Hi!
I have an RB751G. I have an internet connection on port 1, a switch with Group A of PCs on port 2, and a switch with Group B of PCs on port 3.
I need Group A and B to have network access between them for sharing files and more. Group A needs to have access to the internet, but Group B should have access to Group A but NOT the internet.
Can you help me?
Thank you
Gaston
Can you give some more information?
How are ports 2 and 3 logically connected? Are they bridged, or do they have two individual IP segments with the MT routing between them?
The last solution could be a good one, and then you should create firewall rules allowing/blocking the traffic as desired.
I would separate the ports and run an independent DHCP server for the port in question.
Then I would tag the IP range for the port in question.
Then put in a firewall rule that applies to that tag.
You could also mangle the traffic coming in from Group B (ether2 in my example) and give it a routing mark of, say, “blackhole”.
Then create a blackhole route so any attempts to get out from Group B (ether2) will fail.
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=ether2 new-routing-mark=blackhole passthrough=no
/ip route
add distance=1 routing-mark=blackhole type=blackhole
Group A will use the default main route.
I would create a specific allow firewall rule which has in-interface ether2 and a src-address of the IP range for the B servers, and with out-interface ether1 (WAN).
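As an added example (not posted by anyone in this thread), here is a routed layout for the original question's port assignment: ether1 = WAN, ether2 = Group A, ether3 = Group B, with two separate IP segments so the router sees all A/B traffic in the forward chain. The 192.168.10.0/24 and 192.168.20.0/24 addresses are assumed; the drop rule for B to WAN is logged so the block can be confirmed from the router log.

```routeros
# Assumed addressing: two separate subnets, not a bridge, so A<->B traffic is routed.
/ip address
add address=192.168.10.1/24 interface=ether2 comment="Group A"
add address=192.168.20.1/24 interface=ether3 comment="Group B"

# NAT only Group A out to the internet. Group B gets no source NAT, so even if a
# filter rule is mis-ordered its packets leave with a private source and cannot return.
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=192.168.10.0/24 action=masquerade

/ip firewall filter
# Replies to already-accepted connections, then junk.
add chain=forward connection-state=established,related action=accept comment="replies"
add chain=forward connection-state=invalid action=drop comment="invalid"
# File sharing between the two groups: either side may open a connection.
add chain=forward in-interface=ether2 out-interface=ether3 action=accept comment="A -> B"
add chain=forward in-interface=ether3 out-interface=ether2 action=accept comment="B -> A"
# Only Group A may reach the internet.
add chain=forward in-interface=ether2 out-interface=ether1 action=accept comment="A -> WAN"
# Group B to the internet is dropped and logged so the block can be verified.
add chain=forward in-interface=ether3 out-interface=ether1 action=drop log=yes log-prefix="B-no-wan" comment="B -> WAN blocked"
# Anything else forwarded through the router is denied.
add chain=forward action=drop comment="default deny"
```

If ports 2 and 3 are instead bridged into one segment, the forward chain never sees A-to-B traffic and only the B-to-WAN drop applies; the interface-based rules still work because the bridge port is reported as in-interface.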
I’ve done pretty much the same at home.
I have 2 wireless virtual APs and they must both connect to the internet, but I don't allow any traffic between them.