If anybody knows, please help me with these settings on RB1100Hx2. Here is the diagram: https://i.mt.lv/cdn/rb_files/Block-RB1100AHx2.pdf
I am going to use those 2 switches' 5x5 ports for local IPs… WAN… port 11 and port 12 for NAS… How to set it up right? 5 local ports need to be on the same local IP network but block traffic between those ports by firewall rules, no problem, I got it, and another 5 local ports need a different local IP… simple, I think, but I do not know how to set it up. I need 1 local IP for one group, then another local IP for another group… No bridge… I need to set up all ports for firewall rules, but if the ports are in a bridge I can't use firewall rules to block traffic between ports on the bridge… How to set up an IP for a group of LAN ports so I can use the IP firewall… Thanks
Believe me…I have…tried…to read…your…question 3…times…but I…was…unable…to focus…and…understand…it.
Apologies. How to set up a local IP, for example 192.168.0.1, for 5 local ports? Do not use bridge mode… Is there a switch mode or something? Then in the firewall I can create rules to block traffic between those ports, because if they are in a bridge I can't do it… There are rules in the bridge settings to accept firewall, but I need those ports to also accept firewall rules…
Use a bridge and add the ports to the bridge, then add the network address to the bridge.
The bridge is used in conjunction with the switch chips to gain maximum throughput between devices on the same local network.
Example and features https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#VLAN_Example_1_.28Trunk_and_Access_Ports.29
It can be done.
But you had better think (and try to explain to us, if only to make things clearer for yourself) why you want to have all of those hosts in the same subnet and yet block some (if not all) communication between them. I can think of a number of reasons (most are either invalid or impractical); perhaps you'll enlighten us with some new ones?
I'll explain it… no problem… I have this small local wifi network, there are about 60 +/- devices… PCs, phones, TVs etc… On 5 local ports there are 4 wifi APs, then the NAS on one port… access to the NAS is allowed from all ports but not between the AP ports… Same subnet? Because they all access the NAS from all kinds of devices, so it is better on the same subnet… right? Why block those ports? It's simple… You are a network and security professional, no?? Do you know, if one device gets infected with a nasty trojan horse or virus, how fast it searches the neighbouring PCs and devices, and the owner of the infected PC does not know it, and the whole network gets unknown problems… Windows PCs etc… Safety first at this point… I do not like reinstalling PCs twice a month… I am also doing PC maintenance on that network… I can save lots of time if no PC gets infected; of course they may download it another way, but then there is no spread to other PCs on the same network… You get it? Now it is your turn to answer me…
There are a couple of ways of doing what you want:
- set use-ip-firewall=yes and construct appropriate firewall filter rules. Be sure to disable hw-offload on all ports you want to enforce firewall or else packets will bypass firewall (you do that by setting hw=no for any port in /interface bridge port)
- use split-horizon feature … bridge ports with same horizon value don’t communicate with each other
The second option is more resource friendly, but less tunable (communication either flows or doesn’t at all … compared to firewall way where you have possibility of fine tuning allowed communication).
Beware that this kind of traffic control affects device performance.
And that you can not control communications between devices connected to the same RB port, that communication has to be blocked in downstream devices (e.g. AP which blocks communication between its client devices or a switch with port isolation).
And no, I’m not a network professional, I’m a radio engineer / sysadmin who had to learn some networking to get around less competent networking guys (no matter which hat I wear, I always stumble upon some
)
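The two options described in the post above, written out as an added RouterOS configuration example (not from the thread or from the poster). Assumed names: bridge `bridge-lan`, APs on `ether1`-`ether4`, NAS on `ether5`, LAN `192.168.0.0/24`; apply either option A or option B, not both.

```routeros
# Added example, not from the thread. Assumed: bridge-lan, ether1-ether4 = APs,
# ether5 = NAS, LAN 192.168.0.0/24. Choose ONE of the two options below.
/interface bridge
add name=bridge-lan
/ip address
add address=192.168.0.1/24 interface=bridge-lan

# Option A: split horizon. Ports sharing a horizon value never forward frames
# to each other; ether5 keeps horizon=none, so every AP port still reaches
# the NAS. Cheap (hw-offload stays on), but all-or-nothing.
/interface bridge port
add bridge=bridge-lan interface=ether1 horizon=1
add bridge=bridge-lan interface=ether2 horizon=1
add bridge=bridge-lan interface=ether3 horizon=1
add bridge=bridge-lan interface=ether4 horizon=1
add bridge=bridge-lan interface=ether5

# Option B: push bridged traffic through /ip firewall instead. hw=no is
# required on every port you want filtered: with hw-offload the switch chip
# forwards AP-to-AP frames itself and the CPU (and firewall) never sees them.
/interface bridge port
set [find interface=ether1] hw=no horizon=none
set [find interface=ether2] hw=no horizon=none
set [find interface=ether3] hw=no horizon=none
set [find interface=ether4] hw=no horizon=none
set [find interface=ether5] hw=no
/interface bridge settings
set use-ip-firewall=yes

# Group the AP ports so one rule covers them.
/interface list
add name=ap-ports
/interface list member
add list=ap-ports interface=ether1
add list=ap-ports interface=ether2
add list=ap-ports interface=ether3
add list=ap-ports interface=ether4

# Bridged IP packets now pass the forward chain with the bridge ports set.
# Drop AP-to-AP; AP-to-NAS (ether5) and routed traffic are left alone.
/ip firewall filter
add chain=forward in-bridge-port-list=ap-ports out-bridge-port-list=ap-ports \
    action=drop comment="isolate AP ports from each other"
```

Option B only filters IP traffic; non-IP frames between the AP ports (ARP and similar) would need matching rules under /interface bridge filter. Neither option separates clients behind the same AP port, as the post notes.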
One thing: in bridge ports all those ports are in the bridge, but one is a root port with root path cost 10 and the rest are designated ports. Why is this, or what is it for? Thanks
@PTPStudio:
Why do you quote the whole previous post? Does it make your answer more valuable? Do you see the "Post reply" button?
Why do you come into threads just to chastise people’s posting behavior?