Best way to limit communication between ports

I have an RB450G switch where ideally I'd like:

  • port 1 to be able to communicate with port 3
  • port 2 to be able to communicate with port 3
  • no communication between ports 1 and 2

All interfaces/ports are currently on the same IP subnet, and I'd like to keep it that way - I can possibly set up a separate IP subnet on port 3 and then route communication, but I'd rather keep the existing IP configuration if possible…

How are your interfaces currently set up? Bridged? Switch chip?

The switch chip doesn't support rules that refer to egress interfaces; you can only match on ingress, so what you want can't be done natively on the switch chip. You'd have to bridge the ports in software (which moves the IP addressing from the master port to the bridge port), and you can then use bridge filters:
http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Firewall

/interface bridge filter
add chain=forward in-interface=ether1 out-interface=ether3 action=accept
add chain=forward in-interface=ether2 out-interface=ether3 action=accept
add chain=forward in-interface=ether3 action=accept
add chain=forward action=drop

Permit traffic from ether1 to ether3, from ether2 to ether3, and from ether3 to anywhere. Then drop everything else.
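As an added check that is not part of the thread, a small first-match evaluator for the bridge-filter ruleset above: it models how RouterOS walks the forward chain and confirms the intended port isolation (ether1 and ether2 isolated from each other, both reaching ether3, ether3 able to answer) before the rules go on the router. The rule tuples and port names mirror the posted config; the default-accept fallback is an assumption that the last catch-all drop rule makes irrelevant.

```python
# Added example (not from the thread): first-match evaluator for the
# RouterOS bridge-filter forward chain quoted above, used to check the
# intended port isolation before committing the rules to the router.

# The forward chain as posted: (in-interface, out-interface, action).
# None means "any interface", i.e. a rule that omits that parameter.
BRIDGE_FORWARD_RULES = [
    ("ether1", "ether3", "accept"),
    ("ether2", "ether3", "accept"),
    ("ether3", None, "accept"),
    (None, None, "drop"),
]

def forward_action(rules, in_if: str, out_if: str) -> str:
    """Return the action of the first rule matching a frame bridged from
    in_if to out_if. The chain is evaluated top to bottom and accept/drop
    both terminate evaluation, so rule order decides the outcome."""
    for rule_in, rule_out, action in rules:
        if rule_in not in (None, in_if):
            continue
        if rule_out not in (None, out_if):
            continue
        return action
    # No rule matched: assumed default policy of the chain is accept.
    return "accept"

def reachability(rules, ports=("ether1", "ether2", "ether3")) -> dict:
    """Map every ordered (src, dst) port pair to the action the chain gives."""
    return {(s, d): forward_action(rules, s, d)
            for s in ports for d in ports if s != d}

def isolation_holds(rules) -> bool:
    """True when ether1 and ether2 cannot exchange frames in either
    direction, while both reach ether3 and ether3 can reply to both."""
    r = reachability(rules)
    return (r[("ether1", "ether2")] == "drop"
            and r[("ether2", "ether1")] == "drop"
            and all(r[p] == "accept" for p in
                    [("ether1", "ether3"), ("ether3", "ether1"),
                     ("ether2", "ether3"), ("ether3", "ether2")]))

if __name__ == "__main__":
    for (src, dst), action in sorted(reachability(BRIDGE_FORWARD_RULES).items()):
        print(f"{src} -> {dst}: {action}")
    # Without the "ether3 to anywhere" accept rule only the inbound half of
    # each conversation would pass and replies from ether3 would be dropped.
    print("isolation holds:", isolation_holds(BRIDGE_FORWARD_RULES))
```

Reordering the chain so the catch-all drop comes first, or omitting the ether3 accept rule, makes `isolation_holds` return False, which is the quick way to see why the posted order matters.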

Bridged was how I had it set up - thanks very much for the info, it worked like a charm…