Good evening,
I have the following problem with my Mikrotik CRS326-46G-2S+.

I would like to block the internal VLAN traffic and redirect it to a gateway.

So 2 servers on port 7 and 8 have tagged the VLAN 20 and a firewall on port 10 as well.
Now I would like the two servers on port 7 and 8 VLAN 20 to no longer be able to talk to each other but to take the route via the gateway.

How can I implement this?

I have searched for several hours but have not found anything.

Many thanks in advance for your help.

Why do both servers have to be in same VLAN? This complicates things a lot.

Let me explain.

The two servers are Hyper Visor.

Currently I have more than 30 VLANs.
One for each application.
And there will be more.

My plan is to reduce the Vlans to 3 or 4.
But the VMs should not be allowed to communicate with each other

There is also another case where I want to do this.
And I would like to know if the Mikrotik switches are able to do this.
Otherwise I will unfortunately have to switch to other manufacturers.
I wouldn't like that so much

Thanks

What you are looking for is called "PVLAN" constructuon in general (Private VLAN) and you would be using some form of "Isolated Ports" in a "Isolated VLAN" construction.
So 2 devices in such PVLAN cannot directly talk to each other but must pass through a device connected on a "Promiscous" port.

As far as I know, Mikrotik does not have this feature.


If you run Cisco ACI/SDAccess fabric (or other vendor) same result can be reached by tagging (SGT's) your traffic offering micro-isolation/segmentation but that is a whole different story. So in 1 IP-space you can have full control on what-talks-to-what

https://community.fs.com/article/what-i ... works.html

Thanks for the tip with the PVLAN.

Too bad that the Mikrotik doesn't have the exact feature I need.


Thanks anyway

Hi,

yes you can, with switch port isolation, there is even a PVLAN chapter in the MT Wiki:

https://help.mikrotik.com/docs/display/ ... 0scenarios

But PVLAN is a dirty hack, do yourself a favor, use separate vlans and the IP firewall rules, as mkx already wrote!

As for using ACI instead of a single CRS326-46G-2S+ : It´s like suggesting a homeless person to move in to the royal castle. It would certainly solve his problems...

I'll give it a try.

Thank you very much for your help

As for using ACI instead of a single CRS326-46G-2S+ : It´s like suggesting a homeless person to move in to the royal castle. It would certainly solve his problems...

Yep, it sure is. Totally different worlds.
Good to know Mikrotik does support something like a PVLAN on certain models/chipsets so that might indeed solve the topic-starters main concern.