On a 5-port, with Ether1 being the connection to the Internet, how can I allow ports 2-5 to use port 1, but not be able to see each other or at least not be able to communicate with each other?
The shortest and most elegant way is to be stateful:
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=accept
add chain=forward out-interface=ether1 action=accept
add chain=forward action=drop
That means, in English:
- allow all packets in connections that are already established
- allow all packets in connections that are related to already established ones (FTP data, etc.)
- drop all invalid packets
- allow hosts to establish new connections to hosts behind ether1
- drop all packets
This will essentially allow hosts behind ether2-5 to establish connections to the Internet behind ether1, but not to each other.
I think you meant:
add chain=forward connection-state=invalid action=drop
Thanks for the replies
I sure did.
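As an added illustration (not code from the thread or from MikroTik), the following Python snippet walks the forward-chain rules quoted above with first-match semantics and shows what the "invalid action=accept" typo changes: an invalid packet between two LAN ports slips through the posted rules but is dropped by the corrected ones. The packets are constructed test cases, not captured traffic.

```python
# Added example: a minimal evaluator for the forward-chain rules quoted in
# the thread. It models only first-match semantics over the matchers those
# rules use (chain, connection-state, out-interface); nothing else of RouterOS.

RULES_AS_POSTED = """\
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=accept
add chain=forward out-interface=ether1 action=accept
add chain=forward action=drop
"""
RULES_CORRECTED = RULES_AS_POSTED.replace("invalid action=accept", "invalid action=drop")


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts of matchers plus an action."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] != "add":
            raise ValueError(f"unexpected line: {line}")
        rules.append(dict(p.split("=", 1) for p in parts[1:]))
    return rules


def verdict(rules, packet):
    """First rule whose matchers all match decides. The bare 'action=drop'
    line has no matchers and so matches everything. A packet that reaches the
    end of a RouterOS chain without matching any rule is accepted."""
    for rule in rules:
        if rule.get("chain") != packet["chain"]:
            continue
        matchers = {k: v for k, v in rule.items() if k not in ("chain", "action")}
        if all(packet.get(k) == v for k, v in matchers.items()):
            return rule["action"]
    return "accept"


def verdicts(rules_text):
    """Evaluate a few constructed packets against a rule set; returns name -> action."""
    rules = parse_rules(rules_text)
    pkt = lambda i, o, st: {"chain": "forward", "in-interface": i,
                            "out-interface": o, "connection-state": st}
    cases = {
        "new ether2->ether1": pkt("ether2", "ether1", "new"),          # LAN to Internet
        "new ether2->ether3": pkt("ether2", "ether3", "new"),          # LAN to LAN
        "invalid ether2->ether3": pkt("ether2", "ether3", "invalid"),  # the typo case
        "established ether1->ether2": pkt("ether1", "ether2", "established"),
    }
    return {name: verdict(rules, p) for name, p in cases.items()}
```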
If you want all the ports to share the same layer2 network, but still prevent communication, make a bridge and put in those 4 ports, then specify the same horizon number for each port.
Is this the best way or are VLANs better?
I tried to set them up at one time, but couldn’t get it working properly.
VLANs are layer 2 technology. They have little to do with what you’re trying to do. You could have a different VLAN on each port, but you’d still either block via bridge horizon filters, or routed VLAN interfaces via IP firewall rules.