When I Google, I get mixed results
Can someone confirm that it is possible to do Private VLAN on the RB4011 router?
I would like everyone connecting to RB4011 to be isolated from each other and only connect to internet and a few other internal services.
As @anav already wrote (using different words): what exactly does "Private VLAN" mean in your context? If the Wikipedia article describes your view of the matter, then ... hell yes, RB4011 can run a large number of private VLANs.
Easy peasy and please read this article to get you going.
What do you mean? Everyone isolated from everyone? Even if they are on the same VLAN?
Yes - only cloud services are used. So we want everyone to be in their own bubble.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 horizon=1 interface=ether1
add bridge=bridge1 horizon=1 interface=ether2
add bridge=bridge1 horizon=1 interface=ether3
add bridge=bridge1 horizon=1 interface=ether4
If more than one user exists on the same port, then nothing on MT device can prevent those users talk to each other as long as they are in same VLAN (or none VLAN).
Why not if I enable the Bridge Firewall?
You can successfully block users from reaching each other using the Bridge Firewall even if they exist on the same interface...
But, when using the Bridge Firewall, in order for it to work, you must disable the hardware offload...
And of course on the wireless interface all the traffic goes through the CPU...
AFAIK (but I may be wrong) traffic between two wireless clients of same radio (i.e. same wifi interface) is handled by wireless driver. While technically they are handled by CPU (because whole wireless driver runs on CPU), they don't pass bridge logic handled by CPU.
client1 -> air -> wireless chip -> wireless driver -> wireless chip -> air -> client2
client1 -> air -> wireless chip -> wireless driver -> bridge port A -> bridge (on CPU) -> bridge port A -> wireless driver -> wireless chip -> air -> client 2
With forwarding=yes, Enabled Bridge firewall was working just fine between 2 wireless clients on the same radio.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=100 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether6 pvid=200 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7 pvid=300 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether8 pvid=300 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 untagged=ether6,ether7,ether8 vlan-ids=100
add bridge=bridge1 untagged=ether2 vlan-ids=200
add bridge=bridge1 untagged=ether2 vlan-ids=300
/interface bridge set bridge1 vlan-filtering=yes
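A quick way to check which ports the two bridge configs posted in this thread actually let talk to each other, as an added example (not code from any poster or from MikroTik). It is a simplified model for untagged frames only: it assumes ports sharing a horizon value never forward to each other, and that with vlan-filtering=yes a port is a member of a VLAN if it is listed for it or if that VLAN is its own PVID; `parse`, `can_forward` and `two_way` are hypothetical helper names.

```python
import re
from itertools import permutations

# Port/VLAN lines copied from the two configs posted in the thread.
HORIZON_CFG = """/interface bridge port
add bridge=bridge1 horizon=1 interface=ether1
add bridge=bridge1 horizon=1 interface=ether2
add bridge=bridge1 horizon=1 interface=ether3
add bridge=bridge1 horizon=1 interface=ether4"""
VLAN_CFG = """/interface bridge port
add bridge=bridge1 interface=ether2 pvid=100 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether6 pvid=200 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7 pvid=300 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether8 pvid=300 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 untagged=ether6,ether7,ether8 vlan-ids=100
add bridge=bridge1 untagged=ether2 vlan-ids=200
add bridge=bridge1 untagged=ether2 vlan-ids=300
/interface bridge set bridge1 vlan-filtering=yes"""

def parse(cfg):  # -> ({port: (pvid, horizon)}, {vlan_id: listed member ports})
    ports, vlans, menu = {}, {}, ""
    for line in cfg.splitlines():
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if line.startswith("/"):
            menu = line.strip()
        elif menu == "/interface bridge port":
            ports[kv["interface"]] = (int(kv.get("pvid", 1)), kv.get("horizon"))
        elif menu == "/interface bridge vlan":
            members = {p for k in ("tagged", "untagged") for p in kv.get(k, "").split(",") if p}
            vlans.setdefault(int(kv["vlan-ids"]), set()).update(members)
    return ports, vlans

def can_forward(cfg):
    """(ingress, egress) port pairs along which an untagged frame is bridged."""
    ports, vlans = parse(cfg)
    allowed = set()
    for src, dst in permutations(ports, 2):
        (s_pvid, s_hor), (d_pvid, d_hor) = ports[src], ports[dst]
        if s_hor is not None and s_hor == d_hor:
            continue  # split horizon: not sent out a port with the same horizon value
        if "vlan-filtering=yes" in cfg and dst not in vlans.get(s_pvid, set()) and d_pvid != s_pvid:
            continue  # assumption: VLAN members = listed ports plus ports whose PVID is that VLAN
        allowed.add((src, dst))
    return allowed

def two_way(cfg):
    fwd = can_forward(cfg)
    return {frozenset(p) for p in fwd if p[::-1] in fwd}  # pairs that can talk both ways
```

Under these assumptions the horizon config leaves no port-to-port path at all, while in the VLAN config ether6 only reaches ether2 but ether7 and ether8 share PVID 300 and can still reach each other.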