Help needed. Separate internet access per port in the bridge

lokz · January 17, 2025, 12:15pm

Device is L009UiGS-RM
All ports are in the bridge1 except ETH1 which is WAN. Basically default router configuration as from factory.

I would like to leave ETH2-ETH5 in the bridge. ETH7 and ETH8 to be for second user, ETH8 for third user

Should I remove them from the bridge and make second bridge with ETH7 and ETH8 or I read some say VLAN is the better way for doing this?
Two extra DHCP-s can be created, but fixed IP is also OK for this scenario.

All users have to have access through ETH1 WAN and firewall to the web, and they need to be isolated from each other for all protocols (screencasts and similar things). Bridge1 should be able to access Mikrotik devices which are connected to those ports, for management.

Can you write me the simplest config that would achieve this? Thanks.

ConradPino · January 17, 2025, 1:18pm

Stay with single bridge as switch chip hardware offload is limited to single bridge; added bridges are CPU only.
Understand switch chip features: https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features
Use Bridge VLAN Filtering: https://help.mikrotik.com/docs/spaces/ROS/pages/328068/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering
Reserve VLAN 1 for device management; add three (3) VLAN, one for each user port group.

lokz · January 17, 2025, 2:37pm

Will something like this work in this case?

/interface bridge
add name=bridge1 vlan-filtering=yes

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30

/ip pool
add name=dhcp_pool_vlan10 ranges=192.168.110.10-192.168.110.100
add name=dhcp_pool_vlan20 ranges=192.168.120.10-192.168.120.100
add name=dhcp_pool_vlan30 ranges=192.168.130.10-192.168.130.100

/ip dhcp-server
add address-pool=dhcp_pool_vlan10 interface=vlan10 name=dhcp_vlan10
add address-pool=dhcp_pool_vlan20 interface=vlan20 name=dhcp_vlan20
add address-pool=dhcp_pool_vlan30 interface=vlan30 name=dhcp_vlan30

/ip address
add address=192.168.110.1/24 interface=vlan10 network=192.168.110.0
add address=192.168.120.1/24 interface=vlan20 network=192.168.120.0
add address=192.168.130.1/24 interface=vlan30 network=192.168.130.0

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether5 pvid=10
add bridge=bridge1 interface=ether6 pvid=20
add bridge=bridge1 interface=ether7 pvid=20
add bridge=bridge1 interface=ether8 pvid=30
add bridge=bridge1 interface=ether1

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,vlan10,vlan20,vlan30 vlan-ids=10,20,30

/ip firewall filter
# Allow established/related connections
add action=accept chain=input connection-state=established,related
add action=accept chain=forward connection-state=established,related

# Allow access to WAN from all VLANs
add action=accept chain=forward in-interface=vlan10 out-interface=ether1
add action=accept chain=forward in-interface=vlan20 out-interface=ether1
add action=accept chain=forward in-interface=vlan30 out-interface=ether1

# Allow User1 (VLAN10) to access User2 (VLAN20) and User3 (VLAN30)
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
add action=accept chain=forward in-interface=vlan10 out-interface=vlan30

# Allow User1 (VLAN10) to access devices behind User1
add action=accept chain=forward in-interface=vlan10 out-interface=vlan10

# Drop inter-VLAN traffic (except allowed above)
add action=drop chain=forward in-interface=vlan20 out-interface=vlan10
add action=drop chain=forward in-interface=vlan20 out-interface=vlan30
add action=drop chain=forward in-interface=vlan30 out-interface=vlan10
add action=drop chain=forward in-interface=vlan30 out-interface=vlan20

# Drop invalid connections
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid

# Drop all other input
add action=drop chain=input

# NAT masquerade for WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

erlinden · January 17, 2025, 2:47pm

Quick scan:

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,vlan10,vlan20,vlan30 vlan-ids=10,20,30

Should be:

/interface bridge vlan
add bridge=bridge1 tagged=bridge1, vlan-ids=10,20,30

Only tagged ports should be added.

This can be removed:

# Allow User1 (VLAN10) to access devices behind User1
add action=accept chain=forward in-interface=vlan10 out-interface=vlan10

# Drop inter-VLAN traffic (except allowed above)
add action=drop chain=forward in-interface=vlan20 out-interface=vlan10
add action=drop chain=forward in-interface=vlan20 out-interface=vlan30
add action=drop chain=forward in-interface=vlan30 out-interface=vlan10
add action=drop chain=forward in-interface=vlan30 out-interface=vlan20

And add:

# Drop all other input
add action=drop chain=forward

Have a look at this great topic please:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

anav · January 17, 2025, 3:06pm

Disagree…
ether1 should NOT be part of the bridge ports or related settings, its WAN and nothing to do with bridge.

On the other subject.
when you create /interface bridge port for access ports and enter the PVID, the router dynamically includes the required untagging on corresponding /interface bridge vlan config lines.
However, this can lead to a lack of understanding of how to setup /interface bridge vlan.

In your case bridge ports should be
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and untagged interface=ether2 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and untagged interface=ether3 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and untagged interface=ether4 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and untagged interface=ether5 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and untagged interface=ether6 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and untagged interface=ether7 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and untagged interface=ether8 pvid=30

Bridge vlans bare minimum…
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-id=10
add bridge=bridge1 tagged=bridge1 vlan-id=20
add bridge=bridge1 tagged=bridge1 vlan-id=30

What I prefer to see… ( to ensure vlans are well understood )
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3,ether4,ether5 vlan-id=10
add bridge=bridge1 tagged=bridge1 untagged=ether6,ether7 vlan-id=20
add bridge=bridge1 tagged=bridge1 untagged=ether8 vlan-id=30

One can combine vlan IDs, WHEN there is no difference between any of the PORTS/WLANS included.