jgro
newbie
Topic Author
Posts: 49
Joined: Sat Jun 10, 2017 7:33 am

Create subnet with client isolation in IPv6

Tue Jun 13, 2017 10:53 pm

How do I create a subnet with client isolation on a hEX router? Is that even possible?

I want to have one normal subnet for the office and another subnet with client isolation (clients on the subnet cannot talk to each other, can only access the internet); both subnets firewalled from the internet and each other, allowing only outbound connections. Our WiFi routers (not MikroTik devices) support guest networks (separate VLAN) but not client isolation. I was thinking I could give each client a /127 prefix, but I don't know how to set that up; it seems the DHCP server is designed to work with one pool of addresses in a given subnet, not manage multiple subnets.

What do you recommend?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Create subnet with client isolation in IPv6

Tue Jun 13, 2017 11:42 pm

Client isolation is a layer2 functionality - i.e. it's not the router's function but the switch's. This is true for IPv4 and IPv6.

Even if you put everyone into /127 networks (not a good idea), clients would still be able to see each other on link-local addressing (fe80::) and would be able to multicast-discover each other (ff02::1, for instance). If your switches and WAPs don't support client isolation, then there's not much you can do with a Mikrotik.

Now a Mikrotik does have these types of functions when it is being used as a layer 2 device - for instance, you can use split horizon bridging and/or bridge firewall rules, but this only blocks traffic which actually flows through the Mikrotik - so if you have two switches and are using the Mikrotik as the "root" switch, then hosts on switch 2 cannot talk to hosts on switch1 if you use such techniques, but hosts on switch1 can still talk to each other w/o the Mikrotik being able to interfere... unless that switch has client isolation functionality.
 
jgro
newbie
Topic Author
Posts: 49
Joined: Sat Jun 10, 2017 7:33 am

Re: Create subnet with client isolation in IPv6

Wed Jun 14, 2017 12:45 am

Thanks, ZeroByte.

Our APs support client isolation and I can connect them directly to the hEX, putting guest traffic on a separate tagged VLAN, and while I see how to separate the subnets (well, sort of, see additional questions below) I don't see how to keep the hEX from letting the guests talk to each other. Would that just be a firewall rule dropping traffic where the src and dst addresses are both on the guest network (or VLAN)?

Either way, I'm sure we can at least keep the guests from talking to our printers & servers & such by putting them on separate subnets and dropping traffic between the subnets, but that leads to the next problem, which is we have a dynamic IPv6 prefix. How do I dynamically generate subnets and hand out prefixes according to which VLAN they are on?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Create subnet with client isolation in IPv6

Wed Jun 14, 2017 1:02 am

If the APs are connected directly to the Mikrotik, then you can create a bridge (name=guest in this example) and that will be the "guest" network interface.
That's the layer3 point of configuration where you apply the IPv4 and IPv6 addresses, firewall rules, etc.

Since the WAPs are tagging, you'll need to create a vlan subinterface for guests on each interface - suppose ether2 and ether3, and guest vlan=100:

/interface vlan
add name=e2v100 vlan-id=100 interface=ether2
add name=e3v100 vlan-id=100 interface=ether3
/interface bridge port
add bridge=guest interface=e2v100 horizon=1
add bridge=guest interface=e3v100 horizon=1

Note the horizon=1 - this causes the bridge to use split-horizon filtering such that ports e2v100 and e3v100 cannot talk to each other. They may still communicate with any other port that is not also on horizon 1. (the number is fairly arbitrary, I just always use 1)

I would suggest that you do the same thing for the main LAN network and configure the WAPs to do vlan tagging on that vlan as well because bridging the native interfaces together will cause possible weird side effects if the vlan sub-interfaces are also bridged. So if the LAN is vlan-id=50, you would create e2v50 and e3v50 and add them as ports to the LAN bridge.

As for dynamic prefix, you need to make the dhcpv6 client place the prefix(es) it learns into a pool (call it ISP or something) and then for each layer3 interface where you want to assign a /64 prefix from the pool, you will set from-pool=ISP - be sure that your ISP is assigning a shorter prefix than /64 (at least it needs to be a /63 so you can have 2 lan segments) - a /62 or shorter will give increasing amounts of /64 segments for your use. Note that you don't need to assign one to the WAN interface itself. The router will use link-local (fe80::) addressing on the WAN quite happily.
 
jgro
newbie
Topic Author
Posts: 49
Joined: Sat Jun 10, 2017 7:33 am

Re: Create subnet with client isolation in IPv6

Thu Jun 15, 2017 12:39 pm

I think I understand the DHCPv6 and subnetting now. We'll have to see how it goes when leases expire.

This VLAN stuff doesn't work. I'm using a hEX RB750Gr3 and it barely supports VLANs. Deal killer is that it cannot add VLAN tags on egress, so traffic from the internet cannot be sent to the WAP on the guest VLAN.

What I'm going to do is give up on client isolation and settle for keeping the guests on a subnet that is isolated from the office. I will run the WAPs through our switch and let it send the guest VLAN out an isolated port, and then connect that to a separate port on the hEX. Then the hEX will be doing routing based on ethernet ports like it is designed to.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Create subnet with client isolation in IPv6

Thu Jun 15, 2017 5:02 pm

This VLAN stuff doesn't work. I'm using a hEX RB750Gr3 and it barely supports VLANs. Deal killer is that it cannot add VLAN tags on egress, so traffic from the internet cannot be sent to the WAP on the guest VLAN.
That's not true. VLANs are just "different" in RouterOS if you're more familiar with other vendors' implementations....

The difference is that for Mikrotik's methodology, you really need to have a firm grasp of how vlans work and how tagged vs untagged traffic is forwarded on the wire in order to effectively utilize their capabilities. This is because RouterOS's components are very 'atomic' in nature, and the way you connect things together leads to the vlan behavior that you want. You can actually do some very interesting things in RouterOS with bridges and vlan interfaces - many of them are not advisable ;).

Consider these two configurations:
Bridge1 (ports = ether1, ether2)
-vlan10
-vlan20

IP interfaces in this scenario are Bridge1, vlan10 and vlan20. Bridge1 = the untagged vlan on ports ether1 and ether2. In this build, any ethernet interface you add to bridge1 will be a "trunk" that carries all of the VLANs and the untagged "vlan".

vs:
ether1
-vlan10e1
-vlan20e1
ether2
-vlan10e2
-vlan20e2
Bridge10 (ports=vlan10e1, vlan10e2)
Bridge20 (ports=vlan20e1, vlan20e2)

In this case, the IP interfaces are Bridge10 and Bridge20. Each vlan can be delivered to individual interfaces independently of each other - and the tag need not even be the same on different interfaces. You could add vlan130 to ether4 and connect that vlan interface to Bridge20. Now, whatever is tagged vlan 20 on ether1 and ether2 would be vlan130 on ether4. You could even add vlan130 to ether1 or ether2 and add this to the bridge as well - meaning that ether1 now carries a single broadcast domain (vlan) but sends/receives this network on ether1 as BOTH tags 20 AND 130. (why you'd want to do this is debatable, and I'd be against such a thing - but the point is, it can be done and it would work as expected if you keep the behavior of each atomic component in mind).

In my earlier post, I recommended that you use method 2 here because it allows you to do client isolation on the guest bridge, while not doing client isolation on the main lan bridge. In method 1 above, if you put ether1 and ether2 on the same horizon, then all vlans on those interfaces will be subject to split horizon. In method 2, since each vlan is a separate bridge, you can do split horizon on one vlan, and no split horizon on the other.

Again, note that doing method 2 requires that your WAPs must tag traffic for both the guest AND the primary LAN, because the untagged "vlan" on each interface is not connected to anything - thus it won't get bridged anywhere.
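A small Python model of the two layouts described in this post (an added example, not RouterOS code or the poster's). The forwarding rule it assumes is the one the post describes: a frame never leaves through its ingress port and is never forwarded between two bridge ports that share the same non-empty horizon value; the interface and bridge names (vlan10e1, Bridge10, ...) follow the post.

```python
# Added example (not RouterOS code or the poster's): model of RouterOS bridge forwarding
# with split horizon for the two layouts above. Assumed rule: a frame never leaves through
# its ingress port, nor between two ports sharing the same non-empty horizon value.
class Bridge:
    """Bridge ports mapped to their horizon; None means no split horizon."""
    def __init__(self, ports):
        self.ports = ports

class Topology:
    """vlans: sub-interface -> (physical, vlan-id); membership: bridge port -> bridge name."""
    def __init__(self, vlans, membership, bridges):
        self.vlans, self.membership, self.bridges = vlans, membership, bridges

    def ingress_port(self, phys, tag):
        # A tagged frame is claimed by a matching bridged vlan sub-interface; otherwise it
        # stays on the physical interface (tag carried as payload), which may not be bridged.
        for name, (iface, vid) in self.vlans.items():
            if iface == phys and vid == tag and name in self.membership:
                return name
        return phys if phys in self.membership else None

    def can_reach(self, src_phys, src_tag, dst_phys, dst_tag):
        """Can a frame entering src_phys with src_tag leave dst_phys carrying dst_tag?"""
        p_in = self.ingress_port(src_phys, src_tag)
        if p_in is None:
            return False
        bridge = self.bridges[self.membership[p_in]]
        h_in = bridge.ports[p_in]
        for p_out, h_out in bridge.ports.items():
            if p_out == p_in or (h_in is not None and h_in == h_out):
                continue  # same port, or same horizon: split horizon drops it
            # A vlan sub-interface re-tags on egress; a plain port passes the tag through.
            if self.vlans.get(p_out, (p_out, src_tag)) == (dst_phys, dst_tag):
                return True
        return False

# Method 1: ether1 and ether2 bridged directly, both on horizon 1 (vlan10/vlan20 would be
# layer-3 interfaces on Bridge1 and play no part in forwarding).
METHOD1 = Topology(vlans={}, membership={"ether1": "Bridge1", "ether2": "Bridge1"},
                   bridges={"Bridge1": Bridge({"ether1": 1, "ether2": 1})})

# Method 2: one bridge per VLAN; only the guest bridge (Bridge20) uses split horizon.
METHOD2 = Topology(
    vlans={"vlan10e1": ("ether1", 10), "vlan10e2": ("ether2", 10),
           "vlan20e1": ("ether1", 20), "vlan20e2": ("ether2", 20)},
    membership={"vlan10e1": "Bridge10", "vlan10e2": "Bridge10",
                "vlan20e1": "Bridge20", "vlan20e2": "Bridge20"},
    bridges={"Bridge10": Bridge({"vlan10e1": None, "vlan10e2": None}),
             "Bridge20": Bridge({"vlan20e1": 1, "vlan20e2": 1})})
```

With method 1 every VLAN between ether1 and ether2 is blocked by the shared horizon; with method 2 VLAN 10 still passes while VLAN 20 is isolated, and untagged frames are not bridged anywhere.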
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Create subnet with client isolation in IPv6

Fri Jun 16, 2017 5:22 am

Client Isolation translates to private VLANs in my book. MikroTik came up with an option to emulate it with ARP. Naturally this wouldn't work with IPv6. I'd have to really dive into ROS and see what options we have with IPv6 ND but I bet your answer is going to be in there.

Once you know that you can then set that ND setting appropriately, likely on the bridge.

That said, for guest networks I normally don't imply any privacy and segregate them at layer 3 with IP addressing. I don't let them into the corporate network and if possible NAT them out of a different public IP.
 
jgro
newbie
Topic Author
Posts: 49
Joined: Sat Jun 10, 2017 7:33 am

Re: Create subnet with client isolation in IPv6

Fri Jun 16, 2017 11:28 am

ZeroByte, I appreciate your help. Idlemind, I have come to see it your way and gave up on client isolation, settling for keeping the guests on an isolated subnet instead.

I was confused by the documentation at Wiki:Manual:Switch Chip Features and the error messages I got from /interface ethernet switch port. The switch chip on the hEX does not support VLAN tagging and I didn't see where else to set it. Now I see that I need to use /interface vlan instead of /interface ethernet switch vlan and the tagging is implied by the VLAN interface (tags are added on ingress to the VLAN and only stripped when the packet is forwarded out of the VLAN) and handled by some other hardware.

Once I gave up on true client isolation, everything got much, much easier. Starting with the default "router" config which has NAT set up, I just need to add:
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-office-master

/interface vlan
add interface=ether2-office-master name=guest-wifi vlan-id=100

/ip address
add address=192.168.88.1/24 comment="Office router" interface=ether2-office-master network=192.168.88.0
add address=192.168.44.1/24 comment="Guest router" interface=guest-wifi network=192.168.44.0

/ip pool
add name=office_dhcp-pool ranges=192.168.88.10-192.168.88.254
add name=guest_dhcp-pool ranges=192.168.44.10-192.168.44.254

/ip dhcp-server
add address-pool=office_dhcp-pool disabled=no interface=ether2-office-master lease-time=3d10m name=dhcp-office
add address-pool=guest_dhcp-pool disabled=no interface=guest-wifi lease-time=3h name=dhcp-guest

/ip dhcp-server network
add address=192.168.88.0/24 comment="Office net" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
add address=192.168.44.0/24 comment="Guest net" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.44.1

# Of course the filters below have to be put in the right place in the chain, but I don't want to post the whole chain.
/ip firewall filter
add action=drop chain=forward comment="block guests -> office" in-interface=guest-wifi out-interface=ether2-office-master
add action=drop chain=forward comment="block office -> guests" in-interface=ether2-office-master out-interface=guest-wifi

This sets up ether2 as a hybrid connection, carrying the Office net untagged and the Guest WiFi tagged for VLAN 100. So ether2 is all I need to connect to my L2 switch; all the WAPs can also get plugged into the switch and I can use the switch's VLAN management to keep the guest traffic isolated from the rest of the office. The firewall rules are needed because both subnets need to be routed to the WAN port, at which point the router will route the traffic from one subnet to the other.

Side note: It's kind of annoying that there is no symbolic way to specify the DHCP network from the IP address list; I have to enter the same information in 2 places and keep it in sync. And of course I have to do all the DHCP and firewall filters over again for IPv6. Which brings us to the question I asked elsewhere, how do I distribute my IPv6 prefix into 2 isolated subnets...

/ipv6 dhcp-client
add add-default-route=yes comment="delegate ISP-assigned prefix" interface=ether1-WAN pool-name=wan6-pool prefix-hint=::/56 request=prefix

/ipv6 dhcp-server
add address-pool=wan6-pool comment="office addresses" interface=ether2-office-master name=office
add address-pool=wan6-pool comment="Guest WiFi addresses" interface=guest-wifi lease-time=3h name=guest

/ipv6 address
add comment="Office subnet" from-pool=wan6-pool interface=ether2-office-master
add comment="Guest subnet" from-pool=wan6-pool interface=guest-wifi

# Of course the filters below have to be put in the right place in the chain, but I don't want to post the whole chain.
/ipv6 firewall filter
add action=drop chain=forward comment="block guests -> office" in-interface=guest-wifi out-interface=ether2-office-master
add action=drop chain=forward comment="block office -> guests" in-interface=ether2-office-master out-interface=guest-wifi

I hope this helps someone. I imagine it's a pretty common setup.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Create subnet with client isolation in IPv6

Fri Jun 16, 2017 6:06 pm

Yup, I forgot to mention your struggles with the hex were similar to mine when I first unboxed it. The answer I got from MikroTik is that the switch chip is only good for accelerating l2 forwarding. In other words if you have a VLAN with 2 hosts on it, the switch chip only accelerates that communication. The minute they cross a layer 3 boundary and need to be routed it hits the CPU even on the Atheros based units that support VLANs. With that in mind the stronger CPU on the hex is supposed to give you much better intervlan-routing performance. I haven't come even close to stressing my hex out personally so I'm assuming all is well and I just use software based bridges. That said I have 4 x Cisco 2960-S doing the access layer stuff so the hex really only comes into play when I need to push packets at layer 3.
 
jgro
newbie
Topic Author
Posts: 49
Joined: Sat Jun 10, 2017 7:33 am

Re: Create subnet with client isolation in IPv6

Fri Jun 16, 2017 10:50 pm

Right, Idlemind, what I didn't realize was that there were two separate VLAN implementations in RouterOS, one at the switch level and one at the router level. The more advanced chips can do not only routing but blocking, preventing traffic from the wrong VLAN from entering the switch. I am not sure what security RouterOS as a whole has against that, but it looks like if a VLAN tagged packet arrived from the WAN (which is not supposed to have any VLANs on it) the tag would be ignored and stripped. My worry (and it is too hard for me to test) is that a VLAN tagged packet could come in from the WAN, get routed to the LAN with the VLAN tag in place, and go to the wrong place via the L2 switch, creating a security problem. I'm not too worried about it, since I'm not relying on VLANs in general to provide strong security, because they don't stop anyone with, say, a packet sniffer, for example.

As for CPU, I'm slightly worried. I waited for the "r3" in hEX RB750Gr3 because we have a 300 Mbps pipe feeding people whose jobs involve watching streaming video from the internet. So far it looks about equal to the task, but not much more. 100 Mbps test traffic drives the CPU to 25%. We'll see what happens when someone VPNs in and pulls a stream down the pipe and back out (I try to avoid that, but sometimes it happens).
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Create subnet with client isolation in IPv6

Sun Jun 18, 2017 7:59 am

Yup the VPN in may stress it out. Here is a screenshot from my monitoring system. It is setup in a router on the stick fashion to a Cisco switch. The two hosts are in that Cisco switch on separate VLANs, they go up a 1gb link to the hex and right back down. It definitely maxed out one core, it put the second core around 50%. System resources on routerboard was ~48%. I was getting over 300mbps consistently between the two hosts.
[Attachment: Forum_MikroTik_Performance-VLAN-Routing-hEX_1.png]
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Create subnet with client isolation in IPv6

Wed Jun 21, 2017 12:09 am

I am not sure what security RouterOS as a whole has against that, but it looks like if a VLAN tagged packet arrived from the WAN (which is not supposed to have any VLANs on it) the tag would be ignored and stripped. My worry (and it is too hard for me to test) is that a VLAN tagged packet could come in from the WAN, get routed to the LAN with the VLAN tag in place, and go to the wrong place via the L2 switch, creating a security problem.
Typically, you do not have any ports slaved to the WAN interface when using hw-based switch functionality, so the hw-switch wouldn't forward such frames anywhere. If you DO have interfaces slaved to the WAN interface, then the vlan-tagged frame would be forwarded as you specify, but if your configuration has multiple wan interfaces at layer2, then you should not have anything connected to the other interfaces which is not also considering this to be "external" traffic. This would be no different than if you were to take a dumb switch and connect your ISP into that switch, and a single un-bridged WAN interface of the Mikrotik into the switch.... anything else you plugged into that switch would obviously be expected to treat it as "internet-facing."

As for the CPU-based bridging functionality, it will work in roughly the same manner as the HW switch if you connect two physical interfaces using a bridge.

In neither case, however, will the Mikrotik strip the tag and forward the frame untagged unless you have done something in the configuration to specifically define this behavior.
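The worry raised above, tagged frames arriving on a port that should carry none, is something a defender can check for in a capture. This added Python example (not RouterOS code or any poster's) parses 802.1Q/802.1ad tag stacks from raw Ethernet frames and audits them against a per-interface policy; the frames and the policy (WAN untagged, office trunk allowing only VLAN 100) are constructed here using the interface names from this thread.

```python
# Added example (not RouterOS code or the posters'): audit captured Ethernet frames for
# 802.1Q tags that violate an expected per-interface tagging policy, the concern raised
# above about tagged frames arriving on a WAN port that should carry none.
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad (QinQ) tag protocol identifiers

def parse_vlan_tags(frame):
    """Return (VLAN IDs outermost first, inner ethertype) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, tags = 12, []  # ethertype/TPID follows the two 6-byte MAC addresses
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return tags, ethertype

def audit(frames, policy):
    """frames: (interface, bytes) pairs; policy: interface -> set of allowed VLAN IDs
    (empty set means the interface must only see untagged frames). Returns violations
    as (interface, tag stack); stacked tags are always reported."""
    findings = []
    for iface, frame in frames:
        tags, _ = parse_vlan_tags(frame)
        if tags and (len(tags) > 1 or tags[0] not in policy.get(iface, set())):
            findings.append((iface, tags))
    return findings

def build_frame(tags, ethertype=0x0800):
    """Constructed test frame: zero MACs, the given 802.1Q tag stack, 46 bytes of padding."""
    hdr = bytes(12) + b"".join(struct.pack("!HH", 0x8100, vid) for vid in tags)
    return hdr + struct.pack("!H", ethertype) + bytes(46)

# Constructed policy and captures using the interface names from this thread:
# the WAN must be untagged, the office trunk may carry only guest VLAN 100.
POLICY = {"ether1-WAN": set(), "ether2-office-master": {100}}
SAMPLE = [
    ("ether1-WAN", build_frame([])),                    # untagged: expected
    ("ether1-WAN", build_frame([100])),                 # tag on the WAN: report
    ("ether2-office-master", build_frame([100])),       # guest VLAN: allowed
    ("ether2-office-master", build_frame([200])),       # unknown VLAN: report
    ("ether2-office-master", build_frame([100, 100])),  # stacked tags: report
]
```

Feeding real frames (e.g. read from a pcap) into audit() in place of SAMPLE turns this into a check that the tagging assumptions in the configuration actually hold on the wire.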