Hello my friends! Hope you are all doing well.
So I have this situation.
My MikroTik router 951Ui has 5 interfaces:
Eth1. The WAN interface with the IP 192.168.134.2/30
Eth2. The camera interface with the IP range 192.168.10.1/24
DHCP is enabled on this interface and there is a src-nat rule to the out interface 192.168.134.2, so it has internet access.
Eth3. The PBX interface with IP range 192.168.20.1/24; it also has internet access and DHCP enabled.
Eth4. The data interface with IP 192.168.30.1/23
Also internet access with DHCP on it.
So my question is: how can I prevent traffic between those interfaces? I mean not just prevent ping between ports, but all traffic. In my current situation, if someone connects to the Ethernet data port and takes an address from the 192.168.30.1 range, they can easily access the cameras and even the MK router itself; I want to prevent that.
Can anyone please give me advice on this situation?
Well, I know how to set up VLANs, but only with two MikroTik routers; in my situation I have only one 952Ui MK router with three switches connected to its interfaces one by one.
That’s easy. In the forward chain of firewall rules, allow port 2 to port 1, and allow port 3 to port 1, and allow port 4 to port 1, then delete everything.
BTW, I am basing this on you NOT using a bridge - not much point with every interface being a separate network. If you are using a bridge, it would be different.
/ip firewall filter
#... and there you explicitly allow traffic from/to the VLANs' interfaces
add action=accept chain=forward in-interface=VLAN64 out-interface=VLAN65
add action=accept chain=forward in-interface=VLAN65 out-interface=VLAN64
#
# The one ring ... upssss, rule that rules them all :) to stop
# any traffic between VLANs except the ones configured above.
# The order of rules is important .. you allow what you want to allow and then block the rest
#
add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan
Very thankful, Mr BartoszP, it works… However, I couldn't prevent users in the same LAN from accessing the LAN devices. I mean, for example, eth4 is connected to an Ethernet switch and
all users connected to this switch can still access all the devices on this LAN. I don't want any of them to be able to access those devices, yet without disconnecting them from the internet.
Do you have any idea about how I can achieve this?
You raise the bar… Switch traffic is L2 traffic managed internally by that switch, so e.g. a PC communicates with e.g. a printer almost directly via that switch. The traffic is not noticed by the router, as it does not leave the switch: switches should be intelligent enough not to broadcast all traffic to all ports, except broadcast traffic. The router does not participate in this traffic, so there is no control over it.
You ask how to isolate all traffic between any devices in the network. Hard task.
BTW. Please follow the link in my signature if you have a bit of free time.
Thanks BartoszP for giving the code samples - I was dying to get to bed when I typed my reply last night…
The example given showed different VLANs, which you were not wanting to use. So instead of VLANs, you specify the physical ports. However, with that said, as Holvoetn said, if the port on the router has a switch so more than one device is connected, this will not isolate the devices on that same router port. But that is not what you originally asked about.
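The physical-port version of the ruleset described in the replies above, as an added example that is not part of the original thread or either poster's configuration. The interface names ether1 (WAN) to ether4 and the interface list name LAN are assumptions; check /interface print for your own names. It also covers the OP's other request, keeping data-port users away from the router itself, which lives in the input chain rather than the forward chain:

```routeros
# Added example, not the thread's own config. Assumptions: ether1 is the WAN
# port, ether2/ether3/ether4 are the camera, PBX and data ports, and the
# interface list "LAN" groups the three internal ports.

/interface list
add name=LAN comment="internal ports that must not talk to each other"
/interface list member
add list=LAN interface=ether2
add list=LAN interface=ether3
add list=LAN interface=ether4

/ip firewall filter
# Replies for connections that were already accepted (e.g. web answers coming
# back from the WAN) must pass, otherwise only the first packet gets out.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Each internal port may reach the internet through ether1 ...
add chain=forward action=accept in-interface-list=LAN out-interface=ether1 \
    comment="LAN to internet"
# ... and nothing else. Order matters: accepts first, catch-all drop last.
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="no traffic between camera, PBX and data ports"

# Traffic addressed to the router itself goes through the input chain.
add chain=input action=accept connection-state=established,related
# Assumption: the router is the DNS resolver handed out by DHCP.
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="DNS for LAN clients"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
# Place your own management accept (e.g. Winbox from one trusted port or
# address) above this line before adding the drop.
add chain=input action=drop in-interface-list=LAN \
    comment="LAN users cannot reach the router itself"
```

After pasting, check the order with /ip firewall filter print: RouterOS walks each chain top to bottom and stops at the first match, so the accepts have to sit above the catch-all drops. The src-nat rule the OP already has is untouched, because NAT happens in a different table. The DHCP server does not need an input rule, since in RouterOS it does not pass through the IP firewall.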
Why you guys like making judgments without context, or requirements is beyond me.
Put another way, why do you seem surprised when the OP introduces
a. but I want to do this as well OR
b. but I have this equipment here as well.
So bloody well don't start impulsively saving the planet before getting some facts…
a. network diagram to see where internet is coming from and conceptually what devices are at play how they are connected and which subnets are flowing through which ports.
b. then see what has transpired thus far with the FULL config /export
c. finally get a complete set of requirements to get context and to make sense of the offered config
(what users/devices and groups of user/devices including the admin are at play, what they need to be able to do, and what they shouldnt be able to do)
d. with the requirements, a config design can be sorted out that is efficient and meets the requirements and matches the equipment available.
In the OP you talked about limiting access between subnets on different router interfaces, and to the router itself.
Then you asked what appears to be a very different question; it seems you are asking how to keep devices on the same LAN from talking with each other.
To you that may seem like the same thing, but it is very different. I suggest going through this to see what I mean.
And this is why @anav is asking for more details about what your real requirements are, so we don’t have to play 20 questions or whack-a-mole. Also, if you don’t already have the documentation, creating the documentation and explaining your problem will help you understand the problem better yourself.
This, organized thoughts lead to swift resolution of issues and when going through the process one often finds new requirements not previously thought of.
Bang on buckeye, well stated!!!