Different (sub)nets for each port? [solved]

Hi,

I’m wondering whether it’s possible to configure a MikroTik product like the hEX PoE lite in such a way that I can share my internet with someone else without giving them access to my LAN.
Let’s say there are three parties and every party has its own switch after the shared router. Also everyone’s LAN is connected through one cable at a specific port.

  • My stuff: 192.168.1.0/24
  • Friendly Neighbour: 192.168.2.0/24
  • Strange Neighbour: 192.169.172.0/24

Can this be done?
Is it possible with the mentioned product or do I have to reach for something better?

Greetings,
schotter

Yes, use VLANs.
Route three VLANs through the single port (assuming your stuff is also on that port?)

However, that does not seem like the whole story, and to config the router for that we need the whole story.
A network diagram will help.

Without complicating anything, simply add rules on the bridge filter:
ether1 can’t communicate with ether2,
ether1 can’t communicate with ether3,
ether2 can’t communicate with ether1,
ether2 can’t communicate with ether3,
ether3 can’t communicate with ether1,
ether3 can’t communicate with ether2,
This is simpler than using 3 pools, 3 DHCP servers, 3 NATs, etc.

Assuming the bridge is called “bri-lan” and the 3 ports are called ether1, ether2 and ether3:

/interface bridge filter
add action=drop chain=forward in-bridge=bri-lan in-interface=ether1 out-bridge=bri-lan out-interface=ether2
add action=drop chain=forward in-bridge=bri-lan in-interface=ether1 out-bridge=bri-lan out-interface=ether3
add action=drop chain=forward in-bridge=bri-lan in-interface=ether2 out-bridge=bri-lan out-interface=ether1
add action=drop chain=forward in-bridge=bri-lan in-interface=ether2 out-bridge=bri-lan out-interface=ether3
add action=drop chain=forward in-bridge=bri-lan in-interface=ether3 out-bridge=bri-lan out-interface=ether1
add action=drop chain=forward in-bridge=bri-lan in-interface=ether3 out-bridge=bri-lan out-interface=ether2

If you do not do it this way,
any host on 192.169.172.0/24 can maliciously reach 192.168.1.0/24 and 192.168.2.0/24,
because all nets are on the same router.

The description is not clear.
A. If the topology is such that EACH neighbour (and you) has their own port on the router heading towards their own switch.
B. If the topology is such that one ethernet cable, due to the available location wiring, will carry two or three of the networks.

Case A
Easiest and best option is simply define the three separate subnets and their interface is the associated etherport being used.
As far as separation, that is easily taken care of in firewall forward filter rules. In the forward chain simply put in a last rule that drops all traffic.
In this case you will want to put an allow LAN to WAN rule for internet access prior to this last rule.

Case B
If you have to put 2 or more subnets through a wire, then that's when VLANs make sense. However, this is predicated upon there being a smart device at the other end to be able to read VLAN tags and then send/disperse the traffic where it needs to go. Since A is more likely, I won't go into more detail.
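A RouterOS configuration for Case A, as an added example that is not from the thread or any of its posters; it assumes ether1 is the WAN uplink and ether2, ether3 and ether4 are the three tenant ports, with the subnets from the first post:

```routeros
# Assumed layout (constructed for this example): ether1 = WAN uplink,
# ether2/ether3/ether4 = one port per party, each feeding that party's own switch.
# Subnets are the ones from the first post; note that 192.169.172.0/24 is not
# RFC 1918 private space, so it overlaps a publicly routable range.
/ip address
add address=192.168.1.1/24 interface=ether2 comment="my stuff"
add address=192.168.2.1/24 interface=ether3 comment="friendly neighbour"
add address=192.169.172.1/24 interface=ether4 comment="strange neighbour"

# Interface lists keep the firewall rules short and make adding a fourth port a one-line change.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN

# Forward chain: let replies through, let any tenant reach the internet,
# then drop everything else, which covers every LAN-to-LAN path.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="tenant -> internet"
add chain=forward action=drop comment="last rule: drops tenant <-> tenant and anything unmatched"

# Source NAT so all three subnets share the single public address on ether1.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
```

Check the separation with a ping from one tenant subnet to another router-side address of a different tenant; it should time out, while the internet stays reachable from all three.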

Thanks for your replies. It’s case A. Every neighbour will have their own cable, maybe a second one for redundancy, but those will be fixed to certain ports.