Community discussions

jspool
Member
Topic Author
Posts: 459
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Port Isolation?

Sun Oct 04, 2009 4:32 am

OK, so I have an RB450G running 3.21. This is my first 'Tik.

eth1 is connected to the ISP and the remaining ports are:

eth2 10.0.10.0/26
eth3 12.0.12.0/24
eth4 20.0.20.0/24
eth5 192.168.10.0/24

Ports 2 through 5 are masqueraded.

My problem is that the network connected to eth3 can reach the network connected to eth5. This applies to eth2 through eth5: they can all see each other.

My goal: to have eth2 through eth5 isolated from each other but still connecting to the internet via eth1.

What do I need to do to accomplish this?

Thanks,
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Port Isolation?

Sun Oct 04, 2009 5:04 am

Add firewall rules in the forward chain that block traffic between those networks.

One easy way to do that is to build an address-list of the local networks that contains 10.0.10.0/26, 12.0.12.0/24, 20.0.20.0/24, 192.168.10.0/24:
Code:
/ip firewall address-list add list=local_networks address=10.0.10.0/26
/ip firewall address-list add list=local_networks address=12.0.12.0/24
/ip firewall address-list add list=local_networks address=20.0.20.0/24
/ip firewall address-list add list=local_networks address=192.168.10.0/24
Then add a filter rule that drops all traffic sourced from those networks going out any interface that isn't the WAN:
Code:
/ip firewall filter add chain=forward src-address-list=local_networks out-interface=!ether1 action=drop
Another way is a forward chain that accepts established and related traffic, accepts traffic going out the WAN interface and drops everything else.

By the way, why are you masquerading the two public IP blocks?
melwong
newbie
Posts: 36
Joined: Tue Mar 10, 2009 11:43 am

Re: Port Isolation?

Sun Oct 04, 2009 5:10 am

Isn't VLAN supposed to do that?

Tag different VLANs on all ports. They will be isolated if there's no routing. Layer 2 isolation.

Firewall rules, which are similar to ACLs in Cisco, are the more complex but more complete way since they deal with traffic at layer 3.
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Port Isolation?

Sun Oct 04, 2009 5:37 am

VLANs don't introduce anything different to the situation. The RouterOS device will by default route traffic between all connected networks, be they physical or virtual, unless you block that traffic via the firewall.
jspool
Member
Topic Author
Posts: 459
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: Port Isolation?

Sun Oct 04, 2009 5:40 am

Thanks fewi. That firewall rule is exactly what I was looking for. And you are right about the VLAN as well.

Thank you!
Josh
melwong
newbie
Posts: 36
Joined: Tue Mar 10, 2009 11:43 am

Re: Port Isolation?

Sun Oct 04, 2009 7:16 am

jspool wrote:
Thanks fewi. That firewall rule is exactly what I was looking for. And you are right about the VLAN as well.

Thanks, I learned something new today. MikroTik does not exactly have full VLAN support, if what fewi said is true.

fewi wrote:
The RouterOS device will by default route traffic between all connected networks, be they physical or virtual, unless you block that traffic via the firewall.

RouterOS only supports transparent VLANs since it's a router and will not bother to look deeper into the VLAN tag. Am I right?
fewi
Forum Guru
Forum Guru
Joined: Tue Aug 11, 2009 3:19 am

Re: Port Isolation?

Sun Oct 04, 2009 7:41 am

melwong wrote:
Thanks, I learned something new today. MikroTik does not exactly have full VLAN support, if what fewi said is true.

RouterOS fully implements 802.1q.

melwong wrote:
RouterOS only supports transparent VLANs since it's a router and will not bother to look deeper into the VLAN tag. Am I right?

No. VLANs are only separated from each other if they're layer 2. What you said is true for, say, a router that has 5 Fast Ethernet interfaces (or one interface with 5 dot1q sub-interfaces) where the router doesn't have any IP addresses on the interfaces. In that case the networks are completely isolated from each other. The moment you take a Cisco 7200 and slap 5 interfaces on it (physical or VLAN) and put IP addresses on the router on each interface - making the networks layer 3 from the viewpoint of the router - it will by default route all traffic between all interfaces. To block the traffic, you'd implement an ACL.
The same is true for a MikroTik RouterOS device.
melwong
newbie
Posts: 36
Joined: Tue Mar 10, 2009 11:43 am

Re: Port Isolation?

Sun Oct 04, 2009 7:58 am

fewi wrote:
No. VLANs are only separated from each other if they're layer 2. What you said is true for, say, a router that has 5 Fast Ethernet interfaces (or one interface with 5 dot1q sub-interfaces) where the router doesn't have any IP addresses on the interfaces. In that case the networks are completely isolated from each other. The moment you take a Cisco 7200 and slap 5 interfaces on it (physical or VLAN) and put IP addresses on the router on each interface - making the networks layer 3 from the viewpoint of the router - it will by default route all traffic between all interfaces. To block the traffic, you'd implement an ACL.
The same is true for a MikroTik RouterOS device.

Yes, you are right. I think I misunderstood jspool's question.
What he/she states are all network addresses on ether2 to ether5:
eth2 10.0.10.0/26
eth3 12.0.12.0/24
eth4 20.0.20.0/24
eth5 192.168.10.0/24

So I logically presumed he/she has a router elsewhere and is not assigning IP addresses to ether2 to ether5.
That's why, if VLAN tagged, the traffic will be logically segmented into different broadcast domains.

Anyway, it's clearer now. Thanks.
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Port Isolation?

Sun Oct 04, 2009 8:06 am

Gotcha! I see how that could be confusing.
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Port Isolation?

Wed Oct 07, 2009 1:23 pm

Fewi, so to separate VLANs you would create a couple of routing rules to drop the packets, assuming the VLANs are now configured on the router on a single Ethernet port?

But if I wanted a single IP in VLAN2 to access another IP in VLAN3, I would have to create a 'lookup' rule for this and then a drop rule for the entire IP range?
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Port Isolation?

Wed Oct 07, 2009 1:54 pm

Exactly. You would add an exception rule that accepts packets coming from one address and going to the other one in the other network, and place that rule just before the drop rule.

Also note that 12.0.0.0/8 and 20.0.0.0/8 are public IP addresses, and if you use those and they are not assigned to you as your address range, your customers might not be able to access hosts with addresses in these ranges.

Here is the list of addresses for private use:
http://en.wikipedia.org/wiki/Private_ne ... ress_space
Using these, you won't risk coincidentally blocking some host.
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Port Isolation?

Wed Oct 07, 2009 5:02 pm

janisk wrote:
Exactly. You would add an exception rule that accepts packets coming from one address and going to the other one in the other network, and place that rule just before the drop rule.

Thanks, that works like a charm. I ignored the interface option and just dropped from one IP range to another.

If I wanted to make sure that someone doesn't bypass this rule by changing their IP, could I simply create a rule to drop everything from, say, vlan20 to vlan30? I don't see how to do this in the routing rules, but perhaps in the firewall filter?

A combination of the two? Drop entire VLANs via the firewall filter and then allow specific IPs via the routing rule?
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Port Isolation?

Wed Oct 07, 2009 6:29 pm

I wouldn't do this with routing rules at all, but then again I'm a firewall guy. Routing rules would work, I suppose. Below are the relevant configuration parts for two physical interfaces (inside and outside) and 4 VLAN interfaces stacked on the inside interface (Wired, Wireless, DMZ and Admin):
Code:
/interface ethernet
set 0 disabled=no name=outside
set 1 disabled=no name=inside
set 2 disabled=yes name=ether3
set 3 disabled=yes name=ether4
/interface vlan
add disabled=no interface=inside name=Wired vlan-id=2
add disabled=no interface=inside name=Wireless vlan-id=3
add disabled=no interface=inside name=DMZ vlan-id=4
add disabled=no interface=inside name=Admin vlan-id=5
/ip address
add address=1.1.1.144/26 interface=outside
add address=10.2.0.1/23 interface=Wired
add address=10.3.0.1/23 interface=Wireless
add address=10.4.0.1/24 interface=DMZ
add address=10.5.0.1/24 interface=Admin
By default all those networks could pass traffic to one another.

And the firewall section to prevent that. Only the relevant parts of forward chain are shown:
Code:
/ip firewall filter
add action=accept chain=forward comment="forward established traffic" connection-state=established disabled=no
add action=accept chain=forward comment="forward related traffic" connection-state=related disabled=no
add action=accept chain=forward comment="forward traffic from local interfaces to WAN" disabled=no out-interface=outside
add action=accept chain=forward comment="allow Wired to initiate traffic to DMZ, reverse is not true" in-interface=Wired out-interface=DMZ
add action=accept chain=forward comment="allow bi-directional traffic initiation between Wired and Admin, Part I" in-interface=Wired out-interface=Admin
add action=accept chain=forward comment="allow bi-directional traffic initiation between Wired and Admin, Part II" in-interface=Admin out-interface=Wired
add action=drop chain=forward comment="drop everything else" disabled=no
Every network can now pass traffic to 'outside'. 'Wired' can initiate connections to 'DMZ' (and since related/established is allowed, DMZ can pass back traffic for those connections). 'Wired' and 'Admin' can initiate connections bi-directionally.

Hope that helps.
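The thread describes three related things: fewi's first suggestion (one drop rule keyed on an address-list of the local networks), hilton's worry that a host could bypass an address-based rule by changing its IP, and fewi's final interface-based forward chain with janisk's single-host exception placed just before the drop. The following Python is an added model of how a RouterOS-style forward chain evaluates those rule sets; it is illustrative code written for this page, not MikroTik's implementation. It assumes first-match evaluation, accept as the default for an unmatched packet, and a simplified connection table (only "new" and "established"; "related" is not modelled). The sample hosts, the Internet peer 203.0.113.9, the spoofed address 172.16.0.9 and the two hosts in the exception rule are constructed for the example.

```python
# Added model of RouterOS forward-chain evaluation (illustrative Python, not MikroTik code).
# Rules are tried top to bottom and the first match decides; an unmatched packet is
# accepted, which is why every network on the router reaches every other one until a
# drop rule exists. Connection state comes from a tiny connection table so that the
# "accept established" rule behaves the way the thread relies on. "related" is not modelled.
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: str


@dataclass
class Rule:
    action: str                        # "accept" or "drop"
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None    # a leading "!" negates, as in RouterOS
    src_addr: Optional[str] = None     # host or CIDR
    dst_addr: Optional[str] = None
    src_list: Optional[str] = None     # name of an address-list
    conn_state: Optional[str] = None   # "new" or "established"
    comment: str = ""


def _in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _iface_match(want: Optional[str], have: str) -> bool:
    if want is None:
        return True
    return have != want[1:] if want.startswith("!") else have == want


class ForwardChain:
    def __init__(self, rules: List[Rule], lists: Optional[Dict[str, List[str]]] = None):
        self.rules, self.lists = rules, lists or {}
        self.conntrack: Set[FrozenSet[str]] = set()

    @staticmethod
    def _flow(pkt: Packet) -> FrozenSet[str]:
        return frozenset((pkt.src, pkt.dst))   # both directions share one entry

    def _matches(self, r: Rule, pkt: Packet, state: str) -> bool:
        return (_iface_match(r.in_iface, pkt.in_iface)
                and _iface_match(r.out_iface, pkt.out_iface)
                and (r.src_addr is None or _in_net(pkt.src, r.src_addr))
                and (r.dst_addr is None or _in_net(pkt.dst, r.dst_addr))
                and (r.src_list is None
                     or any(_in_net(pkt.src, n) for n in self.lists[r.src_list]))
                and (r.conn_state is None or r.conn_state == state))

    def forward(self, pkt: Packet) -> str:
        state = "established" if self._flow(pkt) in self.conntrack else "new"
        verdict = next((r.action for r in self.rules if self._matches(r, pkt, state)), "accept")
        if verdict == "accept" and state == "new":
            self.conntrack.add(self._flow(pkt))   # an accepted new flow is now established
        return verdict


def address_list_isolation() -> Dict[str, str]:
    """fewi's first suggestion: a single drop rule keyed on an address-list."""
    chain = ForwardChain(
        [Rule("drop", out_iface="!ether1", src_list="local_networks")],
        {"local_networks": ["10.0.10.0/26", "12.0.12.0/24", "20.0.20.0/24", "192.168.10.0/24"]},
    )
    return {   # hosts and the 203.0.113.9 Internet peer are constructed sample data
        "eth3_to_eth5": chain.forward(Packet("12.0.12.5", "192.168.10.7", "ether3", "ether5")),
        "eth3_to_wan": chain.forward(Packet("12.0.12.5", "203.0.113.9", "ether3", "ether1")),
        "wan_reply": chain.forward(Packet("203.0.113.9", "12.0.12.5", "ether1", "ether3")),
        # hilton's concern: a host on ether5 that picks an address outside the list
        "spoofed_eth5_to_eth3": chain.forward(Packet("172.16.0.9", "12.0.12.5", "ether5", "ether3")),
    }


def interface_isolation() -> Dict[str, str]:
    """fewi's VLAN rule set plus janisk's single-host exception, matched on interfaces."""
    chain = ForwardChain([
        Rule("accept", conn_state="established", comment="forward established traffic"),
        Rule("accept", out_iface="outside", comment="local interfaces to WAN"),
        Rule("accept", in_iface="Wired", out_iface="DMZ", comment="Wired may initiate to DMZ"),
        Rule("accept", in_iface="Wired", out_iface="Admin"),
        Rule("accept", in_iface="Admin", out_iface="Wired"),
        # exception for one (assumed) host pair goes just before the final drop
        Rule("accept", in_iface="Wireless", out_iface="Wired", src_addr="10.3.0.50", dst_addr="10.2.0.10"),
        Rule("drop", comment="drop everything else"),
    ])
    r = {}
    r["wireless_to_wan"] = chain.forward(Packet("10.3.0.50", "203.0.113.9", "Wireless", "outside"))
    r["wired_to_dmz"] = chain.forward(Packet("10.2.0.10", "10.4.0.80", "Wired", "DMZ"))
    r["dmz_reply_to_wired"] = chain.forward(Packet("10.4.0.80", "10.2.0.10", "DMZ", "Wired"))
    r["dmz_initiates_to_wired"] = chain.forward(Packet("10.4.0.80", "10.2.0.99", "DMZ", "Wired"))
    r["admin_to_wired"] = chain.forward(Packet("10.5.0.2", "10.2.0.10", "Admin", "Wired"))
    r["wireless_exception"] = chain.forward(Packet("10.3.0.50", "10.2.0.10", "Wireless", "Wired"))
    r["wireless_other_host"] = chain.forward(Packet("10.3.0.51", "10.2.0.10", "Wireless", "Wired"))
    # the address trick from the earlier approach no longer helps: a host cannot choose in-interface
    r["spoofed_wireless_to_dmz"] = chain.forward(Packet("172.16.0.9", "10.4.0.80", "Wireless", "DMZ"))
    return r
```

Two things the model makes visible. In the address-list variant, a host on ether5 that configures an address outside local_networks is never matched by the drop rule and reaches ether3, which is exactly the bypass hilton asked about; the interface-based chain drops that packet because the router, not the host, decides which interface a frame arrived on. In the interface-based chain the DMZ host's reply to Wired is accepted only because the Wired-initiated connection was accepted first and is now established, so the established rule has to sit above the drop and the exception rule has to sit above it as well, as janisk says.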
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Port Isolation?

Wed Oct 07, 2009 10:59 pm

Thanks very very much Fewi. Greatly appreciated.