joshhboss
Member Candidate
Topic Author
Posts: 270
Joined: Thu Aug 01, 2019 2:13 pm

Port Isolation

Wed Jun 09, 2021 5:25 am

Is there a way to allow traffic to initiate from one port to another and get the response back, but still not allow traffic in from the other port?

The computer on port 2 can RDP into the computer on port 3, but port 3 can't do anything with port 2.

That's what I'm trying to understand if you can do.
All on switch OS as well.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port Isolation

Wed Jun 09, 2021 9:01 am

Switches don't have a notion of connections ... they only see frames. So with a switch, what you're after is not possible. Some switches support ACLs where you can select certain L3/L4 properties of frames which should be dropped. You can try to use that functionality to mimic connection-awareness. For example: RDP uses TCP port 3389 on the server side while the client side uses a random port. If you construct an ACL triggering on IP protocol TCP and the IP dst combination <server IP>:3389 and set that to be allowed while dropping all other traffic in the same direction ... Keep in mind that connection tracking is the most resource-expensive operation of a stateful firewall, so you'll understand that it's almost impossible to mimic it using simple ACLs.

Routers have a notion of connections and firewalls can deal with such situations. If both ports serve the same L3 subnet, then you would have to go with the bridge setting use-ip-firewall=yes ... but beware that this means all traffic of that bridge has to pass the CPU, which most of the time means a massive performance hit. If the ports belong to different subnets, then what you're after is almost trivial to do.
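One way to build the stateful version mkx describes for the different-subnets case, as an added example that is not from the thread or from MikroTik (the interface names, subnets and the RDP server address are assumed):

```routeros
# Added example, not from the thread. RouterOS firewall rules so that a host
# behind ether2 can open RDP to a server behind ether3, replies flow back,
# and nothing behind ether3 can initiate traffic toward ether2.
# Assumed (constructed) addressing:
#   ether2 = 192.168.2.0/24 (client side)
#   ether3 = 192.168.3.0/24 (server side), RDP server = 192.168.3.10
/ip address
add address=192.168.2.1/24 interface=ether2
add address=192.168.3.1/24 interface=ether3

/ip firewall filter
# Stateful part: return traffic of connections already accepted is let through,
# which is what a plain switch ACL cannot express
add chain=forward connection-state=established,related action=accept \
    comment="return traffic of accepted connections"
add chain=forward connection-state=invalid action=drop
# The client side may open RDP (TCP/3389) to the server, and nothing else
add chain=forward in-interface=ether2 out-interface=ether3 protocol=tcp \
    dst-address=192.168.3.10 dst-port=3389 connection-state=new action=accept \
    comment="ether2 -> RDP server"
add chain=forward in-interface=ether2 out-interface=ether3 action=drop \
    comment="ether2 -> ether3: everything else"
# The server side may not initiate anything toward the client side;
# log it so attempts are visible in /log
add chain=forward in-interface=ether3 out-interface=ether2 connection-state=new \
    action=drop log=yes log-prefix="ether3-init-blocked"
```

Rule order matters: the established,related rule must sit before the per-direction rules, and /ip firewall connection can be used to confirm that only ether2-originated RDP sessions appear in the tracking table.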
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port Isolation

Wed Jun 09, 2021 10:23 am

As mkx wrote,
"simply" NOT.
You need at least RouterOS; if your device can boot on both, you can do it, else not.
