Hi,
My planned setup:
+-------------------------------------------------+
|                     RB2011                      |
+-------------------------------------------------+
 eth1    eth2    eth3    eth4     eth5    eth6    eth7
  |       |       |       |        |       |       |
 WAN     pc1     pc2   server    box1    box2    box3
The intercommunication between the machines on the LAN needs to be strictly regulated. Some of them are not trusted and are vulnerable, and need to be isolated from each other, with /ip firewall filter and connection tracking.
A small subset of the LAN intercommunication requires wire-speed switching, regulated with /interface ethernet switch rule, based on tcp/udp port numbers (without connection tracking).
Box1-3 need to discover each other via a network broadcast address.
RB2011 is the DHCP server for all machines on the LAN.
I’m thinking about two alternatives:
Alternative A) One single LAN IP-network, bridging configured with use-ip-firewall=yes, combined with a few switch rules for the wire-speed traffic.
Alternative B) Several small IP networks for LAN, isolating each machine, except those that must share a common broadcast address. And try to use switch rules with new-dst-port to route the wire-speed traffic also between different IP networks.
What do you suggest?
Would it be possible to route packets, between different IP networks, with /interface ethernet switch rule and new-dst-port action?
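An added example sketching Alternative A, not the poster's configuration: the interface-to-host mapping, bridge name, addresses and the TCP port are assumptions, and it assumes the two ports carrying the wire-speed traffic are on a switch chip that supports switch rules.

```routeros
# Added example (not the poster's config). Assumed/constructed values:
# bridge "bridge-lan", LAN 192.168.88.0/24, ether1 = WAN, ether2 = pc1,
# ether3 = pc2, ether4 = server, ether5/ether6/ether7 = box1/box2/box3,
# wire-speed pair box1 -> box2 on TCP 5000, switch chip "switch1".

/interface bridge
add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=ether6
add bridge=bridge-lan interface=ether7

# Pass bridged IP traffic through /ip firewall so connection tracking applies to it
/interface bridge settings
set use-ip-firewall=yes

/ip address
add address=192.168.88.1/24 interface=bridge-lan
/ip pool
add name=lan-pool ranges=192.168.88.10-192.168.88.100
/ip dhcp-server
add name=lan-dhcp interface=bridge-lan address-pool=lan-pool disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

/ip firewall filter
# Replies to connections that were already allowed
add chain=forward connection-state=established,related action=accept
# Explicit LAN-to-LAN allow list; in/out-bridge-port identify the physical ports
add chain=forward in-bridge-port=ether2 out-bridge-port=ether4 protocol=tcp \
    dst-port=22 connection-state=new action=accept comment="pc1 -> server ssh"
# LAN to WAN stays allowed
add chain=forward in-interface=bridge-lan out-interface=ether1 action=accept
# Everything else that hairpins through the bridge is dropped and logged
add chain=forward in-interface=bridge-lan out-interface=bridge-lan \
    action=drop log=yes log-prefix="lan-isolation"

# Wire-speed path inside the switch chip, matched on TCP port, no connection tracking
/interface ethernet switch rule
add switch=switch1 ports=ether5 protocol=tcp dst-port=5000 new-dst-ports=ether6 \
    comment="box1 -> box2 TCP 5000 stays in hardware"
```

The switch rule only overrides the egress port of matching frames on that switch chip; the dropped-and-logged hairpin rule is what shows, in the log, which isolated hosts are trying to reach each other.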