Hello
Is there any benefit to using a VLAN vs just using firewall rules to separate devices, for example in the case ‘I have some Chinese WiFi IOT device I don’t entirely trust’?
Note the “firewall” approach will only work if these IoT things are cabled DIRECTLY on a Mikrotik port! (but I guess you knew that)
I think both approaches are about equally “safe” if executed correctly. But if you have several devices it is not easy to cable every IoT “thing” directly on a wired port of a Mikrotik.
Good point about the wired cables.
Will the firewall isolation work for wireless?
If you make a separate SSID/Network for your “IoT” related stuff this can be linked to separate IP-range and then yes, you can filter accordingly.
I don’t use Mikrotik for any wireless, but this should be well documented on how to do that.
I mean if I used the same IP range and network with wireless, but used firewall rules to segregate the devices, is this as effective as a VLAN?
I think you can consider this also as a “yes”.
But again: I don’t use Mikrotik for wireless.
OK thanks.
What I am not sure of is if two subnets (going out diff etherports) are on the same bridge.
What connectivity does the bridge allow, if any, at L2?
If none, then I concur; if it allows L2, then I would caveat the statement with yes, but only as long as one subnet is not on the bridge or is on a different bridge.
Remember L3 blocking (firewall rules) has to be in place regardless of L2 situation.
I like VLANs, as there is no ambiguity: VLANs enjoy L2 separation and one only has to worry about L3 rules.
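The VLAN-plus-firewall setup the thread converges on, as an added RouterOS example (not from any poster): bridge VLAN filtering gives the IoT devices their own L2 segment for both a wired port and a wireless SSID, and /ip firewall rules then enforce L3. It assumes a default-style config with bridge1 plus WAN/LAN interface lists, ether3 as the wired IoT port, wlan1 as the AP radio (v6 wireless package syntax), and VLAN 10 / 10.10.10.0/24 as constructed values.

```routeros
# Added example, not from the thread. Assumed: bridge1 exists with the trusted LAN
# untagged (VLAN 1), WAN interface list exists, ether3 = wired IoT port,
# wlan1 = AP radio. VLAN 10 / 10.10.10.0/24 / names are constructed placeholders.

# Wired IoT port: untagged frames arriving on ether3 are placed into VLAN 10.
/interface bridge port add bridge=bridge1 interface=ether3 pvid=10

# Wireless IoT SSID as a virtual AP on the same VLAN (v6 wireless syntax).
/interface wireless security-profiles add name=iot-psk mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE-ME-PLACEHOLDER
/interface wireless add master-interface=wlan1 name=wlan1-iot ssid=IoT \
    security-profile=iot-psk disabled=no
/interface bridge port add bridge=bridge1 interface=wlan1-iot pvid=10

# Bridge VLAN table: VLAN 10 untagged on the IoT ports, tagged towards the router
# (bridge1) so it can route and firewall that traffic.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1 \
    untagged=ether3,wlan1-iot

# L3 presence on the IoT VLAN: gateway address and DHCP for the devices.
/interface vlan add interface=bridge1 name=vlan10-iot vlan-id=10
/ip address add address=10.10.10.1/24 interface=vlan10-iot
/ip pool add name=iot-pool ranges=10.10.10.100-10.10.10.200
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
/ip dhcp-server add name=dhcp-iot interface=vlan10-iot address-pool=iot-pool disabled=no

# L3 policy: IoT may reach the Internet only, nothing towards the trusted LAN,
# and only DHCP/DNS towards the router itself. Assumes the default
# "accept established,related" rules already sit at the top of forward/input.
/interface list add name=IOT
/interface list member add list=IOT interface=vlan10-iot
/ip firewall filter
add chain=forward in-interface-list=IOT out-interface-list=WAN action=accept comment="IoT -> Internet"
add chain=forward in-interface-list=IOT action=drop comment="IoT -> anything else, incl. trusted LAN"
add chain=input in-interface-list=IOT protocol=udp dst-port=53,67 action=accept comment="IoT -> router DNS/DHCP"
add chain=input in-interface-list=IOT action=drop comment="IoT -> router otherwise"

# Enable VLAN filtering last, after the VLAN table is complete, or the router can
# lock itself out. Without it the bridge forwards IoT frames to the trusted LAN
# at L2 and the /ip firewall rules above are never consulted.
/interface bridge set bridge1 vlan-filtering=yes
```

With filtering enabled, the drop rule in the forward chain is the only path between VLAN 10 and the trusted LAN, which is the “L2 separation plus L3 rules” arrangement the last reply describes.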