CinciTech
just joined
Topic Author
Posts: 9
Joined: Wed Sep 05, 2018 6:56 pm
Location: Cincinnati, Ohio

/32 Subnet

Sat Jun 07, 2025 9:46 pm

I think I'm either close to having this figured out and am missing something important, or I'm trying to do something that isn't as simple as I thought it would be. Either way, help!

I have a wAP ax with the latest RouterOS (7.19.1). I have a 10.1.10.0/24 subnet for PCs and devices that may talk to them. I have a 10.2.10.0/24 subnet for guests' phones and smart devices (wifi enabled light switches, Ring cameras, etc), which I want separated in case a device were to get compromised. (I think) I want to change this to 10.2.10.0/32, to further prevent devices from talking to one another, while still allowing them to connect to the internet.

Pieces I've been editing, from my config:
/ip pool
add name=dhcp ranges=10.2.10.180-10.2.10.199
/ip dhcp-server network
add address=10.1.10.0/24 comment="Home Network" dns-server=10.1.10.251 \
    gateway=10.1.10.1 netmask=24
add address=10.2.10.0/32 comment="Home Automation" dns-server=1.1.1.1 \
    gateway=10.1.10.1 netmask=32
/ip route
add comment="Subnet for internet devices " disabled=no distance=1 \
    dst-address=10.2.10.0/24 gateway=bridge routing-table=main \
    suppress-hw-offload=no
add comment="Subnet for isolated internet devices" disabled=no distance=1 \
    dst-address=10.2.10.0/32 gateway=bridge routing-table=main \
    suppress-hw-offload=no
With this config, I connect my phone to the WiFi and it gets a 10.2.10.### IP. Phone says Connected, No Internet. If I change the following it works as expected:
add address=10.2.10.0/24 comment="Home Automation" dns-server=1.1.1.1 \
    gateway=10.1.10.1 netmask=24

What else do I need to change to make this work?
 
grusu
Member Candidate
Posts: 168
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: /32 Subnet

Sat Jun 07, 2025 10:28 pm

You can use .../datapath/client-isolation=yes
 
jaclaz
Forum Guru
Posts: 3104
Joined: Tue Oct 03, 2023 4:21 pm

Re: /32 Subnet

Sat Jun 07, 2025 10:42 pm

How many addresses are available in a /32 network?

Hints:
in a /24 there are 256 addresses of which 254 usable;
in a /30 there are 4 of which 2 usable.
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: /32 Subnet

Sun Jun 08, 2025 1:12 am

/32 addressing works for point-to-point interfaces, but not all devices support it. It's not the right way to go about it with end-user PCs; it'll cause problems.
You instead should be looking at isolation/horizon. If all of them are wifi and only connecting to that 1 AP, then the solution above is what you want: just turn on isolation on the AP.

If you have multiple APs as well as hardwired devices, you need to use port isolation everywhere that isn't 'upstream',
i.e. if you had 2 desktop PCs on that isolated subnet connected to ether2 and ether3 as well as wifi clients locally, and there's another AP on ether4. All of those interfaces are in a LAN bridge, and you'd need to set 'horizon=10' (or any number) on the bridge ports, as well as isolation on the wifi itself.

Note this will isolate 'all' layer-2 traffic, so if you have 2 or more subnets and you don't want them isolated, you'll need to break things out into separate VLAN interfaces and use another bridge, i.e. ether2/3/4/wifi1/wifi2 go into the LAN bridge. You create VLAN10 on all of those interfaces, then create another 'IsolatedLAN' bridge and put all of the ether2.10/ether3.10/etc. interfaces into that with horizon=10.
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: /32 Subnet

Sun Jun 08, 2025 1:26 am

jaclaz wrote:
How many addresses are available in a /32 network?

Hints:
in a /24 there are 256 addresses of which 254 usable;
in a /30 there are 4 of which 2 usable.
This only holds true up to /30 but /31 and /32 are entirely valid addressing schemes
https://datatracker.ietf.org/doc/html/rfc3021

/31 simply sends to 'the other' address in that subnet; it doesn't need to use a broadcast address at all.
/32 sends to 'the interface' it's on with no regard for subnet.

Most but not all routers support it. I use /32 addressing handed out via DHCP for public customer addresses, which means I can use all 256 addresses for 256 customers anywhere in the network and waste none of them. For those that don't support /32, they can use PPPoE, which is inherently a /32 anyway, but it's assumed in the protocol.
 
jaclaz
Forum Guru
Posts: 3104
Joined: Tue Oct 03, 2023 4:21 pm

Re: /32 Subnet

Sun Jun 08, 2025 12:44 pm

Sure :) , no one ever said that /32 (or /31) are not valid address schemes.

BUT since the /32 doesn't work in the OP setup, then it is not appropriate in the specific case.
 
mkx
Forum Guru
Posts: 13812
Joined: Thu Mar 03, 2016 10:23 pm

Re: /32 Subnet

Sun Jun 08, 2025 1:05 pm

millenium7 wrote:
/32 sends to 'the interface' it's on with no regard for subnet

Nope. It sends traffic appropriate according to network address. Which is true also when using "normal" subnet masks, like /24. The big difference is that when using "normal" subnets, the network address is calculated automatically (e.g. 192.168.88.45/24 gives network address 192.168.88.0 and netmask 255.255.255.0 ... and anything with destination address of 192.168.88.x will be eligible to be sent via such interface ... actual arithmetic is in the line of: use dst address, apply output interface's netmask and compare result to output interface's network address) ... while in case of /32 one has to set network address manually and it has to match IP address of the other end of such link (e.g. address 192.168.88.45/32 and network address 10.10.10.10 ... destination address 10.10.10.10 with applied netmask of 255.255.255.255 evaluates to 10.10.10.10 and that's equal to network address ...).
/31 addressing doesn't change the arithmetic; rather, it also allows for automatic calculation of the network address ... and due to the netmask covering the addresses of both ends of the link, manually setting the network address is not necessary. It is possible to use /32 instead (e.g. if one end supports /31 while the other end doesn't), but both addresses have to be chosen carefully so that the arithmetic on both ends mirrors each other.
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: /32 Subnet

Sun Jun 08, 2025 1:45 pm

mkx wrote:
millenium7 wrote:
/32 sends to 'the interface' it's on with no regard for subnet

Nope. It sends traffic appropriate according to network address.
/31 does this, /32 does not
If you statically add i.e. IP address of 10.0.0.1 with network address of 10.1.1.2 onto an interface, you will not be able to communicate. You will need to manually add a route saying that 10.1.1.2 is on i.e. ether2
Go ahead and test it. The only exception you might not have noticed is when there is also a default route that happens to be on the same interface. That would also work
 
mkx
Forum Guru
Posts: 13812
Joined: Thu Mar 03, 2016 10:23 pm

Re: /32 Subnet

Sun Jun 08, 2025 2:22 pm

millenium7 wrote:
mkx wrote:
Nope. It sends traffic appropriate according to network address.

/31 does this, /32 does not.
If you statically add i.e. IP address of 10.0.0.1 with network address of 10.1.1.2 onto an interface, you will not be able to communicate. You will need to manually add a route saying that 10.1.1.2 is on i.e. ether2.
Sure ... I was talking about how an L3 entity determines whether a destination address is "directly attached" and can hence be sent out without using a gateway. It'll involve ARP who-has when the L2 technology is a PtMP one (such as ethernet) anyway.
The way L3 routing is set up is slightly different. Precisely in the case of point-to-point links one doesn't even have to assign an address to the link interface in order to use it to route traffic towards some destination; using the interface name is enough.
 
CinciTech
just joined
Topic Author
Posts: 9
Joined: Wed Sep 05, 2018 6:56 pm
Location: Cincinnati, Ohio

Re: /32 Subnet

Wed Jun 11, 2025 3:38 pm

Thanks for all the replies! I just got back to working on this after a long weekend of other work.
jaclaz wrote:
How many addresses are available in a /32 network?

Hints:
in a /24 there are 256 addresses of which 254 usable;
in a /30 there are 4 of which 2 usable.
I was under the impression that /32 (I also tried /31 & /30 with similar unsuccessful results) defined a subnet where any IP would be able to talk *only* to the gateway, and you simply needed to route the gateway traffic to the bridge for internet access. In my case 10.2.10.1 would be the gateway, and it's routed to bridge, so I expected that I could use anything from .2-.254. Clearly this was not correct.
grusu wrote:
You can use .../datapath/client-isolation=yes
I haven't been able to find where exactly to plug this setting in, but I suspect this would affect all traffic on a WiFi AP, which would not be what I'm looking to do. I want any wireless/wired device not assigned an IP from the DHCP pool to be able to connect to the internet but not anything else on the LAN. For anything that I have created a 10.1.10.0/24 entry in the DHCP pool for and assigned to its mac, I want it to be able to communicate freely with the LAN.
millenium7 wrote:
/32 addressing works for point-to-point interfaces, but not all devices support it. It's not the right way to go about it with end-user PCs; it'll cause problems.
You instead should be looking at isolation/horizon. If all of them are wifi and only connecting to that 1 AP, then the solution above is what you want: just turn on isolation on the AP.

If you have multiple APs as well as hardwired devices, you need to use port isolation everywhere that isn't 'upstream',
i.e. if you had 2 desktop PCs on that isolated subnet connected to ether2 and ether3 as well as wifi clients locally, and there's another AP on ether4. All of those interfaces are in a LAN bridge, and you'd need to set 'horizon=10' (or any number) on the bridge ports, as well as isolation on the wifi itself.

Note this will isolate 'all' layer-2 traffic, so if you have 2 or more subnets and you don't want them isolated, you'll need to break things out into separate VLAN interfaces and use another bridge, i.e. ether2/3/4/wifi1/wifi2 go into the LAN bridge. You create VLAN10 on all of those interfaces, then create another 'IsolatedLAN' bridge and put all of the ether2.10/ether3.10/etc. interfaces into that with horizon=10.
As a semantic matter, my wAP ax only has ether1 (WAN) and ether2 (LAN), but I do have a switch attached to ether2 and a couple other routers on the network (one is a Mikrotik using CAPsMAN; both act as wireless AP). I do intend for both wireless and wired devices to be able to be added to either the group that connects to the internet and not each other or the group that talks freely to the internet and each other. If someone wants to plug in a PC or join their phone to my WiFi, I want them to get internet, but in order for them to be able to pull files from a VM on my network I'd like to have to assign their mac address an IP.

Do you have a link to a guide for setting up this port isolation/horizon method? It sounds a bit daunting.
 
grusu
Member Candidate
Posts: 168
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: /32 Subnet

Wed Jun 11, 2025 3:44 pm

[Attachment: Captură de ecran 2025-06-11 154325.png]
 
CinciTech
just joined
Topic Author
Posts: 9
Joined: Wed Sep 05, 2018 6:56 pm
Location: Cincinnati, Ohio

Re: /32 Subnet

Wed Jun 11, 2025 3:57 pm

grusu wrote:
[Attachment: Captură de ecran 2025-06-11 154325.png]
Ah, I see. So it is located as a tab under WiFi (I don't have anything there yet). Am I correct in thinking this would isolate all devices connected to the interfaces in the Interface List (in your screen clip, LAN)? I would want to be able to only enable it for unrecognized devices.
 
grusu
Member Candidate
Posts: 168
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: /32 Subnet

Wed Jun 11, 2025 4:06 pm

Set a separate SSID for untrusted devices and a datapath for them where you set client isolation.
 
CinciTech
just joined
Topic Author
Posts: 9
Joined: Wed Sep 05, 2018 6:56 pm
Location: Cincinnati, Ohio

Re: /32 Subnet

Wed Jun 11, 2025 4:14 pm

Gotcha. Thanks for the tip!
 
lurker888
Member
Posts: 427
Joined: Thu Mar 02, 2023 12:33 am

Re: /32 Subnet

Wed Jun 11, 2025 4:18 pm

@CinciTech: I would like to make an attempt at clearing up the concepts discussed. An attempt - not guaranteeing success :-)

The /30, /31 and /32 addresses work fine, and they are for specific situations. Their discussion deserves merit, but for your scenario, it's pointless.

In your case, you want to hand out addresses normally, so probably a /24, absolutely in the usual fashion.

Isolation between the connected devices is achieved via a concept called PVLAN (Cisco terminology, but universally understood). To avoid even further confusion: this stands for Private VLAN, but does not actually involve VLANs at all. (The naming came about because the first Catalyst managed switches made by Cisco internally used the ASIC's VLAN machinery to achieve this - so it's a name that incorrectly exposes an implementation detail for hardware that you can no longer buy :-) ) This means that packets are not bridged (switched, L2 forwarded, etc.) between the devices.

For wifi interfaces, this is the "client isolation" setting.

For bridges (so if you want to include wired devices in the mix), the term is split-horizon bridging, which is achieved by assigning the same non-zero (e.g. "1") value to the bridge ports - simply, packets are not bridged between ports that have the same non-zero horizon value.

Note: for hardware-based switching, the "port isolation" feature can be used instead, because this is done in hardware, while split-horizon is restricted to software processing.

The above achieves isolation between the devices. If you only want isolation between *some* devices, local-proxy-arp should be enabled, and then IP firewalling can take care of what exactly to allow and what to block. (local-proxy-arp means that the router itself will answer all ARP requests within the subnet with its own MAC address, and therefore all data will be transmitted to it instead of directly to the destination, which it can then selectively choose to forward.)
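Putting the mechanisms from this post together (client isolation on the radio, the same non-zero horizon on every bridge port, then local-proxy-arp plus IP firewall rules to decide which pairs may still talk), and also covering the separate untrusted SSID with its own datapath from grusu's reply and the "horizon on every port" advice from millenium7's post, here is an added, complete RouterOS 7 configuration. It is an editorial example, not configuration from this thread, from MikroTik, or from any of the posters. Only the subnets, the DHCP pool and the DNS servers are the original poster's; the bridge, port, radio, datapath, SSID and address-list names, the 10.2.10.1 gateway for the isolated subnet, the placeholder passphrases and the sample MAC address are all assumptions.

```routeros
# Added example, not the thread's own configuration. RouterOS 7 with the "wifi"
# package (as on a wAP ax). Assumed names: bridge "bridge", WAN port ether1 in the
# interface list "WAN", LAN port ether2, radio wifi1 (repeat the wifi lines for the
# second radio), DHCP server "dhcp". Subnets are the original poster's:
# 10.1.10.0/24 trusted (reserved leases), 10.2.10.0/24 isolated (dynamic pool).
# The router owns .1 in both subnets; 10.2.10.1 as the isolated gateway is assumed.

/ip/address
add address=10.1.10.1/24 interface=bridge comment="trusted"
add address=10.2.10.1/24 interface=bridge comment="isolated"

# --- Layer 2: nothing is switched directly between client ports ---------------
# Every bridge port carries the same non-zero horizon. Frames are never forwarded
# between ports that share a horizon value, so a client can only reach the
# router's own MAC, never another client's.
/interface/bridge/port
set [find interface=ether2] horizon=1

# Wi-Fi: one datapath per trust level, both joining the bridge with horizon 1.
# client-isolation additionally stops the radio from relaying frames between
# clients of the same SSID.
/interface/wifi/datapath
add name=dp-trusted bridge=bridge bridge-horizon=1
add name=dp-isolated bridge=bridge bridge-horizon=1 client-isolation=yes
/interface/wifi/security
add name=sec-trusted authentication-types=wpa2-psk,wpa3-psk passphrase="CHANGE-ME-1"
add name=sec-guest authentication-types=wpa2-psk,wpa3-psk passphrase="CHANGE-ME-2"
/interface/wifi/configuration
add name=cfg-trusted ssid=Home datapath=dp-trusted security=sec-trusted
add name=cfg-guest ssid=Home-Guest datapath=dp-isolated security=sec-guest
/interface/wifi
set wifi1 configuration=cfg-trusted disabled=no
# Virtual AP on the same radio for untrusted clients.
add master-interface=wifi1 name=wifi1-guest configuration=cfg-guest disabled=no

# --- Layer 2/3 glue: hosts resolve every neighbour to the router's MAC ----------
# local-proxy-arp makes the bridge answer ARP requests for any address in its own
# subnets with its own MAC. The horizon already keeps the real host from hearing
# the request, so the router is the only responder and all LAN-to-LAN traffic is
# routed back out of the bridge (hairpinned) through the forward chain instead of
# being switched.
/interface/bridge
set bridge arp=local-proxy-arp

# --- Layer 3: DHCP assigns trust, the firewall enforces it --------------------
/ip/pool
add name=dhcp ranges=10.2.10.180-10.2.10.199
/ip/dhcp-server/network
add address=10.1.10.0/24 gateway=10.1.10.1 dns-server=10.1.10.251 comment="trusted"
add address=10.2.10.0/24 gateway=10.2.10.1 dns-server=1.1.1.1 comment="isolated"
/ip/dhcp-server
add name=dhcp interface=bridge address-pool=dhcp disabled=no
# Unknown devices land in the isolated pool. A trusted device gets a reserved
# lease in 10.1.10.0/24 bound to its MAC (placeholder MAC below).
/ip/dhcp-server/lease
add server=dhcp mac-address=00:11:22:33:44:55 address=10.1.10.50 comment="office PC"

/ip/firewall/address-list
add list=lan-trusted address=10.1.10.0/24
add list=lan-isolated address=10.2.10.0/24
/ip/firewall/filter
# Hairpinned LAN-to-LAN flows now traverse the forward chain. These rules assume
# the default "accept established,related" rule sits above them and must be placed
# above any final catch-all drop.
add chain=forward in-interface=bridge out-interface=bridge \
    src-address-list=lan-isolated action=drop \
    comment="isolated devices reach nothing else on the LAN"
add chain=forward in-interface=bridge out-interface=bridge \
    src-address-list=lan-trusted action=accept \
    comment="trusted devices may talk to any LAN host"
add chain=forward in-interface=bridge out-interface-list=WAN action=accept \
    comment="every LAN device may reach the Internet"
```

Two checks are worth making after applying this. `/interface/bridge/port print` should show horizon 1 on ether2 and on the dynamically added wifi ports, and from a 10.2.10.x client the ARP table (`arp -a`) should list the router's MAC for every LAN address it has tried to reach; if a real client MAC shows up, some port is still bridging directly. The limit millenium7 pointed out still applies: devices hanging off an unmanaged switch on ether2 share one bridge port, so they reach each other at layer 2 regardless of this configuration, and isolating them needs the same horizon or port-isolation treatment on that switch.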