Hi,

I would like to assign different subnet to devices connecting to my switch/router Mikrotik (RouterOS v6.40).

To avoid devices connected on subnet 1 to reach devices on subnet 2 and moreover to disable access to the WWW on one of those two subnet

diagram

Is it possible with RouterOS to set the DHCP server to lease two set of ip (subnet) base on a Whitelist, meaning if a device is on the white list it get subnet1 if not subnet2 ?

Or do you have more practical solutions ?

Thanks.

    • NanoooK@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      Isn’t it simpler to have two bridges with their own subnet and some firewall rules to prevent interaction between the two?

      • towerful@programming.dev
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 months ago

        Mikrotiks normally have hardware acceleration for VLANs and switching for only 1 bridge. Beyond that, traffic has to go through the CPU.

        Multiple bridges were one of the old ways, before hardware offloading.

        The way to do it is to have 1 bridge, register the vlans on the bridge, tag/untag all the bridge ports as appropriate, set PVIDs as appropriate. Add 2 VLAN interfaces (this gives the CPU access to the VLAN), add static IPs to the vlan interfaces, set up DHCP appropriately.
        Always worth taking a backup of the config, then enable hardware offloading last. If you end up locking yourself out, reset and reload the config, figure out what you did wrong.

        • Nogami@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          2 months ago

          Enable safe mode too? If there’s a problem while in safe mode just power cycle the router and the last good config before safe mode enables should come back up.

          I’d still do a backup in addition to play it safe though.

      • [email protected]@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 months ago

        VLANs do this but on the same device.
        Depends on what hardware you have I guess.
        Actual bridges aren’t really a thing these days, but unmanaged switches are still common, which are essentially just switches with all ports configured in the same VLAN that you can’t change.
        Whether you use dedicated physical devices or virtual LANs (VLANs) for the access ports where you connect you client devices, you’d likely still end up using different VLANs in whatever router or firewall you put inbetween those.
        Yes, you can technically configure multiple subnets on the layer 2 broadcast domain, but that would be less secure and more prone to problems.

  • Corsair@programming.devOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    25 days ago

    Thank you very much to all of you for your input !

    I see port in few of your feedback.

    I was not clear enough, let me rephrase:
    is it possible to give a subnet to a node, not based on the port of the switch/router but based on the node ? meaning that the switch/router need to recognize the node ( MAC or login? ) and then will give him access to A or B

    Thanks.