How to isolate clients from each other within one network?

Hi, all

I have a DMZ segment and a lot of servers in it. But I also need to isolate communication between servers inside the DMZ segment, excluding the default gateway.

What rule should I use?

If the servers are in the same IP subnet, then they talk to each other without using the default gateway.

You have to split them up, at least in different subnets.

Or assign them to different VLANs. If the servers can’t handle VLANs then you need a switch to “untag” the VLAN and send it out to a dedicated port for that server.

There are various ways you can do it. VLAN is one (no CPU load involved), but it only makes sense
if you want to isolate groups of clients from another group (and on the IP level they can still talk to each other).
A simpler one could be filters: IP firewall: you run all bridge traffic through the IP firewall and filter with rules,
or do the filtering within bridge/filter.
The firewall gives all the granularity you want, but can load the CPU (in general drop rules do not load it that much though)…

In the wireless AP settings you can disable the default forward option; that way clients also cannot see each other.

Can you be more specific with what you want to do/achieve?
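The “filter within bridge/filter” and “disable default forward” options from the post above, as an added RouterOS configuration example that is not part of the thread. Interface names are assumptions: bridge-dmz is the DMZ bridge, ether1 is the uplink towards the upstream gateway, ether2 to ether5 are the server ports and wlan1 is an AP on the same bridge. The bridge filter only sees frames the CPU forwards, so hardware offload is switched off on the server ports; frames addressed to the router’s own IP on bridge-dmz go through chain=input, not chain=forward, so the router (and the uplink on ether1, which is not in the list) stays reachable.

```routeros
# Added example, not from the forum thread. Assumed names: bridge-dmz,
# ether1 (uplink), ether2-ether5 (DMZ servers), wlan1 (AP on the bridge).

# Bridge filter rules are applied by the software bridge, so make sure the
# switch chip does not forward server-to-server frames on its own.
/interface bridge port set [find interface=ether2] hw=no
/interface bridge port set [find interface=ether3] hw=no
/interface bridge port set [find interface=ether4] hw=no
/interface bridge port set [find interface=ether5] hw=no

# One interface list for all server ports; the uplink is deliberately left out.
/interface list add name=dmz-servers
/interface list member
add list=dmz-servers interface=ether2
add list=dmz-servers interface=ether3
add list=dmz-servers interface=ether4
add list=dmz-servers interface=ether5

# Drop any frame that enters on a server port and would leave on a server
# port. Server -> ether1 (gateway) and server -> router (chain=input) pass.
/interface bridge filter
add chain=forward in-interface-list=dmz-servers \
    out-interface-list=dmz-servers action=drop \
    comment="no server-to-server traffic inside the DMZ"

# Check: the rule's packet counter must climb while one server pings another,
# and the ping must fail; a ping to the gateway must still succeed.
/interface bridge filter print stats

# Wireless clients on the same AP are a separate case: the AP forwards
# between its own stations unless default forwarding is disabled.
/interface wireless set wlan1 default-forwarding=no
```

Interface-list matchers in bridge filters need a RouterOS version that has interface lists (6.41 or later); on older versions write one rule per in-interface/out-interface pair instead.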

Hi all !

Thank you very much for your answers. I will try to give more details.

I have already 3 vlans in my installation: vlan 88 - LAN, vlan 6 - MGMT, vlan 10 - DMZ.

In the DMZ VLAN I have a lot of servers, but I don’t want the servers in the DMZ to have access to each other inside the DMZ segment (VLAN).

Yes, I can make a separate VLAN for each server, but it’s not comfortable from my point of view.

You can use a switch with this feature.
Or, when all servers are directly connected to the MikroTik router, you can use a bridge without hardware offload to do the same thing.
In MikroTik this is done by setting the “horizon” value of the ports where the servers are connected all to the same value.
In switches (not MikroTik, but full-featured enterprise switches) this feature is known as “port isolation” or “private VLAN”.
This is a feature where you can configure a group of ports that can each talk to another port (where the router is connected) but not to each other.
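The horizon setting described in the post above, as an added RouterOS configuration example that is not part of the thread. Interface names are assumptions: bridge-dmz is the DMZ bridge, ether1 is the uplink, ether2 to ether5 are the server ports. The bridge never forwards a frame between two ports that carry the same horizon value; ether1 has no horizon, so every server still reaches the uplink and the router’s own address on bridge-dmz. Horizon is a Layer 2 mechanism only, so the example also adds the IP firewall rule that stops a server from reaching a neighbour by sending the packet to the router and having it hairpinned back out of the same bridge.

```routeros
# Added example, not from the forum thread. Assumed names: bridge-dmz,
# ether1 (uplink), ether2-ether5 (DMZ servers), 10.10.0.0/24 (DMZ subnet).
/interface bridge add name=bridge-dmz

# hw=no: the horizon check is done by the software bridge, so the switch
# chip must not forward these frames by itself.
/interface bridge port
add bridge=bridge-dmz interface=ether1 hw=no
add bridge=bridge-dmz interface=ether2 hw=no horizon=1
add bridge=bridge-dmz interface=ether3 hw=no horizon=1
add bridge=bridge-dmz interface=ether4 hw=no horizon=1
add bridge=bridge-dmz interface=ether5 hw=no horizon=1

# The router is the default gateway of the DMZ (assumed address).
/ip address add address=10.10.0.1/24 interface=bridge-dmz

# A server could still route to a neighbour through the gateway (the router
# would forward the packet back into bridge-dmz and send an ICMP redirect).
# Drop anything the router would forward from the DMZ bridge back into it.
/ip firewall filter
add chain=forward in-interface=bridge-dmz out-interface=bridge-dmz \
    action=drop comment="no hairpin between DMZ servers via the router"

# Checks: from one server, ping a neighbour (must fail), ping 10.10.0.1 and
# a host behind ether1 (must succeed). The horizon is visible here:
/interface bridge port print where horizon=1
```

If the gateway is a separate device on ether1 rather than the router itself, the same hairpin rule belongs on that device; the horizon part is unchanged.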

If you want strict separation use VLAN (see in this example all departments as separate parts of your DMZ: http://mikrotikacademy.pl/konfiguracja-vlan/ )
Less strict separation (level 3) is by using subnets, e.g. small /30 subnets. The servers will have to use the gateway if they follow the IP routing rules to communicate.

Unnecessary, as I already explained. You can do it within a single segment when you have capable switches or use the software bridge.

Yes Pe1chi, fully agree. You can do the isolation in the DMZ itself via the hardware/software there. And the MKT bridge with the horizon setting is also a solution.

While looking for a good example, I got carried away in the MUM presentations on switching and VLANs, and therefore my posting was delayed. I did not see your answer at that time, as the edit screen cannot update. I only wanted to react to the “not comfortable”.

It’s not clear what the configuration and intention is (how many is a lot? virtual or physical? virtual network on the host? is some filtered communication needed? where to keep control? need for logging? …)
Up to Strelok to decide … there are plenty of solutions.

Simple problem this one compared to the “bridge + DHCP” issues :)