How can I separate clients without cutting access to server?

Hi

RB750GL with port1 as WAN / PPPoE,
port2 is master switch with a dumb desktop switch attached that connects to my pc as well as a pc running virtual machines (ESXi),
port2 has an RB411AR attached set up as an AP with 5 wireless clients,
port3 is connected to a LANed client,
port 5 is available.

How can I keep the AP clients separate from the LANed clients as well as from each other; but still allow them access to a file share on a virtual machine on the ESXi box?

For security reasons I’d like a way to keep all clients separate ie not able to see each other on the network but still all able to access a file share.

Any help very welcome.

Thanks

In a general sense, why not just make a few firewall rules that block one group of IPs from communicating with another group of IPs, permitting all IPs to the file share? If you are less concerned with security, and more with informational overhead and chatter, just make sure you have L2 or L3 segregation between your mikrotik ports (not bridged).

If you are using the switch chip, you have no way of doing user isolation between ports, and the same holds true for a dumb switch. You could use a bridge for your purposes, it just takes more CPU time, but should get you what you want.

1.) Remove all master-port settings on each port of the 750.
2.) On the 411, move that to port 5 (or any free port), and disable “default forward” on its radio card(s)
3.) Plug your server directly into ether2
4.) Create a bridge, and add in ports 2-5 to the bridge. Set the same horizon value on ports 3-5. Horizon means, any packets that come in on this bridge port cannot leave another bridge port with the same horizon value.
5.) All LAN IP addresses/DHCP server, etc will be assigned to the bridge interface

Otherwise you can use different routed interfaces and use the firewall to block communication, but I’m guessing that’s not what you want to do.
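The five steps above, written out as RouterOS CLI. This is an added example, not configuration posted in the thread; it assumes RouterOS v5/v6 (the pre-6.41 master-port model the RB750GL shipped with), interfaces named ether1-ether5 on the 750 and wlan1 on the 411, and a constructed LAN subnet of 192.168.88.0/24.

```routeros
# Added example (not from the thread). Assumed: RouterOS v5/v6 on the RB750GL,
# ports ether1..ether5, wlan1 on the RB411AR, LAN 192.168.88.0/24 (constructed).

# 1) Drop the switch-chip grouping so ports stop forwarding to each other in hardware
/interface ethernet
set ether3 master-port=none
set ether4 master-port=none
set ether5 master-port=none

# 2) On the RB411AR (run on that device, not the 750): stop the AP from
#    forwarding frames between its own wireless clients
/interface wireless
set wlan1 default-forwarding=no

# 3) The ESXi host carrying the file-share VM is cabled straight into ether2

# 4) Bridge ether2-ether5. ether3-ether5 share horizon=1; ether2 has none.
#    A frame that arrives on a horizon-1 port is never sent out another
#    horizon-1 port, so every client reaches the server but not each other.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3 horizon=1
add bridge=bridge1 interface=ether4 horizon=1
add bridge=bridge1 interface=ether5 horizon=1

# 5) Addressing and DHCP live on the bridge, not on the member ports
/ip address
add address=192.168.88.1/24 interface=bridge1
/ip pool
add name=lan-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add name=lan interface=bridge1 address-pool=lan-pool disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
```

Horizon only separates bridge ports on the 750; anything behind a single port (for example two PCs on the dumb switch) can still see each other, which is why the server goes on its own port.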

Thanks for the replies.

Is creating separate VLANs in any way a solution?

It can be depending on your infrastructure, network setup, and equipment used. Without more information I can’t say, but if your only pieces of equipment are dumb switches and a MikroTik, then no. Keep in mind the MikroTik is a router, not a switch. It treats each VLAN interface you give it as a separate routed interface.

The equipment I have available is:

RB411AR
RB750GL
Desktop (dumb) switch
IPCOP box

OK, let's say it's not a server that needs to be shared but a printer; does the same apply?

I’d like to separate two groups of users but allow them both access to a network printer…

Provided the printer can be accessed by an IP address then it’s possible only by setting up a bridge like I suggested, or have it on a different subnet and use a firewall. The switch chip on the RB doesn’t have very many if any functions that I am aware of for isolating clients, and with your current switch, it has no way of isolating anything. If it needs to be accessed through a computer, or “different” classes of users, then the firewall method I mentioned is probably best.

I.E. place your wireless users on one routed interface, the printer on another, and the 3rd class of clients on a 3rd routed interface. Firewall between them all.