Piplfox
just joined
Topic Author
Posts: 13
Joined: Mon Nov 13, 2006 3:43 pm

4 different subnets one gateway

Mon Jul 02, 2012 11:36 am

Hi, I need some guidance with the following network configuration. I have four different subnets and they have to be configured so clients from different subnets are not allowed to see each other. All clients from all subnets should have the same gateway (Mikrotik Router 751U-2HnD) with PPPoE dial-up on the WAN interface. And here is a schematic:

WAN Internet provider (dynamic DHCP over PPPOE)
l
l
Mikrotik router 751U-2HnD

l l l l -managed switch

10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 10.10.4.0/24

These subnets are also configured on the managed switch (a group of ports managed for each subnet), but the fourth subnet should be accessible to the other three subnets (the 4th subnet is for printers), so all clients from the other subnets (1, 2, 3) should be able to print (subnet 4).

Please help.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: 4 different subnets one gateway

Mon Jul 02, 2012 5:54 pm

You will need to firewall them off, and the easiest, best, cleanest, and most secure way is to do this with different routed interfaces for each subnet. You can either remove all ports from the switch chip and make each port its own routed interface (set master-port to none) and set up a different subnet on each interface, or use VLANs and set up a different subnet on each VLAN. This means that this needs to propagate out to the rest of the layer 2 network, so it's looking like VLANs are the way to go for you with your managed switches, assuming they support them.

Yes, you can assign all subnets to the same routed interface and set up a firewall to prevent people from talking to other devices on different subnets through the router itself, but that has never prevented, nor will it ever prevent, someone from running a program like netcut and seeing what your other subnets are, and changing their configuration to match if they all share the same layer 2 network.
 
Piplfox
just joined
Topic Author
Posts: 13
Joined: Mon Nov 13, 2006 3:43 pm

Re: 4 different subnets one gateway

Fri Jul 06, 2012 11:45 am

Hi, finally I've received all the hardware and I can start configuring the network. So I have a managed switch TP-Link TL-SL3428 (24port+4G) and a Mikrotik RB450G.

I've configured the switch like this:

Switch TL-SL3428
Port          1       2-3       4-8
Link Type     TRUNK   GENERAL   GENERAL
Egress Rule   TAG     UNTAG     UNTAG
PVID          1       2         3

On the Mikrotik I've created (port1 on sw with interface ether2-master-local):
/interface vlan
add name=VLAN2 vlan-id=2 interface=ether2-master-local disabled=no
add name=VLAN3 vlan-id=3 interface=ether2-master-local disabled=no

/ip address
add address=10.10.20.1/24 interface=VLAN2
add address=10.10.30.1/24 interface=VLAN3

and dhcp server for each VLAN:
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 default ether2-mas... default-dhcp 3d
1 dhcp-... VLAN2 dhcp_pool1 3d
2 dhcp-... VLAN3 dhcp_pool2 3d

So the problems are:
The DHCP server does not distribute on VLANs. When I put static IPs on each host from different VLANs:
host1: 10.10.20.100/24 gw: 10.10.20.1 (port2)
host2: 10.10.30.100/24 gw: 10.10.30.1 (port4)
they can see the Mikrotik and have access to the Internet, but they also see each other (which I don’t want).

Any suggestions?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: 4 different subnets one gateway

Fri Jul 06, 2012 6:58 pm

1.) DHCP does go over the VLANs; you need to place a DHCP server on each VLAN interface itself, however, not the physical interface. Each VLAN is treated as its own separate routed interface.
2.) By default the router will route between all attached subnets without any further configuration; it is basically set up to be an accept-all. In order to prevent it, you need to set up the firewall filter to prevent it from happening. Because you have no filter set up, that is why you are seeing that behavior.
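
The forward-chain filter described in point 2, as an added example that is not part of the original thread. It reuses the VLAN2 and VLAN3 interface names from the configuration posted above and assumes a hypothetical third VLAN interface named VLAN4 for the printer subnet, which the thread does not show.

```routeros
/ip firewall filter
# Replies for connections that an earlier rule already permitted
add chain=forward connection-state=established action=accept comment="allow established"
add chain=forward connection-state=related action=accept comment="allow related"

# Clients may open connections to the printer VLAN
# (VLAN4 is an assumed interface name, not taken from the thread)
add chain=forward in-interface=VLAN2 out-interface=VLAN4 action=accept comment="VLAN2 to printers"
add chain=forward in-interface=VLAN3 out-interface=VLAN4 action=accept comment="VLAN3 to printers"

# Client VLANs may not reach each other through the router
add chain=forward in-interface=VLAN2 out-interface=VLAN3 action=drop comment="isolate VLAN2 from VLAN3"
add chain=forward in-interface=VLAN3 out-interface=VLAN2 action=drop comment="isolate VLAN3 from VLAN2"

# Printers may answer (rules above) but not initiate towards clients
add chain=forward in-interface=VLAN4 out-interface=VLAN2 action=drop comment="printers cannot initiate to VLAN2"
add chain=forward in-interface=VLAN4 out-interface=VLAN3 action=drop comment="printers cannot initiate to VLAN3"
```

Rules are evaluated top to bottom, so the accept rules must stay above the drops. Traffic from each VLAN out the PPPoE interface matches none of the drop rules and is still forwarded.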
 
Piplfox
just joined
Topic Author
Posts: 13
Joined: Mon Nov 13, 2006 3:43 pm

Re: 4 different subnets one gateway

Mon Jul 09, 2012 9:07 am

Well, I have DHCP servers created on each VLAN, but it doesn’t generate address pools on those VLANs over the managed switch. It's like it doesn’t recognize that its port should act as a trunk port connected to the switch trunk port.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: 4 different subnets one gateway

Mon Jul 09, 2012 6:01 pm

Run torch on your physical interface and choose to see VLANs, that way you can see exactly what is coming into the interface and with what tags they are coming in with, and what is leaving that interface and what VLAN tag they leave with.
 
Piplfox
just joined
Topic Author
Posts: 13
Joined: Mon Nov 13, 2006 3:43 pm

Re: 4 different subnets one gateway

Mon Jul 09, 2012 9:07 pm

Thx for the help. After rebooting the router everything started to work as it should. But I've tried to connect on port 2 on the router and everything also worked. Now I am confused why it is working on ports 2, 3, 4 (interfaces 2, 3, 4) as on the 1st, if I made the VLANs on the 1st interface (port1)?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: 4 different subnets one gateway

Mon Jul 09, 2012 11:28 pm

Did you remove the ports out of the switch chip? (set master-port=none)
 
Piplfox
just joined
Topic Author
Posts: 13
Joined: Mon Nov 13, 2006 3:43 pm

Re: 4 different subnets one gateway

Wed Jul 11, 2012 9:09 am

No, I didn't, so that was the problem. Thx.