Apologies. How do I set up a local IP, for example 192.168.0.1, for 5 local ports? Do not use bridge mode... Is there a switch mode or something? Then in the firewall I can create rules to block traffic between those ports, because if they are in a bridge I can't do it. There are rules in the bridge settings that accept firewall, but I also need those ports to accept firewall rules...
Believe me... I have... tried... to read... your... question 3... times... but I... was... unable... to focus... and... understand... it.
Then in the firewall I can create rules to block traffic between those ports, because if they are in a bridge I can't do it. There are rules in the bridge settings that accept firewall, but I also need those ports to accept firewall rules...
I'll explain it... no problem. I have this small local wifi network with about 60 +/- devices: PCs, phones, TVs, etc. On the 5 local ports are 4 wifi APs, then a NAS on one port. Access to the NAS is allowed from all ports, but not between the AP ports... Same subnet? Because they all access the NAS from all kinds of devices, so it is better on the same subnet, right? Why block those ports? It's simple... You are a network and security professional, no? Do you know, if one device gets infected with a nasty trojan horse or virus, how fast it goes searching the neighbouring PCs and devices, and the owner of the infected PC does not know it, and the whole network gets unknown problems... Windows PCs etc. Safety first at this point... I do not like reinstalling a PC twice in a month. I also do PC maintenance on that network. I can save lots of time if no PC gets infected; of course they can still download something another way, but then there is no spreading to other PCs in the same network... You get it? Now it is time for you to answer me too... Then in the firewall I can create rules to block traffic between those ports, because if they are in a bridge I can't do it. There are rules in the bridge settings that accept firewall, but I also need those ports to accept firewall rules...
It can be done.
But you had better think (and try to explain to us, if only to make things clearer for yourself) why you want to have all of those hosts in the same subnet and yet block some (if not all) communication between them. I can think of a number of reasons (most are either invalid or impractical); perhaps you'll enlighten us with some new ones?
One thing: in the bridge all those ports are bridge ports, but one is the root port (root path cost 10) and the rest are designated ports. Why is this, or what is it for? Thanks
There are a couple of ways of doing what you want:
- set use-ip-firewall=yes and construct appropriate firewall filter rules. Be sure to disable hw-offload on all ports on which you want to enforce the firewall, or else packets will bypass the firewall (you do that by setting hw=no for the port in /interface bridge port)
- use the split-horizon feature ... bridge ports with the same horizon value don't communicate with each other
The second option is more resource-friendly but less tunable (communication either flows or doesn't at all, compared to the firewall way, where you have the possibility of fine-tuning the allowed communication).
Beware that this kind of traffic control affects device performance.
And that you cannot control communication between devices connected to the same RB port; that communication has to be blocked in downstream devices (e.g. an AP which blocks communication between its client devices, or a switch with port isolation).
And no, I'm not a network professional. I'm a radio engineer / sysadmin who had to learn some networking to get around less competent networking guys (no matter which hat I wear, I always stumble upon some).
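For readers who want to see both options from the reply above as actual RouterOS configuration, here is an added example for the topology the original poster described (four AP ports, one NAS port, one subnet). It is not from the thread or from MikroTik's documentation; the port names ether2..ether6, the bridge name bridge1, the interface-list name AP-ports and the 192.168.0.0/24 subnet are assumptions. Option 1 enforces the IP firewall on bridged traffic; Option 2 replaces that firewall rule with split horizon. Use one or the other, not both.

```routeros
# Added example, not configuration from the thread. Port names, bridge name,
# list name and subnet are assumptions; adjust to the real box.

# One bridge carrying all five ports keeps every device in one subnet
# (the NAS is reachable from every AP without routing).
/interface bridge
add name=bridge1

# ---- Option 1: IP firewall on bridged traffic ------------------------------
# hw=no on every port whose traffic must reach the firewall. With hardware
# offload left on, frames are switched in the chip and never hit the CPU,
# so the filter rules below would silently not apply.
/interface bridge port
add bridge=bridge1 interface=ether2 hw=no comment="AP 1"
add bridge=bridge1 interface=ether3 hw=no comment="AP 2"
add bridge=bridge1 interface=ether4 hw=no comment="AP 3"
add bridge=bridge1 interface=ether5 hw=no comment="AP 4"
add bridge=bridge1 interface=ether6 hw=no comment="NAS"

# Make bridged (same-subnet) traffic pass through /ip firewall.
/interface bridge settings
set use-ip-firewall=yes

/ip address
add address=192.168.0.1/24 interface=bridge1

# Group the AP ports so a single rule covers every AP-to-AP pair.
/interface list
add name=AP-ports
/interface list member
add list=AP-ports interface=ether2
add list=AP-ports interface=ether3
add list=AP-ports interface=ether4
add list=AP-ports interface=ether5

# With use-ip-firewall=yes, bridged frames traverse the forward chain and the
# in-bridge-port / out-bridge-port matchers identify the physical ports.
# Only AP-port -> AP-port forwarding is dropped; anything to or from the NAS
# port (ether6) does not match and is left alone, as is traffic to the router
# itself (DHCP, DNS), which goes through the input chain, not forward.
/ip firewall filter
add chain=forward in-bridge-port-list=AP-ports out-bridge-port-list=AP-ports \
    action=drop comment="block AP-to-AP traffic; NAS stays reachable"

# ---- Option 2: split horizon instead of the firewall rule ------------------
# Ports sharing horizon=1 never forward frames to each other. The NAS port is
# left with no horizon, so it still forwards to and from all four AP ports.
# Remove the drop rule above if you switch to this; it is no longer needed.
/interface bridge port
set [find interface=ether2] horizon=1
set [find interface=ether3] horizon=1
set [find interface=ether4] horizon=1
set [find interface=ether5] horizon=1
# ether6 (NAS): horizon intentionally left unset
```

Two checks after applying either option: `/interface bridge port print` shows an `H` flag on ports where hardware offload is actually active, so for Option 1 confirm the flag is absent on every port you expect the firewall to see; and, as the reply notes, neither option isolates two clients on the same AP, so client isolation still has to be switched on in each AP. For Option 1 you can watch the drop rule's packet counter in `/ip firewall filter print stats` while pinging from one AP's client to another's to confirm the traffic is really being dropped rather than offloaded around the rule.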