Hey all..
Banging my head on the wall about this one. I need to configure a RB450 as a simple switch with an up-link port and two downstream ports that CANNOT see each other.. When the traffic leaves the switch on any port it DOES NOT need to be tagged. I have seen many (router on a stick) examples, but none that meet my needs. The scenario is as follows.
A server and two hosts are connected to a RB450.
Both hosts can see the server and the server can see both hosts.
The hosts CANNOT see each other.
I have done this with much cheaper hardware, but would like to do it with RBs for reliability and peace of mind.
Any help would be greatly appreciated
Solution 1 (L2 hardware):
Put the ports 1 to 3 in a switch (1 is master, 2 and 3 are slaves).
Then, under Switch->Rule create 2 rules, to redirect traffic from port 2 to port 1 and from port 3 to port 1.
Solution 2 (L2 software):
Create a bridge for ports 2 and 3.
Under Bridge->Filters create the proper forward rules.
Solution 3 (L2/L3 software):
Keep ports independent, set up a small subnet for each port/machine and use IP->firewall->Filter Rules to set the proper forward filters.
Small addition… This solution will not work with RB450 (without G). Rules and rule table are not supported by the switch chip ICPlus175 in this model.
http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features
BRILLIANT!!!
This is exactly what I needed and it works. Thanks for letting me know about the chipset issue.
Many Many thanks.
Alternative, super-simple solution: create a bridge, put ether1, ether2, and ether3 in the bridge, and set the horizon value for ether2 and ether3 to the same number. Split horizon bridging isn’t just for VPLS. 
Read more here: [u]http://wiki.mikrotik.com/wiki/MPLSVPLS#Split_horizon_bridging[/u]
– Nathan
P.S. – What is this thread doing in the BETA forum?