But the VLANs are only responsible for L2.
Now I need to set up L3 restrictions using the IPv4 firewall.
I want that *some* (NOT all) of the VLANs will be able to communicate with themselves.
In other words, a client which is associated with VLAN#3 will be able to communicate with other clients which are also associated with VLAN#3.
IP traffic between devices within a layer 2 network, be it physical Ethernet or a VLAN, will not necessarily reach the IP firewall. It depends on the network topology: if you have other switches in the network to which the devices are attached, the Mikrotik will not even see the traffic.
If the devices are attached to individual ports on the Mikrotik you can use bridge filters / switch rules for simple cases; otherwise the bridge settings use-ip-firewall=yes and use-ip-firewall-for-vlan, together with disabling switch hardware offload, can be used to force bridged packets through the IP firewall.
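As an added illustration of the two bridge settings named in this reply (this is example configuration written for this page, not configuration posted in the thread or taken from MikroTik's documentation), the following RouterOS commands force bridged traffic through /ip firewall and then isolate clients inside one VLAN while leaving another VLAN untouched. The bridge name "bridge", the VLAN-to-subnet mapping (VLAN 3 = 192.168.3.0/24, VLAN 4 = 192.168.4.0/24) and the single-device topology are assumptions made for the example.

```routeros
# Added example (not from the thread): make bridged traffic visible to the
# IP firewall and restrict intra-VLAN traffic for one VLAN only.
# Assumptions (constructed for this example): the bridge is named "bridge",
# VLAN 3 uses 192.168.3.0/24, VLAN 4 uses 192.168.4.0/24, one device only.

# 1. Send bridged packets, including bridged VLAN-tagged packets, through
#    /ip firewall. Without this the forward rules below never see the traffic.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

# 2. Hardware offload must be off, or the switch chip forwards frames
#    itself and the firewall never sees them. The "H" flag in this output
#    marks HW-offloaded ports; disable it per port if it is set.
/interface bridge port print
/interface bridge port set [find] hw=no

# 3. VLAN 3 keeps talking to itself: bridged traffic is allowed unless a
#    rule drops it, so nothing is added for it. VLAN 4 clients are
#    isolated from each other by dropping bridged traffic whose source and
#    destination are both inside the VLAN 4 subnet.
/ip firewall filter
add chain=forward in-interface=bridge out-interface=bridge \
    src-address=192.168.4.0/24 dst-address=192.168.4.0/24 \
    action=drop comment="isolate clients inside VLAN 4"

# 4. Verify the rule is actually hit: the counters should grow when one
#    VLAN 4 client pings another VLAN 4 client.
/ip firewall filter print stats where comment="isolate clients inside VLAN 4"
```

Two things worth checking when using this: the drop rule matches on IP addresses, so a client that configures an address outside the assumed subnet is not covered, and ARP and other non-IP broadcast frames still flow between the VLAN 4 clients because the IP firewall only processes IP packets. If the counters in step 4 stay at zero while intra-VLAN traffic still passes, the packets are being switched in hardware or the bridge settings in step 1 did not take effect.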
My network topology is the same as the scenario of "Router-Switch-AP (all in one)", as described in the post.
So it is the simplest network topology, only one device.
I want Mikrotik's sniffer to be able to capture all traffic.
I will enable the options "use-ip-firewall=yes" and "use-ip-firewall-for-vlan=yes" in the menu "/interface bridge settings".
This is also required for QoS (i.e. Queues), as written in the specs:
https://help.mikrotik.com/docs/display/ ... geSettings
I looked for the "hardware offload" feature, though I only found a similar feature called "L3 Hardware Offloading".
Found it in the specs here:
https://help.mikrotik.com/docs/display/ ... Offloading
I assume these two are identical?
Apparently my Mikrotik device doesn't support "L3 Hardware Offloading" (I don't find this option in the menu).
Therefore, I assume that it doesn't exist, so I don't need to disable it - correct?
I also found "Bridge Hardware Offloading" in this link:
https://help.mikrotik.com/docs/display/ ... Offloading
My switch model is "IPQ-PPE".
So, according to the table in the specs, its default mode is non-HW offloading - quote from the specs:
Currently, HW offloaded bridge support for the IPQ-PPE switch chip is still a work in progress. We recommend using the default, non-HW offloaded bridge (enabled RSTP).
Please let me know if I misunderstood or missed something.
NO!
If they are in the same VLAN they are connected at layer 2; no firewall rules are required.
On the flip side, you cannot use firewall rules to break up folks within a VLAN, as they are already connected at layer 2.
There are always ways, but in general...
It sounds like this is a known issue in networking.
What is the subject that I should search in Google to learn/read more about it?
Just to make sure that my understanding is solid.