Hi,
We are using a 493/AH as local Router. We need to setup the following configuration
Ether1 - Wan Port
Ether2,3,4,5,6,7,8,9 are user port, we need to ensure there is no broadcast traffic between ether2 to 9.
However Ether1 should be able to send and receiver Traffic from Ether2 to 9 as its the WAN Port
There are no IP Configuration required / This routes Just needs to act as Layer2 VLAN Switch
Kindly support in this regard.
Regards
sorry, but… where are VLANs?.. =)
Hi,
Sorry for the confusion, There are no VLAN, We just need to restrict traffic between Port Port 2 to 9, However Port 1 Being the gateway, should be able to receiver and transmit Packets to all other ports.
Some kind of Port Isolation, However the primary gateway prot be shared
create a bridge, add all ports to it,
/interface bridge settings set use-ip-firewall=yes
/ip firewall filter add disabled=no chain=forward in-bridge-port=ether1 action=accept
/ip firewall filter add disabled=no chain=forward out-bridge-port=!ether1 action=drop
Thanks Chupaka
The config that you have suggested works fine.
There is a similar case in one of our other router, Howevere the difference is
Port 1 is the WAN Port (With Live IP)
Port 2 to 9 is LAN Port (Either with Live IP or Natted Private IP)
We need to Restrict traffic between 2 to 9 and Route all traffic to 1
How do we restric traffic between 2to9 (as port one being the WAN cannot be on the same bridge as 2 to 9)
We have assigned WAN IP and Route it on Port 1
We have created a bridge with prot 2 to 9 inside it and have Assigned Private IP and Natted the same
Now we are also to route data between the bridge and Port1
– Finally need to restrict traffic between 2 to 9
Kindly support us with the solution
Regards
it seems like in second case you may simply use Bridge Firewall:
/interface bridge filter add disabled=no chain=forward in-bridge=your_bridge out-bridge=your_bridge action=drop
and
/interface bridge settings set use-ip-firewall=no
, if you don’t really need it
Thanks again it works like a charm
Hears an other one = Getting greedier 
=
My administrator says that while all the ports (2to9) being restricted to share among themselfe, he would not be able to monitor hosts on other ports (assuming that his NMS is connected in port9)
What would be the config in the following case
port 2 to 8 only needs to be restricted to trasfer the traffic however port 9 shall be the admin port which should have access to share data betwee 2 and 8 and also use Internet router via port 1
Rest of the config is same - Port 1 is the wan port, birdge1 which has port2 to 9 is the LAN Port
Thanks in advance
something like
/interface bridge filter print
/interface bridge filter add disabled=no chain=forward in-interface=ether9 action=accept place-before=0
/interface bridge filter add disabled=no chain=forward out-interface=ether9 action=accept place-before=0
then your ether9 interface will behave like ether1 - any packets to/from ether9 will be allowed
Use the bridge port horizon feature to allow 2-9 to talk to 1, but not allow 2-9 to talk to each other.
From memory only different horizons are allowed to talk to each other. So set port 1’s horizon to 1, and port 2-9’s horizon to 2.
Bingo, much easier than yuk bridge filters