Good evening,
I have the following problem with my Mikrotik CRS326-46G-2S+.
I would like to block the internal VLAN traffic and redirect it to a gateway.
So 2 servers on ports 7 and 8 have VLAN 20 tagged, and so does a firewall on port 10.
Now I would like the two servers on ports 7 and 8 in VLAN 20 to no longer be able to talk to each other, but to take the route via the gateway.
How can I implement this?
I have searched for several hours but have not found anything.
Currently I have more than 30 VLANs.
One for each application.
And there will be more.
My plan is to reduce the VLANs to 3 or 4.
But the VMs should not be allowed to communicate with each other.
There is also another case where I want to do this.
And I would like to know if the Mikrotik switches are able to do this.
Otherwise I will unfortunately have to switch to other manufacturers.
I wouldn’t like that so much.
What you are looking for is called a “PVLAN” construction in general (Private VLAN), and you would be using some form of “Isolated Ports” in an “Isolated VLAN” construction.
So 2 devices in such a PVLAN cannot directly talk to each other but must pass through a device connected on a “Promiscuous” port.
As far as I know, Mikrotik does not have this feature.
If you run a Cisco ACI/SD-Access fabric (or another vendor), the same result can be reached by tagging your traffic (SGTs), offering micro-isolation/segmentation, but that is a whole different story. So in 1 IP space you can have full control over what-talks-to-what.
But PVLAN is a dirty hack; do yourself a favor, use separate VLANs and the IP firewall rules, as mkx already wrote!
As for using ACI instead of a single CRS326-46G-2S+: it’s like suggesting that a homeless person move into the royal castle. It would certainly solve his problems…
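What the “separate VLANs plus IP firewall rules” advice looks like in RouterOS, as an added example that is not from any poster in this thread: each server gets its own VLAN on the CRS326, and the gateway decides which flows between them are allowed. Assumed: bridge name bridge1, VLAN IDs 21 and 22 replacing the shared VLAN 20, ether10 as the trunk to the firewall, a RouterOS router as the firewall with the trunk on its ether1, and the constructed subnets 10.20.21.0/24 and 10.20.22.0/24.

```routeros
# --- CRS326 side: hardware-offloaded bridge VLAN filtering, one VLAN per server ---
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether10
/interface bridge vlan
# server A (ether7) lives in VLAN 21, server B (ether8) in VLAN 22; both reach the
# firewall trunk on ether10, but never each other at layer 2
add bridge=bridge1 tagged=ether7,ether10 vlan-ids=21
add bridge=bridge1 tagged=ether8,ether10 vlan-ids=22
# switch filtering on only after the VLAN table is complete so management is not cut off
/interface bridge set bridge1 vlan-filtering=yes

# --- gateway/firewall side (assumed RouterOS router, trunk on ether1) ---
/interface vlan
add name=vlan21 interface=ether1 vlan-id=21
add name=vlan22 interface=ether1 vlan-id=22
/ip address
add address=10.20.21.1/24 interface=vlan21
add address=10.20.22.1/24 interface=vlan22
/ip firewall filter
# return traffic of already accepted connections
add chain=forward connection-state=established,related action=accept
# the one flow the application needs: server A -> server B database port (constructed)
add chain=forward in-interface=vlan21 out-interface=vlan22 protocol=tcp dst-port=5432 \
    action=accept comment="srvA -> srvB db"
# everything else between the two server VLANs is dropped and logged for visibility
add chain=forward in-interface=vlan21 out-interface=vlan22 action=drop log=yes log-prefix="srv-iso"
add chain=forward in-interface=vlan22 out-interface=vlan21 action=drop log=yes log-prefix="srv-iso"
```

The servers then tag VLAN 21 and 22 respectively instead of VLAN 20; any traffic between them has to be routed by the gateway, where the forward chain is the single place to allow or deny it.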
Yep, it sure is. Totally different worlds.
Good to know Mikrotik does support something like a PVLAN on certain models/chipsets, so that might indeed solve the topic-starter’s main concern.