Hello,
is there a Mikrotik Router which allows to accomplish following setup?
In the bridge operating mode it acts as a layer 2 switch and allows packet filtering in this operating mode.
This means that the restriction of access to individual areas of your network can be achieved without having to use different networks for this purpose.

In the Bridge operating mode, it behaves like a layer 2 switch between the machine network (automation cell) and the company network.
The IP addresses in the company network are in this case in the same IP address space (subnet) as the addresses in the machine network.
Access between the two network areas can be limited or secured with packet filters and MAC address filters. This allows the separation of part of the
company network without using different network addresses.

How may this config look like? Which hardware can accomplish it?

This isn`t a Problem with RouterOS / Mikrotik
Do it every now and then, mostly for testing / learning purposes
You can configure a bridge without FASTpath and enabled IPFirewall


Performance is the biggest Issue as everything needs go though the CPU

For the OPs use case port isolation would likely not be sufficent.

In this case creating a bridge, adding all of the ports to it and setting use-ip-firewall=yes under /interface bridge settings would provide the the most flexibility, but as pointed out is handled by the CPU so not going to achive wire-speed throughput on smaller Mikrotiks.

Instead of enabling bridged traffic to use the IP firewall there are bridge filters and switch rules - filters are also handled by the CPU, there are only a limited number of switch rules (depends on switch chip in the particular model of Mikrotik). Both of these methods are stateless, there is no connection tracking but for just filtering for access control, rather than NAT, this may not be an issue.

This isn`t a Problem with RouterOS / Mikrotik
Do it every now and then, mostly for testing / learning purposes
You can configure a bridge without FASTpath and enabled IPFirewall


Performance is the biggest Issue as everything needs go though the CPU

Hello,
please find attached the config as proposed. Howerever, the firewall has no effect as the plcs are still available from outsinde.
Is it possibel that the internal switch is responsible?
https://help.mikrotik.com/docs/spaces/R ... p+Features
Should (WAN) Ether1 be no part of the bridge?
Rule Table is not available for the MT7621 RB750Gr3 (hEX).
Thank you

ether1 should be part of the bridge as you are using it for the layer2 switch uplink. In a conventional setup it would not, as there is layer3 routing between the WAN and LAN.

The input chain handles packets destined for the Mikrotik itself, the forward chain handles anything passing through, so you need the following at the end of the existing rules:
/ip firewall filter
add action=drop chain=forward comment="drop all coming from WAN" in-interface-list=WAN

The packet flow https://help.mikrotik.com/docs/spaces/R ... n+RouterOS and in particular https://help.mikrotik.com/docs/spaces/R ... dgeForward may be helpful to understand the path taken.

The IPsec and CAPSman rules are unnecessary for your setup.

ether1 should be part of the bridge as you are using it for the layer2 switch uplink. In a conventional setup it would not, as there is layer3 routing between the WAN and LAN.

The input chain handles packets destined for the Mikrotik itself, the forward chain handles anything passing through, so you need the following at the end of the existing rules:
/ip firewall filter
add action=drop chain=forward comment="drop all coming from WAN" in-interface-list=WAN

The packet flow https://help.mikrotik.com/docs/spaces/R ... n+RouterOS and in particular https://help.mikrotik.com/docs/spaces/R ... dgeForward may be helpful to understand the path taken.

The IPsec and CAPSman rules are unnecessary for your setup.

Thank you,
The firewall rule was added. I also disabled the hw for ether1, however still clients can be accessed from outside.
The connections are shown in the IP firewall table. I have reduced the FW to block everything. Still the firewall has no effect. Any idea?

I am not sure to understand the setup with ether1 part of the bridge (actually I am pretty sure I don't understand it), but maybe using the interface instead of the interface list?:
add action=drop chain=forward comment="drop all coming from ether1" in-interface=ether1

I rarely use use-ip-firewall=yes so overlooked the subtle differences as to how interfaces are referenced - instead of using the in-interface or in-interface-list matchers in-bridge-port or in-bridge-port-list should be used.

From the documentation "in-bridge-port (name; Default: ) Actual interface the packet has entered the router if the incoming interface is a bridge. Works only if use-ip-firewall is enabled in bridge settings."

You will need the established, related rules too, otherwise the return packets from outbound connections will also be dropped.