Traffic segmentation on an interface level?

Good day

I’m trying to set up a Mikrotik switch (running RouterOS 6.46.1) on a rather complex network with a multitude of VLANs. There are 3 ports belonging to a single VLAN, which lead to devices further down the line, all of which have public IP addresses, meaning they are routed straight to the Internet.

What I want to achieve is to isolate these 3 ports from each other so that no broadcast traffic, or any traffic at all, goes between them on this switch - but rather have the devices behind those ports rely on their internet connection to access each other. E.g. a device on port 1 wants to send data to a device on port 3, say connecting to it with PuTTY or some such, but all the traffic from port 1 goes out to the world wide web first and then gets routed back to port 3, as if these devices were in different places geographically.

Using filter rules to just segment IP ranges is not an option, because there’s a wild mix of public IP addresses (even if in the same network range) on each port.

What would be a solution?

Port isolation can be done by using horizon property of bridge ports.

However, you will have a problem with connectivity between clients that have IP addresses within the same IP subnet … because devices want to connect directly to other devices inside the same subnet without involving a gateway; that’s what a subnetwork is all about.
If you describe the reasons why you want to block direct connectivity between clients we might give you some idea about how to achieve your goals.

A single VLAN on those 3 ports contains a nearly fully used /24 subnet (nearly 250 devices). The idea is to severely limit a rather noticeable broadcast traffic going back and forth.

I still don’t see a solution. As I wrote, the communication between hosts from the same subnet won’t use the gateway. You could configure the bridge to use the IP firewall and block broadcasts (but not all of them, some broadcast types are required, e.g. “ARP who has”).

But perhaps a better way would be to create a few smaller subnets from the /24 you have now. For sure you would lose a few IP addresses (if you divide the /24 into 4 subnets of /26, you lose 9 additional addresses: 3 network addresses, 3 masks and 3 for the router), but broadcast traffic would be slightly better contained. If your LAN gear is VLAN capable, then you could separate those subnets into different VLANs…

I have to chime in on not seeing a proper solution, but I totally understand the demand.
A dodgy solution with a noticeable admin overhead would be bridge horizon and static routes for all hosts in the same subnet via the default g/w. And this being set on each and every host.
Far from nice, far from easy, but pretty smart :)

But I fear the switch CPU going nuts under the bridge horizon load - IIRC setting a horizon goes directly to the CPU.

-Chris

I don’t see in the OP what model the switch is and/or the topology, but what about switch port isolation?

That won’t do …

E.g. a device on port 1 wants to send data to a device on port 3, say connecting to it with PuTTY or some such, but all the traffic from port 1 goes out to the world wide web first and then gets routed back to port 3, as if these devices were in different places geographically.

The problem is that the devices are in the same subnet, hence they won’t try to use the gateway when they want to talk to each other.

Unless the router runs proxy-arp for the whole subnet …

@mkx, yes, you are correct, should have worded my post better, was more related to @cdiedrich’s post re CPU going nuts with horizon config

OK, thank you for replies, guys.

And indeed, it seems much more convenient to divide one subnet into four separate VLANs
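The /24-into-four-/26 split suggested above, written out as a RouterOS 6.41+ bridge VLAN-filtering configuration. This is an added example, not configuration from the thread or from MikroTik; it assumes bridge1 with ether1 as the tagged uplink, one untagged access port per /26 (ether2 to ether5), and that this RouterOS box is the gateway for each /26, using the 192.0.2.0/24 documentation range in place of the real public block.

```routeros
# Assumed interface names: ether1 = uplink (tagged), ether2..ether5 = access ports.
# Create the bridge with VLAN filtering off; it is switched on as the last step
# so the device is not locked out while the VLAN table is still incomplete.
/interface bridge
add name=bridge1 vlan-filtering=no

# Each access port is untagged into its own VLAN (pvid), so hosts on ether2
# share a broadcast domain only with each other, not with the other three ports.
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether4 pvid=30
add bridge=bridge1 interface=ether5 pvid=40

# VLAN table: tagged towards the uplink and the bridge itself (so the router
# can own a gateway address in each VLAN), untagged on the access port.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether3 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether4 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether5 vlan-ids=40

# Layer-3 interfaces, one per VLAN.
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
add name=vlan20 interface=bridge1 vlan-id=20
add name=vlan30 interface=bridge1 vlan-id=30
add name=vlan40 interface=bridge1 vlan-id=40

# Four /26 subnets carved from 192.0.2.0/24 (placeholder for the real block):
# .0/26, .64/26, .128/26, .192/26. The first usable address of each is the
# gateway; hosts moved between /26s must get a matching mask and gateway.
/ip address
add address=192.0.2.1/26 interface=vlan10
add address=192.0.2.65/26 interface=vlan20
add address=192.0.2.129/26 interface=vlan30
add address=192.0.2.193/26 interface=vlan40

# Enable filtering last; traffic between the four VLANs now has to be routed
# (and can therefore be firewalled) instead of being switched.
/interface bridge
set bridge1 vlan-filtering=yes
```

Hosts in different /26s reach each other only through the router, which is where the per-subnet IP firewall rules belong; as noted above, this costs 9 addresses compared with the single /24.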