I just bought a RB4011iGS appliance to use at work for a bit of a special case. This is an industrial manufacturing facility (but the router is in the nice clean server room)
We have a handful of VLANs on a air-gapped physical network. The VLANs do not talk to each other, and there is no routing between them currently.

We wanted to have a NTP server to help keep some of the RTCs aligned across various equipment and services (cameras, control systems, loggers, etc).

We have installed a GPS based timeclock system for the most critical VLAN, and it is working great. However, we would now like to offer the time syncing function across all the VLANs.

Enter RB4011iGS. I would like to use it's 8 ports to service the various VLANs (through untagged ports/cables) for the purpose of NTP only. I do not want any routing functions.
I simply want the mikrotik device to grab the time, and then handle requests from the devices on each individual VLAN.

I have just spent an hour cruising around the WebUI trying to figure it out, and I'm in way over my head.

It looks like i need to assign an IP to each interface (IP in each VLAN's subnet), and then enable the NTP Client (to grab time from my GPS unit) and the NTP Server (to serve time up each port/VLAN via the Port's IP). We want to block all communications between the VLANs to maintain the isolation.

Could anyone point me to the simplest way to disable the routing/switching functions between the ports, and still maintain the ability to access the webUI?
My only other experience with routing was with a pfSense install at home and it starts up with routing disabled (or no rules to allow it anyway).

So basically use the RB4011 as a switch??
No routing just switching?
How do you propose to use NTP if it has no way to influence vlan traffic??
all it can do is
a. assign base or trusted vlan IP to the RB4011
b. take trunk port in from source ( carrying all vlans)
c. distribute vlans as required.

Without control of the subnets, it has no way to tell subnets to do anything/
It can certainly be a client using provided NTP from an upstream server.
It can certainly act as an NTP server for any of its own subnets ( none its a switch )

That is my understanding but I am not expert, hopefully someone will confirm or provide better info.

I do not need it to operate as a switch either, that would allow devices on the VLANs to potentially speak to each other (if their IPs were configured appropriately).

The only traffic it needs to handle is the NTP requests from client devices. It's sole function will be to act as a NTP Server. I just don't want a device on eth1 to be able to talk to devices on any other eth2-10 ports.

Management would like to keep each VLAN on a single cable coming to the router, so there is no need to actually handle any VLAN processing/tagging - it should just appear as a normal subnet.

I know it's an odd use of the device, so it's a bit confusing. Hopefully I can/have explained it well enough someone will understand what i'm trying to accomplish.

By default packets will be forwarded between subnets. As there isn't an option to change the firewall policy you could either add a firewall filter rule to drop any forwarded packets with /ip firewall filter add action=drop chain=forward or even disable all forwarding with /ip settings set ip-forward=no

So basically use the RB4011 as a switch??

Nope, @OP wants to have a multi-homed NTP server.

@XplodingData, just create an address list like 'VLANS_NO_ROUTING'. Then, create a forward rule that drops all traffic coming and going to any address in the list for each corresponding VLAN address range. You can do this in WinBox/WebUI under IP > Firewall > Address Lists and IP > Firewall > Filter. If you prefer, use ROS commands like in the example code box below.

This'll block all traffic between VLANs, but it'll still allow stuff like NTP to and from the router for each VLAN. If you're using ROS commands, make sure to move the filter rule into a correct position afterward using WinBox/WebUI.

Commands to be executed in the terminal ie ROS code

/ip firewall address-list
add address=192.168.240.0/24 list=VLANS_NO_ROUTING
add address=192.168.241.0/24 list=VLANS_NO_ROUTING
add address=192.168.242.0/24 list=VLANS_NO_ROUTING

/ip firewall filter
add action=drop chain=forward src-address-list=VLAN_NO_ROUTING dst-address-list=VLAN_NO_ROUTING 

This should be quiet easy..

• Reset to blank config (no routing, no switching)
• Do NOT create bridge
• Asign desired IPs to ports
• Create interface list "NTP-only" (...or something)
• Create input firewall rule to allow incoming traffic from created list on port 123 and drop everything else

Ofc, this is just shortcut, you will have to handle traffic on eth1, NTP service, etc..

@neki, your suggestion won't prevent routing between subnets (i.e VLANs). And why reset the entire config?

As the OP doesn't want any routing functions and just wants to have the box acting as a multihomed NTP server, isn't it enough to disable IP forwarding (/ip settings/ip forward=no)?

isn't the bridge responsible for the switching? so if you don't have bridge you have no switching? ...reseting seems faster then deleting everything individually

@mbovenka; Yeah, it should work unless routing to other subnets on the plant is needed.

@mbovenka; Yeah, it should work unless routing to other subnets on the plant is needed.

Not even then, I think; it should act like a host and be able to accept a default gateway/route.

No routing whatsoever between routable interfaces, not even to default gateway if I recall correctly.

