Linking remote network through "joining" router

I have attached a picture with a basic network diagram below.

R1 and R2 are both Mikrotik routers and located in separate buildings. Hub 1 (H1) is again located in a separate building, and connected to Ether3 on R2.

I would like all clients connected to H1 to be on a separate subnet, with access to the internet, but not able to access anything else connected to R1 or R2.

I had considered simply setting up a network and DHCP server on R2 for Ether3, and providing a static route to R1, but don’t know that that gives me the security I need.

Any ideas on the best way to proceed?

That will be half of the equation; you should add a firewall rule on R2 to prevent H1 users from reaching anything but the Internet.

Thanks for the response Pukkita.

Do my firewall rules operate on the interface? I assume that will be safer than the IP range.

Firewall rules can refer to interfaces as input/output. In RouterOS, traffic addressed to the router itself goes to the input chain, while traffic traversing it from/to the devices in the LAN goes to the forward chain.

If your goal is isolation without relying on IPs, then a better approach will be using a VLAN for the H1 wireless traffic, then setting a firewall filter rule on R1 dropping anything on the forward chain coming out of the vlan (in-interface=vlan_interface) that is not going to exit through the WAN (out_interface != WAN).
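
The isolation described in the two replies above, written out as RouterOS commands for R1. This is an added example, not configuration posted in the thread; it covers only the R1 side and also restricts the input chain, since the forward rule alone does not protect the router itself. The interface names (`ether1` as WAN, `ether2` facing R2), the VLAN name and ID, and the 192.168.20.0/24 subnet are all assumptions.

```routeros
# Assumed names and values (not from the thread):
#   ether1 = WAN on R1, ether2 = link towards R2,
#   vlan-h1 / VLAN ID 20 / 192.168.20.0/24 = the H1 guest network.

# VLAN interface carrying the H1 traffic that arrives tagged from R2
/interface vlan
add name=vlan-h1 vlan-id=20 interface=ether2

# Gateway address and DHCP for the isolated subnet
/ip address
add address=192.168.20.1/24 interface=vlan-h1
/ip pool
add name=pool-h1 ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add name=dhcp-h1 interface=vlan-h1 address-pool=pool-h1 disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

/ip firewall filter
# forward chain: traffic passing through R1.
# Drop anything entering from the VLAN unless it leaves via the WAN port.
# Matching on interfaces means the rule holds even if a client changes its IP.
add chain=forward in-interface=vlan-h1 out-interface=!ether1 action=drop \
    comment="H1: internet only, no access to other LANs"

# input chain: traffic addressed to R1 itself (not covered by the rule above).
# Allow only DHCP and DNS from the VLAN, then drop the rest so H1 clients
# cannot reach WinBox, SSH, or other management services on the router.
add chain=input in-interface=vlan-h1 protocol=udp dst-port=67 action=accept \
    comment="H1: DHCP"
add chain=input in-interface=vlan-h1 protocol=udp dst-port=53 action=accept \
    comment="H1: DNS"
add chain=input in-interface=vlan-h1 protocol=tcp dst-port=53 action=accept \
    comment="H1: DNS over TCP"
add chain=input in-interface=vlan-h1 action=drop \
    comment="H1: no other access to the router"
```

Rules are evaluated top to bottom, so the drop rules must sit above any broader accept rule already present in the same chain.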

Great! Thanks a lot Pukkita, I spent the best part of today getting a VLAN established, and it works just as I’d like.

Thanks again for your help.