Hello, we have a RB4011 connected to 4 different buildings with dumb switches in each building.
Now we want to seperate the manage building from the rest so they cant talk to the manage building.
Is it just to setup a Vlan for the port that goes to that building or do I need a smart switch?
Everything is right now with default configs, set with quickset and dhcp range.
Please provide a network diagram to assist.
A smart switch would be a smart idea because any vlan subnets you make in the RB4011 could then be more easily distributed.
Network diagram is needed indeed.
The simplest network topology with one subnet per building and one building per RB4011 ethernet port does not require smart switches and VLANs, some reconfiguration of RB4011 will do. However if you want to segment networks in the buildings (or have flexible configuration, some subnet spanning more than one building), then indeed the simplest way is to use VLANs (and smart switches in the buildings).
When providing network diagram, you can provide current RB4011 configuration as well: run /export hide-sensitive file=anynameyouwish, fetch the resulting file, open it with text editor, mask off any public IP addresses there might be visible, and copy-paste it to [__code] [/code] environment (the square brackets icon above post editor window). This way you’ll get a quality suggestion on how to change config.
# mar/03/2021 11:39:07 by RouterOS 6.47.9
# software id = V50M-CHT9
#
# model = RB4011iGS+
# serial number = D4480Dxxxxxxx
/interface bridge
add admin-mac=08:55:31:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
speed=10Gbps
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus1 ] advertise=10000M-full
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=43 name=unifi value=0x010459A0597E
/ip pool
add name=dhcp ranges=192.168.0.1-192.168.1.239
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
/ip address
add address=192.168.1.254/23 comment=defconf interface=ether1 network=\
192.168.0.0
add address=wanip/30 interface=sfp-sfpplus1 network=wanip
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.0.0/23 comment=defconf dhcp-option=unifi dns-server=\
192.168.1.254,8.8.8.8 gateway=192.168.1.254 netmask=23
/ip dns
set allow-remote-requests=yes servers=wan.wan
/ip dns static
add address=192.168.1.254 comment=defconf name=router.lan
/ip firewall address-list
add address=wan list=admin
add address=192.168.1.239 list=internet
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=3478 protocol=udp to-addresses=wan to-ports=3478
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5514 protocol=udp to-addresses=192.168.1.254 to-ports=5514
add action=dst-nat chain=dstnat connection-type="" disabled=yes dst-address=\
89.160.89.126 dst-port=8080 protocol=tcp to-addresses=192.168.1.254 \
to-ports=8080
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=8443 protocol=tcp to-addresses=192.168.1.254 to-ports=8443
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=8880 protocol=tcp to-addresses=192.168.1.254 to-ports=8880
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=8843 protocol=tcp to-addresses=192.168.1.254 to-ports=8843
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=6789 protocol=tcp to-addresses=192.168.1.254 to-ports=6789
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5656-5699 protocol=udp to-addresses=192.168.1.254 to-ports=\
5656-5699
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=27117 protocol=tcp to-addresses=192.168.1.254 to-ports=27117
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=1001 protocol=udp to-addresses=192.168.1.254 to-ports=1001
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=1900 protocol=udp to-addresses=192.168.1.254 to-ports=1900
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=443 protocol=tcp to-addresses=192.168.1.254 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5222 protocol=tcp to-addresses=192.168.1.254 to-ports=5222
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5223 protocol=tcp to-addresses=192.168.1.254 to-ports=5223
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5269 protocol=tcp to-addresses=192.168.1.254 to-ports=5269
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5280 protocol=tcp to-addresses=192.168.1.254 to-ports=5280
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5281 protocol=tcp to-addresses=192.168.1.254 to-ports=5281
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5298 protocol=tcp to-addresses=192.168.1.254 to-ports=5298
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=5298 protocol=udp to-addresses=192.168.1.254 to-ports=5298
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=3478 protocol=tcp to-addresses=192.168.1.254 to-ports=3478
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=19302 protocol=udp to-addresses=192.168.1.254 to-ports=19302
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=19305 protocol=udp to-addresses=192.168.1.254 to-ports=19305
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=10001 protocol=udp to-addresses=192.168.1.254 to-ports=10001
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=80 protocol=tcp to-addresses=192.168.1.254 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=80 protocol=udp to-addresses=192.168.1.254 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=22 protocol=tcp to-addresses=192.168.1.254 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-address=wan \
dst-port=22 protocol=udp to-addresses=192.168.1.254 to-ports=22
/ip route
add distance=1 gateway=wan
/ip service
set www-ssl certificate=root-cert disabled=no
/system clock
set time-zone-name=Europe/
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
You did not clarify about how dumb switches in buildings are connected to RB4011. Assuming each of those switches is connected to individual ethernet ports of RB4011 and assuming you want to run one subnet per building, then:
If the op selects
add chain=forward action=drop as the last rule in the forward chain, will not that stop the etherports from seeing each other at layer3?? (aka one rule replaces many rules??)
It would, but his current setup is default which “only” drops everything from WAN. I was writing task list according to his current config, not according to your golden standard.
You like people to suffer needlessly… must be that contract with the devil 
Is it possible to only vlan eth2 and leave the rest like it is?
Every switch is connected directly into ethernet ports, but the managers are using switch connected to eth2 and we would like the rest of the network not to be able to reach that building if you can understand what I mean.
If you only want to isolate LAN beyond ether2, then only perform steps I listed for ether2. E.g. remove ether2 from bridge, set IP address from a new IP subnet to ether2, add DHCP server on ether2 (with appropriate settings for selected subnet), add appropriate firewall rules which will block connections from LAN interface-list towards ether2 (you probably want to allow connections in the opposite direction).
Whatever connected to the rest of ports will continue to work as is.
I will try my best to do that, thank you 