CRS112-8P-4S question on port isolation

Hi guys,

Right, I have followed the section on port isolation in the MikroTik support documents:
https://help.mikrotik.com/docs/spaces/ROS/pages/103841836/CRS1xx+2xx+series+switches+examples#CRS1xx%2F2xxseriesswitchesexamples-ProtocolLevelIsolation

And basically it doesn't seem to work, which is a bit perplexing and frustrating, and I was wondering what I was doing wrong.

I have 4 ports in use, with one being the uplink. ether8 is the uplink and the other 3 (ether1, ether2 and ether5) go to other routed networks.

We have only 3 VLANs in use: vlan1 (native), vlan100 for management and vlan1000. vlan1 is for general traffic, vlan100 for management and vlan1000 for internet, so not a big network, but I want to try and stop any unwanted DHCP servers and generally work toward securing the ports and the traffic going through. Everything else seems to be working; I just can't get the right behaviour.

/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] poe-out=forced-on power-cycle-ping-address=\
    10.100.10.1 power-cycle-ping-enabled=yes power-cycle-ping-timeout=2m speed=\
    100Mbps
set [ find default-name=sfp9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp11 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp12 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full

/interface vlan
add interface=bridge1 name=vlan100_bridge1 vlan-id=100
add interface=bridge1 name=vlan1000 vlan-id=1000

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
    
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether1
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether5
add bridge=bridge1 comment=defconf interface=ether6
add bridge=bridge1 comment=defconf interface=ether7
add bridge=bridge1 comment=defconf interface=ether8
add bridge=bridge1 comment=defconf interface=sfp9
add bridge=bridge1 comment=defconf interface=sfp10
add bridge=bridge1 comment=defconf interface=sfp11
add bridge=bridge1 comment=defconf interface=sfp12

/ip neighbor discovery-settings
set discover-interface-list=all

/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu,ether5,ether8 vlan-id=100
add tagged-ports=switch1-cpu,ether5,ether8 vlan-id=1000

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 disabled=yes new-customer-vid=1000 ports=\
    ether1,ether2,ether3

/interface ethernet switch port
set 0 isolation-leakage-profile-override=2
set 1 isolation-leakage-profile-override=2
set 4 isolation-leakage-profile-override=2 vlan-type=edge-port

/interface ethernet switch port-isolation
add forwarding-type=bridged port-profile=2 ports=ether8 protocol-type=\
    dhcpv4,dhcpv6 registration-status="" traffic-type="" type=dst

/interface ethernet switch vlan
add ports=switch1-cpu,ether5,ether7,ether8 vlan-id=100
add ports=switch1-cpu,ether1,ether2,ether3,ether5,ether8 vlan-id=1000

/ip address
add address=10.100.10.110/24 interface=vlan100_bridge1 network=10.100.10.0

/ip cloud
set ddns-enabled=yes

/ip dhcp-client
add add-default-route=no disabled=no interface=vlan1000 use-peer-dns=no \
    use-peer-ntp=no

/ip dns
set servers=10.100.10.1

/ip route
add distance=1 gateway=10.100.10.1

/ip ssh
set forwarding-enabled=remote

/system clock
set time-zone-name=Europe/London

/system identity
set name=SW01

/system note
set note="" show-at-login=no

/system ntp client
set enabled=yes primary-ntp=10.100.10.1 secondary-ntp=10.100.10.2 \
    server-dns-names=\
    0.uk.pool.ntp.org,1.uk.pool.ntp.org,2.uk.pool.ntp.org,3.uk.pool.ntp.org

Any help would be great.

Thanks
Rhodri

Example diagram:

Quite a simple network: 2 VLANs, one for management and another for what we will call client traffic. To add something: all the clients should be using PPPoE, no issue, but one client has been messing about and somehow has added a DHCP server to their internet interface (clients will be clients).


The config below is a working config on our CRS112-8P-4S-IN before adding any DHCP filtering:

/interface bridge
add admin-mac=CC:2D:E0:4B:AD:7E auto-mac=no comment=defconf name=bridge1 \
    protocol-mode=none
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
/interface ethernet switch trunk
add member-ports=sfp9,sfp10 name=trunk1
/port
set 0 name=serial0
/system ntp key
add key-id=121
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether1
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether5
add bridge=bridge1 comment=defconf interface=ether6
add bridge=bridge1 comment=defconf interface=ether7
add bridge=bridge1 comment=defconf interface=ether8
add bridge=bridge1 comment=defconf interface=sfp9
add bridge=bridge1 comment=defconf interface=sfp10
add bridge=bridge1 comment=defconf interface=sfp11
add bridge=bridge1 comment=defconf interface=sfp12
/interface ethernet switch egress-vlan-tag
add tagged-ports=trunk1,ether1,ether2 vlan-id=200
add tagged-ports=trunk1,switch1-cpu,ether1,ether2 vlan-id=100
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=200 ports=ether3,ether4,ether8
/interface ethernet switch port
set 0 vlan-type=edge-port
set 1 vlan-type=edge-port
set 2 vlan-type=edge-port
set 3 vlan-type=edge-port
set 7 vlan-type=edge-port
/interface ethernet switch vlan
add ports=trunk1,ether1,ether2,ether3,ether4,ether8 vlan-id=200
add ports=trunk1,switch1-cpu,ether1,ether2 vlan-id=100
/ip dhcp-client
add default-route-tables=main interface=vlan100
/system clock
set time-zone-name=Europe/London
/system identity
set name=SBCP-SW01
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=172.16.0.1
/tool romon
set enabled=yes

My first idea is that really I want all the ports to be the same, so changing isolation-leakage-profile-override would be unnecessary, because this would be handy for any port as and when it's made, as I do not want unnecessary DHCP traffic, whether by accident or malicious.

All that should need to be added would be:

/interface ethernet switch port-isolation
add forwarding-type=bridged port-profile=29 ports=trunk1,switch1-cpu protocol-type=dhcpv4,dhcpv6 registration-status="" traffic-type="" type=dst vlan-profile=promiscuous

The above (going by https://help.mikrotik.com/docs/spaces/ROS/pages/103841836/CRS1xx+2xx+series+switches+examples#CRS1xx%2F2xxseriesswitchesexamples-ProtocolLevelIsolation) should drop DHCP traffic heading to the trunk port but allow DHCP traffic going from it.

So we get an offer of an IP from the DHCP server (not the rogue) arriving on ether8; alas, we are not able to get DHCP from the trusted source on trunk1, so in one way it's working, which would point to the port isolation being the issue.

In my testing, what I found was weird: when you set the isolation-leakage-profile-override it does not seem to set or report as set.

Only after enabling and disabling would it then work, or at least report it's been set in WinBox.

But leaving it default just to handle DHCP seems to block all DHCP traffic, and when using the example from the help section of MikroTik's website it just doesn't seem to work at all and allows DHCP in both directions.

Any help at this point would be great because it's bugging me profusely.

Thanks
Rhodri
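An added example, not code from the post above or from MikroTik's documentation: a small Python classifier that models the policy the post is trying to get out of the switch chip, namely that DHCP server messages (BOOTREPLY, i.e. OFFER/ACK/NAK) are legitimate only when they arrive on the trusted uplink or trunk port, while the same message arriving on a client-facing port indicates a rogue DHCP server. It parses constructed Ethernet/IPv4/UDP/DHCPv4 frames, including one carrying an 802.1Q tag, so it can be run over sniffer captures taken per port to confirm whether offers are actually being dropped before and after the isolation rule is applied. Port names follow the post (ether8 as the uplink, ether3 as a client port); the MAC and IP addresses, the 10.100.10.1 server identifier and the trusted-port set are assumptions of the example, not facts from the post. Needs Python 3.8 or newer for `bytes.hex(":")`.

```python
"""Classify DHCPv4 frames by the switch port they arrived on (added example, not
code from the forum post or MikroTik): DHCP server messages are legitimate only
from the trusted uplink port; the same message from a client port means a rogue
server. Port names follow the post; addresses are constructed sample data."""
import socket
import struct
from typing import Optional

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800
BOOTP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}
TRUSTED_PORTS = {"ether8"}  # assumption: ether8 is the uplink to the real DHCP server


def parse_options(buf: bytes) -> dict:
    """Decode DHCP TLV options into {code: value}; PAD (0) is skipped, END (255) stops."""
    opts, i = {}, 0
    while i + 1 < len(buf) and buf[i] != 255:        # need at least code + length
        if buf[i] == 0:
            i += 1
            continue
        code, length = buf[i], buf[i + 1]
        opts[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(frame: bytes) -> Optional[dict]:
    """Return the DHCPv4 fields of an Ethernet frame (802.1Q tag optional), or None."""
    if len(frame) < 18:
        return None
    ethertype, off, vlan = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == ETH_P_8021Q:                     # skip the 802.1Q tag, remember the VID
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETH_P_IP or len(frame) < off + 20 or frame[off + 9] != 17:
        return None                                  # not IPv4 carrying UDP
    udp = off + (frame[off] & 0x0F) * 4              # IHL = IPv4 header length in words
    bootp = udp + 8
    if len(frame) < bootp + 240 or frame[bootp + 236:bootp + 240] != BOOTP_MAGIC:
        return None
    if not {67, 68} & set(struct.unpack("!HH", frame[udp:udp + 4])):
        return None                                  # UDP, but not on the DHCP ports
    opts = parse_options(frame[bootp + 240:])
    return {"src_mac": frame[6:12].hex(":"), "vlan": vlan,
            "op": frame[bootp],                      # 1 = BOOTREQUEST, 2 = BOOTREPLY
            "msg_type": MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN"),
            "server_id": socket.inet_ntoa(opts[54]) if 54 in opts else None}


def check_frame(ingress_port: str, frame: bytes, trusted_ports=TRUSTED_PORTS) -> str:
    """'rogue' for a DHCP server message (OFFER/ACK/NAK or any BOOTREPLY) on an
    untrusted port; 'allow' for client messages, trusted ports and non-DHCP frames."""
    d = parse_dhcp(frame)
    if d is None:
        return "allow"
    server_msg = d["op"] == 2 or d["msg_type"] in ("OFFER", "ACK", "NAK")
    return "rogue" if server_msg and ingress_port not in trusted_ports else "allow"


def build_dhcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, op, msg_type,
                     server_id=None, vlan=None) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP/DHCPv4 frame (IP/UDP checksums left zero)."""
    opts = b"\x35\x01" + bytes([msg_type]) + b"\xff"          # option 53 + END
    if server_id:                                             # option 54 ahead of END
        opts = b"\x36\x04" + socket.inet_aton(server_id) + opts
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        b"\0" * 16, b"\0" * 64, b"\0" * 128) + BOOTP_MAGIC + opts
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + tag + struct.pack("!H", ETH_P_IP) + ip


SAMPLES = [  # constructed capture: (ingress port, frame)
    # a client on ether3 asking for an address: allowed on any port
    ("ether3", build_dhcp_frame("aa:bb:cc:00:00:03", "ff:ff:ff:ff:ff:ff",
                                "0.0.0.0", "255.255.255.255", 68, 67, 1, 1)),
    # the real server's OFFER arriving tagged in VLAN 100 on the uplink: allowed
    ("ether8", build_dhcp_frame("aa:bb:cc:00:00:08", "aa:bb:cc:00:00:03", "10.100.10.1",
                                "10.100.10.50", 67, 68, 2, 2, "10.100.10.1", 100)),
    # an OFFER from a client port: exactly what the isolation rule is meant to drop
    ("ether3", build_dhcp_frame("aa:bb:cc:00:00:99", "aa:bb:cc:00:00:03", "192.168.1.1",
                                "192.168.1.10", 67, 68, 2, 2, "192.168.1.1")),
]

if __name__ == "__main__":
    for port, frame in SAMPLES:
        print(port, parse_dhcp(frame)["msg_type"], check_frame(port, frame))
```

To use it on a real capture, feed `check_frame()` pairs of (ingress port, raw frame), for example from per-port `/tool sniffer` captures exported to pcap and read with a pcap library; IP and UDP checksums are deliberately not validated because the point is the DHCP classification, not packet integrity. Any "rogue" verdict on a client port after the isolation rule is in place shows the switch is still forwarding server messages from that port.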