"Default forward" on ethernet

In a wireless connection we have the feature of default forward, which would enable or disable
the capability of browsing client computers connected to the wireless interface.

Is there any option similar to this, which can be applied on an ethernet port, so clients
connected to the same ethernet using switch, should not be able to access each other?

Thank you, Toni

Use smart switches, use VLANs

Remember that all wireless clients access each other via the single wlan1 port, which means you can disable forwarding.

But on Ethernet, you need a switch/hub for this, so as macgaiver says, the only way is to use VLANs. By default, all ethernet ports on a switch are in the same broadcast domain (and VLANs disable this).

Does this make sense?

Yes of course, it’s the first thing that crossed my mind, a switch with VLANs.
But you know, I was wishing for a more concentrated solution within Mikrotik
RouterOS, silly somehow, huh :)

Thanks for your replies, Toni

Thanks all, but I’m just a beginner and I want you to tell me how I can do VLANs for all of my clients to isolate all of them, can I?
All I want is for you to give me a quick example…

Yes Pepo, first of all you need a managed switch which gives you the capability to control its ports.
This way you can isolate different computers which connect to the switch. How? Tagging the ports of the switch. Let's say you have a 16 port managed switch, and you want to separate 4 of the computers from the rest of them. You tag those four ports with tag1, let's say, and the rest with tag2. The thing gets just a little more complicated when you have two switches, but the idea remains the same.

Back to the topic. I have seen that even using different IP addresses on the same ethernet port does not make the computers invisible. Let's say we have the following configuration:
/ip address
192.168.1.1/24 ether1
10.1.1.1/29 ether1

Then we have some computers on the first network and some others on the second. I have noticed that these can still see each other, not by their NetBIOS name, but by their IP address. I think this is because they have a default route on the same ethernet port of the router, like:

/ip route
AS 0.0.0.0/0 192.168.10.1
ADC 192.168.1.0/24 ether1
ADC 10.1.1.0/29 ether1

The only way to make them invisible is to use some firewall rules, I think.
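
Added example, not part of the original thread: a small Python model of the situation in the last post, using the two subnets from its /ip address listing. The host addresses and the drop rules are constructed assumptions; the model shows which flows a drop rule in the router's forward chain can stop and which never reach the router at all.

```python
import ipaddress

# Subnets from the /ip address listing in the post (both on ether1).
NET_A = ipaddress.ip_network("192.168.1.0/24")
NET_B = ipaddress.ip_network("10.1.1.0/29")

# Hypothetical forward-chain drop rules on the router: (source net, destination net).
DROP_RULES = [(NET_A, NET_B), (NET_B, NET_A)]

DIRECT = "reachable: switched at layer 2, router firewall never sees it"
ROUTED_OPEN = "reachable: routed by the router, no matching drop rule"
BLOCKED = "blocked: dropped in the router's forward chain"


def path(src_iface, dst_ip):
    """'direct' if dst is on-link for the sender (it ARPs for the peer and the
    switch delivers the frame), 'routed' if it must use its default gateway."""
    src = ipaddress.ip_interface(src_iface)
    return "direct" if ipaddress.ip_address(dst_ip) in src.network else "routed"


def verdict(src_iface, dst_ip, rules=DROP_RULES):
    """Outcome of a flow on the shared segment, given the router's drop rules."""
    if path(src_iface, dst_ip) == "direct":
        return DIRECT
    src = ipaddress.ip_interface(src_iface).ip
    dst = ipaddress.ip_address(dst_ip)
    for src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return BLOCKED
    return ROUTED_OPEN


if __name__ == "__main__":
    # Constructed sample hosts: two in 192.168.1.0/24, one in 10.1.1.0/29.
    flows = [("192.168.1.10/24", "10.1.1.2"),
             ("10.1.1.2/29", "192.168.1.10"),
             ("192.168.1.10/24", "192.168.1.11")]
    for src, dst in flows:
        print(f"{src:>18} -> {dst:<14} no rules : {verdict(src, dst, rules=[])}")
        print(f"{'':>18}    {'':<14} with drop: {verdict(src, dst)}")
```

Flows between the two subnets cross the router and can be filtered there, but two hosts in the same subnet on the same switch talk directly, so isolating them from each other still needs port separation on the switch (VLANs), as the earlier replies say.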