Greetings to all,

Current Situation at my home-network:
- 1 Subnet (192.168.178.0/24) with DSL-Hardware (FritzBox) doing DHCP, all clients are connected to WLAN / LAN to this box.

Situation I'd like to realize:
- Still 1 Subnet (192.168.178.0/24) wit DSL-Hardware doing DHCP
- RB941-2nD Connected to Router (kind of acting as a Switch), DHCP-Proxy set, (ether1, 192.168.178.xxx)
- "Special" Devices I'd like to firewall connected to RB941-2nD (ether2 - ether4, 192.168.178.x)
- Firewall-Rules control traffic of connected devices (ether 2 - 4) to OTHER Devices connected directly to FritzBox and / or the Internet

What I realized:
Everything above, but with a separate Subnet on RB941-2nD and NAT.
So with my beginner's knowledge to RouterOS I'm only able to create a second Subnet and work with NAT and Firewall-rules.

The Reason why I'd like to have everything in ONE subnet is based on some services relying on broadcast (e.g. a MineCraft-Server on Raspi which is otherwise not found as a "local game" for my kids and they would need to sign in to Microsoft to connect...)

Is this even possible? I tried to bridge all ports but this is giving me the same subnet (which is good), but firewall-rules are not possible for a bridged network... am I correct?

Thanks for your Ideas appreciate your input to this,
Stay safe,
Martin!

Two options:

- If it would be enough, you can use bridge filters for stateless config (e.g. A can't connect to B, and neither can B connect to A)
- If you want stateful firewall (A can connect to B, but B can't connect to A), you can use bridge's use-ip-firewall=yes, and then you'll see all bridged connections in IP firewall.

[...]you can use bridge's use-ip-firewall=yes, and then you'll see all bridged connections in IP firewall.[...]

So you mean, the only thing I forgot is to edit Bridge SETTINGS (which I found after reading your post) to activate the setting "Use IP-Firewall"?
This would result in having all firewall-options available although all ports are using the same bridge? If it's THAT easy, it's a quick win and a big "thank you" for your post!

If it helps you, that options is not used very often. And when it's mentioned somewhere, it's usually warning to not use it, because its effect in some configs can be a bit unexpected. But for filtering within local subnet, as you want, that's the thing.

Thanks Sob - it solved my desired configuration!
Plus: I added a secondary bridge for keeping the option to have a separated network, so the Routerboard can handle my "normal"- and my "lab"-network.

Firewall now seems to have the need to be reconfigured (I get a ton of "invalid" connections now and need to check why...),
but generally your solution was very helpful - THANKS!

That's the possibly tricky part, there's only one common IP firewall, so if router does some other routing, firewall will see both that and bridged packets.

It is a littly tricky, right. I'm approaching it with Address-Lists at the moment.

Also I have in mind (for a more professional avail) to use VLANs for those different networks in the future and only use ONE bridge for multiple VLANs.
Absolutely a good idea to check back to this forum if something is stuck then, skilled people are around here!

Thanks,
Martin!