Hello friends,
after a day or two of googling, I still haven’t found a solution for how to isolate my TV box connected on ether3 from the LAN and allow it to use only the internet.
Now I have a standard WISP AP setup where all LAN ports are in a single bridge.
Tried to move ether3 to a separate bridge, assign DHCP… but without success.
I am not sure whether I need WLAN or there is an easier way for this task. I am stuck.
I was thinking I should understand a bit of networking before my first MikroTik.
Thanks for any help
Hello,
you could configure another VLAN (read this guide) for your TV box and block the inter-VLAN traffic.
If it’s a single port you want to isolate, then you can follow the path you started on (for a single port you don’t need another bridge; you can attach the IP config directly to that port, just make sure it’s not a member of any bridge). But you definitely need some firewall filter rules to block connectivity from the IPTV to the rest of the LAN, such as this one:
/ip firewall filter
add chain=forward action=drop in-interface=ether3 out-interface-list=LAN
The rule above will only block connections initiated by the device(s) connected via ether3 targeting the rest of the LAN; connections in the other direction will be allowed … if you want to block those as well, then construct another filter rule with in-interface-list=LAN and out-interface=ether3.
mkx, can you be more specific with some steps?
- In Bridge->Ports, disabled the ether3 port (to remove it from the bridge)
- In IP->Addresses, created a new IP Address: 192.168.2.1/24, Network: 192.168.2.0, Interface: ether3
- firewall left as is (will block later)
TV has no internet at all. What else is missing? DHCP? How WAN (ether1) is connected to ether3 without a bridge, I have no clue.
I see too many trees when I don’t understand the forest.
- You have to remove ether3 from Bridge->Ports (disabling it is not enough).
Yes, you have to create a DHCP server (with all needed properties, such as address pool and network settings) for devices to get IP connectivity.
WAN (ether1) is connected to ether3 the same way as your “old” LAN (bridge): via the routing engine running on top of the IP stack in the router’s CPU.
mkx, as far as forward chain firewall rules go.
Let’s say the OP has his normal LAN on the bridge, 192.168.1.0/24
Let’s say the OP creates a special LAN not on the bridge (and only on the ether3 port) with 192.168.88.0/24
would it not be easiest to do the following…
Forward chain
standard rules
(-fasttrack rule
-allow connections - established, related
-drop invalid)
User defined rules
allow 192.168.1.0/24 access to internet (normal lan users access to internet)
allow 192.168.88.0/24 access to internet (iptv box access to internet)
allow 192.168.1.10 access to IPTV subnet (to allow the OP’s computer to access IPTV devices/resources when required).
[other types of allow rules if required]
allow port forwarding rule
allow access from one lan to a single IP on the other lan for a common shared device like a printer
[Last rule]
Drop all else (chain=forward action=drop)
In this regard one specifically states what they wish to allow, such as internet for both LANs.
Since there is no rule for the LANs in either direction to talk to each other (except for the admin’s rule of course), that traffic should get dropped.
In summary…
The drop-all-else rule at the end of the forward chain stops the router from routing across subnets, bridges, ports, etc. (layer 3).
Can you explain how layer 2 is stopped by the three factors of bridge separation, port separation and subnet separation?
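Putting mkx’s steps (remove from bridge, add address, add DHCP) and the allow-list forward chain from the post above into one RouterOS terminal script, as an added example that is not from any poster in this thread. It assumes the existing LAN bridge is named "bridge", WAN is ether1, the LAN uses 192.168.1.0/24, the TV box subnet is 192.168.88.0/24 and the admin PC is 192.168.1.10; those names and addresses are assumptions taken from the thread, adjust them to your setup.

```routeros
# Assumed names (not from the thread): bridge="bridge", WAN=ether1, admin PC=192.168.1.10
# 1. Take ether3 out of the bridge (disabling the port entry is not enough)
/interface bridge port remove [find interface=ether3]

# 2. Give ether3 its own subnet plus a DHCP server so the TV box gets an address
/ip address add address=192.168.88.1/24 interface=ether3 comment="IPTV"
/ip pool add name=iptv-pool ranges=192.168.88.10-192.168.88.100
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
/ip dhcp-server add name=iptv interface=ether3 address-pool=iptv-pool disabled=no
# DNS for the TV box is answered by the router itself; skip if you already allow remote requests
/ip dns set allow-remote-requests=yes

# 3. Let the router answer DNS/DHCP from ether3 (router-bound traffic is the input chain, not forward)
/ip firewall filter add chain=input action=accept in-interface=ether3 protocol=udp dst-port=53,67 comment="IPTV DNS/DHCP"

# 4. Source NAT for the new subnet; skip if a masquerade rule for out-interface=ether1 already exists
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="IPTV to internet"

# 5. Forward chain as an allow list: standard rules, explicit accepts, then drop everything else.
#    "add" appends at the end; if your existing chain already ends in a drop, use place-before=
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related comment="standard: fasttrack"
add chain=forward action=accept connection-state=established,related comment="standard: established/related"
add chain=forward action=drop connection-state=invalid comment="standard: drop invalid"
add chain=forward action=accept in-interface=bridge out-interface=ether1 comment="LAN to internet"
add chain=forward action=accept in-interface=ether3 out-interface=ether1 comment="IPTV to internet"
add chain=forward action=accept src-address=192.168.1.10 out-interface=ether3 comment="admin PC to IPTV"
add chain=forward action=accept connection-nat-state=dstnat comment="port forwards (dst-nat'ed)"
add chain=forward action=drop comment="drop all else: no LAN<->IPTV in either direction"
```

With no accept rule matching in-interface=ether3 out-interface=bridge (or the reverse, except the admin PC), LAN-to-IPTV and IPTV-to-LAN forwarding falls through to the final drop; check with /ip firewall filter print stats that the drop counter rises when the TV box tries to reach 192.168.1.x.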