Hi,
I can't find any information about this topic, so I have to add my own.
I have an RB951G-2HnD router board and my ISP gave me five public IPs.
IP addresses:
ISP: 81.120.12.176/29 on ether1
Lan1: 192.168.88.0/24 on ether2
Computer1: 192.168.88.12 (Lan1)
Server1: 192.168.88.10 (Lan1) with access from WAN as WWW server on the 81.120.12.178 public IP.
vlan79: 192.168.89.0/24 on ether3
Server2: 192.168.89.15 (vlan79) with access from WAN as WWW server on the 81.120.12.179 public IP.
vlan80: 192.168.90.0/24 on ether3
Not used now, but it will be in the future.
So on the ether1 interface I added two public IP addresses:
81.120.12.178 and 81.120.12.179
/ip address
add address=81.120.12.178/29 interface=ether1 network=81.120.12.176
add address=81.120.12.179/29 interface=ether1 network=81.120.12.176
The ether2 interface is connected to a switch, and there is a DHCP server (on the MikroTik, for ether2). Computer1 and Server1 are connected to this switch; for Server1 there is a NAT rule on the firewall which forwards port 80 from the public IP (81.120.12.178) to the LAN IP 192.168.88.10 (Server1), where the WWW server is.
/ip address add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dhcp-server add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
/ip firewall nat add action=dst-nat chain=dstnat dst-address=81.120.12.178 dst-port=80 protocol=tcp to-addresses=192.168.88.10 to-ports=80
On the ether3 interface two VLANs (79 and 80) were added, but for now I only use vlan79. On the vlan79 interface I added an IP address (192.168.89.1) and a DHCP server. The ether3 interface is connected to Server2, where I configured the vlan79 interface. Server2 has the LAN address 192.168.89.15, and on the firewall there is a NAT rule which forwards port 80 from the public IP (81.120.12.179) to the LAN IP 192.168.89.15 (Server2), where the WWW server is.
/interface vlan add interface=ether3 name=vlan79 vlan-id=79
/ip address add address=192.168.89.1/24 interface=vlan79 network=192.168.89.0
/ip dhcp-server add address-pool=dhcp_pool2 disabled=no interface=vlan79 name=dhcp2
/ip firewall nat add action=dst-nat chain=dstnat dst-address=81.120.12.179 dst-port=80 protocol=tcp to-addresses=192.168.89.15 to-ports=80
I omitted presenting basic configuration like masquerade etc. in this topic, but it is done on my router.
Everything works fine: I have internet on both LANs, and I have access from the WAN to both of my servers.
But my problem is that I can access vlan79 from Lan1 and vice versa. I want to isolate them, i.e. deny access from server1 to server2 using ping or a web browser from 192.168.88.10 to 192.168.89.15 and vice versa, but I want to keep access from server1 to server2 using the public IPs, i.e. I can open the web page on server1 from server2 using the 81.120.12.179 address in the web browser on server1.
I attach a diagram for better understanding.
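As an added example (not part of the original post), here is a set of RouterOS forward-chain filter rules that isolates 192.168.88.0/24 from 192.168.89.0/24 while leaving the posted dst-nat rules usable from inside the LANs. It assumes the forward chain has no other rules yet (otherwise these must be placed above them) and that the two dst-nat rules stay as posted, without an in-interface restriction, so they also match LAN-originated connections to the public IPs.

```routeros
# Added example: isolate Lan1 (ether2) from vlan79 while keeping access
# between the two servers through the public IPs 81.120.12.178/.179.
# RouterOS evaluates filter rules top to bottom, so the order below matters.
/ip firewall filter

# Reply packets of connections that were already accepted pass in both
# directions; without this the web server's answers would hit the drop rules.
add chain=forward connection-state=established,related action=accept comment="allow replies of accepted connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid"

# A connection from Server2 to 81.120.12.178:80 is rewritten by the existing
# dstnat rule to 192.168.88.10:80 before it reaches the forward chain. Such
# connections carry nat-state=dstnat, so they are accepted here, ahead of the
# isolation rules. Direct use of 192.168.89.15 / 192.168.88.10 is not
# dst-nat'ed and therefore falls through to the drop rules below.
add chain=forward connection-nat-state=dstnat action=accept comment="allow access via public IPs (dst-nat'ed)"

# Isolation: any other traffic between the two private subnets is dropped,
# covering ping as well as browsing by private address, in both directions.
add chain=forward src-address=192.168.88.0/24 dst-address=192.168.89.0/24 action=drop comment="isolate Lan1 -> vlan79"
add chain=forward src-address=192.168.89.0/24 dst-address=192.168.88.0/24 action=drop comment="isolate vlan79 -> Lan1"

# The unused vlan80 (192.168.90.0/24) can be added to the same scheme later
# with one drop rule per direction, above any final accept rule.
```

The router itself still answers pings to its own addresses (input chain, not forward), so testing the isolation should target the servers' private addresses, not the router.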