PTPStudio
just joined
Topic Author
Posts: 24
Joined: Wed Feb 12, 2014 4:56 pm

RB1100Hx2 basic setup

Tue Feb 11, 2020 6:32 pm

If anybody knows, please help me with these settings on RB1100Hx2. Here is the diagram: https://i.mt.lv/cdn/rb_files/Block-RB1100AHx2.pdf
I'm going to use those 2 switches, 5x5 ports, for local IPs... WAN.. port 11 and port 12 for NAS... How to set it up right? 5 local ports need to be on the same local IP network but block traffic between those ports by firewall rules, no problem, I got it, and another 5 local ports need a different local IP... simple I think, but I do not know how to set it up. I need 1 local IP for one group, then another local IP for another group.. No bridge... I need to set up all ports for firewall rules, but if ports are in a bridge I can't use firewall rules to block traffic between ports on the bridge... How to set up IP for a group of LAN ports so I can use the IP firewall to work... Thanks
 
inteq
Member Candidate
Posts: 162
Joined: Wed Feb 25, 2015 8:15 pm
Location: Romania

Re: RB1100Hx2 basic setup

Wed Feb 12, 2020 12:21 am

Believe me...I have...tried...to read....your...question 3....times...but I....was...unable....to focus...and....understand...it.
 
PTPStudio
just joined
Topic Author
Posts: 24
Joined: Wed Feb 12, 2014 4:56 pm

Re: RB1100Hx2 basic setup

Wed Feb 12, 2020 6:46 am

> Believe me...I have...tried...to read....your...question 3....times...but I....was...unable....to focus...and....understand...it.

Apologies. How to set up a local IP, for example 192.168.0.1, for 5 local ports? Do not use bridge mode... Is there a switch mode or something? Then in the firewall I can create rules to block traffic between those ports, because if they are in a bridge I can't do it.. There are rules for bridge settings to accept the firewall, but I also need those ports to accept firewall rules...
 
ingus16
just joined
Posts: 21
Joined: Sun Jan 27, 2013 11:44 am

Re: RB1100Hx2 basic setup

Wed Feb 12, 2020 9:00 am

Use a bridge and add ports to the bridge, then add the network address to the bridge.
The bridge is used in conjunction with switch chips to gain maximum throughput between LAN devices on the same network.
Example and features https://wiki.mikrotik.com/wiki/Manual:S ... s_Ports.29
 
mkx
Forum Guru
Posts: 3745
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB1100Hx2 basic setup

Wed Feb 12, 2020 2:49 pm

> Then in the firewall I can create rules to block traffic between those ports, because if they are in a bridge I can't do it.. There are rules for bridge settings to accept the firewall, but I also need those ports to accept firewall rules...

It can be done.

But, you better think (and try to explain to us, only to make things clearer for yourself) why do you want to have all of those hosts in the same subnet and yet block some (if not all) communication between them? I can think of a number of reasons (most are either invalid or impractical), perhaps you'll enlighten us with some new?
BR,
Metod
 
PTPStudio
just joined
Topic Author
Posts: 24
Joined: Wed Feb 12, 2014 4:56 pm

Re: RB1100Hx2 basic setup

Wed Feb 12, 2020 7:52 pm

> Then in the firewall I can create rules to block traffic between those ports, because if they are in a bridge I can't do it.. There are rules for bridge settings to accept the firewall, but I also need those ports to accept firewall rules...
>
> It can be done.
>
> But, you better think (and try to explain to us, only to make things clearer for yourself) why do you want to have all of those hosts in the same subnet and yet block some (if not all) communication between them? I can think of a number of reasons (most are either invalid or impractical), perhaps you'll enlighten us with some new?

I explain it.. no problem.. I have this small local - wifi - network, there are about 60 +- devices.. PCs, phones, TVs etc... On 5 local ports are 4 wifi APs, then NAS on one port... Access to NAS is allowed from all ports but not between AP ports.... Same subnet? Because they all access the NAS from all kinds of devices, so it is better on the same subnet... right? Why block those ports? It's simple... You are a network professional and security, no?? Do you know, if one device gets infected with a nasty trojan horse or virus, how fast it searches neighbors' PCs and devices, and the owner of the virus PC does not know it, and the whole network gets unknown problems.. PC, Windows etc... Safety first at this point... I do not like to reinstall a PC twice in a month.... I also do PC maintenance on that network... I can save lots of time if no PC gets infected, of course another way they downloaded, but there is no share to another PC in the same network... You get it? Now it is time you answer me too....
 
mkx
Forum Guru
Posts: 3745
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB1100Hx2 basic setup

Wed Feb 12, 2020 10:38 pm

There are a couple of ways of doing what you want:
  • set use-ip-firewall=yes and construct appropriate firewall filter rules. Be sure to disable hw-offload on all ports you want to enforce firewall or else packets will bypass firewall (you do that by setting hw=no for any port in /interface bridge port)
  • use split-horizon feature ... bridge ports with same horizon value don't communicate with each other

The second option is more resource friendly, but less tunable (communication either flows or doesn't at all ... compared to firewall way where you have possibility of fine tuning allowed communication).

Beware that this kind of traffic control affects device performance.
And that you can not control communications between devices connected to the same RB port, that communication has to be blocked in downstream devices (e.g. AP which blocks communication between its client devices or a switch with port isolation).

And no, I'm not a network professional, I'm a radio engineer / sysadmin who had to learn some networking to get around less competent networking guys (no matter which hat I wear, I always stumble upon some :wink: )
BR,
Metod
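
Added example, not part of mkx's post or of MikroTik's documentation: the two options above written out as RouterOS commands. The port roles (ether1-ether4 for the APs, ether5 for the NAS) and the names bridge-lan and ap-ports are assumptions made for illustration; 192.168.0.1 is the example address from the question.

```routeros
# Constructed example. Assumed port roles: ether1-ether4 = Wi-Fi APs, ether5 = NAS.
# One bridge, one subnet for all five ports.
/interface bridge add name=bridge-lan
/ip address add address=192.168.0.1/24 interface=bridge-lan

# hw=no keeps frames out of the switch chip, so the CPU (and the firewall)
# sees traffic between these ports instead of it being switched in hardware.
/interface bridge port
add bridge=bridge-lan interface=ether1 hw=no
add bridge=bridge-lan interface=ether2 hw=no
add bridge=bridge-lan interface=ether3 hw=no
add bridge=bridge-lan interface=ether4 hw=no
add bridge=bridge-lan interface=ether5 hw=no

# ---- Option 1: IP firewall on bridged traffic (use this OR option 2) ----
# Hand bridged IP packets to /ip firewall.
/interface bridge settings set use-ip-firewall=yes

# Group the AP ports so one rule covers every AP-to-AP pair.
/interface list add name=ap-ports
/interface list member
add list=ap-ports interface=ether1
add list=ap-ports interface=ether2
add list=ap-ports interface=ether3
add list=ap-ports interface=ether4

# Drop IP traffic that enters on one AP port and leaves on another.
# AP <-> NAS (ether5) is not matched and stays allowed.
# Only IP packets reach this rule; ARP between the ports still passes.
/ip firewall filter
add chain=forward in-bridge-port-list=ap-ports out-bridge-port-list=ap-ports \
    action=drop comment="isolate AP ports from each other"

# ---- Option 2: split horizon (instead of option 1) ----
# Ports with the same horizon value do not forward to each other at all.
# ether5 keeps the default horizon=none, so the NAS reaches every AP port.
/interface bridge port
set [find where interface=ether1] horizon=1
set [find where interface=ether2] horizon=1
set [find where interface=ether3] horizon=1
set [find where interface=ether4] horizon=1
```

Neither option separates clients that sit behind the same AP; as the post says, that has to be done on the AP itself.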
 
PTPStudio
just joined
Topic Author
Posts: 24
Joined: Wed Feb 12, 2014 4:56 pm

Re: RB1100Hx2 basic setup

Sat Feb 15, 2020 9:42 am

> There are a couple of ways of doing what you want:
>   • set use-ip-firewall=yes and construct appropriate firewall filter rules. Be sure to disable hw-offload on all ports you want to enforce firewall or else packets will bypass firewall (you do that by setting hw=no for any port in /interface bridge port)
>   • use split-horizon feature ... bridge ports with same horizon value don't communicate with each other
>
> The second option is more resource friendly, but less tunable (communication either flows or doesn't at all ... compared to firewall way where you have possibility of fine tuning allowed communication).
>
> Beware that this kind of traffic control affects device performance.
> And that you can not control communications between devices connected to the same RB port, that communication has to be blocked in downstream devices (e.g. AP which blocks communication between its client devices or a switch with port isolation).
>
> And no, I'm not a network professional, I'm a radio engineer / sysadmin who had to learn some networking to get around less competent networking guys (no matter which hat I wear, I always stumble upon some :wink: )

One thing: in the bridge, in ports, all those ports are in the bridge, but one is root port, root path cost 10, and the rest are designated ports. Why is this, or what is it for? Thanks
 
BartoszP
Forum Guru
Posts: 1769
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: RB1100Hx2 basic setup

Sat Feb 15, 2020 12:45 pm

@PTPStudio:
Why do you quote the whole previous post? Does it make your answer more valuable? Do you see the "Post reply" button?
Real admins use real keyboards.
 
rooted
Frequent Visitor
Posts: 56
Joined: Tue Feb 04, 2020 5:58 pm

Re: RB1100Hx2 basic setup

Sun Feb 16, 2020 11:25 am

@BartoszP

Why do you come into threads just to chastise people's posting behavior?
