How can I use a VLAN to isolate my server on port ether2?

Hello,

I have just started using my MikroTik HAP ax lite. I searched around this forum and searched around the web but couldn't find a solution to a pretty simple thing:

I have a mini-PC as a server which I want to isolate from the rest of my network (which in practice is just wifi clients like laptops and phones). I will have the server connected on ether2. I want the server unable to connect to any of the other devices on the wifi.

As I understand it I can do one of two things:

  1. Create a VLAN directly on the port ether2 (or something like that)
  2. Create a VLAN on the bridge and set the bridge to do VLAN filtering

I tried following the youtube tutorial Mastering VLAN Configuration on MikroTik, Step-by-Step Guide to use VLAN filtering on the bridge. I got pretty far, I set up a VLAN that I added to the bridge and then added IP addresses for that VLAN and then I added a DHCP server. That worked. The server got an IP address but I couldn't ping anything.

I tried doing this using Winbox and would really much prefer to use that right now.

Do you have any suggestions on where to start? :)

Thanks in advance!

Please export your configuration so we can see how far you got and where you made a mistake.

Forum rules - #5 by gigabyte091

There is a 3rd option, I believe?
A firewall rule so that the server can only reach your internet gateway and router services.

You do not HAVE to use VLAN for this (but it does make things easier in case you want to segment other parts in future).

The 3rd option would be to keep ether2 out of any bridge, used as a standalone port but no VLAN needs to be created above it. Just /ip address assignment and optionally DHCP server setup on the port.

The firewall is only effective if you can make sure the server is not on the same Layer 2 as the other devices (not on the same VLAN interface, or the bridge interface if no VLANs are used). Otherwise, if we insist on keeping the server on the same Layer 2, then the IP firewall can only isolate the server if the use-ip-firewall option is turned on in the bridge settings, which is not good for performance. (Or use bridge filter / switch ACL, but then it's not considered to be the firewall anymore.)
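The standalone-port approach from the two replies above, written out as an added example (it is not the poster's configuration and not from the thread): ether2 leaves the bridge, gets its own /24 with a DHCP server, and the IP firewall forward chain does the isolation. It assumes the RouterOS 7 default configuration of a hAP ax lite (ether1 in interface list WAN, a bridge named "bridge" holding the remaining ports and wifi in list LAN with 192.168.88.1/24, and the default "accept established,related" forward rule and "drop all not coming from LAN" input rule in place); the subnet 10.10.20.0/24 and the names SERVER, server-pool and server-dhcp are assumptions.

```routeros
# Added example; not the forum poster's config. Assumes the RouterOS 7 default configuration
# of a hAP ax lite: ether1 is in interface list WAN, "bridge" (the other ports and wifi) is in
# list LAN with 192.168.88.1/24. Subnet 10.10.20.0/24 and the names SERVER, server-pool
# and server-dhcp are assumptions.

# 1. Take ether2 out of the bridge so the server sits on its own Layer 2 segment
#    (the default configuration adds ether2 as a bridge port).
/interface bridge port remove [find interface=ether2]

# 2. Address and DHCP for the server segment, directly on ether2 (no VLAN needed).
/ip address add address=10.10.20.1/24 interface=ether2 comment="server segment"
/ip pool add name=server-pool ranges=10.10.20.10-10.10.20.50
/ip dhcp-server add name=server-dhcp interface=ether2 address-pool=server-pool disabled=no
/ip dhcp-server network add address=10.10.20.0/24 gateway=10.10.20.1 dns-server=10.10.20.1

# 3. Own interface list, so the rules stay readable if more server ports are added later.
/interface list add name=SERVER
/interface list member add list=SERVER interface=ether2

# 4. Router services the server may use (input chain). ether2 is NOT in LAN, so the default
#    rule "drop all not coming from LAN" would block this; these two rules must sit above it
#    (in Winbox: IP > Firewall > Filter Rules, drag them up).
/ip firewall filter
add chain=input in-interface-list=SERVER protocol=udp dst-port=53 action=accept comment="server: DNS from router"
add chain=input in-interface-list=SERVER protocol=icmp action=accept comment="server: ping router"

# 5. Forward chain. The default "accept established,related" rule stays above these, so replies
#    to connections the wifi clients start are still allowed; only NEW connections from the
#    server towards the LAN side are dropped (one-way isolation via connection tracking).
add chain=forward in-interface-list=SERVER out-interface-list=WAN action=accept comment="server: internet"
add chain=forward in-interface-list=SERVER out-interface-list=LAN connection-state=new action=drop comment="server may not start connections to wifi/LAN clients"
# Uncomment the next line for full two-way isolation (clients may not reach the server either):
# add chain=forward in-interface-list=LAN out-interface-list=SERVER action=drop comment="clients may not reach server"
```

To check it: from the server, `ping 10.10.20.1` and a ping to an internet host should work while a ping to a 192.168.88.x client should time out; from a laptop on wifi, a ping to the server still works unless the two-way rule is enabled. `/ip firewall filter print stats chain=forward` shows the drop rule's packet counter increasing while the server tries, and `/ip firewall connection print where src-address~"10.10.20."` lists what the server actually has open.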

Thanks for the rectification/clarification !

CGX, quick question, what if...

one bridge, subnet 192.168.88.0/24 for all ports and wifi except ether2.
ether2, subnet 10.10.20.0/24,
On WiFi settings we use access list and BLOCK ether2 interface and MAC address of server.
On firewall settings we ensure no cross talk between subnets permitted at layer3

Another option:
ALL on same bridge.
Access list entry same as above (but just the MAC address of the server)
PLUS
on bridge setting for ports we use horizon to block WLAN and ether2.
Ensure you set the horizon value to the same value, let's say 8, for ether2 and the WLAN

I think for this config, where ether2 is not part of the bridge, and the bridge has WiFi and the other ports, then we don't need to do the blocking on the WiFi (because ether2 is not on the same layer 2 as the WiFi clients, the MAC address of the server plugged into ether2 will never be seen by the devices on the bridge). Blocking at the IP firewall level (chain forward) is sufficient. And the IP firewall is able to easily do selective blocking (in one direction + allow response) because it has connection tracking.

Yes, using horizon will help you isolate the ports, however this disables hardware offload on all MikroTik devices, and I am not sure but maybe bridge FastPath will also be nullified (this is used by FastTrack too). If the devices support switch ACL or port isolation, then it's better to use those functions instead. And if we want to do selective blocking with bridge horizon, then local-proxy-arp is needed to force traffic through the IP firewall.
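For the variant discussed just above, where ether2 stays on the same bridge as the wifi, here is an added example (not from the thread) of bridge horizon combined with local-proxy-arp so that the forward chain still sees the traffic and the blocking can be selective. It assumes the default bridge named "bridge" with 192.168.88.1/24, a single wifi interface wifi1 (the hAP ax lite is 2.4 GHz only; add any further client-carrying ports the same way), a server MAC address and a fixed lease of 192.168.88.50 that are made up for the example, and the horizon value 8 from the question.

```routeros
# Added example; not from the thread. Assumes the default "bridge" with 192.168.88.1/24 and
# bridge ports ether2 and wifi1. The server MAC and 192.168.88.50 are assumptions.

# Pin the server's address so a firewall rule can name it.
/ip dhcp-server lease add address=192.168.88.50 mac-address=AA:BB:CC:DD:EE:FF comment="server"

# Bridge horizon: ports carrying the same horizon value never forward frames to each other.
# Side effect (see the reply above): hardware offload is lost on these ports.
/interface bridge port set [find interface=ether2] horizon=8
/interface bridge port set [find interface=wifi1] horizon=8

# Hosts are still in one subnet, so they would ARP for each other directly and the frames
# would be silently dropped by horizon (total isolation, no selectivity). local-proxy-arp
# makes the router answer those ARP requests with its own MAC, so the traffic is routed
# through the router and passes the IP firewall forward chain.
/interface bridge set bridge arp=local-proxy-arp

# Don't let the router send ICMP redirects telling hosts to talk directly (they can't).
/ip settings set send-redirects=no

# Same-subnet traffic is now routed, so connection tracking applies. With the default
# "accept established,related" rule above this, clients may still open connections to the
# server; only NEW connections from the server to the clients are dropped.
/ip firewall filter
add chain=forward src-address=192.168.88.50 dst-address=192.168.88.0/24 connection-state=new action=drop comment="server may not start connections to wifi clients"

# Check: the H (hardware offload) flag should no longer show for ether2 and wifi1.
/interface bridge port print
```

From the server, `arp -a` (or `ip neigh`) after pinging a wifi client should show the client's IP resolved to the router's bridge MAC, which is the sign that proxy ARP is in effect and the forward rule is being consulted; `/ip firewall filter print stats chain=forward` then shows the drop counter moving. Remove the `arp=local-proxy-arp` setting and the rule again if only total isolation is wanted, since horizon alone already provides that.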

I question how you are framing that requirement - it depends on what this server is for - presumably it needs access to the internet as do the wifi clients. So which way round is your requirement:

  • The server should not access the clients
  • The clients should not access the server
    i.e. which one might be doing any attacking?