kiler129
Member (Topic Author)

Devices isolation WITHIN vlan without killing the performance

Sat Nov 26, 2022 5:40 am

I thought I had a simple case, but I wasn't able to achieve any sensible config. In short, I want to isolate devices inside of an IOT VLAN. Part of my network looks close to this diagram:
[attachment: Untitled Diagram.drawio.png]
Currently the access point connected to port 8 is able to isolate all clients from each other. In addition, the AP is able to firewall clients so that they can access nothing but the gateway (RB4011). However, everything breaks when I try to isolate ethernet clients (e.g. an untagged IOT device on port 7) from other ethernet-connected devices (e.g. the server on the SFP port). Inter-VLAN filtering is simple with the IP firewall. However, I can't seem to find a way to isolate ethernet clients within the VLAN, as the switch chip in the RB4011 will freely forward packets within a given VLAN.

Ideas:
  1. Use IP firewall on bridge: this will absolutely kill the performance for all VLANs on ALL bridges
  2. Bridge filter firewall: better than the IP firewall as it's a per-bridge setting (fast-forward=off). While I wasn't able to use it successfully, this also doesn't seem to be an option as I cannot separate a single physical port into two bridges, so again it will kill the performance for all VLANs
  3. Switch ACL in /interface/ethernet/switch/rule: not supported on RB4011
Is there any other way without changing hardware? So far 2. seems like the least evil option, if I can make it work. However, I'm not sure whether it will force all packets from the AP on eth8 to go via the CPU.
 
anav
Forum Guru

Re: Devices isolation WITHIN vlan without killing the performance

Sat Nov 26, 2022 6:22 am

RB4011
one bridge
all vlans associated with bridge
each vlan has its own ip pool, dhcp-server, dhcp-server network, ip address.

Assuming the AP is a stupid Ubiquiti which wants the base or management vlan (where it gets its IP) untagged ................

Hence.
/interface bridge port
add bridge=bridge interface=sfp frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge interface=ether7 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=200
# pvid must match the VLAN this port carries untagged (300 in the table below)
add bridge=bridge interface=ether8 pvid=300

/interface bridge vlan
add bridge=bridge tagged=bridge,sfp,ether8 vlan-ids=100
add bridge=bridge tagged=bridge,sfp,ether8 untagged=ether7 vlan-ids=200
add bridge=bridge tagged=bridge,sfp untagged=ether8 vlan-ids=300


Firewall rules required.
/ip firewall filter
add chain=forward action=accept comment="all subnets get internet" in-interface-list=LAN out-interface-list=WAN


As far as isolating clients/devices from each other on the same vlan, well that's a self-defeating prophecy.
Don't put devices that should not see each other on the same vlan. That is what vlans are for............. to separate them.
If you need to create another vlan for untrusted IOT devices that is separate from the regular IOT devices......


/interface bridge port
add bridge=bridge interface=sfp frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge interface=ether7 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=200
# pvid must match the VLAN this port carries untagged (300 in the table below)
add bridge=bridge interface=ether8 pvid=300

/interface bridge vlan
add bridge=bridge tagged=bridge,sfp,ether8 vlan-ids=100,400
add bridge=bridge tagged=bridge,sfp,ether8 untagged=ether7 vlan-ids=200
add bridge=bridge tagged=bridge,sfp untagged=ether8 vlan-ids=300

In this case move trusted IOT devices to vlan400.
One simple addition allows you to send tagged traffic to both SFP and ether8 for vlan400 (trusted).
Assumes of course you can add another virtual WLAN on the AP device.
Furthermore you can still give one way access from trusted IOT vlan to untrusted VLAN if need be.

/ip firewall filter
add action=accept chain=forward comment="trusted IOT (vlan400) to untrusted IOT (vlan200), one way" in-interface=vlan400 out-interface=vlan200
# src-address / dst-address or address lists can be added to narrow this further
 
Buckeye
Forum Veteran

Re: Devices isolation WITHIN vlan without killing the performance

Sat Nov 26, 2022 7:38 am

> I thought I had a simple case, but I wasn't able to achieve any sensible config.
Many things look simple until you try to do them.
> As far as isolating clients/devices from each other on the same vlan, well that's a self-defeating prophecy.
> Don't put devices that should not see each other on the same vlan. That is what vlans are for............. to separate them.
> If you need to create another vlan for untrusted IOT devices that is separate from the regular IOT devices......
There are layer 2 switch ASIC solutions to isolating clients on the same (v)lan from each other, but it is not going to be a simple config, if it is even possible on the RB4011. Using vlans will work, but it doesn't scale as well as port isolation does. How many "isolated" devices will you have?

What version of ROS are you using? Recent versions of v7 have much better support for the RTL8367 switch ASICs used in the RB4011. But there are three CPU ports (one for SFP+, and two for the connections to the two RTL8367 switch ASICs). This note in the switch features Setup Examples seems to indicate that the RB4011 does not support using vlans when using switch features. But I haven't ever tried.

Devices with MT7621, RTL8367, 88E6393X, 88E6191X switch chips support HW offloaded vlan-filtering in RouterOS v7. VLAN-related configuration on the "/interface ethernet switch" menu is not available.

See the RB4011 block diagram.
So anything going to the SFP+ port is going to require CPU intervention. And without resorting to a Cat 5 jumper between ports on the two RTL8367s, any traffic between the first 5 and the second 5 Gb ports is going to require the CPU as well.

My only MikroTik router is the RB760iGS and it has everything going through a single switch, and I haven't tried using port isolation with it, because I have switches with port isolation features (the RB260GS aka CSS106-5G-1S has quite flexible port isolation features).
 
kiler129
Member (Topic Author)

Re: Devices isolation WITHIN vlan without killing the performance

Sat Nov 26, 2022 8:13 am

> Assuming the AP is a stupid Ubiquiti which wants the base or management vlan (where it gets its IP) untagged ................
Close, Ruckus - it cannot have its web UI on a VLAN port because... because no, and that's it. It surely can have its internal management network on a VLAN, but not the UI itself :D I vehemently hate hybrid ports.

> Hence.
> /interface bridge port
> (....)
> Firewall rules required.
> add chain=forward action=accept comment="all subnets get internet" in-interface-list=LAN out-interface-list=WAN
Ya, that's pretty much my config and it's working well. Limiting routing isn't an issue - limiting L2 is.

> As far as isolating clients/devices from each other on the same vlan, well that's a self-defeating prophecy.
> Don't put devices that should not see each other on the same vlan. That is what vlans are for............. to separate them.
> If you need to create another vlan for untrusted IOT devices that is separate from the regular IOT devices......
Yes and no - isolating devices is a standard thing on WiFi for e.g. guest networks. I can hack around it using a range of VLANs where each ethernet device gets its own VLAN. In such a case IOT becomes not 200 but e.g. 200-299 - this will force it via the CPU and firewall.
IoT devices by definition are untrusted, as the "S" in IoT stands for security. That's why I want to keep them as far away from each other as possible. Currently there's a lot of multicast from them, and some others randomly scan the whole subnet (?!)

> Assumes of course you can add another virtual WLAN on the AP device.
Now the AP advertises 3 SSIDs and properly isolates IOT devices from each other. The issue starts with multiple APs and IOT devices which are ethernet-based.

> There are layer 2 switch ASIC solutions to isolating clients on the same (v)lan from each other, but it is not going to be a simple config, if it is even possible on the RB4011.
Something dedicated outside of MT, or basically any switch with ACLs? With the RB4011, playing with ports to make sure I have them set up on separate switch chips (red gateway on port 4, AP on 10), I was able to get it working, but it feels like brute force.
/interface bridge filter
add action=accept chain=forward comment="Accept traffic from server" in-interface=sfp1-server mac-protocol=vlan src-mac-address=\
    AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF vlan-id=200
add action=accept chain=forward comment="Accept traffic to server" dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF \
    mac-protocol=vlan out-interface=sfp1-server vlan-id=200
add action=drop chain=forward comment="Drop tagged WiFi IOT intraVLAN traffic" in-interface=ether10-access-point log=yes mac-protocol=\
    vlan vlan-id=200
Technically I can just remove the "in-interface=ether10-access-point" matcher and it will block all fwd traffic on bridge. This way IOT will only be able to use INPUT and OUTPUT, which is L3. However, I'm not sure if this works within the same switch chip. I always used switch ACLs for that, which don't work on RB4011.

> Using vlans will work, but it doesn't scale as well as port isolation does. How many "isolated" devices will you have?
Does port isolation even apply here, as trunk ports are used? Currently I have a WiFi AP with a tagged VLAN for separation, a server with another tagged port, and one gateway. 2-3 more planned.

> What version of ROS are you using? Recent versions of v7 have much better support for the RTL8367 switch ASICs used in the RB4011. But there are three CPU ports (one for SFP+, and two for the connections to the two RTL8367 switch ASICs). This note in the switch features Setup Examples seems to indicate that the RB4011 does not support using vlans when using switch features. But I haven't ever tried.
That Realtek is really bad. It seems to be doing VLAN in hardware, but with 2 separate switch chips + SFP hanging off the CPU the performance will be meh either way. Trying to use any switch chip features results in a lovely "Couldn't add New Switch Rule - not supported for this switch (6)". The port isolation doesn't have an "add" action on RB4011.

> My only MikroTik router is the RB760iGS and it has everything going through a single switch, and I haven't tried using port isolation with it, because I have switches with port isolation features (the RB260GS aka CSS106-5G-1S has quite flexible port isolation features).
I may actually have RB260 somewhere in a drawer. However, this will cause a bottleneck as well as it only has one SFP, so I realistically cannot plug a server and uplink to it ;)
So the easiest way would be moving to RB5009 or grabbing some dedicated switch... that way I can have ACLs... but I'm not sure it's worth it in this case.
 
mkx
Forum Guru

Re: Devices isolation WITHIN vlan without killing the performance

Sat Nov 26, 2022 10:26 am

IMO you still may want to consider going with multiple VLANs for different groups of IoT devices. I guess you'll want to allow communication between select devices (e.g. switches and lightbulbs will work best if in the same VLAN, likewise you can group cameras and NVR into one VLAN, etc.), and as soon as you start to create some groups of devices, administering ACLs will become a nightmare. You can still use a single SSID for IoT and use access-list (vlan related properties) on APs to map devices into different VLANs. Using VLANs (as opposed to switch ACLs) also allows using (3rd party) switches in the network as long as they speak VLANs.
 
kiler129
Member (Topic Author)

Re: Devices isolation WITHIN vlan without killing the performance

Sun Nov 27, 2022 3:26 am

> IMO you still may want to consider going with multiple VLANs for different groups of IoT devices. I guess you'll want to allow communication between select devices (e.g. switches and lightbulbs will work best if in the same VLAN, likewise you can group cameras and NVR into one VLAN, etc.)
That's a good point - separate NVR network is actually something I already use anyway but as I don't use any WiFi cameras I never thought about doing "split SSID" and dynamic VLAN assignment. This also requires RADIUS.... I see another weekend project ;)

> (...) and as soon as you start to create some groups of devices, administering ACLs will become a nightmare. (...) Using VLANs (as opposed to switch ACLs) also allows using (3rd party) switches in the network as long as they speak VLANs.
Unless I'm missing something, dynamic VLANs will not solve the issue for ethernet clients. To isolate them from each other I would essentially need to set a different VID for every device, as no IOT can use 802.11x. For wifi - yes, that will work.

----------

Also, if I understand the docs correctly:
> Switch chips with a VLAN table support (...) can override the port isolation configuration when enabling a VLAN lookup on the switch port (...) If additional port isolation is needed between ports on the same VLAN, a switch rule with a new-dst-ports property can be implemented. Other devices without switch rule support cannot overcome this limitation.
The isolation physically CANNOT be done on RB4011 when both ports are on the same switch.

----------

Using bridge filters, of any kind, causes a steep CPU penalty on all traffic (not just the filtered traffic). The RB4011 is unable to achieve more than ~880-900Mb/s bidir when any bridge filter is added, pegging two cores of the CPU to 100%. The trick with a VLAN per ethernet device may actually be better: it will penalize only the IOT traffic, and in practice only a small subset, as only a small amount of device-to-device traffic is allowed in IOT. However, this will not work with router-provided services like DHCP, as I would need as many DHCP servers as these hacky VLANs (which is obviously stupid).

Welp... it looks like there's no way to do a true isolation with L2 ACL and RB4011 doesn't support that.
 
mkx
Forum Guru

Re: Devices isolation WITHIN vlan without killing the performance

Sun Nov 27, 2022 11:05 am

If you want things dynamic, then yes, RADIUS it is. If your network is a tad more static (i.e. the vast majority of devices are known, wired devices don't move a lot), then you can configure things statically:
  • static access-list entries on APs (or in CAPsMAN) for managing VLAN membership of wireless devices
  • static assignment of PVID on switch ports ... you only have to connect wired devices to the right port
    This doesn't work if one port of a managed switch connects multiple devices (e.g. through a dumb switch).

In a small network (home or small business) it's manageable. In a slightly bigger setup one needs appropriate tools, obviously.
 
Buckeye
Forum Veteran

Re: Devices isolation WITHIN vlan without killing the performance

Sun Nov 27, 2022 1:57 pm

> The isolation physically CANNOT be done on RB4011 when both ports are on the same switch.
> ...
> Welp... it looks like there's no way to do a true isolation with L2 ACL and RB4011 doesn't support that.
If you want to use the SFP+ port and another port, I don't know if it can be done on the RB4011.

Because I was curious, I just backed up my RB760iGS in my lab and initialized it to "default config" with "internet" on ether1 connected to an upstream ER-X acting as the DHCP "ISP", and ether2-ether5 as part of the bridge.

The MikroTik Switch documentation hints that this may work, but they don't mention the switch1-cpu connection.

Then when configured as follows (only changes to default config):

/interface ethernet switch port-isolation
set 3 forwarding-override=switch1-cpu,ether5
set 4 forwarding-override=switch1-cpu,ether4

So ether4 can only forward to CPU and ether5, and ether5 can only forward to ether4 (in other words, ether4 and 5 are isolated from other external ports, but can see each other and CPU, but not RPi4 on ether3)

ether1 connected to "internet"
ether2-5 part of bridge1 (Hardware switching)

ether2 no connection
ether3 connected to JonRPi4B4-1 (ip obtained with dhcp server on RB760iGS 192.168.88.252)
ether4 connected to OP380 (windows 10) (ip obtained with dhcp server on RB760iGS 192.168.88.254)
ether5 connected to TestPi3 (ip obtained with dhcp server on RB760iGS 192.168.88.253)

JonRPi4B4-1, OP380, and TestPi3 all obtained IP addresses from the DHCP server on bridge1
CPU can ping all devices on ether3-ether5
JonRPi4B4 on ether3 can get to internet but can't ping either OP380 (on ether4) or TestPi3 (on ether5)
OP380 can get to internet and TestPi3 but not JonRPi4B4-1 (on ether3)
TestPi3 on ether5 can get to internet and OP380 (on ether4) but not to JonRPi4B4-1 (on ether3)

So it does appear that port isolation "works" with the extremely limited testing I did. Whether this is a "supported" configuration, I don't know. What is odd is that /export does not include the /interface ethernet switch port-isolation commands, so it "isn't well supported". Even verbose doesn't include it.

And I would not be surprised if port isolation broke if you touched the "bridge configuration" after adding the switch modifications. Similar to how using quick config after making other changes may overwrite your other changes.

However /interface ethernet switch port-isolation export does show info.

Evidence follows:
[demo@MikroTik] > interface/ethernet/switch/port-isolation/print
Flags: I - invalid 
 0   name="ether1" switch=switch1 

 1   name="ether2" switch=switch1 

 2   name="ether3" switch=switch1 

 3   name="ether4" switch=switch1 forwarding-override=switch1-cpu,ether5 

 4   name="ether5" switch=switch1 forwarding-override=switch1-cpu,ether4 

 5   name="switch1-cpu" switch=switch1 
[demo@MikroTik] > interface/ethernet/switch/port-isolation/export
# nov/27/2022 05:23:22 by RouterOS 7.5
# software id = ****-****
#
# model = RB760iGS
# serial number = ************
/interface ethernet switch port-isolation
set 3 forwarding-override=switch1-cpu,ether5
set 4 forwarding-override=switch1-cpu,ether4
[demo@MikroTik] > interface/bridge/host/print
Flags: D - DYNAMIC; L - LOCAL; E - EXTERNAL
Columns: MAC-ADDRESS, ON-INTERFACE, BRIDGE
#     MAC-ADDRESS        ON-INTERFACE  BRIDGE
0 D E B8:27:EB:37:89:21  ether5        bridge
1 DL  DC:2C:6E:7B:10:F2  bridge        bridge
2 DL  DC:2C:6E:7B:10:F3  ether3        bridge
3 DL  DC:2C:6E:7B:10:F4  ether4        bridge
4 DL  DC:2C:6E:7B:10:F5  ether5        bridge
5 D E DC:A6:32:0A:B5:39  ether3        bridge
6 D E F8:E4:3B:5D:A2:46  ether4        bridge
[demo@MikroTik] > ip/dhcp-server/lease/print
Flags: D, B - BLOCKED
Columns: ADDRESS, MAC-ADDRESS, HOST-NAME, SERVER, STATUS, LAST-SEEN
#   ADDRESS         MAC-ADDRESS        HOST-NAME    SERVER   STATUS  LAST-SEEN
0 D 192.168.88.254  F8:E4:3B:5D:A2:46  OP380        defconf  bound   4m12s    
1 D 192.168.88.253  B8:27:EB:37:89:21  TestPi3      defconf  bound   1m54s    
2 D 192.168.88.252  DC:A6:32:0A:B5:39  JonRPi4B4-1  defconf  bound   2m15s    
[demo@MikroTik] > ip/arp/print
Flags: D, P - PUBLISHED; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
#    ADDRESS         MAC-ADDRESS        INTERFACE
0 DC 192.168.101.1   F0:9F:C2:DF:89:91  ether1   
1 DC 192.168.88.254  F8:E4:3B:5D:A2:46  bridge   
2 DC 192.168.88.253  B8:27:EB:37:89:21  bridge   
3 DC 192.168.88.252  DC:A6:32:0A:B5:39  bridge   
[demo@MikroTik] > /tool/ping 192.168.88.254 count 2
Columns: SEQ, HOST, SIZE, TTL, TIME
SEQ  HOST            SIZE  TTL  TIME    
  0  192.168.88.254    56  128  1ms592us
  1  192.168.88.254    56  128  1ms302us

[demo@MikroTik] > /tool/ping 192.168.88.253 count 2
Columns: SEQ, HOST, SIZE, TTL, TIME
SEQ  HOST            SIZE  TTL  TIME 
  0  192.168.88.253    56   64  871us
  1  192.168.88.253    56   64  683us

[demo@MikroTik] > /tool/ping 192.168.88.252 count 2
Columns: SEQ, HOST, SIZE, TTL, TIME
SEQ  HOST            SIZE  TTL  TIME 
  0  192.168.88.252    56   64  615us
  1  192.168.88.252    56   64  506us

[demo@MikroTik] > 

--------------------------------------------------------

pi@TestPi3:~ $ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=53 time=18.6 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=53 time=17.6 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 17.671/18.182/18.694/0.528 ms
pi@TestPi3:~ $ ping 192.168.88.1
PING 192.168.88.1 (192.168.88.1) 56(84) bytes of data.
64 bytes from 192.168.88.1: icmp_seq=1 ttl=64 time=0.546 ms
64 bytes from 192.168.88.1: icmp_seq=2 ttl=64 time=0.569 ms
^C
--- 192.168.88.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1073ms
rtt min/avg/max/mdev = 0.546/0.557/0.569/0.026 ms
pi@TestPi3:~ $ ping 192.168.88.254
PING 192.168.88.254 (192.168.88.254) 56(84) bytes of data.
64 bytes from 192.168.88.254: icmp_seq=1 ttl=128 time=1.30 ms
64 bytes from 192.168.88.254: icmp_seq=2 ttl=128 time=1.25 ms
^C
--- 192.168.88.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.257/1.279/1.302/0.042 ms
pi@TestPi3:~ $ ping 192.168.88.253
PING 192.168.88.253 (192.168.88.253) 56(84) bytes of data.
64 bytes from 192.168.88.253: icmp_seq=1 ttl=64 time=0.118 ms
64 bytes from 192.168.88.253: icmp_seq=2 ttl=64 time=0.111 ms
^C
--- 192.168.88.253 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1041ms
rtt min/avg/max/mdev = 0.111/0.114/0.118/0.011 ms
pi@TestPi3:~ $ ping 192.168.88.252
PING 192.168.88.252 (192.168.88.252) 56(84) bytes of data.
^C
--- 192.168.88.252 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2097ms

pi@TestPi3:~ $ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr b8:27:eb:37:89:21
          inet addr:192.168.88.253  Bcast:192.168.88.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19030672 errors:0 dropped:7702909 overruns:0 frame:0
          TX packets:130158 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1781291414 (1.6 GiB)  TX bytes:35242550 (33.6 MiB)

------------------------------------------------

C:\WINDOWS\system32>ping -n 2 192.168.88.1

Pinging 192.168.88.1 with 32 bytes of data:
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64

Ping statistics for 192.168.88.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\WINDOWS\system32>ping -n 2 192.168.88.252

Pinging 192.168.88.252 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 192.168.88.252:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

C:\WINDOWS\system32>ping -n 2 192.168.88.253

Pinging 192.168.88.253 with 32 bytes of data:
Reply from 192.168.88.253: bytes=32 time=1ms TTL=64
Reply from 192.168.88.253: bytes=32 time=1ms TTL=64

Ping statistics for 192.168.88.253:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\WINDOWS\system32>ping -n 2 192.168.88.254

Pinging 192.168.88.254 with 32 bytes of data:
Reply from 192.168.88.254: bytes=32 time<1ms TTL=128
Reply from 192.168.88.254: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.88.254:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\WINDOWS\system32>ipconfig /all
---snip---
Windows IP Configuration

   Host Name . . . . . . . . . . . . : OP380
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet 5:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : ASIX AX88179A USB 3.2 Gen1 to Gigabit Ethernet Adapter
   Physical Address. . . . . . . . . : F8-E4-3B-5D-A2-46
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8fa3:eb81:7932:cab7%48(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.88.254(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, November 27, 2022 4:19:37 AM
   Lease Expires . . . . . . . . . . : Sunday, November 27, 2022 5:57:41 AM
   Default Gateway . . . . . . . . . : 192.168.88.1
   DHCP Server . . . . . . . . . . . : 192.168.88.1
   DHCPv6 IAID . . . . . . . . . . . : 821617723
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-EB-E8-D9-BC-30-5B-A4-E5-01
   DNS Servers . . . . . . . . . . . : 192.168.88.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\WINDOWS\system32>
And here is the /export that does not include the /interface/ethernet/switch/port-isolation section.
# nov/27/2022 06:12:57 by RouterOS 7.5
# software id = ****-****
#
# model = RB760iGS
# serial number = ***********
/interface bridge
add admin-mac=DC:2C:6E:7B:10:F2 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
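Added example, not code from this thread or from MikroTik: a small Python model of the two layer-2 behaviours the thread turns on, the plain VLAN table that lets ether7 and the server on sfp1 exchange frames inside VLAN 200 without the IP firewall ever seeing them (the original problem), and the per-port forwarding-override that Buckeye tested on the RB760iGS above. The class and function names (Port, can_forward, reachable, lab_rb760_ports, iot_vlan_ports, matrix) are my own; the model assumes forwarding-override restricts where a port's ingress frames may be delivered, and the CPU-only override on ether7 in iot_vlan_ports(isolate_ether7=True) is hypothetical, since the thread reports the RB4011 cannot express it. MAC learning, STP and the CPU/firewall path are deliberately left out.

```python
"""Toy model of switch-chip forwarding with a VLAN table plus per-port
forwarding-override (RouterOS port isolation). Constructed for illustration;
it ignores MAC learning, STP and everything that happens once a frame reaches
the CPU (IP firewall, bridge filter)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    name: str
    pvid: int = 1
    tagged: Set[int] = field(default_factory=set)    # VLANs carried tagged
    untagged: Set[int] = field(default_factory=set)  # VLANs carried untagged
    # Ports this port's *ingress* frames may be delivered to.
    # None = no override, i.e. every other port in the VLAN (the default).
    forwarding_override: Optional[Set[str]] = None


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """Classify an ingress frame. None means it is dropped at ingress, which is
    what ingress-filtering does to a frame type the port does not admit."""
    if tag is None:
        return port.pvid if port.pvid in port.untagged else None
    return tag if tag in port.tagged else None


def can_forward(ports: Dict[str, Port], src: str, dst: str,
                tag: Optional[int] = None) -> bool:
    """One direction: may a frame entering `src` (tagged `tag`, or untagged when
    None) leave on `dst`? Needs VLAN membership on both ports and, if the
    ingress port has a forwarding-override, `dst` must be listed in it."""
    if src == dst:
        return False
    s, d = ports[src], ports[dst]
    vid = ingress_vlan(s, tag)
    if vid is None:
        return False
    if s.forwarding_override is not None and dst not in s.forwarding_override:
        return False
    return vid in d.tagged or vid in d.untagged


def reachable(ports: Dict[str, Port], a: str, b: str,
              tag_a: Optional[int] = None, tag_b: Optional[int] = None) -> bool:
    """Both directions, which is what a request/reply exchange (ping) needs."""
    return can_forward(ports, a, b, tag_a) and can_forward(ports, b, a, tag_b)


def lab_rb760_ports() -> Dict[str, Port]:
    """Buckeye's RB760iGS lab above: bridge ports untagged in VLAN 1 plus the
    switch1-cpu port, with the two forwarding-override lines from his post."""
    names = ("ether2", "ether3", "ether4", "ether5", "switch1-cpu")
    ports = {n: Port(n, pvid=1, untagged={1}) for n in names}
    ports["ether4"].forwarding_override = {"switch1-cpu", "ether5"}
    ports["ether5"].forwarding_override = {"switch1-cpu", "ether4"}
    return ports


def iot_vlan_ports(isolate_ether7: bool = False) -> Dict[str, Port]:
    """The OP's VLAN 200 layout: server on sfp1 (tagged), wired IoT device on
    ether7 (untagged, pvid 200), AP on ether8 (tagged 100/200, untagged 300),
    router CPU as 'bridge'. isolate_ether7 adds a hypothetical CPU-only
    override on ether7 (assumption: not available on the RB4011)."""
    ports = {
        "bridge": Port("bridge", tagged={100, 200, 300}),
        "sfp1": Port("sfp1", tagged={100, 200, 300}),
        "ether7": Port("ether7", pvid=200, untagged={200}),
        "ether8": Port("ether8", pvid=300, tagged={100, 200}, untagged={300}),
    }
    if isolate_ether7:
        ports["ether7"].forwarding_override = {"bridge"}
    return ports


def matrix(ports: Dict[str, Port]) -> Dict[str, Dict[str, bool]]:
    """Bidirectional reachability for untagged frames between every port pair."""
    names = sorted(ports)
    return {a: {b: reachable(ports, a, b) for b in names if b != a} for a in names}


if __name__ == "__main__":
    lab = lab_rb760_ports()
    for a, row in matrix(lab).items():
        peers = ", ".join(b for b, ok in row.items() if ok)
        print(f"{a:12s} <-> {peers or '(nothing)'}")
    # What the ping tests above cannot show: ether3's frames still land on
    # ether4, only the reply path is blocked by ether4's override.
    print("ether3 -> ether4:", can_forward(lab, "ether3", "ether4"))
    print("ether4 -> ether3:", can_forward(lab, "ether4", "ether3"))
```

Run as a script it reproduces Buckeye's observations (ether4 and ether5 reach each other and the CPU, neither reaches ether3, ether3 still reaches the CPU). It also makes one thing visible that a ping matrix hides: with overrides only on ether4 and ether5, broadcast and ARP from ether3 is still delivered to them and only the replies are blocked, so a port you want fully isolated needs its own override rather than relying on its neighbours'. For the OP's layout, `reachable(iot, "ether7", "sfp1", None, 200)` being true with no CPU involvement is exactly the gap the thread is about, and the hypothetical CPU-only override on ether7 is the shape of the fix that the RB4011's switch chip, per the thread, does not offer.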
