Hello good day
I have tried to create 3 LAN groups.
Internet is already working on all 3 groups, but I want to isolate those three subnets so they are not able to ping lan1 x lan2 x lan3 lan4:
192.168.2.1/24
192.168.3.1/24
192.168.4.1/24
These three ranges should not be able to ping each other,
meaning I want them to be isolated from each other. Has anyone tried this on WinBox? Thank you in advance.
It depends on how your network is connected together.
If all subnets are on completely separate branches of the network, it can be done quite easily.
Basic lines:
- identify ports on your router which will serve a certain subnet (1 subnet per port!)
- remove those ports from bridge
- define DHCP server and IP pool on those ports
- define firewall rules to block communication between subnets
If however those subnets can go over the same branches of your network, then you may have to look into VLANs.
A bit more complex but quite powerful once set up correctly.
So can you please first clarify further what exactly you want to do, why you want to do it this way, which device you have as router and how your network is made up (a simple drawing is sufficient).
I want LAN1 (eth2) 192.168.1/24 to be isolated from eth3: 192.168.3.1/24 and eth4: 192.168.4.1/24,
but still have internet access
Thanks
Forward chain
From subnet or interface
To subnet or interface
Action drop
Repeat for all combinations.
Be careful that communication which is needed does get allowed before the drop rules.
Adding:
If you still struggle with this on your own you need to come forward with the requested info.
Okay, seems like I already configured it from the start and forgot to test all the ports. I can only ping the gateway of the ports 192.168.1, 192.168.2.1, 192.168.3.1.
I tested one computer in my home lab on ether3 with the IP 192.168.3.252. I tried to ping this IP and received RTO from 192.158.4.253 without the firewall rules,
but should the 3 gateways .2.1, .3.1, .4.1 not be able to ping each other? Or should they? And also, can I just make port 2 (eth2) the only one that can access the MikroTik?
Thanks, sorry for asking a lot.
That is actually a bad solution. It does not scale, when you have 5 interfaces there are already 20 combinations.
Better: add each interface to an interface list. There already exists the interface list LAN in the default configuration that is good to use for this. Add the ethernet ports all to that interface list LAN (under the Interface menu there is an Interface List item).
Then in the firewall you add a rule in the “forward” chain: In. Interface list: LAN Out Interface list: LAN action: reject reject-with: admin prohibited.
Then you can expand it to whatever number of networks you want without worry, just add each new network to the LAN interface list.
W.r.t. being able to ping 192.168.2.1 from a PC with IP 192.168.3.252 even when traffic to the 192.168.2.x net is blocked: that is normal, no action is required. The gw addresses are all on the same router, this is not considered “forwarding” so it is not blocked by such rules. And it does not pose any additional risk either.
Rules for access to the router's own IP addresses by default don't care about the ingress interface, so it's expected that you're able to ping addresses 192.168.1, 192.168.2.1 and 192.168.3.1 if access to the router's "native" address is allowed. This is a cosmetic issue, but if it really bothers you, it is possible to "fix" it (I'm not going to write the recipe though).
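The interface-list approach from the reply above, written out as RouterOS CLI commands. This is an added example, not configuration posted in the thread; it assumes the three LAN ports are ether2, ether3 and ether4, that the LAN interface list from the default configuration still exists, and that the default forward-chain rules (accept established/related, drop invalid) are still in place ahead of it.

```routeros
# Added example: isolate all LAN subnets from each other with one rule.
# Assumes ether2/ether3/ether4 are the three LAN ports (hypothetical names)
# and that the default "LAN" interface list already exists.

/interface list member
add list=LAN interface=ether2 comment="192.168.2.0/24"
add list=LAN interface=ether3 comment="192.168.3.0/24"
add list=LAN interface=ether4 comment="192.168.4.0/24"

/ip firewall filter
# Anything that MUST keep flowing between subnets goes BEFORE the reject
# rule (the caveat raised earlier in the thread). Hypothetical exception:
# add chain=forward src-address=192.168.2.0/24 dst-address=192.168.4.0/24 \
#     protocol=tcp dst-port=631 action=accept comment="LAN2 -> printer"

# One rule covers every LAN-to-LAN combination. Internet traffic is not
# affected because the WAN port is not a member of the LAN list, and
# reply traffic is already accepted by the default established/related rule.
add chain=forward in-interface-list=LAN out-interface-list=LAN \
    connection-state=new action=reject reject-with=icmp-admin-prohibited \
    comment="isolate LAN subnets from each other"

# Verify placement: the reject rule must appear after the
# established/related accept rules and after any exceptions.
/ip firewall filter print where chain=forward
```

Pinging the router's own gateway addresses from any LAN port will still succeed, because that traffic is handled by the input chain, not the forward chain.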
It's okay, I'm trying to learn since I bought a second-hand unit for this testing. All seems to be working; I'll try to manage the bandwidth next.
@pe1chl
I fully agree with you but given the limited info and context, it was the easiest to reply.
I did a search on how to isolate two LANs and came upon your post. I am new to MikroTik and felt intimidated writing a new firewall rule. Well, what you wrote worked perfectly! I wish to thank you for your post.