Block IP Ranges in SwitchOS

Hello,

We are looking to install a new switch in our datacenter. One of the things I like about mikrotik is the advanced configurations. I know that generally switches are L2 devices, but is there any way for SwitchOS to block IP ranges? Because of the way that the network is configured, we can’t really put a router in the middle between our carrier and the servers, because the public IP address must pass right through to the server. Thus, a switch with IP blocking seems to be the best/only option. Is this possible? Thanks

You need a router with switch properties and Mikrotik has a lot of them.

Also look at the switches because you can also run RouterOS on those.

Ok, so let's say I buy a CSS326-24G-2S+RM. How would I basically go about blocking IP ranges, while allowing the public IPs to pass through the switch?

There is no switch that can switch public IP because you don’t know the MAC address.

Blocking can be done in the rules or RAW lines, combined with an address-list to cover large numbers of IPs.

  1. Go through all interfaces and set master-port=none
  2. Go to Bridge, add bridge1
  3. Click the Settings button. Select “Use IP-Firewall”
  4. Go to Bridge > Ports, add all interfaces to bridge1

Now you should be able to use the IP > Firewall to filter IP ranges. Putting interfaces into a bridge instead of using the master-port will incur a performance penalty. This is because when interfaces are a slave of another, it uses hardware switching. Putting them in a bridge causes them to go through the CPU (or something like that). If your CPU runs high and you want the firewall ability, you'd need a more powerful unit.

Since your switch is not behind a gateway, take the time to create input filter rules to block remote access to the webfig, winbox, etc.
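The four steps above, plus the address-list blocking and the management-protection input rules, expressed as RouterOS terminal commands. This is an added example, not from the thread or from MikroTik; it assumes a RouterOS 6.x build older than 6.41 (where the master-port property still exists; 6.41 and later replaced it with bridge hardware offloading), a unit with ports ether1 through ether5, and constructed placeholder addresses (the blocked ranges and the admin host) taken from the documentation address space.

```routeros
# Added example, not the thread's own configuration.
# Assumes RouterOS 6.x before 6.41 (master-port still present) and ports ether1..ether5.
# All addresses below are constructed placeholders.

# Step 1: take every port out of hardware switching (master-port=none)
/interface ethernet
set [ find ] master-port=none

# Step 2: create bridge1
/interface bridge
add name=bridge1

# Step 3: "Use IP-Firewall" so bridged frames traverse IP > Firewall
/interface bridge settings
set use-ip-firewall=yes

# Step 4: put all ports into bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

# Ranges to block, kept in an address-list so one rule covers many prefixes
/ip firewall address-list
add list=blocked address=203.0.113.0/24 comment="constructed example range"
add list=blocked address=198.51.100.0/25 comment="constructed example range"

# Drop traffic from the listed ranges as it crosses the bridge (forward chain)
/ip firewall filter
add chain=forward src-address-list=blocked action=drop comment="block listed ranges"

# Management protection: only the constructed admin host may reach webfig/winbox
/ip firewall address-list
add list=mgmt address=192.0.2.10 comment="constructed admin host"
/ip firewall filter
add chain=input protocol=tcp dst-port=80,443,8291 src-address-list=mgmt action=accept \
    comment="admin host to webfig/winbox"
add chain=input protocol=tcp dst-port=80,443,8291 action=drop \
    comment="everyone else: no webfig/winbox"

# Services the device does not need exposed at all
/ip service
disable telnet,ftp
```

To also stop traffic heading toward a listed range, add a second forward rule matching `dst-address-list=blocked`. With `use-ip-firewall=yes` every bridged packet is handled by the CPU, which is the performance penalty described above, so watch CPU load under real traffic before relying on this on a small unit.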