Block communication between multiple ports

Hi,
[my HW/SW] RB2011UiAS-2HnD-IN, RouterOS 6.49.8

How can I block all communication between multiple ports? What should I turn off/on ?
I have 3 Windows PCs (Port2, Port5, Virtual wireless LAN) and stuff like NAS, Printer, IP camera, etc. For security reasons I want to block all communication between Windows devices, but be open for NAS, etc.
I did google and try some of the firewall rules with action=drop, but when I tried ping between Port2+Port5, it wasn’t blocked.

Is there a way to block L2 communication between Port2 + Port 5 + Virtual wlan on the same bridge/subnet?

Bridge-filter … bridge-horizon !

Okay so I have to ask, most people want to block users from each other, not ports. What do you have against ports LOL.

Seriously, users are on L2 subnets. Do you have different subnets per port? In which case blocking is easy!
Do you have one subnet on 3 different ports and want to block the ports.
The question I would ask is WHY, you put them on the same subnet.
If you don't want the users on different ports talking to each other, put them on different subnets.

If you don't have enough ports for the number of subnets you need, then switch from assigning a subnet to a port to assigning VLANs to a bridge. Problem solved.

If I put them on separate subnets/VLANs, how will they all see/connect to the NAS/NVR/Printer?

To do what you are asking (whether it is really what you want/need) you will need to use switches that have port isolation as an option.

For example, see Port Isolation for how a MikroTik 24 port switch running SwOS can be configured.

Assuming you want to do everything on the RB2011 which has multiple switches, you are going to have more of a problem, and I don’t know if it can be done without involving the RB2011 CPU, and that will affect performance. But if you are using wireless, that’s already using the CPU for bridging between wired and wireless ports (going only by the block diagram).

If you can limit everything to the Gb switch, then you may be able to use the /interface ethernet switch port-isolation feature to do what you are asking about, but it won’t help with wireless.

If you are just trying to protect the Windows PCs, why not just use the Windows firewall?

Hi Toravon, this illustrates that asking about a config setting is a waste of time.
What you did in response is an excellent response to the kind of information we need to help design a good config.
Namely, state all the requirements, all the needed traffic flows,
OF WHICH one is "I need to share a printer".

a. identify all users/devices, groups of users/devices
b. identify all the traffic they need to be able to accomplish or not accomplish


So you had one requirement (shared printer): who needs access to it…
Another requirement implied, you want certain users/devices or groups of users/devices not to be able to see each other.

Make a comprehensive list for proper planning.

Yea, that makes sense that it would be easier to have all 3 PCs on one switch (eth2-4). I did check in WinBox, and in Switch => Port Isolation you can "forward override" and then choose "forward to".
Only struggle that I need to add new cable through the house, I don’t mind cables on the wall, but other people in the household do.


I do use Windows firewall, and I even chose the option to NOT be discoverable on the network, but with Windows updates (Windows doing stuff in the background) and vulnerabilities, I do like to have more security in the router as well.


I see that I did try filters in Bridge like EXAMPLE:

/interface bridge filter
add action=drop chain=forward dst-mac-address=1 src-mac-address=2
add action=drop chain=forward dst-mac-address=2 src-mac-address=1

in Bridge settings, I did try turning on/off "Use IP Firewall" and "Allow Fast Path"

and in firewall I did try like this EXAMPLE:

/ip firewall filter add action=drop src-address=1 dst-address=2
/ip firewall filter add action=drop src-address=2 dst-address=1

but still, when I turn off Windows firewall and then ping the IP address, it wasn't blocked


So is there another way where I make 6-9 rules to block IP (all IP addresses are static) or MAC address so it blocks communication between devices? And turn off some hidden setting like "Allow Fast Path"?
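As an added example (not from any poster in this thread), here is how the "bridge filter / bridge horizon" approach from the first reply looks as a full RouterOS 6 configuration, including the check that usually explains why drop rules appear to do nothing: bridge filter and horizon only apply to frames the CPU forwards, so hardware offloading must be off on the isolated switch ports. Interface names (ether2, ether5, wlan1-virtual, ether3 for the NAS/printer) and the bridge name bridge1 are assumptions.

```routeros
# Added example, not from the thread. Assumed names: bridge1, ether2, ether5,
# wlan1-virtual (the three Windows PCs), ether3 (NAS/printer/IP camera).

# 1. Check which bridge ports are still hardware-offloaded. An "H" flag in
#    the output means the switch chip forwards frames between those ports
#    without the CPU ever seeing them, so no bridge filter or horizon applies.
/interface bridge port print

# 2. Disable hardware offloading on the wired ports to be isolated. Wireless
#    is already bridged in software, so wlan1-virtual needs no change.
/interface bridge port
set [find interface=ether2] hw=no
set [find interface=ether5] hw=no

# 3. Option A: split horizon. Ports sharing the same horizon value never
#    forward frames to each other, but still reach ports with no horizon
#    (ether3 with the NAS/printer), so shared devices stay reachable.
set [find interface=ether2] horizon=1
set [find interface=ether5] horizon=1
set [find interface=wlan1-virtual] horizon=1

# 4. Option B: explicit bridge filter drops, one rule per direction per
#    pair, if you prefer rules that show hit counters. Use A or B, not both.
/interface bridge filter
add chain=forward in-interface=ether2 out-interface=ether5 action=drop comment="PC isolation"
add chain=forward in-interface=ether5 out-interface=ether2 action=drop comment="PC isolation"
add chain=forward in-interface=ether2 out-interface=wlan1-virtual action=drop comment="PC isolation"
add chain=forward in-interface=wlan1-virtual out-interface=ether2 action=drop comment="PC isolation"
add chain=forward in-interface=ether5 out-interface=wlan1-virtual action=drop comment="PC isolation"
add chain=forward in-interface=wlan1-virtual out-interface=ether5 action=drop comment="PC isolation"

# 5. Verify: ping between two PCs should now fail while the NAS still answers;
#    with option B the rule counters should increase as the pings are dropped.
/interface bridge filter print stats
```

The trade-off is the one mentioned earlier in the thread: with hw=no, traffic between those ports is switched by the RB2011 CPU instead of the switch chip, which costs throughput.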

I don't give a rat's ass about your config intentions, or doing this or doing that, it's fruitless.
What's important is to communicate your requirements.
a. identify users/devices, groups of users/devices
b. identify what traffic should be allowed.

Then a config that makes sense can be constructed within the context of the requirements.

@ anav… calm down :joy:

I think you should take some break from that VRRP tutorial writing… and get some fresh air down the hill… next to the river.

and don’t forget to bring your fishing tools, and some snacks :wink:

No worries, wiseroute, have at it.
Trying to solve issues without context is the antithesis of your avatar name.
Hopefully after some introspection, there may be an attempt to reach the goals of your nick.
Otherwise one is actually hampering progress and learning, probably not intentionally, but I am surprised it has not been realized.

As for the OP, a good config is based on good planning which comes from a rigorous study of the requirements.
Anything else is playing whack-a-mole.