Network Segmentation

Hello,

I can’t seem to figure out how to segment out the interfaces in RouterOS or build isolated LANs. From the default config in 6.36.1, I set all of the interface Master Ports to ‘None’. Then I create a bridge and add an IP 192.168.22.1 to it and for some reason I can ping it from a different subnet 192.168.88.0/24 in a command prompt on my PC plugged into ether2. I want to create three or four isolated networks which all have access to the Internet. Ideally they would be on separate VLANs corresponding to various SSIDs in my wireless environment. I just can’t understand how to isolate the various networks. It seems any IP I create on any interface is reachable from ether2 192.168.88.0/24 no matter what I try. I’ve added rules to the firewall as well with no luck.

Go into bridge > ports and check which interfaces are connected to your bridge. Any interface of the bridge will be in the same layer 2 broadcast (thus the same IP network) with the others.

The easiest thing to do is to make a bridge for each LAN segment that you want, and to connect the physical interface(s) you want to participate in that network segment, along with the virtual AP interface that you intend to be part of that network.

If you have a network that you intend to be wired-only or wifi-only, then you can just put an IP address directly onto the physical ethernet interface / virtual-ap interface in question. Just make sure that none of these isolated ports is connected to any bridge, unless you intend to bridge multiple interfaces into one IP range.

This will be a bit more straightforward with the new-style bridging that will be available in ROS v6.41 so I’ll stop here with the details.

Thanks for the reply… the problem is I don’t have any interfaces connected to the bridge but it still pings from ether2. I did notice there is a switch that I can’t get rid of and it seems like all five ports are connected to it, but even with that switch, there is nothing I can see that should be routing any of the physical interfaces to the Bridge IP of 192.168.22.1.

The way I read this, this is just a simple case of routing to connected routes.

Do /ip route print

The router will automatically route packets between directly connected subnets. If you don’t want this to be the case you have to firewall it or use a VRF.

Oh yeah, the router will forward packets between IP ranges unless you tell it not to using a firewall filter rule as acruhl states.

One more thing to point out: once you add a filter rule to the forward chain to block lan-to-lan communication, you will still be able to ping the Mikrotik’s IP address in lan2 from lan1 and vice versa because such traffic routes through the input chain and not the forward chain. Just FYI.

Thanks, ZeroByte. So would only the bridge IP be pingable after I configure the firewall to drop communication between LANs 1 & 2? I didn’t actually test it with any nodes on the networks after setting up my firewall rules. I just noticed that the IP that was assigned to the bridge was pinging no matter what rules I set up in the firewall.

Here are the results of /ip route print (minus my public IP):

 #   FLAGS  DST-ADDRESS      PREF-SRC      GATEWAY   DISTANCE
 0   ADS    0.0.0.0/0                      x.x.x.x   1
 1   ADC    x.x.x.x/22       x.x.x.x       ether1    0
 2   ADC    192.168.22.0/24  192.168.22.1  bridge1   0
 3   ADC    192.168.88.0/24  192.168.88.1  ether2

Correct. Any traffic which is to/from the router itself is processed in the input / output chains and not the forward chain, even if a device on LAN1 is communicating with the Mikrotik’s IP address on the LAN2 interface. FORWARD chain only applies if the packet enters and then leaves the router.

Honestly, it’s not that big of an issue because any communication between a LAN segment and the router that’s permitted on one IP address will be the same on any of the router’s IP addresses.
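Putting the advice from this thread together (connected routes make every LAN reachable from every other LAN until a forward-chain rule says otherwise, and traffic to the router's own addresses is handled by the input chain, not forward), here is an added example configuration that is not from any poster in the thread. It assumes RouterOS 6.41 or later with new-style bridging and interface lists, that ether1 is the WAN uplink, that ether2/wlan1 belong to the 192.168.88.0/24 segment and ether3/wlan2 to the 192.168.22.0/24 segment; wlan2 stands in for a hypothetical virtual AP interface carrying the second SSID. Adjust the names to match your hardware.

```routeros
# Added example, not from the thread: two isolated LAN segments on RouterOS 6.41+
# (new-style bridging). Interface names, subnets and the WAN port are assumptions.

# One bridge per LAN segment; only the ports of that segment join it. Anything
# in the same bridge shares a layer-2 broadcast domain and therefore one subnet.
/interface bridge
add name=bridge-lan1 comment="LAN1 192.168.88.0/24"
add name=bridge-lan2 comment="LAN2 192.168.22.0/24"
/interface bridge port
add bridge=bridge-lan1 interface=ether2
add bridge=bridge-lan1 interface=wlan1
add bridge=bridge-lan2 interface=ether3
add bridge=bridge-lan2 interface=wlan2

/ip address
add address=192.168.88.1/24 interface=bridge-lan1
add address=192.168.22.1/24 interface=bridge-lan2

# Group the LAN-facing interfaces and prefixes so the rules below keep working
# when a third or fourth segment is added later.
/interface list
add name=LAN
/interface list member
add list=LAN interface=bridge-lan1
add list=LAN interface=bridge-lan2
/ip firewall address-list
add list=lan-nets address=192.168.88.0/24
add list=lan-nets address=192.168.22.0/24

/ip firewall filter
# FORWARD chain: packets that enter on one interface and leave on another.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Without this rule the connected routes (see /ip route print) let LAN1 and
# LAN2 reach each other. This single rule is what isolates the segments.
add chain=forward action=drop src-address-list=lan-nets dst-address-list=lan-nets \
    comment="isolate LAN segments from each other"
add chain=forward action=accept in-interface-list=LAN out-interface=ether1 \
    comment="LANs may reach the Internet"
add chain=forward action=drop comment="default deny"

# INPUT chain: packets addressed to the router itself. The forward drop above
# does not stop a LAN1 host from pinging 192.168.22.1, because that is input
# traffic. dst-address-type=local matches any address owned by the router.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=bridge-lan1 dst-address=192.168.88.1
add chain=input action=accept in-interface=bridge-lan2 dst-address=192.168.22.1
add chain=input action=drop in-interface-list=LAN dst-address-type=local \
    comment="each LAN may only talk to the router address on its own interface"
add chain=input action=drop in-interface=ether1 comment="no router access from WAN"

# Source NAT so both segments share the single public address on ether1.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
```

After importing, `/ip firewall filter print stats` shows the packet counters on the inter-LAN drop rule climbing when a host in one segment tries to reach the other; a ping from LAN1 to 192.168.22.1 is stopped by the input rule rather than the forward rule, which is the distinction ZeroByte describes. The DHCP broadcasts clients send to the router are of type broadcast, not local, so the `dst-address-type=local` drop does not interfere with DHCP on either segment.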