set RB450 as managed switch
Posted: Mon Sep 13, 2010 8:29 am
by namo
I have MikroTik v4.11 with hotspot on an Intel PC.
I mentioned in a previous post that I want to set up the RB450 as a managed switch which does client isolation and blocks arp-scan tools that steal the IP and MAC addresses of other clients, or does not allow two computers with the same IP and MAC address. (We know that the second device with the same IP and MAC address belongs to the unauthorized user, since I disabled cookies and an unauthorized user cannot log in first.) I have set client isolation in the APs, and now I cannot see clients connected to the same AP, but I can see the IP and MAC of clients connected to other APs.
I ran the following script on the RB450:
/interface bridge add name=bridge
/interface bridge port add bridge=bridge interface=ether1 horizon=1
/interface bridge port add bridge=bridge interface=ether2 horizon=2
/interface bridge port add bridge=bridge interface=ether3 horizon=3
/interface bridge port add bridge=bridge interface=ether4 horizon=4
/interface bridge port add bridge=bridge interface=ether5 horizon=5
I also created a different VLAN for each port, but I am still able to see other clients' IP and MAC addresses with arp-scan tools, as it was with the normal setting. What is wrong?
Re: set RB450 as managed switch
Posted: Mon Sep 13, 2010 10:54 am
by mrz
You can set bridge filters to drop communication between bridge ports.
Other than that, the RB450 cannot be configured as a managed switch.
Re: set RB450 as managed switch
Posted: Mon Sep 13, 2010 6:10 pm
by namo
How do I set bridge filters, and do I need the VLAN?
Re: set RB450 as managed switch
Posted: Tue Sep 14, 2010 8:15 am
by mrz
No, you don't need a VLAN.
/interface bridge filter
add chain=forward in-interface=ether2 out-interface=ether3 action=drop
Do the same for every interface combination.
Re: set RB450 as managed switch
Posted: Tue Sep 14, 2010 11:19 am
by namo
Should I also filter port 5 if it is the one connected to the router?
Re: set RB450 as managed switch
Posted: Fri Sep 17, 2010 12:49 pm
by namo
/interface bridge add name=bridge
/interface bridge port add bridge=bridge interface=ether1 horizon=1
/interface bridge port add bridge=bridge interface=ether2 horizon=1
/interface bridge port add bridge=bridge interface=ether3 horizon=1
/interface bridge port add bridge=bridge interface=ether4 horizon=1
/interface bridge port add bridge=bridge interface=ether5
/interface bridge filter
add in-interface=ether1 out-interface=ether2 action=drop chain=forward
add in-interface=ether1 out-interface=ether3 action=drop chain=forward
add in-interface=ether1 out-interface=ether4 action=drop chain=forward
add in-interface=ether2 out-interface=ether1 action=drop chain=forward
add in-interface=ether2 out-interface=ether3 action=drop chain=forward
add in-interface=ether2 out-interface=ether4 action=drop chain=forward
add in-interface=ether3 out-interface=ether1 action=drop chain=forward
add in-interface=ether3 out-interface=ether2 action=drop chain=forward
add in-interface=ether3 out-interface=ether4 action=drop chain=forward
add in-interface=ether4 out-interface=ether1 action=drop chain=forward
add in-interface=ether4 out-interface=ether2 action=drop chain=forward
add in-interface=ether4 out-interface=ether3 action=drop chain=forward
I didn't add port 5 because it is the uplink. Is this correct for switch client isolation?
Re: set RB450 as managed switch
Posted: Tue Sep 28, 2010 11:48 am
by Chupaka
Or, in shorter form:
/interface bridge filter
add chain=forward in-interface=!ether5 out-interface=!ether5 action=drop
Re: set RB450 as managed switch
Posted: Tue Sep 28, 2010 5:17 pm
by Feklar
Another option that takes fewer rules is to set the Horizon option on each port to the same number, and leave horizon=none on the uplink port. This prevents any traffic coming in on a port with the same horizon number from going out another port with the same horizon number.
Keep in mind, however, that this is in no way, shape or form a real switch; it is a router. Don't expect it to handle VLANs the same way a switch will. As far as it's concerned, whenever you add a VLAN it's just another physical interface that it can use.
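Added example, not part of any post in this thread: a small Python model of the bridge forwarding decision that compares the configurations discussed above (a different horizon value per port, a shared horizon with none on the uplink, the pairwise drop rules, and the single negated rule) and prints the pairwise rule lines. It assumes ether5 is the uplink, as in the thread; the function names are made up for this illustration, and the model covers only the horizon check and bridge filter drop rules.

```python
from itertools import permutations

PORTS = ["ether1", "ether2", "ether3", "ether4", "ether5"]
UPLINK = "ether5"  # per the thread: ether5 is the uplink to the router

def horizon_blocks(horizon, src, dst):
    """Split horizon: no forwarding between ports sharing a horizon value."""
    h = horizon.get(src)  # a missing entry models horizon=none
    return h is not None and h == horizon.get(dst)

def pairwise_rules(ports, uplink):
    """Every ordered pair of client ports ("every interface combination")."""
    clients = [p for p in ports if p != uplink]
    return list(permutations(clients, 2))

def render(rules):
    """Rule lines to paste under /interface bridge filter."""
    return ["add chain=forward in-interface=%s out-interface=%s action=drop" % r
            for r in rules]

def short_form_drops(src, dst, uplink=UPLINK):
    """Models in-interface=!ether5 out-interface=!ether5 action=drop."""
    return src != uplink and dst != uplink

def forwarded_pairs(ports, horizon=None, drops=None):
    """Ordered (in, out) port pairs the modelled bridge still forwards."""
    horizon = horizon or {}
    return {(s, d) for s, d in permutations(ports, 2)
            if not horizon_blocks(horizon, s, d)
            and not (drops and drops(s, d))}

def scenarios():
    explicit = set(pairwise_rules(PORTS, UPLINK))
    return {
        # First post: a different horizon per port, so nothing is blocked.
        "distinct_horizons": forwarded_pairs(
            PORTS, horizon={p: i for i, p in enumerate(PORTS, 1)}),
        # Same horizon on client ports, none on the uplink.
        "shared_horizon": forwarded_pairs(
            PORTS, horizon={p: 1 for p in PORTS if p != UPLINK}),
        "pairwise_filters": forwarded_pairs(
            PORTS, drops=lambda s, d: (s, d) in explicit),
        "short_form": forwarded_pairs(PORTS, drops=short_form_drops),
    }

if __name__ == "__main__":
    for name, pairs in scenarios().items():
        print(name, len(pairs), "forwarded pairs")
    print("\n".join(render(pairwise_rules(PORTS, UPLINK))))
```

In this model the per-port horizon values from the first post leave every port pair forwarding, while the other three configurations leave only the pairs that involve the uplink.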
Re: set RB450 as managed switch
Posted: Wed Sep 29, 2010 9:29 am
by namo
Will I have better options and settings if I use an RB493AH as router and switch instead of having an Intel PC as router and an RB450 as switch?
Re: set RB450 as managed switch
Posted: Wed Sep 29, 2010 6:11 pm
by Feklar
It all depends on your setup and what your goals are. Having a 493 handle everything definitely makes your life easier since there is only one thing to manage, and hence only one thing to go wrong. You won't have any extra options in this case however, but the setup is definitely less complex. Keep in mind that the RouterOS is for making devices routers, not switches. You can make them act like a layer 2 device to a certain extent, but they really aren't designed for it.
If you plan on a network that requires a switch, invest the money in a decent managed switch; you'll save yourself a ton of time, money, and headaches in the long run by investing in the proper hardware to run your networks now.
Re: set RB450 as managed switch
Posted: Fri Oct 01, 2010 10:39 am
by namo
I want the exact model for a good switch with 12 ports or more that can do client isolation. Will this prevent:
1- People from stealing the MAC address and IP of active users? (if the AP is already set to client isolation)
2- Two users with the same MAC and IP address?