EoIP not used for ethernet5

Hello,
I have created EoIP between two sites.
Is it possible that a computer plugged into ethernet5 on the MikroTik at site1 has access only to the other computers on site1 and will not have access to anything on site2?
Or can I limit the access of the computer on ethernet5 to only the internet and some PCs on the LAN?

When I set a rule on the firewall I get the message:
“in/out interface matcher not possible when interface(ether5) is slave - use master instead (bridge1)”

But I don’t want to block access for the whole bridge, only limit a particular ethernet port.

thank you

I have never done EOIP but am thinking about it.
I would probably create a second bridge for my EOIP tunnel and reserve one of my etherports for the EOIP tunnel.
(or simply assign a different LAN subnet to the etherport).

To this port one can attach a switch, an AP, a NAS, whatever you want to share with others.
The simple fact that you are on a different bridge or different subnet ensures there is no layer connectivity between the EOIP tunnel and the rest of your router.
When making firewall rules, simply add allow rules between subnets and you should be good to go! (Note: my last rule in the input and forward chains is drop all else.)

I could also allow the other end to use a printer on my LAN by adding a forward rule… access through layer 3 is up to the person configuring the router.

If you want different behaviour for eth5 than for the rest of the bridge, then you need to isolate it. Two options: another VLAN within the same bridge, or independent of the bridge.

Then, once isolated, you can set up custom routing for that port, excluding access to the tunnel. You do that by creating a dedicated routing table (“route-mark=”).
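The VLAN-within-the-same-bridge option from the post above, as an added example that is not the poster's own configuration. It assumes bridge1 already contains ether2 to ether5 plus the tunnel interface eoip-site2, that the existing LAN is 192.168.88.0/24 (shared with site2 over the tunnel), that the printer the isolated port may reach is 192.168.88.10, and that an /ip firewall nat masquerade rule for internet access already exists. All of those names and addresses are assumptions. Instead of a route-mark, it uses the fact that vlan20 is a non-slave interface, so the in-interface matcher that failed on ether5 works on it:

```routeros
# Added example for RouterOS v6.41+/v7 bridge VLAN filtering (not from the thread).
# Assumed: bridge1 = ether2..ether5 + eoip-site2, LAN 192.168.88.0/24 on untagged VLAN 1,
# isolated VLAN 20 on ether5 with 192.168.20.0/24, printer at 192.168.88.10.

# 1. Put ether5 alone into VLAN 20 (untagged on that port, tagged towards the CPU)
/interface bridge port
set [find interface=ether5] pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether5 vlan-ids=20

# 2. Give the router an L3 presence in VLAN 20 so ether5 can still be routed
/interface vlan
add name=vlan20 vlan-id=20 interface=bridge1
/ip address
add address=192.168.20.1/24 interface=vlan20

# 3. Enable VLAN filtering last; VLAN 1 entries for the other ports are created dynamically
/interface bridge
set bridge1 vlan-filtering=yes

# 4. L3 policy for the isolated port: printer yes, rest of the LAN (site1 and site2) no, internet yes.
#    vlan20 is not a bridge slave, so in-interface matching works here.
/ip firewall filter
add chain=forward in-interface=vlan20 dst-address=192.168.88.10 action=accept \
    comment="ether5 -> printer only"
add chain=forward in-interface=vlan20 dst-address=192.168.88.0/24 action=drop \
    comment="ether5 -> no other LAN host on site1 or site2"
add chain=forward in-interface=vlan20 action=accept comment="ether5 -> internet"
```

Because ether5 now sits in its own broadcast domain, nothing from it crosses the EoIP tunnel at L2 at all; only the three routed paths above exist, and the existing drop-all at the end of the forward chain catches anything not listed. Apply step 3 from a console or Winbox session on a port other than ether5, since a mistake in the VLAN table can cut off management access.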

Personally, I agree that a second bridge would over-complicate the situation. If I understand the OP’s description correctly, he wants all devices on Site1 to have L2 access to all devices on Site2, except a particular device on Site1 Ether5, which should have access only to other Site1 devices but not to Site2 devices.
This sounds like a typical bridge-filter scenario, because all LAN ports and EoIP are most likely bridged together.
If the ports are not bridged together, I wonder why there is a need for EoIP instead of any other L3 tunnel (IPIP, GRE, IPsec), which will most likely have less overhead.

@OP: you can’t do this with the firewall. The firewall is an L3 feature (it works between non-bridged interfaces and affects IP forwarding), but you are using an L2 tunnel which acts like another Ethernet port. If you have a look at the packet flow diagram you can see that bridged data does not even reach the firewall.
However, @anav has a good point: do you really require an L2 connection between all computers on all sites? (i.e. do all of them need to be on the same LAN segment?) This is possible but an unusual approach, because all your broadcast data will travel through the tunnel as well, which will greatly increase your uplink bandwidth. The more common solution is having a separate L2 segment for each site, or even several L2 segments on each site. Then, routers can use /ip firewall to define rules for access across those L2 segments (that will allow more sophisticated rules than a simple bridge filter).


@anav: where is your mandatory “/export” request? :smiley:
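The bridge-filter scenario described in the post above, as an added example rather than anything posted in the thread. It assumes the bridge is named bridge1, the tunnel interface is eoip-site2, and ether5 is the port to cut off; those names are assumptions, and if site2 hosts must also be unreachable from ether5 via the router's own IP (L3), the existing /ip firewall rules still have to cover that separately:

```routeros
# Added example (not the poster's config): keep ether5 in the shared L2 segment,
# but drop frames between it and the tunnel in both directions.
# Assumed names: bridge1 (contains ether2..ether5 and eoip-site2), eoip-site2, ether5.
/interface bridge filter
add chain=forward in-interface=ether5 out-interface=eoip-site2 action=drop \
    comment="ether5 -> site2 blocked at L2"
add chain=forward in-interface=eoip-site2 out-interface=ether5 action=drop \
    comment="site2 -> ether5 blocked at L2"

# Check the counters after generating some traffic from the ether5 host:
/interface bridge filter print stats
```

The forward chain only sees frames switched between bridge ports, so ether5 keeps full L2 access to the other site1 ports and to the router itself (input chain), while every other port keeps its L2 path to site2. One caveat worth checking on hardware with a switch chip: bridge filter rules only apply to frames that pass through the CPU. Frames between ether5 and the EoIP interface always do, because the tunnel is a software interface, so the rules above are effective regardless of hardware offloading on the Ethernet ports.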

I bridged EoIP together with the other ports, otherwise the tunnel doesn’t work.