How to make Mikrotik invisible to my ISP?

Hello,

I need to make a Mikrotik router NOT be seen on layer 2 by the ISP.

Here is the situation:

My customer has an Internet connection via a tagged VLAN on a fiber connection from his ISP. On this connection only two MAC addresses may be active.
Behind the Mikrotik there are two other routers that get their IP address by DHCP.
The Mikrotik has its own public IP address on another VLAN on the same fiber (this works).
So, the Mikrotik has to be a ‘dumb’, invisible switch to the first VLAN.

I made a bridge, and added three ports to that bridge… one tagged VLAN for the fiber, and two other ports for each of the routers behind the Mikrotik.
The problem is that the Mikrotik is detected by the ISP and gets counted for the max of two MAC addresses; as a result one of the other two routers doesn’t get an IP address.
So far I disabled ARP on all the interfaces in the bridge as well as the bridge itself.
Also I turned off discovery of these interfaces under /ip neighbours.
I even made filter rules on the bridge where I drop in the output chain all frames with the MAC addresses of these interfaces as source.
Still the ISP is somehow detecting the Mikrotik?

Is it possible to do this with Mikrotik?

Regards,

Kees K

If your Mikrotik router is a model with a HW switch, and you’re not already using it on the LAN side for yourself, you could just slave the other two routers’ interfaces to the one connected to the ISP. These three ports would then act as a dumb switch and pass through the vlan tags untouched, etc, and the Mikrotik’s only appearance in the switch group would be its own WAN IP interface…

If this is not an option, then there are a couple of other things you can do on the bridge:

  1. Make sure STP is disabled on the bridge, as that could be the source of the MACs that they’re seeing.

  2. If all else fails, you can go into bridge firewall and create an output filter rule which matches out-bridge = the bridge in question, and action=drop.
    This will guarantee that the Mikrotik cannot transmit on that VLAN regardless of which services you have enabled/disabled on the interface.

The answer is simple: first just make sure the port is not switched, then in firewall filters on output at the WAN interface, set output to drop except to a whitelist (you still need to be able to use DNS, for example). Drop output to 255.255.255.255 (this is a broadcast for the entire internet).

I have used this before and noticed it does drop a few packets, but certain utilities like neighbour discovery will not work then on WAN.

I wouldn’t recommend these settings for the task at hand.

The OP wants to block the Mikrotik from participating in a connection which goes through it at layer 2.

The easiest solution is my suggestion #2 for bridges: use a bridge firewall rule.
chain=output action=drop out-bridge={the wan bridge he has created}
Done.

For good measure, he may want to also drop all frames in the input chain with in-bridge={the wan bridge he has created} but this is just to keep any kind of broadcast traffic on that bridge from being forwarded up the stack to IP and wasting even more CPU cycles determining that the router has no IP address on the bridge.
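Putting the two suggestions above (STP off on the bridge, bridge firewall output/input drop) together as one complete RouterOS v6 configuration. This is an added example, not configuration posted by either participant; the interface names (sfp1 as the fiber uplink, ether2/ether3 towards the two customer routers), the VLAN ID 100 and the bridge name are made up and have to be replaced with the real ones.

```routeros
# Added example (not from this thread): RouterOS v6 configuration for a
# transparent pass-through bridge that the router itself never talks on.
# Constructed/assumed values: sfp1 = fiber uplink, ether2/ether3 = ports to the
# two customer routers, VLAN ID 100 = the ISP VLAN that must be passed through.

# Tagged VLAN sub-interface on the fiber port for the pass-through VLAN only.
# The router's own WAN VLAN is a separate /interface vlan and is NOT added to
# this bridge, so nothing below affects the router's own connectivity.
/interface vlan
add name=vlan100-passthru interface=sfp1 vlan-id=100

# Bridge with STP disabled (protocol-mode=none) so the router sends no BPDUs
# with its own MAC, and ARP disabled so it never answers ARP on this VLAN.
/interface bridge
add name=bridge-passthru protocol-mode=none arp=disabled

# The VLAN sub-interface and the two LAN ports become members of the bridge;
# frames are forwarded between them with the VLAN tag left untouched.
/interface bridge port
add bridge=bridge-passthru interface=vlan100-passthru
add bridge=bridge-passthru interface=ether2
add bridge=bridge-passthru interface=ether3

# Bridge firewall: the router may not originate any frame onto this bridge
# (output chain), and frames destined for the router are discarded before they
# reach the IP stack (input chain). The forward chain is untouched, so the two
# routers behind the bridge still reach the ISP normally.
/interface bridge filter
add chain=output out-bridge=bridge-passthru action=drop \
    comment="no TX from router on pass-through VLAN"
add chain=input in-bridge=bridge-passthru action=drop \
    comment="no RX to router from pass-through VLAN"

# Check: the output rule's counters show how many frames the router tried to
# send on this VLAN and were dropped; the host table should only ever list
# the two customer routers (and the ISP side), never the router's own MACs.
/interface bridge filter print stats
/interface bridge host print where bridge=bridge-passthru
```

The output-chain drop is what actually hides the router: it catches every locally generated frame (ARP, neighbor discovery, STP, anything a later-enabled service might emit) regardless of per-interface settings, which is why it works where disabling ARP and discovery one by one did not. The input-chain drop is only a CPU saver, as described above.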

The problem with doing so on layer 2 is that you will block DHCP and PPPoE from your side, so you won’t be able to connect to your ISP then. That’s why I use the firewall instead; it allows what needs to work on layer 2 to work but can block various other things.

You misunderstood the problem. The Mikrotik has its own VLAN for WAN, and needs to pass a second VLAN through for the other two routers on a separate VLAN. He makes a bridge for that second VLAN only, and wants to cause the Mikrotik to not tx/rx on that VLAN at all. Bridge firewall is the best way to do that.