Isolate single PC on LAN port

RouterOS Beginner Basics
1

Hi guys,
I have work Laptop that is currently connected over guest wifi (isolated from home lan). But have some issues with connection reliability due to distance.
Want to use LAN cable but on the same cable I have personal Laptop. Not using both at the same time.
So I want when connecting on the same LAN cable:

  • personal MacBook access all land devices(NAS, HomeAutomation servers, etc) as it is now
  • work windows Laptop access only internet and be blind, not to know that other LAN devices even exists.

I have another spare mikrotik if required, but have no clue how to setup both.
Current: hAP ax3
Spare: hAP ac2
Would prefer setup without additional hardware but any suggestion would be welcome.
Found that cannot set VLAN on work laptop due to missing option in adapter settings and permissions for installation.
So I guess I have only option to setup with additional router, but question how.

2

You could set up VLANs. Use spare MT as VLAN-enabled switch with existing ethernet cable used as trunk uplink. The relevant port on main router would again be configured as trunk port. It’s then up to IP setup on main router to properly separate both VLANs (there can be any number of devices in any of those VLANs).

It is beyond the scope of this forum to teach you about VLANs in general, but here’s tutorial on how to set up VLANs in ROS.

3

Yep, I started to read how to setup VLANS, seems long way to go.
Are there any other way by simple blocking with firewall rules for specific mac address?
Seems for one PC (when using 1-2 days a week) spare 24/7 powered router and huge config changes looks to much.

4

You could try to use firewall rules to block according to MAC address … but that would mean that main router would have to process all traffic through that particular port (shared between LAN device and “quaranteened” device) which might affect overall performance. But doable indeed. You can construct a firewall filter matching src-mac-address and instruct bridge to use ip-firewall … or you could construct even bridge filter (which would probably be more efficient).
You’d have to add some setup to isolate the two devices from each other on the local switch if they were to be used at the same time (again very doable). But IMO you would end up with convoluted setup prone to misconfigurations in future.
VLANs, OTOH, are very elegant solution … and very future proof. And when you get to know VLANs you’ll see they are not that complicated after all.

5

By investigating how default cunfiguration isolating guest wifi from lan
found that bridge has filters droping in/out (guest wlan interfaces)

/interface bridge filter
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3

So question arises - why I cannot do simmillar to filter by mac address:

add action=drop chain=forward src-mac-address={workLaptopMac}
add action=drop chain=forward dst-mac-address={workLaptopMac}

I will try it tomorrow at some time.
Are there any reasons not to use this, or this has some drawbacks, holes, etc, or will not work at all?

6

Bridge filters are, IMO, a bit unflexible (if not for other things they are not stateful). But if you can come up with some which will do the job for you, then by all means go for it.

7

Tested, those 2 filter rules by src-mac-address/dst-mac-address on bridge works as expected.

add action=drop chain=forward src-mac-address={workLaptopMac}
add action=drop chain=forward dst-mac-address={workLaptopMac}

No connections can be made to other LAN devices.
NMap scans does not see anyone other that router and itself on network. So I would say better than expected.
So gonna leave VLANS to rest until more difficult setup is required.
Thanks