Hi, all. I have a hEX PoE and I’m trying to configure two separate networks, both with access to the WAN/Internet but not to each other. One of the networks is solely on Ether2. There is a bridge that contains ports Ether3, 4, and 5. VLAN1 uses that bridge as its interface and VLAN2 uses Ether2 as its interface.

I have a computer connected directly to Ether2 and it is able to ping both out to the Internet and a printer on VLAN1. Can anyone offer advice as to why objects in these VLANs are able to talk to each other, and how to stop it while leaving WAN communication working?

Many thanks for any help!

Would need to see the complete config.
/export hide-sensitive file=anynameyouwish

would also state that use of vlan1 is not recommended as that is the defaut vlan for bridges and really shouldnt be used for any data flow.

My apologies for the delayed response. I never saw a notification that someone had replied and got tied up with other tasks. Here is the configuration:

feb/18/2022 20:54:59 by RouterOS 6.49.2

software id = PWYG-2P82

model = 960PGS

serial number = 89FA075FCE4B

/interface bridge
add admin-mac=64:D1:54:4B:73:99 auto-mac=no comment=defconf name=bridge
add mtu=1500 name=bridge2
/interface ethernet
set [ find default-name=ether2 ] poe-out=off
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=ether2 name=vlan2 vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.212.100-192.168.212.200
add name=Pool2 ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp bootp-support=none disabled=no interface=bridge name=
defconf

DHCP server can not run on slave interface!

add address-pool=Pool2 disabled=no interface=ether2 lease-time=10h name=DHCP2
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge2 interface=vlan2
add bridge=bridge2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.212.1/24 comment=defconf interface=bridge network=
192.168.212.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=
192.168.2.1 netmask=24 ntp-server=104.149.164.142,50.205.244.107
add address=192.168.212.0/24 comment=defconf dns-server=
208.67.222.222,208.67.220.220 gateway=192.168.212.1 netmask=24
ntp-server=104.149.164.142,50.205.244.107
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.212.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=MikroMentel
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I think you should relook at your planning and network structure.
There is no need for vlans if you only have two subnets.
There is no need for two bridges in you only have two subnets.
In fact there is no need for a bridge at all.
You have mixed them up in such a way that the config is prone to errors.

Suggest instead you articulate your requirements/
a. what users/devices or groups of user/devices do you have.
b. what traffic flows do you want them to have and not to have.

Then a network diagram showing the infrastructure in place will complete the picture and
a design/config will naturally fall out.
How many ports do you need? Are there are devices involved (switches, access points etc).

None of firewall rules block traffic between both LAN subnets …

My limited understanding is that using firewall rules would use the CPU instead of hardware offloading the vlan. Is this true?

On most low-end switch chips hardware offloading of VLANs means that traffic within same VLAN but spanning multiple physical ports will be handled by switch chips. Inter-VLAN traffic, however, is routed and only high-end switch chips (e.g. in CRS3xx and some other devices) support HW offloaded routing.

None of switch chips support firewalling in hardware, ROS can only offload traffic which could be fast-tracked.