Matthiastik
newbie
Topic Author
Posts: 40
Joined: Wed Apr 25, 2018 1:31 am

separate traffic in different bridges ...

Fri Apr 28, 2023 6:12 am

Good evening,

Got my WAN failover to work and created 3 different bridges, LAN1 (Guest LAN), LAN2 (VoIP LAN), LAN3 (Work LAN). Creating bridges seems to be preferred rather than assigning it to the interface, if I remember it correctly ...

Now I want to protect LAN1 from LAN2, but upon creating a firewall rule like so, "chain forward src address 192.168.200.0/23 dest address 192.168.0.0/24 action drop" (the DNS server has IP 192.168.0.1, same as the router), here comes the strange thing, and I am sure I am doing something wrong ...

Computers in network 192.168.0.0/24 are having issues talking to the printer on the very same network, and 192.168.200.x can still ping 192.168.0.x without any problem as well, so it seems strange.
Thinking it might have something to do with what place in the ip -> firewall rules it is located in, or should the rule be "chain forward, in interface bridge lan1 out interface bridge lan2 action drop"?

* What is the proper way to block traffic from 192.168.200.0/24 to 192.168.0.0/24 (is it advisable to use connection states in the rule, or is it really just a matter of preference) and vice versa, and not cause issues in network 192.168.0.x nor issues with the DNS server on 192.168.0.1 ...

* If I create VLANs, will it be the same mess protecting each network as with bridges, or is there an auto isolation feature available?

Now it comes to mind: what if I create trunks on the router and access ports on the switch for using VLANs, and in the future the router gets damaged and we have no backup router and I choose to connect to the ISP router, will I need to reset the switches or will it work anyway? We recently purchased managed TP-Link switches; another MikroTik is not a priority for them to purchase, and power outages are common and will damage it sooner or later, so I need to be prepared in my mind for the worst case scenario.

Thank you all for your input and experience in this matter. I am a newbie in this field but feel the need to move to VLANs ...

cheers
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: separate traffic in different bridges ...  [SOLVED]

Fri Apr 28, 2023 3:42 pm

You should use a single VLAN-aware bridge. Before bridge VLAN filtering was introduced the only method was to use multiple bridges but there are many pitfalls, see https://help.mikrotik.com/docs/display/ ... figuration.

What you are seeing is standard Linux behaviour - all traffic to local addresses on the MikroTik is handled by the input firewall chain, not forward, see https://help.mikrotik.com/docs/display/ ... n+RouterOS. This applies even if the source and destination addresses are not in the same subnet.
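
The input/forward split described in the answer above, as an added RouterOS example that is not part of the original thread. It uses the subnets and the 192.168.0.1 router/DNS address quoted in the question, and assumes clients in 192.168.200.0/23 should still reach DNS on the router but nothing else on that address.

```routeros
/ip firewall filter

# FORWARD chain: packets routed THROUGH the router to other hosts.
# This is the rule quoted in the question. It only matches traffic whose
# destination is a host behind the router (e.g. 192.168.0.50), never the
# router's own address 192.168.0.1.
add chain=forward action=drop \
    src-address=192.168.200.0/23 dst-address=192.168.0.0/24 \
    comment="block 192.168.200.0/23 -> hosts in 192.168.0.0/24"

# INPUT chain: packets addressed TO the router itself (192.168.0.1).
# A ping or DNS query to 192.168.0.1 lands here even though the source is
# in a different subnet, so it needs its own rules.
# Assumption: DNS to the router stays allowed for this subnet.
add chain=input action=accept protocol=udp dst-port=53 \
    src-address=192.168.200.0/23 dst-address=192.168.0.1 \
    comment="allow DNS (UDP) to router"
add chain=input action=accept protocol=tcp dst-port=53 \
    src-address=192.168.200.0/23 dst-address=192.168.0.1 \
    comment="allow DNS (TCP) to router"

# Everything else from that subnet to the router's 192.168.0.1 address
# (ICMP, management services, ...) is dropped.
add chain=input action=drop \
    src-address=192.168.200.0/23 dst-address=192.168.0.1 \
    comment="drop other traffic from 192.168.200.0/23 to router"
```

Filter rules are matched top to bottom within each chain, so these need to sit above any broader accept rule that would match the same traffic.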
