I have redundant Internet from my data center, they provide two links (ports) in HA-mode on their side (HSRP/VRRP). I can use their virtual IP (they failover for me) as GW all the time and I will have a static IP range assigned directly on the two ports on my switch. They require the two ports on my end (call them WAN1 and WAN2) to see each other in layer 2 and will activate the route to internet with just seconds delay on they hand.

In short, I can just hook a server to a switch, put a static public IP on the server with the VIP they provide as GW and works - on all ports.

So far, so good :) No issues. Here comes the isolation:

Since I might want some other people I don't know on same switch (that need Internet), I'm considering using the Mikrotik CRS354 I have and use the unit as a router instead. Is it somehow possible to bridge WAN1 port 1 +WAN2 port 2 and then make another new bridge against my LAN, call it DualWANBridge (ports 1,2) - LANBridgeMe (ports 3,4,5). And then a seperate bridge called DualWANBridge (ports 1,2) - LANBridgeCustomer (ports 3,4). Basically, a guest network on some ports that can not reach my servers, but that will have equal access to Internet.

All bridges/routes should be transparent, as I will use the same IP-network on both sides. So no NAT needed. And since bridge on this Mikrotik should have designated switch-chip, a bridge should work reasonable fast. I have little local traffic really, so no need for extreme speed between two local ports.

If I had more switches, I could do vlan to each group of ports. I guess I can't with single switch without doing something to all the servers individually?

Thankful for any ideas on best practice here :) I suspect even some kind of policy routing in switch-mode might even stop broadcasts or local traffic on some ports to travel across selected ports?

You have a number of conflicting statements regarding bridging and routing - you can't have the same IP network on both sides of a router, for example. Also CRS devices are intended to be L2 switches with some L3 functionality, but NOT wire-speed L3 routing/firewalling as they performance-limited by the CPU (RouterOS v7, currently in beta, will provide L3 hardware offloading on some CRS3xx devices).

If you have a single subnet and require isolation between groups of ports with hardware switching look at using switch chip port isolation.

Provide network diagrams to explain

Like below. I will have max 3 servers, customer will have 5.

"you can't have the same IP network on both sides of a router" - isn't this exactly what a bridge makes work? So I can have same IP-network on both sides. I'm pretty sure I can use a bridge WAN-LAN if I had one Internet-connection in port 1 of the router and a server in port 2. Then the router will just pass the traffic through and i would have a transparent firewall/bridge with same network on both sides. Maybe I'm confused as I'm used to use pfSense, that can be used in multiple ways.

ISP stated that each of to routers they provides (behind the scenes), will need to see each other from my equipment (like a switch) on layer 2 to provide the failover. This can be done they say, by having both their connections in a normal single switch OR two switches connected together.

What I want: Customers server can reach internet with no connection with my servers. I could solve this (hmm.. or maybe not) by subnetting into smaller ipv4-spaces, this way no broadcast traffic would be sent out on all ports. Negative side is of course less public IPs available once I split into smaller ranges. So some kind of port isolation, where I could say that customers servers are not to be trusted and to not be allowed connection to my servers (without going to WAN-side first).

"you can't have the same IP network on both sides of a router" - isn't this exactly what a bridge makes work? So I can have same IP-network on both sides.

No. Bridges handle layer2, routers handle layer3. Transparent IP filtering is possible, but rather a niche use case, and not possible in hardware on a Mikrotik.

From your picture the previous suggestion of ethernet port isolation should provide what you are looking for, although i'm not sure why you would want to prevent five or so other servers accessing yours when the entire rest of the internet can.

"you can't have the same IP network on both sides of a router" - isn't this exactly what a bridge makes work? So I can have same IP-network on both sides.

No. Bridges handle layer2, routers handle layer3. Transparent IP filtering is possible, but rather a niche use case, and not possible in hardware on a Mikrotik.

From your picture the previous suggestion of ethernet port isolation should provide what you are looking for, although i'm not sure why you would want to prevent five or so other servers accessing yours when the entire rest of the internet can.

I have seen transparent firewall filtering for 10+ years on Supermicro servers (with pfSense installed), so I know it works :) It is mostly used in data centers when you have cpanel-servers and other stuff that is tied to IP. So instead of doing NAT and having a local IP + static IP for hundreds of machines, you just have public IP directly on the server and one save so much work. Later, it has been changed to have a small transport network on the WAN-side (with big ipv4 range published on it) and then the static public ips used as if they are local on the LAN-side. Then you can NAT and also get the same task done. But wonder if there is a way to do that + do isolation on Mikrotik.

The reason to hide my servers is to avoid for instance local shares between two of my servers to be seen - or if I forget to put the software firewall on a server. If the connection comes from the WAN-side (and I have firewall active on Mikrotik), I can open up only web-ports for instance. A customer inside the same network can see both web-ports and other ports and do a sniff on the traffic. That you can't do from the Internet/WAN-side. Also, on same LAN, all broadcast traffic will reach customers servers as well and this is how they can look at interesting stuff. This broadcast traffic isn't routed over to the internet I think.

In that case pfSense will be doing bridge filtering, not routing filtering. The FreeBSD PF code used by pfSense is different to Linux netfilter as used in the Mikrotik - the bridge filtering is non-stateful, although bridged IP traffic can be forced to pass through the IP firewall chains if necessary, however the performance of either of these on a CRS will be poor as they are not intended for this use.

Ethernet switch port isolation allows all traffic between groups of ports to be blocked, alternatively it should be possible to use ethernet switch rules to block specific traffic such as multicast/broadcast between groups of ports which would prevent other servers receiving those. Not filtering unicast shouldn't be an issue as those packets are directed by the switch FDB so the other servers will not receive them anyway.

Thank you so much :) Port isolation will do the job perfectly fine yes :) I was thinking port isolation was only some fancy stuff used only for vlan or something and didn't realize it does what it is named.