How to separate network?

Hi,

How to separate network? ether1 - ether4 is my network. ether5 is the LAN cable to my neighbor. How do I isolate him from my network and still let him access the internet?

Thank you

Firewall rules

/ip firewall filter
add action=reject chain=forward comment="DROP Guest" dst-address=192.168.3.0/24 log=yes log-prefix=drop-guest reject-with=icmp-network-unreachable \
    src-address=10.10.10.0/24

It is one of my firewall rules. It keeps subnet 10.10.10.0/24 from getting access to subnet 192.168.3.0/24. Log is enabled to possibly check what is going on.

Simply:
Unplug ether5 and make him install his connection, so that if he does something illegal, even without his knowledge, they don’t send you to jail…

I’ve seen these things with the neighbors, as an ISP I have to report when asked by the police who owns the contract,
then the police don’t give a damn if the neighbor used it or not,
usually the end user does not have the means to demonstrate that “in reality” the offender (unconscious or not) was the neighbor…
and the line is under the full responsibility of the owner, not the neighbor…

You are right… it was just an example… I'm just thinking about how to separate one network from another without losing internet… I didn't know how to describe it better…

Find the two @anav topics about VLAN and the starting configuration;
it is described step by step.

@broderick supposes that you have already split the networks…

So when we have split the networks into subnets we can use only firewall rules? And when we want to separate ether ports with the same subnet we should use VLAN?

There are many possibilities and the lack of focus will drive us all nuts.
So clearly:
a. Spell out the user requirements (what users or groups of users you have, and their needs for traffic flow) without noting anything about the configuration.
b. Draw a network diagram of the MT devices showing subnets, where the internet is coming from and what ports you have available for LAN ports etc…

Once that is done, if you have a config then post it…
/export file=anynameyouwish ( minus router serial # and any public WANIP information ).

With the requirements and the network understood we can figure out an optimal configuration.
VLANs are convenient in separating users at level2, MAC address, but different subnets achieve the same thing etc…
Correct, for level3 routing, we almost always need firewall rules to prevent the router from connecting the dots (IP addresses).

Assuming that you have a standard configuration the simplest way from my point of view is:

  1. remove ether5 from the LAN bridge
  2. create interface list GUEST and add ether5 there
  3. add IP address and setup DHCP server for ether5 interface
  4. add a firewall rule to block access for your neighbor to all networks other than WAN
/ip firewall filter add action=drop chain=forward in-interface-list=GUEST out-interface-list=!WAN

I would however take seriously @rextended’s advice…
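
The four steps above written out as RouterOS commands, as an added example that is not part of the original post. It assumes the default configuration (ether5 is a port of the LAN bridge, an interface list named WAN exists, the default firewall is in place); the 10.10.10.0/24 range, the pool and server names and the DNS server address are assumed values.

```routeros
# Added example. Names and addresses below are assumptions, not from the thread.

# 1. Take ether5 out of the LAN bridge
/interface bridge port remove [find interface=ether5]

# 2. Create the GUEST interface list and put ether5 in it
/interface list add name=GUEST comment="neighbor port"
/interface list member add list=GUEST interface=ether5

# 3. Give ether5 its own subnet and DHCP server (assumed range 10.10.10.0/24)
/ip address add address=10.10.10.1/24 interface=ether5
/ip pool add name=guest-pool ranges=10.10.10.10-10.10.10.254
/ip dhcp-server add name=guest-dhcp interface=ether5 address-pool=guest-pool disabled=no
# Hand out an upstream resolver (assumed 9.9.9.9): the default input chain
# drops DNS queries that reach the router from interfaces outside the LAN list.
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=9.9.9.9

# 4. Drop everything GUEST tries to forward to an interface that is not WAN.
#    The rule is appended to the end of the forward chain; if an earlier rule
#    accepts new connections towards the LAN, move this rule above it.
/ip firewall filter add chain=forward action=drop in-interface-list=GUEST \
    out-interface-list=!WAN comment="guest: internet only"

# Check: the packet counter of the new rule should rise when a host on
# ether5 tries to reach an address in the LAN.
/ip firewall filter print stats where chain=forward
```

The forward rule only covers traffic routed through the router; access from ether5 to the router itself is decided by the input chain, which in the default configuration drops anything not coming from the LAN list.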

Hi,

thank you all who have written any guide…

this is only a theoretical example… I'm not going to share internet but I would like to understand how to do it…

now I do understand how to do it with firewall rule and two subnets…

what is the principle to do it by VLAN? I will create only VLAN for ether5?

Do some reading, both mikrotik documents and stuff like
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

meanwhile off to help people with real problems.

Found a way to separate networks by Routing Rules

  1. Open IP – Routes;
  2. Go to tab Rules;
  3. Press “+”
  4. In field Src. Address write source subnet (like 192.168.88.0/24);
  5. In field Dst. Address write destination subnet (like 192.168.10.0/24);
  6. In option Action choose unreachable;
  7. Press OK button.

Make similar second rule for blocking traffic in opposite direction.

Source: https://disnetern.ru/mikrotik-vlan/

Other approach: block everything and only allow what is allowed.