I have a Mikrotik RB1100AHx2 router and two CRS125-24G-1S switches. I’ve implemented “Switch with a separate router (RoaS)” as a starting point from here: Using RouterOS to VLAN your network. This works well.
Now I would need to isolate every client from each other in Blue VLAN. How do you make that happen?
By default firewall rules only act on routed, not bridged, traffic. You could set use-ip-firewall=yes and use-ip-firewall-for-vlan=yes under /interface bridge settings to force the bridged traffic within a VLAN to be processed too, or alternatively use a bridge filter or bridge split horizon.
Note that none of these methods work if the switches are using hardware offloading, as the traffic never reaches the software bridge. Some of the switch chips support port isolation, but not always together with VLANs.
I don't see any attempt to answer the OP's question?
He said, and I may be wrong, but he wants to isolate every USER/DEVICE WITHIN a VLAN.
I have always understood that this request is not possible at L3, as firewall rules are designed for traffic between VLANs, for example, and have no effect on L2 traffic within a VLAN.
The only thing that I think comes close is the situation when you have WIFI users on the SAME SSID.
I believe it is possible to block wifi users (on the same vlan or subnet) using the same SSID from seeing each other.
In particular, one can only isolate wlan users from each other when they're using the same BSSID, meaning the clients are connected to the very same AP. Such isolation doesn't work in an environment where multiple APs use the same SSID; clients connecting to different APs can't be isolated using this technique, and one has to resort to L2 tricks implemented on all switches/bridges, which may prove to be a royal PITA.
Only a thought: one could avoid playing tricks on APs and intermediate switches when using CAPsMAN with local-forwarding=no. Then it would boil down to isolating clients on the CAPsMAN device itself. Never tried it myself though.
If OP has wired clients in mind, then the technique mentioned by @anav doesn't make any sense anyway. In that case it would be possible to isolate clients using split horizon (assuming each has its own access port on one of the CRSes). It would probably work nicely for clients of each CRS1xx; however, isolation of clients connected to different CRS1xx would still be a challenge, which could be solved by using a different VLAN ID for "blue VLAN" on different CRSes (creating separate IP subnets). That should not be a problem, since the clients have to be isolated anyway.
Split horizon is a software feature, so it's not wise to use it on CRS1xx, where you have proper hardware port isolation.
As for isolating the "blue VLAN" on one CRS125 from the other one, I guess it can be done using a bridge filter on the RB1100 if they are both connected to it.
Thank you for all the replies. The network in question has only wired clients. I don’t have access to it so that I could test things until next week.
Is the consensus that I should set up port isolation on each switch on the ports which are part of the blue VLAN, like in this example, and then add a bridge filter rule on the RB1100AHx2? What would that rule look like? (Blue VLAN is on interface "BLUE_VLAN", the vlan-id is 10 and the subnet is 10.0.10.0/24. Port ether1 on each switch is connected to the router.)
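The router-side half of the answer, as an added example that is not part of this thread and not the OP's configuration: it shows both mechanisms named in the first reply (a bridge filter, and use-ip-firewall so the IP firewall sees bridged traffic) applied to the question asked above. It assumes, which the thread does not state, that the two CRS125 uplinks land on ether2 and ether3 of the RB1100AHx2, that those ports are members of a bridge called "bridge", and that BLUE_VLAN (vlan-id 10, 10.0.10.0/24, router address 10.0.10.1) is the VLAN interface on that bridge. It only separates blue clients on switch1 from blue clients on switch2; two clients on the same CRS never send a frame through the router, so that part still has to be done on the switch.

```routeros
# Added example for the RB1100AHx2 side (not the thread's own config).
# Assumed names: uplink to switch1 = ether2, uplink to switch2 = ether3,
# both bridge ports of "bridge"; blue VLAN = vlan-id 10, 10.0.10.0/24.

# 1. Bridge filters only run in the software bridge. If both uplinks sit on
#    the same switch chip with hardware offloading, frames between them are
#    switched in silicon and never hit the filter, so turn offloading off
#    for these two ports (or verify they are on different chips first).
/interface bridge port
set [find interface=ether2] hw=no
set [find interface=ether3] hw=no

# 2. Drop VLAN 10 frames forwarded from one switch uplink to the other, in
#    both directions. Traffic from a client to the router itself (DHCP,
#    default gateway 10.0.10.1, internet) goes through the input chain,
#    not forward, so it is unaffected by these rules.
/interface bridge filter
add chain=forward in-interface=ether2 out-interface=ether3 \
    mac-protocol=vlan vlan-id=10 action=drop comment="blue: switch1 -> switch2"
add chain=forward in-interface=ether3 out-interface=ether2 \
    mac-protocol=vlan vlan-id=10 action=drop comment="blue: switch2 -> switch1"

# 3. Alternative from the first reply: push bridged (and VLAN-tagged bridged)
#    traffic through the IP firewall and drop the blue subnet talking to
#    itself. Simpler to express, but every bridged packet now costs CPU.
#    Use either 2. or 3., not both.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall filter
add chain=forward src-address=10.0.10.0/24 dst-address=10.0.10.0/24 \
    action=drop comment="blue clients may not reach each other"

# Check: a client on switch1 and one on switch2 should both still reach
# 10.0.10.1 and the internet, while a ping between them fails and the
# drop counters below increase.
/interface bridge filter print stats
/ip firewall filter print stats
```

The bridge filter version is the one to prefer on a router that bridges a lot of traffic, since only frames between those two ports are inspected; the use-ip-firewall version is easier to read but changes how every bridged packet is handled, so test it outside production hours.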
I tried to use the port isolation feature of the switch. I followed this example.
I ran the following commands on switch1:
/interface ethernet switch port-isolation
add port-profile=1 ports=ether1 type=dst
/interface ethernet switch port
set ether1 isolation-leakage-profile-override=0
set ether2 isolation-leakage-profile-override=1
set ether3 isolation-leakage-profile-override=1
# etc...
Once these rules were enabled, the devices connected to the ports on the blue VLAN (ether2-ether8 on switch1) were unable to receive an IP from the router or access the internet. Port ether1 on switch1 is connected to the router.
I think this is where my knowledge on how to configure CRS1XX/2XX ends.
I have only one of this line and it's in production, so I can't use it for testing purposes.
I guess that the port-profile is somehow messing with the VLAN config, or at least with the part of it that makes ether1 a trunk port.
But I don't know how to overcome it, and googling for the answer doesn't really help either.