
Isolation port configuration on MikroTik devices

#1 Draconblade (Member, 54 posts), 11-18-2020, 03:05 PM
Hello, I have a query about isolating Mikrotik RB750Gr3 ports. The configuration I have is: port1=WAN, port2=LAN, 192.168.100.0/24, port3=disabled, port4=Servers, 192.168.10.0/24, port5=Management, 10.1.0.0/24. I've applied these firewall rules with chain=forward action=drop on interfaces eth2 and eth4. However, traffic between devices is being dropped—like pings from 192.168.100.156 to 192.168.10.11 are not reaching the gateway. Similarly, 192.168.10.11 to 192.168.100.1 isn't dropping either. Any advice?

#2 ACarKilledMe (Junior Member, 34 posts), 11-25-2020, 01:57 PM
The packets reaching the router are handled through the Input chain, not Forwarding, even if the router's IP is on a different subnet. NOTE: I didn’t examine your rules closely. Dropping should be based on incoming and outgoing interfaces. For better results, consider filtering by source and destination IPs. You can add a subnet (e.g., 192.168.100.0/24) in the firewall fields. Otherwise, set drop rules directly on the input for those IP addresses.

#3 Weiii (Junior Member, 11 posts), 12-17-2020, 01:33 PM
Okay, so which chain is this? Also, I had the rule (chain=forward action=drop src-address=192.168.100.0/24 dst-address=192.168.10.0/24), but this was working the same. If I create a VLAN for the ports, then I lose the internet connection. Also, one more thing: I want to set a gateway for the MikroTik management port5 (130.1.0.10 interface IP). Can you guide me?

#4 oryan25 (Member, 115 posts), 12-17-2020, 03:29 PM
If blocking from interfaces and network address failed, it's likely a master/slave configuration or a bridged setup. Verify whether your interfaces include any master or bridge connections. Regarding the gateway, ensure ether5 uses ether1 as the gateway; this can be achieved through bridging or static routing, depending on your needs.

#5 Llabros (Senior Member, 740 posts), 12-17-2020, 03:35 PM
They're simplifying things. No blocking needed for IP or VLAN. Just include these two guidelines. Anything going to the router should follow, and vice versa—drop any traffic on the output interface.

#6 SirKumsishon (Senior Member, 257 posts), 12-18-2020, 12:14 AM
These guidelines would indeed prevent regular device traffic on ether2 from reaching the router. They aim to preserve the ability to communicate with the default gateway.

#7 CrazeB3ar (Junior Member, 25 posts), 12-18-2020, 01:23 AM
Yes, it's going to drop everything destined for the router. Depending on what's connected, it can still reach everything else in the subnet, but he will be islanded out. His original rules separate the networks already. If he is concerned because he can ping the gateway of either subnet, then that is another point. The original rules will separate the networks. Each gateway is the MikroTik. Just because you have a rule to prevent the networks from talking, it doesn't matter when pinging any interface on a device. If you want to prevent that, you will need to stop all traffic hitting the gateway. Otherwise it's not a concern to worry about.

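The chain-selection point made in #2 and #7 (a packet addressed to any of the router's own IPs is handled in the input chain, not forward, even when that IP belongs to a different subnet than the sender) is easy to see in a small model. The Python below is an added example, not code from the thread or from MikroTik. It assumes the router holds the .1 address on each LAN (post #1 only names 192.168.100.1; 192.168.10.1 and 10.1.0.1 are assumed), infers the ingress interface from the source subnet, and understands only the matchers used in the thread. The "hardened" rule set is a constructed reading of the advice in #5 through #7: a host may talk to the router only at its own port's gateway address, and anything else addressed to the router from that port is dropped in input.

```python
"""Model of RouterOS filter-chain selection for the topology in post #1.

Added example, not code from the thread or from MikroTik.  Assumptions:
the router holds the .1 address on each LAN (only 192.168.100.1 appears
in the thread), 10.1.0.1 is the Management address, the ingress interface
is inferred from the source subnet, and only chain, action,
in/out-interface and src/dst-address are modelled.  Rules are evaluated
top-down, first match wins, and a chain with no match accepts, which is
RouterOS behaviour.
"""
import ipaddress
import shlex

# Router addresses per interface (assumed .1 on each subnet).
ROUTER_ADDRESSES = {
    "ether2": ipaddress.ip_interface("192.168.100.1/24"),  # LAN
    "ether4": ipaddress.ip_interface("192.168.10.1/24"),   # Servers
    "ether5": ipaddress.ip_interface("10.1.0.1/24"),       # Management
}

# What post #1 describes: forward-chain drops between ether2 and ether4.
OP_SCRIPT = """
/ip firewall filter
add chain=forward action=drop in-interface=ether2 out-interface=ether4
add chain=forward action=drop in-interface=ether4 out-interface=ether2
"""

# Constructed hardening in the spirit of #5/#6/#7: a port's hosts may reach
# the router only at that port's own gateway address; anything else sent
# to the router (e.g. the other subnet's gateway) is dropped in input.
HARDENED_SCRIPT = OP_SCRIPT + """
add chain=input action=accept in-interface=ether2 dst-address=192.168.100.1
add chain=input action=drop in-interface=ether2
add chain=input action=accept in-interface=ether4 dst-address=192.168.10.1
add chain=input action=drop in-interface=ether4
"""


def parse_rules(script):
    """Turn 'add key=value ...' lines into dicts; other lines are ignored."""
    rules = []
    for line in script.strip().splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def interface_for(address):
    """Interface whose connected subnet holds the address; else the WAN."""
    ip = ipaddress.ip_address(address)
    for name, iface in ROUTER_ADDRESSES.items():
        if ip in iface.network:
            return name
    return "ether1"


def chain_for(dst):
    """Packets to ANY router address go through input, not forward,
    regardless of the interface they arrived on."""
    ip = ipaddress.ip_address(dst)
    if any(ip == iface.ip for iface in ROUTER_ADDRESSES.values()):
        return "input"
    return "forward"


def rule_matches(rule, pkt):
    matchers = {
        "in-interface": lambda v: pkt["in"] == v,
        "out-interface": lambda v: pkt["out"] == v,
        "src-address": lambda v: ipaddress.ip_address(pkt["src"])
        in ipaddress.ip_network(v, strict=False),
        "dst-address": lambda v: ipaddress.ip_address(pkt["dst"])
        in ipaddress.ip_network(v, strict=False),
    }
    return all(matchers[k](v) for k, v in rule.items() if k in matchers)


def verdict(rules, src, dst):
    """Return (chain, action) for a packet from src to dst."""
    chain = chain_for(dst)
    pkt = {"src": src, "dst": dst, "in": interface_for(src),
           "out": None if chain == "input" else interface_for(dst)}
    for rule in rules:
        if rule.get("chain") == chain and rule_matches(rule, pkt):
            return chain, rule["action"]
    return chain, "accept"


OP_RULES = parse_rules(OP_SCRIPT)
HARDENED_RULES = parse_rules(HARDENED_SCRIPT)

if __name__ == "__main__":
    cases = [("192.168.100.156", "192.168.10.11"),   # host to host
             ("192.168.100.156", "192.168.10.1"),    # host to other gateway
             ("192.168.100.156", "192.168.100.1"),   # host to own gateway
             ("192.168.100.156", "8.8.8.8")]         # host to internet
    for label, rules in (("post #1 rules", OP_RULES), ("hardened", HARDENED_RULES)):
        for src, dst in cases:
            print(label, src, "->", dst, verdict(rules, src, dst))
```

With only the forward rules, host-to-host traffic between ether2 and ether4 is dropped but a ping from 192.168.100.156 to 192.168.10.1 reaches the router untouched, because that packet never enters forward. The added input rules close that, while the accept for the port's own gateway keeps the behaviour #6 wanted to preserve. In a real export these input rules sit after the usual established/related accept, ether5 is deliberately left unrestricted here, and, as #4 points out, the IP firewall sees nothing at all if the ports are bridged or slaved to a master port rather than routed.
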
#8 NorwyTheCat (Junior Member, 5 posts), 12-18-2020, 08:23 AM
Set gateway to 10.1.0.1 on interface port5, link it to 10.1.0.2. Use default gateway for port2.

#9 JohnP1021 (Member, 68 posts), 12-18-2020, 12:39 PM
No, remove all connections. I can adjust the subnet, but I don't want to change that. I only need ether4 and ether5 separated from ether2 (LAN).