I have a CRS125-24G-1S with one of the ethernet ports set as a mirror destination that captures traffic from interface 25 (switch1-cpu).
Essentially, this captures traffic as it egresses through the router to the Internet (plus it also captures the traffic after it has passed through the CPU and back out to my VDSL2 modem).
My problem is that the sniffer port - ether23 - is still somehow part of the network even though I have removed it from the bridge. Any host connected to ether23 is able to do stuff like DHCP and get IP addresses from my ISP. In other words, it’s not truly isolated and can make layer-2 connections to stuff on other ports. I need this port to be totally isolated.
Here’s the relevant config. What am I missing that will totally separate this interface. A separate bridge with its own VLAN? Something else?
# aug/22/2019 17:01:56 by RouterOS 6.45.3
# software id = 8648-0L6L
#
# model = CRS125-24G-1S
/interface bridge
add admin-mac=4C:5E:0C:A3:61:AE auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether23 ] comment="Sniffer Mirror Port" speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=sfp1
set [ find default-name=ether23 ] comment="Sniffer Mirror Port" speed=100Mbps
set [ find default-name=ether24 ] comment="Link to VDSL modem and NBN" name=\
ether24-NBN speed=100Mbps
/ip address
add address=192.168.0.254/24 comment=defconf interface=bridge network=\
192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether24-NBN \
use-peer-dns=no
/ipv6 address
add address=::4e5e:cff:fea3:61ae eui-64=yes from-pool=abb interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=ether24-NBN pool-name=abb \
pool-prefix-length=56 request=address,prefix use-peer-dns=no
/interface ethernet switch
set egress-mirror0=ether23 egress-mirror1=ether23 ingress-mirror0=ether23 ingress-mirror1=ether23
/interface ethernet switch port
set 25 egress-mirror-to=mirror0 ingress-mirror-to=mirror0