Have to think my way through this - not easy while sitting down. Too much pressure on the brain.
If it matters I'm using a Hex S / RB760iGS as my gateway router. Port 1 is from my ISP. Port 2 goes to my VoIP server. And SFP1 goes to other networking devices starting with a CRS.
Port 1 is presently by itself - all other ports are in a bridge. As is typical, right?
This Hex S provides DHCP service for my LAN. However...that VoIP server on port 2 is a little badly behaved - it's offering DHCP as well (for a different subnet). I want to block that. At the moment I can't turn that off. So...how to accomplish that? If I write rules that target the interface - there will be an issue because the interface is in a bridge. If I block DHCP on the bridge - I'll lose DHCP service altogether.
So I'm thinking I should remove the port from the bridge. Reasonable - as this port shouldn't need to talk with the rest of my LAN. But - how then do I allow it to communicate with the Internet? As my existing NAT rules reference IPs, not interfaces (except for my last src-nat rule for default Internet using eth1) - do I just remove the port from the bridge and everything will magically work?
I should mention the VoIP server has a manually assigned IP address so...I think...it's not dependent on a DHCP broadcast from my router. Although if it did...I guess I could create a dedicated DHCP server on the router just for that port?