nicolae
just joined
Topic Author
Posts: 16
Joined: Sat Jul 02, 2016 9:22 pm

PC network isolation approach

Fri Nov 02, 2018 7:44 pm

Hi guys

I would like to limit two Windows PCs on my home network so that they can access only the internet but not the local network.

I was wondering what the best approach for this is, so that I can leverage my hardware and keep the solution dynamic (in the future I might add this restriction to more devices).

My mind was set on VLANs, but then again I don't know very much about them to be sure that it's the right approach.

My gear is a hEX PoE lite and an RB260GS.

Does anybody have this already? Any advice you can share?
 
User avatar
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: PC network isolation approach

Fri Nov 02, 2018 8:15 pm

If you can have the PCs that need to be isolated connected directly to the hEX, not the switch, then you can do it without VLANs and in several different ways:
- you can create separate subnet(s) for such PC(s)
- you can run the IP firewall on the bridge
- you can configure the bridge's own filtering
- you can use the bridge horizon feature
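One of the options xvo lists, the bridge's own filtering, written out as an added example (this is not xvo's configuration or MikroTik's own). It assumes the two PCs hang directly off hEX ports ether4 and ether5, that all LAN ports are members of a bridge named "bridge", and that the router is their default gateway; the port names and bridge name are assumptions. The bridge filter forward chain only sees frames that are bridged from one port to another, while frames addressed to the router's own MAC go to the input chain, so the PCs keep DHCP, DNS and routing to the internet but nothing is bridged between them and any other LAN port.

```routeros
# Added example, not from the thread. Assumed names: isolated PCs on ether4
# and ether5, both ports of the bridge called "bridge". Turn Safe Mode on first.

# Frames from an isolated port are never bridged to another port ...
/interface bridge filter
add chain=forward in-interface=ether4 action=drop comment="ether4: no bridging to other LAN ports"
add chain=forward in-interface=ether5 action=drop comment="ether5: no bridging to other LAN ports"
# ... and frames from other ports are never bridged towards an isolated port
# (covers broadcasts and ARP from the rest of the LAN as well).
add chain=forward out-interface=ether4 action=drop comment="ether4: nothing bridged in from other LAN ports"
add chain=forward out-interface=ether5 action=drop comment="ether5: nothing bridged in from other LAN ports"

# Check: the packet counters on these rules climb when a PC tries to reach
# a LAN host, while ping to the gateway and to the internet keeps working.
/interface bridge filter print stats
```

Two caveats worth knowing before choosing this route. Bridge filter rules are evaluated by the CPU, so the switch chip no longer forwards these frames on its own, which is exactly the cost nicolae objects to later in the thread. And the horizon option from the same list isolates a port only from other ports that carry the same horizon value, so it suits a bridge where every port should be cut off from every other port (each one talking only to the router), not a mix of isolated and normal ports.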
 
nicolae
just joined
Topic Author
Posts: 16
Joined: Sat Jul 02, 2016 9:22 pm

Re: PC network isolation approach

Fri Nov 02, 2018 8:47 pm

Hello.

I don't have any free ports in the router, so I have no choice but to connect them to the switch running SwOS.

Also, I want maximum performance, so I don't want to do any filtering/routing/bridging in the CPU; I want to use something that my devices have hardware support for.

Thank you for your suggestion!
 
User avatar
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: PC network isolation approach

Fri Nov 02, 2018 10:14 pm

nicolae wrote:
Hello.

I don't have any free ports in the router, so I have no choice but to connect them to the switch running SwOS.

Also, I want maximum performance, so I don't want to do any filtering/routing/bridging in the CPU; I want to use something that my devices have hardware support for.

Thank you for your suggestion!

And still, it is better to vacate some ports on the router to have the devices that need to be separated there, and move the rest (or most) of the LAN to the switch.
Of course, only if it can be done physically.

Otherwise, VLANs seem to be the only way: port isolation on the switch won't do the trick if some of the LAN devices remain connected to the bridge on the router.
 
User avatar
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: PC network isolation approach

Sat Nov 03, 2018 2:02 pm

VLAN approach is the only scalable approach.
 
User avatar
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: PC network isolation approach

Sun Nov 04, 2018 12:44 am

Depends.
What is the ethernet cable path to those PCs?
If you have control over those lines separately, then as xvo stated, getting a small unmanaged switch at the MikroTik may be useful.
Two ways:
(The two cables coming from the PCs that need to be isolated plug into the switch and one cable from the switch goes to the MikroTik.) If you don't have a free port then get a second unmanaged switch.
(Use the second switch to plug in the incoming ethernet cables from all other devices and take one cable to the MikroTik to free up ports.)

Then you simply don't use the bridge for these two PCs:
you assign them the physical port as the interface, call it LAN2 or DMZ network, give them their own address block, DHCP server and DHCP network, IP pool etc.

As stated, if you keep expanding this concept, VLANs are the way to go.
In this case MikroTik makes very affordable small managed switches to help.
 
nicolae
just joined
Topic Author
Posts: 16
Joined: Sat Jul 02, 2016 9:22 pm

Re: PC network isolation approach

Mon Nov 05, 2018 9:24 pm

Hi all

I already have the hardware, and I don't have the luxury to plug the computers into the router.

The router has a link to the switch; I will eventually have computers that need to be isolated plugged into the router and the switch at the same time.

I agree that the VLAN way is the best way, but I don't have the RouterOS skills to configure this.
 
User avatar
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: PC network isolation approach

Mon Nov 05, 2018 10:51 pm

nicolae wrote:
Hi all

I already have the hardware, and I don't have the luxury to plug the computers into the router.

The router has a link to the switch; I will eventually have computers that need to be isolated plugged into the router and the switch at the same time.

I agree that the VLAN way is the best way, but I don't have the RouterOS skills to configure this.

Nicolae, I thought the same, but xvo helped me through the worst bits: a few lost teeth, down a few pints of blood, but in the end I am fully recovered and I am exploding with VLANs. I think I am up to 8 right now, and some on Virtual APs no less. Somebody help me, I'm outta control!!

Seriously, if we take it slow, it may even feel good ;-) Just do one VLAN, in slow time, step by step, and it will be like magic.
The key is to ENSURE you have SAFE MODE ON throughout the entire time.
(Note: being a complete idiot, I now hit safe mode first thing, ALWAYS, each session I open up in WinBox.)

You will need to:
Create a VLAN interface, including assigning a VLAN name and number, and assign the VLAN to your current bridge under the interface selection.
On the Interface LIST, ensure you add the VLAN to the LAN interface list (the bridge should already be there under LAN as well).
UNDER the IP MENU, create a VLAN IP pool, IP address, DHCP server (using the pool) and DHCP network.

On the Bridge menu (ignore the first Bridge tab, you will use it later):
Ports tab - ensure the physical ports coming out of the router that carry VLANs are associated with the bridge.
VLANs tab - ensure that the tagged ports include the VLANs that your router is controlling, the bridge itself, and the physical ports on the router that carry the traffic.

In terms of firewall rules, it depends whether you have a drop-everything rule as standard fare at the end of the input/forward rules.
If so, then you will need to create an accept forward traffic rule, VLAN to WAN (in-interface: VLAN, out-interface: WAN, or if you have two ISPs, use out-interface-list=WAN).

If you are more of an allow-everything-and-create-rules-to-block type, then you may need something like a Drop Forward rule where one states in-interface=VLAN, out-interface=!WAN
(meaning drop all traffic from the VLAN to anything but the WAN).

Last step, and if you managed to forget, now is the time to hit SAFE MODE. Go back to Bridge, click on the bridge name in the menu and then select the VLAN tab. (To be clear, this is not the VLAN tab that is visible when selecting Bridge from the left-hand menu, but one that becomes available when you double-click on the bridge name itself, visible when the first tab (the default tab called Bridge) on the menu is highlighted.) At the popup menu select VLAN and you will see a blank checkbox next to VLAN Filtering. Check this box.

You should be just about done!
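The steps anav walks through in WinBox, written out as RouterOS CLI commands in the same order. This is an added example, not anav's configuration or MikroTik's own; it assumes a bridge named "bridge", hEX port ether5 as the tagged trunk towards the RB260GS, a WAN port already in the interface list "WAN", VLAN id 20 and the subnet 192.168.20.0/24, all of which are choices made here rather than values from the thread.

```routeros
# Added example, not from the thread. Assumed names: bridge "bridge", trunk
# port ether5 (to the RB260GS, already a bridge port), WAN in interface list
# "WAN", VLAN id 20, subnet 192.168.20.0/24. Turn Safe Mode on before pasting.

# 1. VLAN interface on the bridge, and its membership in the LAN interface list
/interface vlan
add name=vlan20-isolated vlan-id=20 interface=bridge
/interface list member
add interface=vlan20-isolated list=LAN

# 2. IP pool, address, DHCP server and DHCP network for the isolated VLAN
/ip pool
add name=pool-vlan20 ranges=192.168.20.10-192.168.20.200
/ip address
add address=192.168.20.1/24 interface=vlan20-isolated
/ip dhcp-server
add name=dhcp-vlan20 interface=vlan20-isolated address-pool=pool-vlan20 disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# 3. Bridge VLAN table: VLAN 20 is tagged on the trunk port and on the bridge
#    itself (the bridge entry is what lets the vlan interface above receive it).
#    The trunk keeps pvid 1, so untagged LAN traffic is unaffected.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=20

# 4. Firewall: the isolated VLAN may talk to the router only for DHCP/DNS
#    (the router answers DNS because allow-remote-requests is on by default),
#    and may be forwarded only towards the WAN. These rules must sit above any
#    final drop rule in their chain; the WAN accept must come before the drop.
/ip firewall filter
add chain=input in-interface=vlan20-isolated protocol=udp dst-port=53,67 action=accept comment="vlan20: DNS and DHCP to router"
add chain=input in-interface=vlan20-isolated protocol=tcp dst-port=53 action=accept comment="vlan20: DNS over TCP to router"
add chain=input in-interface=vlan20-isolated action=drop comment="vlan20: nothing else to the router"
add chain=forward in-interface=vlan20-isolated out-interface-list=WAN action=accept comment="vlan20: internet only"
add chain=forward in-interface=vlan20-isolated action=drop comment="vlan20: no access to the rest of the LAN"
add chain=forward out-interface=vlan20-isolated connection-state=new action=drop comment="vlan20: LAN may not open connections into it"

# 5. Last, with Safe Mode on: enable VLAN filtering on the bridge
/interface bridge
set bridge vlan-filtering=yes

# Check afterwards: an H flag on a port means it is still hardware-offloaded;
# if it is gone, the bridge is now being forwarded by the CPU on this device.
/interface bridge port print
```

The switch side is configured in the SwOS web interface of the RB260GS rather than from this CLI: the port that links to the hEX must carry VLAN 20 tagged, and the two PC ports must use VLAN 20 as their default VLAN id with VLAN mode set so that untagged frames from the PCs are tagged on the way out. Whether the hEX keeps bridging in hardware once vlan-filtering is on depends on the switch chip in the router, which is why the bridge port print check at the end is worth running before declaring the performance goal met.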
