Hi, I’m trying to create an isolated subnet on my home network for some work things.
I first tried to use a VLAN, and followed the very helpful guide here http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 but it knocked my ethernet speed down to 33% and wifi speed to almost 10%, so maybe the hAP ac is not suited to handle a number of virtual LANs.
So now, I’m just trying to isolate the work devices behind another physical router. I’d like it so that nothing on the “home” network (192.168.*.*) can see the work network (10.*.*.*) and vice versa.
Ideally something like this:

Building off the default config, and following a couple posts, I was able to remove ether3 from the default bridge, and create a new DHCP pool for it:
http://forum.mikrotik.com/t/configure-multiple-subnets-with-dhcp/79416/1
http://forum.mikrotik.com/t/remove-port-from-the-default-brige/125811/1
So far, the work pc gets assigned an IP in the 10.10.50.* range, but it can’t reach the internet, despite the following rules:
/ip firewall filter
add action=accept chain=forward comment="work access to WAN" out-interface-list=WAN src-address=10.0.0.0/8
add action=drop chain=forward comment="drop any other work" src-address=10.0.0.0/8
It doesn’t appear to be able to reach the MT router either.
I’m pretty new to networking, and I feel like the issue is something to do with the firewall rules, but I don’t have a good understanding of them to know what’s wrong or how to fix it.
Also, is the work-bridge necessary, or can I do everything off the ether3 interface directly?
isolated-subnet.rsc (4.19 KB)
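
The two forward rules quoted in the post, run through a simplified first-match model to show which traffic they decide and which they leave to the rest of the rule set. This is an added example, not part of the original post or the poster's configuration; the WAN list membership (ether1), the router addresses and the host addresses are assumptions.

```python
import ipaddress

# The two rules quoted in the post, in listed order (first match decides).
RULES = [
    {"chain": "forward", "action": "accept", "src": "10.0.0.0/8", "out_list": "WAN"},
    {"chain": "forward", "action": "drop", "src": "10.0.0.0/8"},
]

# Assumptions, not taken from the post: ether1 is the only WAN member and
# the router owns these two addresses.
WAN_LISTS = {"WAN": {"ether1"}}
ROUTER_ADDRS = {"10.10.50.1", "192.168.88.1"}


def evaluate(src, dst, out_iface, lists=WAN_LISTS, rules=RULES):
    """Return (action, rule_index) for one packet, or ("no-match", None).

    Packets addressed to the router traverse the input chain; everything
    routed through it traverses forward. "no-match" means neither quoted
    rule decides and the rest of the rule set (not modelled) applies.
    """
    chain = "input" if dst in ROUTER_ADDRS else "forward"
    for index, rule in enumerate(rules):
        if rule["chain"] != chain:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"]):
            continue
        wanted = rule.get("out_list")
        if wanted is not None and out_iface not in lists.get(wanted, set()):
            continue
        return rule["action"], index
    return "no-match", None


if __name__ == "__main__":
    work_pc, home_pc = "10.10.50.20", "192.168.88.10"  # constructed hosts
    cases = [
        ("work -> internet", work_pc, "8.8.8.8", "ether1"),
        ("work -> home", work_pc, home_pc, "bridge"),
        ("home -> work", home_pc, work_pc, "work-bridge"),
        ("work -> router", work_pc, "10.10.50.1", None),
    ]
    for label, src, dst, out in cases:
        print(f"{label:18} {evaluate(src, dst, out)}")
    # Same internet packet when the outgoing port is not in the WAN list.
    print("empty WAN list    ", evaluate(work_pc, "8.8.8.8", "ether1", lists={"WAN": set()}))
```

In this model the pair blocks work-to-home traffic but leaves home-to-work traffic and anything addressed to the router itself undecided, and the accept rule only fires when the outgoing interface really is a member of the WAN list.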