The isolation physically CANNOT be done on RB4011 when both ports are on the same switch.
...
Welp... it looks like there's no way to do a true isolation with L2 ACL and RB4011 doesn't support that.
If you want to use the SPF+ port and another port, I don't know if it can be done on the RB4011.
Because I was curious, I just backed up my RB760iGS in my lab and initialized to "default config" with "internet" on ether 1 connected to upstream ER-X acting as the dhcp "ISP" and ether2-ether5 as part of the bridge.
The MikroTik Switch documentation hints that this may work, but they don't mention the switch1-cpu connection.
Then when configured as follows (only changes to default config):
/interface ethernet switch port-isolation
set 3 forwarding-override=switch1-cpu,ether5
set 4 forwarding-override=switch1-cpu,ether4
So ether4 can only forward to CPU and ether5, and ether5 can only forward to ether4 (in other words, ether4 and 5 are isolated from other external ports, but can see each other and CPU, but not RPi4 on ether3)
ether1 connected to "internet"
ether2-5 part of bridge1 (Hardware switching)
ether2 no connection
ether3 connected to JonRPi4B4-1 (ip obtained with dhcp server on RB760iGS 192.168.88.252)
ether4 connected to OP380 (windows 10) (ip obtained with dhcp server on RB760iGS 192.168.88.254)
ether5 connected to TestPi3 (ip obtained with dhcp server on RB760iGS 192.168.88.253)
JonRPi4B4-1, OP380, and TestPi3 all obtained ip addresses from dhcp server on bridge1
CPU can ping all devices on ether3-ether5
JonRPi4B4 on ether3 can get to internet but can't ping either OP380 (on ether4) or TestPi3 (on ether5)
OP380 can get to internet and TestPi3 but not JonRPi4B4-1 (on ether3)
TestPi3 on ether5 can get to internet and OP380 (on ether4) but not to JonRPi4B4-1 (on ether3)
So it seems that it does appear that port isolation "works" with the extremely limited testing I did. Whether this is a "supported" configuration, I don't know. What is odd is that /export does not include the /interface ethernet switch port-isolation commands, so it "isn't well supported". Even verbose doesn't include it.
And I would not be surprised if port isolation broke if you touched the "bridge configuration" after adding the switch modifications. Similar to using quick config after making other changes may overwrite your other changes.
However, /interface ethernet switch port-isolation export does show info.
Evidence follows:
[demo@MikroTik] > interface/ethernet/switch/port-isolation/print
Flags: I - invalid
0 name="ether1" switch=switch1
1 name="ether2" switch=switch1
2 name="ether3" switch=switch1
3 name="ether4" switch=switch1 forwarding-override=switch1-cpu,ether5
4 name="ether5" switch=switch1 forwarding-override=switch1-cpu,ether4
5 name="switch1-cpu" switch=switch1
[demo@MikroTik] > interface/ethernet/switch/port-isolation/export
# nov/27/2022 05:23:22 by RouterOS 7.5
# software id = ****-****
#
# model = RB760iGS
# serial number = ************
/interface ethernet switch port-isolation
set 3 forwarding-override=switch1-cpu,ether5
set 4 forwarding-override=switch1-cpu,ether4
[demo@MikroTik] > interface/bridge/host/print
Flags: D - DYNAMIC; L - LOCAL; E - EXTERNAL
Columns: MAC-ADDRESS, ON-INTERFACE, BRIDGE
# MAC-ADDRESS ON-INTERFACE BRIDGE
0 D E B8:27:EB:37:89:21 ether5 bridge
1 DL DC:2C:6E:7B:10:F2 bridge bridge
2 DL DC:2C:6E:7B:10:F3 ether3 bridge
3 DL DC:2C:6E:7B:10:F4 ether4 bridge
4 DL DC:2C:6E:7B:10:F5 ether5 bridge
5 D E DC:A6:32:0A:B5:39 ether3 bridge
6 D E F8:E4:3B:5D:A2:46 ether4 bridge
[demo@MikroTik] > ip/dhcp-server/lease/print
Flags: D, B - BLOCKED
Columns: ADDRESS, MAC-ADDRESS, HOST-NAME, SERVER, STATUS, LAST-SEEN
# ADDRESS MAC-ADDRESS HOST-NAME SERVER STATUS LAST-SEEN
0 D 192.168.88.254 F8:E4:3B:5D:A2:46 OP380 defconf bound 4m12s
1 D 192.168.88.253 B8:27:EB:37:89:21 TestPi3 defconf bound 1m54s
2 D 192.168.88.252 DC:A6:32:0A:B5:39 JonRPi4B4-1 defconf bound 2m15s
[demo@MikroTik] > ip/arp/print
Flags: D, P - PUBLISHED; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
# ADDRESS MAC-ADDRESS INTERFACE
0 DC 192.168.101.1 F0:9F:C2:DF:89:91 ether1
1 DC 192.168.88.254 F8:E4:3B:5D:A2:46 bridge
2 DC 192.168.88.253 B8:27:EB:37:89:21 bridge
3 DC 192.168.88.252 DC:A6:32:0A:B5:39 bridge
[demo@MikroTik] > /tool/ping 192.168.88.254 count 2
Columns: SEQ, HOST, SIZE, TTL, TIME
SEQ HOST SIZE TTL TIME
0 192.168.88.254 56 128 1ms592us
1 192.168.88.254 56 128 1ms302us
[demo@MikroTik] > /tool/ping 192.168.88.253 count 2
Columns: SEQ, HOST, SIZE, TTL, TIME
SEQ HOST SIZE TTL TIME
0 192.168.88.253 56 64 871us
1 192.168.88.253 56 64 683us
[demo@MikroTik] > /tool/ping 192.168.88.252 count 2
Columns: SEQ, HOST, SIZE, TTL, TIME
SEQ HOST SIZE TTL TIME
0 192.168.88.252 56 64 615us
1 192.168.88.252 56 64 506us
[demo@MikroTik] >
--------------------------------------------------------
pi@TestPi3:~ $ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=53 time=18.6 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=53 time=17.6 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 17.671/18.182/18.694/0.528 ms
pi@TestPi3:~ $ ping 192.168.88.1
PING 192.168.88.1 (192.168.88.1) 56(84) bytes of data.
64 bytes from 192.168.88.1: icmp_seq=1 ttl=64 time=0.546 ms
64 bytes from 192.168.88.1: icmp_seq=2 ttl=64 time=0.569 ms
^C
--- 192.168.88.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1073ms
rtt min/avg/max/mdev = 0.546/0.557/0.569/0.026 ms
pi@TestPi3:~ $ ping 192.168.88.254
PING 192.168.88.254 (192.168.88.254) 56(84) bytes of data.
64 bytes from 192.168.88.254: icmp_seq=1 ttl=128 time=1.30 ms
64 bytes from 192.168.88.254: icmp_seq=2 ttl=128 time=1.25 ms
^C
--- 192.168.88.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.257/1.279/1.302/0.042 ms
pi@TestPi3:~ $ ping 192.168.88.253
PING 192.168.88.253 (192.168.88.253) 56(84) bytes of data.
64 bytes from 192.168.88.253: icmp_seq=1 ttl=64 time=0.118 ms
64 bytes from 192.168.88.253: icmp_seq=2 ttl=64 time=0.111 ms
^C
--- 192.168.88.253 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1041ms
rtt min/avg/max/mdev = 0.111/0.114/0.118/0.011 ms
pi@TestPi3:~ $ ping 192.168.88.252
PING 192.168.88.252 (192.168.88.252) 56(84) bytes of data.
^C
--- 192.168.88.252 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2097ms
pi@TestPi3:~ $ ifconfig eth0
eth0 Link encap:Ethernet HWaddr b8:27:eb:37:89:21
inet addr:192.168.88.253 Bcast:192.168.88.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:19030672 errors:0 dropped:7702909 overruns:0 frame:0
TX packets:130158 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1781291414 (1.6 GiB) TX bytes:35242550 (33.6 MiB)
------------------------------------------------
C:\WINDOWS\system32>ping -n 2 192.168.88.1
Pinging 192.168.88.1 with 32 bytes of data:
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Ping statistics for 192.168.88.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
C:\WINDOWS\system32>ping -n 2 192.168.88.252
Pinging 192.168.88.252 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 192.168.88.252:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
C:\WINDOWS\system32>ping -n 2 192.168.88.253
Pinging 192.168.88.253 with 32 bytes of data:
Reply from 192.168.88.253: bytes=32 time=1ms TTL=64
Reply from 192.168.88.253: bytes=32 time=1ms TTL=64
Ping statistics for 192.168.88.253:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
C:\WINDOWS\system32>ping -n 2 192.168.88.254
Pinging 192.168.88.254 with 32 bytes of data:
Reply from 192.168.88.254: bytes=32 time<1ms TTL=128
Reply from 192.168.88.254: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.88.254:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\WINDOWS\system32>ipconfig /all
---snip---
Windows IP Configuration
Host Name . . . . . . . . . . . . : OP380
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet 5:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : ASIX AX88179A USB 3.2 Gen1 to Gigabit Ethernet Adapter
Physical Address. . . . . . . . . : F8-E4-3B-5D-A2-46
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8fa3:eb81:7932:cab7%48(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.88.254(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, November 27, 2022 4:19:37 AM
Lease Expires . . . . . . . . . . : Sunday, November 27, 2022 5:57:41 AM
Default Gateway . . . . . . . . . : 192.168.88.1
DHCP Server . . . . . . . . . . . : 192.168.88.1
DHCPv6 IAID . . . . . . . . . . . : 821617723
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-EB-E8-D9-BC-30-5B-A4-E5-01
DNS Servers . . . . . . . . . . . : 192.168.88.1
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\WINDOWS\system32>
And here is the /export that does not include the /interface/ethernet/switch/port-isolation section.
# nov/27/2022 06:12:57 by RouterOS 7.5
# software id = ****-****
#
# model = RB760iGS
# serial number = ***********
/interface bridge
add admin-mac=DC:2C:6E:7B:10:F2 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
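As an added example (not code from the post or from MikroTik), here is a small Python model of the forwarding-override rules tested above, used to check which bridged ports can actually exchange traffic and, more importantly, where frames still flow one way. It assumes the semantics the post describes (a port with no override forwards to every other switch port; an override limits egress to exactly the listed ports), takes the port-isolation export from the post as input, and adds a constructed variant that also pins ether2/ether3 so that neither side can reach the other.

```python
# Added example, not code from the forum post: a model of RouterOS switch
# port-isolation (forwarding-override) for checking which bridged ports can
# really talk. Assumed semantics, matching the post: a port without an
# override may forward to every other switch port; an override limits
# egress to exactly the listed ports.
from itertools import permutations

# Bridged ports on the RB760iGS in the post plus the switch-to-CPU port.
PORTS = ["ether2", "ether3", "ether4", "ether5", "switch1-cpu"]

# Constructed from the port-isolation export in the post.
POST_OVERRIDES = {
    "ether4": {"switch1-cpu", "ether5"},
    "ether5": {"switch1-cpu", "ether4"},
}

# Constructed variant: also pin ether2/ether3, so frames never cross between
# the {ether2, ether3} side and the {ether4, ether5} side in either direction.
SYMMETRIC_OVERRIDES = dict(POST_OVERRIDES, **{
    "ether2": {"switch1-cpu", "ether3"},
    "ether3": {"switch1-cpu", "ether2"},
})


def egress(port, overrides, ports=PORTS):
    """Ports a frame arriving on `port` may be forwarded to."""
    if port in overrides:
        return set(overrides[port])
    return {p for p in ports if p != port}


def can_forward(src, dst, overrides):
    return dst in egress(src, overrides)


def can_communicate(a, b, overrides):
    """IP traffic (ping, ARP request + reply) needs frames to flow both ways."""
    return can_forward(a, b, overrides) and can_forward(b, a, overrides)


def asymmetric_pairs(overrides, ports=PORTS):
    """(a, b) where a can deliver frames to b but b cannot answer: b looks
    unreachable from a, yet still receives a's broadcasts and unicasts."""
    return sorted((a, b) for a, b in permutations(ports, 2)
                  if can_forward(a, b, overrides) and not can_forward(b, a, overrides))


if __name__ == "__main__":
    for ov in (POST_OVERRIDES, SYMMETRIC_OVERRIDES):
        print("ether3<->ether4:", can_communicate("ether3", "ether4", ov),
              "one-way paths:", asymmetric_pairs(ov))
```

With the post's overrides the ping results match (ether4 and ether5 talk, ether3 cannot ping either), but ether3 can still deliver frames to ether4 and ether5; only the reply path is cut, which is worth knowing before treating this as a security boundary.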