Hex port isolation

Hi
Is there a way to isolate ports while using routerboard with basic switch menu (like Hex) and hardware offloading? I used filter to isolate ports in bridge, but it doesn’t work with HW offload.

What do you mean with isolate ports?

I mean port level isolation.
https://wiki.mikrotik.com/wiki/Manual:CRS_examples#Port_Level_Isolation.
In other words, blocking communication between ports that are not Uplink ports.

I don’t think it can be done on those routers (in hardware, I mean).
Of course you can isolate the ports (just remove master-port) but then you need to route them or bridge with horizon → no hw.

Assigning each interface/port as a different bridge isolates them I thought???

Yes, it does, in terms of safety against the devices connected to them seeing each other on L2. Whether you permit them to see each other at L3 (routing) depends on your firewall rules; without firewall rules, L3 traffic is freely routed between all interfaces.

But what the OP had in mind is the functionality of some switches which allow you to permit the ports to forward packets at L2 only to chosen other ports, not to all. So all devices are in the same IP subnet but they cannot see each other on L2, while all of them can see the gateway and the gateway can see all of them too.

So the hEX in particular, with its MT7621, cannot do this in hardware; it seems to be possible for models with the ar8327 chip, which supports rules in hardware, so you can say that a frame coming in through a given port will be forwarded to the CPU port regardless of what the MAC table of the chip says. But it is just a theoretical answer, I haven’t tried it yet.

But I can see no serious limitation coming from the fact that it must be done in software - the hardware-assisted bridge allows frames between LAN devices to bypass the CPU, but frames towards the internet must be handled by the CPU anyway. So the traffic between each of the connected devices and the internet is handled the same way regardless of whether the bridge uses hardware assistance or not, and the isolation rules configured on the bridge (in software) do not take so much CPU unless some malware floods the network with broadcast traffic, which would be a serious issue even if hardware port isolation were in place.

So the only configuration where hardware port isolation would have an advantage would be where some other device, not the Mikrotik itself, would be the gateway for the devices connected to those ports to be isolated.

You can set the same horizon value on the ports you don’t want to talk to each other…

Bridge > port > horizon.
HW offload has to be unchecked.
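The horizon-based isolation described in the last reply, written out as a RouterOS CLI configuration. This is an added example, not configuration posted in the thread; the bridge name `bridge1`, the choice of `ether1` as the uplink and `ether2`–`ether4` as the isolated client ports, and the horizon value `1` are assumptions for illustration. Bridge ports with the same horizon value do not forward frames to each other at L2, while the uplink port (horizon unset) still forwards to and from all of them; `hw=no` is required on the isolated ports because, as noted above, the hEX switch chip cannot enforce this in hardware.

```routeros
# Added example (not from the thread): L2 port isolation on a hEX using bridge horizon.
# Assumed names: bridge1, ether1 = uplink/gateway side, ether2..ether4 = isolated client ports.

/interface bridge
add name=bridge1

/interface bridge port
# Uplink port: no horizon, so it can exchange frames with every other port.
add bridge=bridge1 interface=ether1

# Client ports: same horizon value => no L2 forwarding between them,
# hw=no because the hEX (MT7621) cannot apply horizon in the switch chip.
add bridge=bridge1 interface=ether2 horizon=1 hw=no
add bridge=bridge1 interface=ether3 horizon=1 hw=no
add bridge=bridge1 interface=ether4 horizon=1 hw=no

# Check: list the isolated ports and confirm hw offload is off on them.
/interface bridge port print where horizon=1
# Check: learned MAC addresses per port; clients should still reach the gateway via ether1.
/interface bridge host print where bridge=bridge1
```

Ports that need full L2 reachability to each other (for example a second uplink) are simply added without a horizon value. Because the clients remain in one IP subnet and the router itself is the gateway, no IP firewall change is needed for this case; if the router also routes between separate subnets on other interfaces, L3 reachability is governed by the IP firewall as pointed out earlier in the thread.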