Toravon
just joined
Topic Author
Posts: 3
Joined: Sun May 28, 2023 8:39 pm

Block communication between multiple ports

Sun May 28, 2023 9:59 pm

Hi,
[my HW/SW] RB2011UiAS-2HnD-IN, RouterOS 6.49.8

How can I block all communication between multiple ports? What should I turn off/on ?
I have 3 Windows PCs (Port2, Port5,Virtual wirelesslan) and stuff like NAS, Printer, IPcamera, etc. for security reasons I want to block all communication between Windows devices, but be open for NAS,etc
I did google and try some of the firewall rules with action=drop, but when I tried ping between Port2+Port5, it wasn't blocked.

Is there a way to block L2 communication between Port2 + Port 5 + Virtual wlan on the same bridge/subnet?
 
JohnTRIVOLTA
Member
Posts: 343
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Block communication between multiple ports

Sun May 28, 2023 10:49 pm

Bridge-filter ... bridge-horizon !
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block communication between multiple ports

Mon May 29, 2023 3:43 am

Okay so I have to ask, most people want to block users from each other, not ports. What do you have against ports LOL.

Seriously, users are on L2 subnets. Do you have different subnets per port? In which case blocking is easy!
Do you have one subnet on 3 different ports and want to block the ports.
The question I would ask is WHY, you put them on the same subnet.
If you don't want the users on different ports talking to each other, put them on different subnets.

If you don't have enough ports for the number of subnets you need, then switch from assigning a subnet to a port to assigning VLANs to a bridge; problem solved.
 
Toravon
just joined
Topic Author
Posts: 3
Joined: Sun May 28, 2023 8:39 pm

Re: Block communication between multiple ports

Mon May 29, 2023 9:17 pm

If I put them on separate subnets/VLANs, how will they all see/connect to the NAS/NVR/printer?
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Block communication between multiple ports

Mon May 29, 2023 10:07 pm

To do what you are asking (whether it is really what you want/need) you will need to use switches that have port isolation as an option.

For example, see Port Isolation for how a MikroTik 24 port switch running SwOS can be configured.

Assuming you want to do everything on the RB2011 which has multiple switches, you are going to have more of a problem, and I don't know if it can be done without involving the RB2011 CPU, and that will affect performance. But if you are using wireless, that's already using the CPU for bridging between wired and wireless ports (going only by the block diagram).

If you can limit everything to the Gb switch, then you may be able to use the /interface ethernet switch port-isolation feature to do what you are asking about, but it won't help with wireless.

If you are just trying to protect the Windows PCs, why not just use the Windows firewall?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block communication between multiple ports

Tue May 30, 2023 7:04 pm

Hi Toravon, this illustrates that asking about a config setting is a waste of time.
What you did in response is an excellent response to the kind of information we need to help design a good config.
Namely, state all the requirements, all the needed traffic flows,
OF WHICH one is "I need to share a printer".

a. identify all users/devices, groups of users/devices
b. identify all the traffic they need to be able to accomplish or not accomplish


So you had one requirement (shared printer): who needs access to it?
Another requirement implied, you want certain users/devices or groups of users/devices not to be able to see each other.

Make a comprehensive list for proper planning.
 
Toravon
just joined
Topic Author
Posts: 3
Joined: Sun May 28, 2023 8:39 pm

Re: Block communication between multiple ports

Thu Jun 01, 2023 3:31 am

Buckeye wrote:
To do what you are asking (whether it is really what you want/need) you will need to use switches that have port isolation as an option.

For example, see Port Isolation for how a MikroTik 24 port switch running SwOS can be configured.

Assuming you want to do everything on the RB2011 which has multiple switches, you are going to have more of a problem, and I don't know if it can be done without involving the RB2011 CPU, and that will affect performance. But if you are using wireless, that's already using the CPU for bridging between wired and wireless ports (going only by the block diagram).

If you can limit everything to the Gb switch, then you may be able to use the /interface ethernet switch port-isolation feature to do what you are asking about, but it won't help with wireless.

Yeah, that makes sense that it would be easier to have all 3 PCs on one switch (ether2-4). I did check in WinBox, and in Switch => Port Isolation you can "forward override" and then choose "forward to".
The only struggle is that I need to add a new cable through the house; I don't mind cables on the wall, but other people in the household do.

Buckeye wrote:
If you are just trying to protect the Windows PCs, why not just use the Windows firewall?

I do use the Windows firewall, and I even chose the option to NOT be discoverable on the network, but with Windows updates (Windows doing stuff in the background) and vulnerabilities, I would like to have more security in the router as well.

--------------------------------------------------

I see that I did try filters in Bridge, like this EXAMPLE:
/interface bridge filter
add action=drop chain=forward dst-mac-address=1 src-mac-address=2
add action=drop chain=forward dst-mac-address=2 src-mac-address=1
In the Bridge settings I did try turning "Use IP Firewall" and "allow fast path" on/off.

And in the firewall I did try something like this EXAMPLE:
/ip firewall filter add action=drop src-address=1 dst-address=2
/ip firewall filter add action=drop src-address=2 dst-address=1
but still, when I turn off the Windows firewall and then ping the IP address, it isn't blocked.

So is there another way where I make 6-9 rules to block by IP (all IP addresses are static) or MAC address so it blocks communication between devices? And turn off some hidden setting like "allow fast path"?
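As an added RouterOS 6.x configuration example (mine, not from any poster in this thread) showing the two L2 approaches the thread names, bridge horizon and a bridge filter in chain=forward, plus the checks that tell you whether the rules are actually seeing the traffic. Interface names ether2, ether5 and wlan2 (the virtual wireless interface) and the list name "isolated" are assumptions.

```routeros
# Goal: the three Windows hosts cannot exchange L2 frames with each other,
# but every one of them can still reach the NAS, printer and camera ports.
# Pick ONE of the two options below; they achieve the same isolation.

# Option A: split horizon (JohnTRIVOLTA's hint). Bridge ports that share a
# horizon value never forward frames to each other. Ports left with no
# horizon (NAS, printer, camera) still talk to everyone.
/interface bridge port
set [find interface=ether2] horizon=1
set [find interface=ether5] horizon=1
set [find interface=wlan2]  horizon=1

# Option B: explicit bridge filter keyed on ingress/egress interface, so no
# per-host MAC or IP list has to be maintained when a PC is replaced.
/interface list
add name=isolated comment="assumed list name: ports that must not see each other"
/interface list member
add list=isolated interface=ether2
add list=isolated interface=ether5
add list=isolated interface=wlan2
/interface bridge filter
add chain=forward in-interface-list=isolated out-interface-list=isolated \
    action=drop comment="no PC-to-PC L2 traffic; NAS/printer/camera unaffected"

# Checks. /ip firewall filter only sees bridged traffic when
# use-ip-firewall=yes is set here, which is why a plain IP drop rule on a
# flat bridge did nothing:
/interface bridge settings print

# Ping from one PC to another and confirm the drop counters move:
/interface bridge filter print stats

# If the isolated ports still carry the H (hw-offload) flag, frames between
# them are switched in the chip and never reach the bridge filter; the rule
# or horizon must force those ports onto the CPU path for it to take effect.
/interface bridge port print
```

Either option leaves the NAS, printer and camera reachable from all three PCs, which is what the /ip firewall attempts in the post could not deliver on a single flat bridge.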
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block communication between multiple ports

Thu Jun 01, 2023 2:08 pm

I don't give a rat's ass about your config intentions, or doing this or doing that; it's fruitless.
What's important is to communicate your requirements.
a. identify users/devices, groups of users/devices
b. identify what traffic should be allowed.

Then a config that makes sense can be constructed within the context of the requirements.
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: Block communication between multiple ports

Thu Jun 01, 2023 4:23 pm

@anav... calm down 😂

I think you should take a break from that VRRP tutorial writing and get some fresh air down the hill, next to the river.

And don't forget to bring your fishing tools, and some snacks 😉
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block communication between multiple ports

Thu Jun 01, 2023 5:26 pm

No worries, wiseroute, have at it.
Trying to solve issues without context is the antithesis of your avatar name.
Hopefully, after some introspection, there may be an attempt to reach the goals of your nick.
Otherwise one is actually hampering progress and learning, probably not intentionally, but I'm surprised it has not been realized.

As for the OP, a good config is based on good planning which comes from a rigorous study of the requirements.
Anything else is playing whack-a-mole.
