst-address bridge2-subnet,
and I drop forwarding from bridge2 that has NOT ether1 as outgoing interface (block everything that is not internet).
***
The problem: an IP scanner in vlan11 can scan the IP subnet of ether2. I don't want that.
I think it has to do with the fact that filter rules work on layer 3, and the IP scanner works on layer 2 (MAC). Is that right?
How can I block layer-2 traffic between two different interfaces or IP subnets?
greetz,
horstkevin
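The setup described in the post, written out as a RouterOS CLI configuration. This is an added example, not the poster's own export; the addresses 192.168.10.0/24 and 192.168.11.0/24 are constructed placeholders. It keeps the guest network isolated with rules in the forward chain, because rules in the input chain only match traffic addressed to the router itself and never see packets routed between bridge1 and bridge2.

```routeros
# Tagged VLANs on ether3 (constructed example; IDs as named in the post)
/interface vlan
add name=vlan10 vlan-id=10 interface=ether3
add name=vlan11 vlan-id=11 interface=ether3

# bridge1 = company LAN (ether2 + vlan10), bridge2 = guest WLAN (vlan11 only).
# Two separate bridges are two separate broadcast domains: the router does
# not pass Ethernet frames or ARP between them, so the only path from the
# guest side to the company side is routed (layer 3) traffic.
/interface bridge
add name=bridge1 comment="company LAN"
add name=bridge2 comment="guest WLAN"
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=vlan10
add bridge=bridge2 interface=vlan11

# Placeholder subnets; the address sits on the bridge, not on ether2
/ip address
add address=192.168.10.1/24 interface=bridge1
add address=192.168.11.1/24 interface=bridge2

# Routed traffic between the two networks passes the FORWARD chain.
# Matching on in-/out-interface catches it regardless of source address.
/ip firewall filter
add chain=forward in-interface=bridge2 out-interface=!ether1 action=drop \
    comment="guest may only reach the internet"
add chain=forward in-interface=bridge1 out-interface=bridge2 action=drop \
    comment="company LAN may not reach guest"

# Optional: also keep guests away from the router's own services.
# The INPUT chain is the right place for that, and only for that.
add chain=input in-interface=bridge2 protocol=udp dst-port=53 action=accept \
    comment="guest DNS via router"
add chain=input in-interface=bridge2 action=drop comment="guest -> router"
```

Checking `/ip firewall filter print stats` while a scan runs from vlan11 shows which rule, if any, counts the packets; a scan that still reaches 192.168.10.0/24 with zero hits on the forward rules points at the VLAN or bridge-port assignment rather than at the filter.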