 
mirekr
just joined
Topic Author
Posts: 4
Joined: Mon Nov 15, 2021 9:10 pm

Completely separate one eth port from LAN

Mon Nov 15, 2021 9:48 pm

Hi all,

firstly the use case - I have a common home network with a Mikrotik router in NAT mode with the provider's AP on WAN and the eth ports bridged together with wlan. And I am thinking about separating one of the eth ports from the rest for security reasons - typically to protect new devices during their first update. (All computers in LAN/wlan are used by regular users including me, who knows how many computer worms may be crawling there from time to time...)

The questions:
1) The first thing I do before updating anything is enabling a sw fw and dropping all incoming connections. Considering that, is having a separate network for upgrading useful?... or paranoid and the sw fw is enough?
2) If useful, how do I simply separate, let's say, the eth4 port? Can I simply remove eth4 from the bridge and use the fw to drop all forwards bridge>eth4 resp. eth4>bridge? (And still use the same IP addresses and DHCP server?)

Thank you for your advice, hope the questions are not too dumb 0:) still learning but already in love with Router OS :)
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Completely separate one eth port from LAN

Tue Nov 23, 2021 4:42 am

Different Solutions for the Problem...
But if you want to keep it "Easy", I would create a separate Guest-Network / Bridge

Basic Setup-Example:

Step 1: Create Bridge
/interface bridge
add comment=Guest-Network name=bridge2

Step 2: Assign IP for Guest-Network
/ip address
add address=192.168.13.254/24 comment=Guest-Network interface=bridge2 network=192.168.13.0

Step 3: Create DHCP
/ip pool
add name=dhcp_pool0 ranges=192.168.13.100-192.168.13.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge2 name=dhcp1
/ip dhcp-server network
add address=192.168.13.0/24 dns-server=192.168.13.254 gateway=192.168.13.254

Step 4: Allow DNS-Request
/ip dns
set allow-remote-requests=yes

Step 5: Reassign ether4-Interface to Bridge2 (Guest-Network)
/interface bridge port set [find where interface=ether4] bridge=bridge2

Step 6: Test
Everything should work on the Guest-Network

Step 7: Firewall and Co
Add Firewall-Rules to limit Traffic between LAN-Network, Internet & Guest-Network
 
mirekr
just joined
Topic Author
Posts: 4
Joined: Mon Nov 15, 2021 9:10 pm

Re: Completely separate one eth port from LAN

Wed Mar 16, 2022 11:48 am

Thank you very much for your reply! One more thing - why is it necessary to add other fw rules because of the new bridge? I thought that the default rules in /ip firewall are valid for all bridges and the only rule I need to add is to drop the packets coming from one bridge to another.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Completely separate one eth port from LAN

Wed Mar 16, 2022 1:15 pm

You could do an off bridge thing and this is simpler, no dhcp etc.

Simply remove ether2 from existing single bridge
Give it an IP address 192.168.55.1/24 interface=ether2 network=192.168.55.0

DONE!

Now for every new device all you need to do is give it an IP (IPv4 settings) like 192.168.55.2 or .5, whatever.
You will have access to the router in general.

a. input chain rule to allow access to the router if you want to config the router from here.
b. forward chain rule to allow to WAN, to get updates.
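An added example (not code from ConnyMercier's or anav's posts) of the firewall rules that "Firewall and Co" and points a./b. above refer to, written for both variants in the thread: the separate bridge2 from ConnyMercier's steps, or the off-bridge port ether2 from anav's post. It assumes a router still running the RouterOS default firewall (defconf), with the main bridge already a member of the interface list LAN; the interface-list name GUEST is my choice. The reason explicit rules are needed at all: the default forward chain accepts established/related traffic and then only drops new connections arriving from the WAN list, so traffic between two local segments is forwarded unless a rule blocks it.

```routeros
# Added example, not from the thread. Assumes the RouterOS default firewall
# (interface list LAN already contains the main bridge). Keep exactly ONE of
# the two "member" lines, depending on which variant you built.
/interface list
add name=GUEST comment="isolated segment for updating new devices"
/interface list member
add interface=bridge2 list=GUEST comment="separate-bridge variant"
# add interface=ether2 list=GUEST comment="off-bridge port variant"

/ip firewall filter
# place-before=0 puts each rule at the top of its chain, ahead of the defconf
# fasttrack/accept-established rules, so a new connection between the two
# segments is dropped before anything can accept it.
add chain=forward action=drop in-interface-list=GUEST out-interface-list=LAN \
    connection-state=new place-before=0 comment="guest -> LAN: drop"
add chain=forward action=drop in-interface-list=LAN out-interface-list=GUEST \
    connection-state=new place-before=0 comment="LAN -> guest: drop"
# (b.) guest -> Internet needs no extra rule: nothing in the default forward
# chain drops it, and the defconf srcnat masquerade matches out-interface-list=WAN.

# (a.) The default input chain ends with "drop all not coming from LAN", so a
# device on the guest segment only reaches the router for what is opened here.
# DNS is enough for updates; open management only if you really need it.
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=53 \
    place-before=0 comment="guest: DNS to router"
add chain=input action=accept in-interface-list=GUEST protocol=tcp dst-port=53 \
    place-before=0 comment="guest: DNS to router (tcp)"
# add chain=input action=accept in-interface-list=GUEST protocol=tcp dst-port=8291 \
#     place-before=0 comment="guest: WinBox to router (optional)"
```

To check the result, run `/ip firewall filter print where in-interface-list=GUEST` and watch the rule counters while a guest client tries to reach a LAN host (should fail) and an Internet host (should work). With the off-bridge variant the address and DHCP server from the posts above stay as described; only the list membership changes.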
 
mirekr
just joined
Topic Author
Posts: 4
Joined: Mon Nov 15, 2021 9:10 pm

Re: Completely separate one eth port from LAN

Wed Mar 16, 2022 2:54 pm

Nice solution, thx. Do I have to add a fw rule to drop packets between the port and the bridge? Or is it separated by design?
b. forward chain rule to allow to WAN, to get updates.
What updates do you mean? Incoming traffic should be processed/dropped without any need to change the default fw rules - or am I wrong?
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Completely separate one eth port from LAN

Wed Mar 16, 2022 3:56 pm

Your firewall rules should have a drop rule at the end of each chain.
Thus any traffic not explicitly permitted is dropped at Level3.
Level2, not sure, but I seem to recall that on-bridge and off-bridge (or two separate bridges) is a decent level 2 blocker.
I prefer vlans so there is no question.
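An added example (not from anav's post) that turns the "drop rule at the end of each chain" advice into a check you can run on the router: a RouterOS script that looks at the last enabled rule of the input and forward chains and warns when it is not an unconditional drop. The chain names and the properties read are standard RouterOS; the wording of the messages is mine.

```routeros
# Added example, not from the thread: verify that each chain ends with an
# unconditional drop, so anything not explicitly permitted is dropped at L3.
# Paste into the terminal or save as a script and run it.
:foreach chain in={"input";"forward"} do={
  :local ids [/ip firewall filter find where chain=$chain disabled=no]
  :if ([:len $ids] = 0) do={
    :put "WARNING: chain $chain has no enabled rules at all"
  } else={
    :local last [:pick $ids ([:len $ids] - 1)]
    :local act [/ip firewall filter get $last action]
    :local cmt [/ip firewall filter get $last comment]
    # A final drop that is limited to one interface list is not a catch-all:
    # traffic that misses every earlier rule on another interface is still
    # accepted. So require action=drop with no in-interface-list set.
    :local iface [/ip firewall filter get $last in-interface-list]
    :if ($act = "drop" && [:len $iface] = 0) do={
      :put "OK: chain $chain ends with an unconditional drop ($cmt)"
    } else={
      :put "WARNING: chain $chain ends with action=$act in-interface-list=$iface ($cmt); add a final 'drop everything else' rule"
    }
  }
}
```

Note that the RouterOS default configuration does end the input chain with a drop, but that drop is limited to `in-interface-list=!LAN`, and the forward chain ends with a WAN-only drop; on such a router the script reports a warning for both chains, which is exactly the gap the posts above discuss when a second bridge or an off-bridge port is added.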