By default packets will be forwarded between subnets. As there isn't an option to change the firewall policy you could either add a firewall filter rule to drop any forwarded packets with /ip firewall filter add action=drop chain=forward or even disable all forwarding with /ip settings set ip-forward=no

This looks like what I'm probably looking for. So long as the device still answers on each port's assigned IP address (which is what I'll point the NTP client requests at) then this will be perfect.

This should be quiet easy..

• Reset to blank config (no routing, no switching)
• Do NOT create bridge
• Asign desired IPs to ports
• Create interface list "NTP-only" (...or something)
• Create input firewall rule to allow incoming traffic from created list on port 123 and drop everything else

Ofc, this is just shortcut, you will have to handle traffic on eth1, NTP service, etc..

The "bridge" seems to be auto generated when resetting the config. I already locked myself out once by accident and had to factory reset, and the bridge is already there. The device seems to come out of the box ready to go as a home style router with a WAN port pre-set for eth01. Otherwise, there is no config on the unit so a reset is totally fine and has no consequences (it's just sitting on my bench for play/testing right now anyway)

@mbovenka; Yeah, it should work unless routing to other subnets on the plant is needed.

This is not needed at all. There is zero need for the assorted subnets to talk to each other.

No routing whatsoever between routable interfaces, not even to default gateway if I recall correctly.

This is correct. I wish to have the unit behave as if it were 10 physically separate devices, with the only common connection being to the GPS NTP unit.
I had originally pitched the idea of just buying more of the same GPS NTP devices (easiest to keep the network segregation), but with a couple of the VLANs having multiple subnets on them, it was going to get expensive and messy (plus take up a lot of space) since the devices don't support multiple IP addresses.


I see your detailed reply further up with the rules and I will read it again after this afternoon when I hopefully have some time to sit back down with the router and try again.
I do appreciate your input.




Thank you everyone for your help - I will report back with my successes/failures after I get a bit of time to try the config options and gather a few laptops to test with.

You have to reset with "No default configuration", then you will have clear config without bridge and any other default configuration. But as you can see, guys here are suggesting otherwise.. Anyway I still believe that without bridge you have no switching....

I wish to have the unit behave as if it were 10 physically separate devices, with the only common connection being to the GPS NTP unit. I had originally pitched the idea of just buying more of the same GPS NTP devices (easiest to keep the network segregation), but with a couple of the VLANs having multiple subnets on them, it was going to get expensive and messy (plus take up a lot of space) since the devices don't support multiple IP addresses.

If your GPS/NTP device supported it, VLANs would be the way to go. But since it's IP-based you'll need layer 3 (IP) segregation instead using a filter in the router's 'forward' chain. Try to be clear about what you want your network to do on both layers.

Btw, you could technically simulate the device supporting multiple IP addresses using network address translation (NAT) but I don't see any real advantage to that in this situation.

The GPS NTP Device does not support VLANs or multiple IP Addresses or I would take advantage of that. Small oversight when originally ordering.

Try to be clear about what you want your network to do on both layers.

I was trying to be clear but I understand my lack of knowledge is probably leading to some misused terms/descriptions.
Sorry for any confusion so far.

I would like:

• No layer 2 or layer 3 traffic passing between any of the ports

• Port 10 connected directly to the GPS NTP Time Clock with the mikrotik requesting NTP Updates once an hour (Point to Point direct cabled)

• Port 9 assigned IP 192.168.88.1 for config access via WebGUI/WinBox (Port will be left empty unless physically in the room trying to make changes)

• Ports 1-3 to have 1 (or more) IPV4 Address(es) static assigned that will:
  • Each be physically connected to a unique VLAN via dedicated cable. Untagged. No VLAN config required @ mikrotik. These cables are going to an existing core switch with port ranges already dedicated to the assorted VLANs
  • Accept, and respond to, NTP Client Requests
  • Respond to Pings
  • Allow me access to the GUI (or WinBox) via the port's assigned IP(s)
  • Ports 4-8 not used at this time and can be disabled or left in the 192.168.88.x range

Does that help make the requirements more clear or am i still missing any key details to help with understanding my goals?

I still think you are asking to go to the moon, on an electric scooter but what do I know................... ( answer not much about basic networking so dont listen to me)

I really don't think I am. Quite the opposite really. What I am looking to do is go to the grocery store with a rocket ship.
A router that simply has all ports configured to not pass traffic to any other ports, but will respond to NTP requests directly. That's it.

I think I've almost got it figured out now. It has been too busy at work to get much play time.
But essentially if I add each port to the interface list (on LAN), disable the bridge, disable IPV4/IPV6 Forwarding, and setup the NTP Server/Client, it appears to be basically doing what I want.
At least that's where I was at yesterday afternoon before I got pulled in another direction. Will poke it some more today to see about adding multiple IPs to specific ports.

What I am looking to do is go to the grocery store with a rocket ship.

I can tell you that the grocery parking lot manager won't be happy ...