Hi, I want to isolate eth2, eth3, eth4 and eth5 from one another (RB450), but I have noooooo idea if that's even possible. The application is for a hotspot: there are APs plugged into eth2,3,4,5 and I don't want my site to be a free repeater for anyone. The APs already have Client Isolation on them, but you can just connect from AP-eth2 to AP-eth3 and you have a free piggyback link. I don't want that; how can I fix the problem?
the APs are sectors; I've got 3x sectors and 1x omni
the APs are all in the 192.168.1.x range
and the clients are on the 192.168.182.x range, because eth1 has a hotspot controller plugged into it (same IP range as the APs) that's sitting in my flat, and the RB450 with all the APs is sitting on the roof of a high building in a nice white box
Default configuration is for ports 2-5 to be in a switch group with 2 as the master and 3-5 as the slaves.
To isolate them from each other, remove those ports from the switch group and set up firewall rules that block traffic from each input to anything but the uplink in the forward chain, and to the router only for required services (e.g. DHCP, DNS, ICMP, …) in the input chain.
You can write rules based on input or output interface, so for example:
/ip firewall filter
add action=accept chain=forward in-interface=ether1-gateway comment="ether1 gets forwarded to 2-5 as needed"
add action=accept chain=forward in-interface=ether2 out-interface=ether1-gateway comment="ether2 only forwards to the outside"
add action=accept chain=forward in-interface=ether3 out-interface=ether1-gateway comment="ether3 only forwards to the outside"
add action=accept chain=forward in-interface=ether4 out-interface=ether1-gateway comment="ether4 only forwards to the outside"
add action=accept chain=forward in-interface=ether5 out-interface=ether1-gateway comment="ether5 only forwards to the outside"
add action=drop chain=forward comment="everything else, including port-to-port, is dropped"
Note that this is NOT a sane working configuration, just enough of a fragment to give you some ideas. The basic point is that, among other possibilities, you can filter traffic based on the source and destination interfaces. I'd probably set up a chain (let's call it "outgoing-traffic") and jump to that for legit outbound forwarding pairs, and another (let's call it "incoming-traffic") and jump to that for legit inbound pairings. For each of those traffic chains I'd then do any other filtering needed.
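Filling the fragment above out into a rule set that would actually load, as an added example rather than the poster's own configuration. It assumes the RB750 default interface names (ether1-gateway as the uplink, ether2 to ether5 as the AP ports), RouterOS v6 before 6.41 for the master-port syntax, and that the router itself should answer DHCP, DNS and ICMP from the AP ports; management access from the uplink side is also an assumption. Everything else arriving on an AP port, including forwarding to another AP port, is dropped.

```routeros
# Added example, not the original poster's configuration.
# 1. Remove ether3-5 from the hardware switch group so every frame between
#    the AP ports has to pass through the router, and therefore the firewall.
#    (ether2 is the switch master and already has master-port=none.)
/interface ethernet
set ether3 master-port=none
set ether4 master-port=none
set ether5 master-port=none

# 2. Forward chain: an AP port may only talk to the uplink, never to another AP port.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies to already allowed flows"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1-gateway action=accept comment="uplink may reach any AP port"
add chain=forward in-interface=ether2 out-interface=ether1-gateway action=accept comment="ether2 -> uplink only"
add chain=forward in-interface=ether3 out-interface=ether1-gateway action=accept comment="ether3 -> uplink only"
add chain=forward in-interface=ether4 out-interface=ether1-gateway action=accept comment="ether4 -> uplink only"
add chain=forward in-interface=ether5 out-interface=ether1-gateway action=accept comment="ether5 -> uplink only"
add chain=forward action=drop comment="everything else, including AP port to AP port"

# 3. Input chain: the router answers only the services the AP ports need.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1-gateway action=accept comment="management from the uplink side (assumption)"
add chain=input protocol=udp dst-port=67 action=accept comment="DHCP"
add chain=input protocol=udp dst-port=53 action=accept comment="DNS"
add chain=input protocol=tcp dst-port=53 action=accept comment="DNS"
add chain=input protocol=icmp action=accept comment="ping / path MTU discovery"
add chain=input action=drop comment="no other router services from the AP ports"
```

Rule order matters: the established/related accept sits first so return traffic is never examined by the interface rules, and the final drop in each chain is what actually enforces the isolation. Check that the ports really left the switch group with /interface ethernet export (every port should show master-port=none), then watch the counters on the two drop rules with /ip firewall filter print stats while a client on one AP port tries to reach a client on another; the forward drop counter should climb and nothing should get through.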
OK! I've tried everything in that guide. All I want is eth2,3,4,5 (in) <----------eth1 PoE trunk thingy---------> eth2,3,4,5 (out), and I want isolation on eth2,3,4,5.
The reason for this mission is that I can't lay 4 cables down; I only have 1 cable running up. It's a flat/apartment building, strict rules!
So I want to hook up 4x DHCP servers onto eth2,3,4,5, then shoot it all up through eth1, then split it out again and plug eth2,3,4,5 into 4 UBNT APs.
I've got 2x RB750s that just don't want to do anything else than be a lame gateway on port 1 and a switch or router on eth2,3,4,5.
I have no idea what you are trying to say here, and suspect that no one else does either. You need to be clearer and more specific about what you are seeing. Posting output from the router CLI is very helpful. Try doing this:
/interface ethernet export
If it does not say “master-port=none” for all of the ports, then you have not removed them from the switch group, and traffic will flow between them without being filtered by the firewall rules.
I've got 4 exactly-the-same DHCP servers in a server rack.
The problem: I've got 1 Ethernet cable with PoE running up 80 meters from the server rack to the roof. I'm not allowed to use more cables because it's against the rules; getting that one cable took me 2 years.
And there are 4 APs on the roof of a large building; each AP must use its own DHCP server, for personal reasons.
So can this be done, using 2x RB750 as "splitters"?
I've seen that I mentioned RB450 all the time in my old posts, sorry for that, I actually meant RB750s.
But I've sorted out my problem now, thanks to Google and YouTube vids.
I used "Ethernet over IP" (EoIP), best thing ever invented; now I've got the 4 tunnels that I wanted so badly.
No firewall rules needed for this mission, only use IDs in the EoIP configs.
It's amazing! Now I can use my 1 cable with PoE and have 4 isolated Ethernet ports on both sides, and on the "tower" I use an RB750UP, also amazing. I've had some problems on certain ports with the auto PoE function, for some odd reason, with a Bullet2 as a dummy load: the red LEDs went on and off all the time, randomly, but I just changed the PoE option from AUTO to ON on ports 2 to 5 and the problem was sorted.
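A worked configuration of the EoIP approach the poster ended up with, added here as an example and not taken from the poster's own config: one EoIP tunnel per AP port, each with its own tunnel-id, bridged to the matching ether port on both routers. Calling the two boards "rack" and "roof", using ether1 as the link carrying the tunnels, the 10.255.0.0/30 link addresses, and RouterOS v6 before 6.41 for the master-port syntax are all assumptions for the example.

```routeros
# Added example, not the poster's configuration. Addresses are constructed.
# ---- rack-side RB750 ----
/interface ethernet
# take ether3-5 out of the switch group so the four ports cannot switch to each other in hardware
set ether3 master-port=none
set ether4 master-port=none
set ether5 master-port=none
/ip address
add address=10.255.0.1/30 interface=ether1 comment="point-to-point link over the single PoE cable"
/interface eoip
# one tunnel per AP port; tunnel-id must match at both ends and be unique per local/remote pair
add name=eoip-ap2 local-address=10.255.0.1 remote-address=10.255.0.2 tunnel-id=2
add name=eoip-ap3 local-address=10.255.0.1 remote-address=10.255.0.2 tunnel-id=3
add name=eoip-ap4 local-address=10.255.0.1 remote-address=10.255.0.2 tunnel-id=4
add name=eoip-ap5 local-address=10.255.0.1 remote-address=10.255.0.2 tunnel-id=5
/interface bridge
# a separate bridge per port keeps the four layer-2 domains apart
add name=br-ap2
add name=br-ap3
add name=br-ap4
add name=br-ap5
/interface bridge port
add bridge=br-ap2 interface=ether2
add bridge=br-ap2 interface=eoip-ap2
add bridge=br-ap3 interface=ether3
add bridge=br-ap3 interface=eoip-ap3
add bridge=br-ap4 interface=ether4
add bridge=br-ap4 interface=eoip-ap4
add bridge=br-ap5 interface=ether5
add bridge=br-ap5 interface=eoip-ap5

# ---- roof-side RB750UP: the mirror image, local and remote addresses swapped ----
/interface ethernet
set ether3 master-port=none
set ether4 master-port=none
set ether5 master-port=none
/ip address
add address=10.255.0.2/30 interface=ether1
/interface eoip
add name=eoip-ap2 local-address=10.255.0.2 remote-address=10.255.0.1 tunnel-id=2
add name=eoip-ap3 local-address=10.255.0.2 remote-address=10.255.0.1 tunnel-id=3
add name=eoip-ap4 local-address=10.255.0.2 remote-address=10.255.0.1 tunnel-id=4
add name=eoip-ap5 local-address=10.255.0.2 remote-address=10.255.0.1 tunnel-id=5
/interface bridge
add name=br-ap2
add name=br-ap3
add name=br-ap4
add name=br-ap5
/interface bridge port
add bridge=br-ap2 interface=ether2
add bridge=br-ap2 interface=eoip-ap2
add bridge=br-ap3 interface=ether3
add bridge=br-ap3 interface=eoip-ap3
add bridge=br-ap4 interface=ether4
add bridge=br-ap4 interface=eoip-ap4
add bridge=br-ap5 interface=ether5
add bridge=br-ap5 interface=eoip-ap5
```

The isolation here comes from the bridging, not from a firewall: DHCP server 2 and AP 2 share one bridge on each end plus tunnel 2, and nothing connects bridge 2 to bridge 3. Two checks are worth doing after loading it: /interface eoip print should show every tunnel with the R (running) flag on both boards, and /interface bridge host print should list each AP's MAC address under its own bridge only. Two caveats a practitioner would want stated: EoIP is plain GRE with no authentication or encryption, which is acceptable when the only path between the two routers is a dedicated cable, but it means anything that can send to the ether1 link address could inject frames into a tunnel, so that link should carry nothing else; and EoIP adds 42 bytes of Ethernet/IP/GRE overhead per frame, so the L2MTU of ether1 (visible in /interface print) has to be large enough for a 1500-byte payload plus that overhead or the tunnels will silently drop large frames.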