Separate network through Bridge

Hi,

I would like to separate my physical port 5 ( Ethernet 5 ) from 2-4 ( LAN )

but allow it access to WAN ( Ethernet 1 )


I’m currently using the stock default configuration.


I went ( WebFig ) Bridge → Ports and disabled the interface Ether5 and indeed I didn’t get a DHCP IP.
( BTW what is the terminal command to reach Bridge → port ? )

So now I suppose I just have to create a DHCP server for this interface.

That’s it? Is there any way they will be able to reach one another?

Thanks.

You have to remove that interface from bridge. Disabling it there just switches it off as a port in the bridge.
Not diving too deep into details:

  1. You can create another bridge, move that port to it and “clone” the current configuration to the new bridge but with different IPs and then forbid traffic between these bridges/IPs
  2. Remove the port from the current bridge and create/clone the new configuration just for that interface. There is almost the same amount of work to do as with a bridge, so I would choose option 1 as it lets you move more interfaces back & forth in the future.

Thanks @BartoszP ,

But for a single physical interface, why create a Bridge !?

For the future, if you decide that you want another interface (e.g. WiFi) for that separated subnet, then you are ready.

Edit:
BTW … the “Bridge” in the MT world, for most users, is the synonym of a “Switch”, so treat it as a separate device and remember that the router manages them in one case as a dual/tri/quadro/… “blade switch” and lets the traffic flow from one to another by default.

Thanks ! @BartoszP very important reminder indeed !

So any MT Bridge ( switch ) can talk to the others!? By default! And how to prevent this? (Only by firewall rules!? Or is there a more global option to disable it?)

And are those MT Bridges defaulted to communicate with a single interface (for example Ether5 here)?

Treat a bridge as a “virtual switch”. It could even have no real interfaces attached (look for loopback solutions for pre-7.something versions, before the “lo” interface was introduced). Such a configuration gives you a lot of possibilities and flexibility in setup.
To prevent traffic you have to set firewall rules that block subnets to talk.
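The following is an added example, not commands posted by anyone in this thread: option 1 from the earlier reply (a second bridge holding ether5 with its own subnet and DHCP server) combined with the forward-chain firewall rules this reply says are needed to stop the two subnets from talking. It assumes the stock default configuration (LAN bridge named `bridge`, interface list `LAN`); the bridge name `bridge-iso`, pool and server names and the 192.168.89.0/24 subnet are my own choices.

```routeros
# Added example (assumed names/addresses, stock defconf as starting point)

# 1. Create the second "virtual switch" and move ether5 into it.
#    /interface/bridge/port is the terminal equivalent of WebFig Bridge -> Ports.
/interface/bridge add name=bridge-iso
/interface/bridge/port set [find interface=ether5] bridge=bridge-iso

# 2. Clone the LAN-side config for the new bridge with a different subnet
/ip/address add address=192.168.89.1/24 interface=bridge-iso
/ip/pool add name=pool-iso ranges=192.168.89.10-192.168.89.254
/ip/dhcp-server add name=dhcp-iso interface=bridge-iso address-pool=pool-iso
/ip/dhcp-server/network add address=192.168.89.0/24 gateway=192.168.89.1 dns-server=192.168.89.1

# 3. Put the new bridge in the LAN list so the defconf input rules (DHCP, DNS to
#    the router) and the WAN masquerade rule apply to it as well
/interface/list/member add list=LAN interface=bridge-iso

# 4. Forbid routed traffic between the two bridges in both directions.
#    place-before=0 puts the drops at the top of the forward chain, ahead of the
#    defconf accept rules, so a new connection is dropped before anything accepts it.
/ip/firewall/filter add chain=forward action=drop in-interface=bridge-iso out-interface=bridge place-before=0 comment="isolate ether5 subnet from LAN"
/ip/firewall/filter add chain=forward action=drop in-interface=bridge out-interface=bridge-iso place-before=0 comment="isolate LAN from ether5 subnet"

# Check: a client on ether5 should reach WAN but not 192.168.88.0/24
/ip/firewall/filter print where chain=forward
```

After applying this, `/ip/firewall/filter print stats` should show the two drop rules counting packets when an ether5 host tries to reach a LAN address, while traffic to the WAN still passes through the masquerade rule. Apply the commands from Safe Mode (Ctrl-X in the terminal) so a mistake in the bridge membership does not lock you out.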


Depending on the device, it might be better to use VLAN configuration on a single bridge (or one bridge and separate ethernet interfaces without a bridge) instead of two bridges, as with two bridges you might lose hardware offloading on one of them.

You can see which kind of configuration is supported by which devices here:

And here:

Agreed, VLANs might be a better approach.

I have at home my WAN in a separate VLAN so I can easily pass it on via trunk to other devices for testing purposes.

Thank you @goscickiw

One Bridge and a separated interface is what I wanted, but it seems it will not work with a DHCP server… pff

THE Bible on setting up VLAN in ROS

No DHCP problems.


You should have reverted back the original configuration where ether2-5 was in the same bridge, then:

  • In the /interface/vlan table, add a vlan200 interface VLAN ID 200 (or any other number between 2-4094) with the bridge as parent interface.
  • In the /interface/bridge/port table set the PVID value of ether5 to 200 (and if you want, set frame-types=admit-only-untagged-and-priority-tagged instead of the default admit-all but it’s not mandatory for this use case).
  • In the /interface/bridge table turn on vlan-filtering=yes for the main bridge.

For recent versions of RouterOS 7, that’s all you need, no need to manually add/edit entries in /interface/bridge/vlan anymore.

Then go to IP → DHCP Server and run the DHCP Setup wizard for the newly added vlan200 interface. If you use the defconf firewall, maybe also add vlan200 to the LAN interface list.
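As an added example (not the poster's own commands), here are the three steps above as terminal commands, followed by what the DHCP Setup wizard creates for `vlan200` and the optional LAN-list membership. Assumptions: the stock defconf names (`bridge`, interface list `LAN`), VLAN ID 200 as suggested above, and a 192.168.200.0/24 subnet of my choosing. The last two firewall rules are not in the post; they are what you need if the point is that ether5 must not reach the LAN subnet, since a routed VLAN can otherwise still talk to the LAN through the router.

```routeros
# Added example (assumed VLAN ID, subnet and names; stock defconf as starting point)

# Step 1: VLAN interface with the bridge as parent
/interface/vlan add name=vlan200 vlan-id=200 interface=bridge

# Step 2: untagged frames entering ether5 are placed in VLAN 200
/interface/bridge/port set [find interface=ether5] pvid=200 frame-types=admit-only-untagged-and-priority-tagged

# Step 3: enable VLAN filtering on the main bridge. On recent RouterOS 7 the
# /interface/bridge/vlan table is filled from the PVIDs, so verify rather than edit it:
/interface/bridge set bridge vlan-filtering=yes
/interface/bridge/vlan print

# What "IP -> DHCP Server -> DHCP Setup" does for vlan200
/ip/address add address=192.168.200.1/24 interface=vlan200
/ip/pool add name=pool-vlan200 ranges=192.168.200.10-192.168.200.254
/ip/dhcp-server add name=dhcp-vlan200 interface=vlan200 address-pool=pool-vlan200
/ip/dhcp-server/network add address=192.168.200.0/24 gateway=192.168.200.1 dns-server=192.168.200.1

# Defconf firewall: treat vlan200 like the LAN (DHCP/DNS to the router, WAN masquerade)
/interface/list/member add list=LAN interface=vlan200

# Not in the post: keep vlan200 and the untagged LAN (VLAN 1, the "bridge" interface)
# from reaching each other through the router
/ip/firewall/filter add chain=forward action=drop in-interface=vlan200 out-interface=bridge place-before=0 comment="isolate vlan200 from LAN"
/ip/firewall/filter add chain=forward action=drop in-interface=bridge out-interface=vlan200 place-before=0 comment="isolate LAN from vlan200"
```

Turn on `vlan-filtering` from Safe Mode: the bridge and the LAN ports keep their default PVID 1, so management from ether2-4 keeps working, but a wrong PVID on the port you are connected through will drop your session, and Safe Mode rolls that back. This keeps a single bridge, so hardware offloading stays available on the devices listed in the links above, which is the advantage over the two-bridge option.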