MikroTik

I have a RouterBoard with the following interfaces and addresses:

* eth0 (WAN) - static public IP assigned by ISP

* eth1 (LAN) - 192.168.1.0/24. This port is connected to external Cisco switch. All LAN computers are connected to the same switch.

* eth2 (DMZ) - 192.168.2.0/24. HTTP/HTTPS server.

The routes are set to default. Traffic from eth2 to eth1 is blocked for the obvious reason (DMZ).

I would like to create firewall rules to filter traffic between PC within LAN (connected to Cisco switch), eg. to isolate traffic between each PC in LAN.

As far as I know, forward chain requires to pass traffic through at least two interfaces to process firewall rules. So in this scenario I have only one inteface (eth1) split between all PCs in LAN by using external Cisco switch.

I know, that I can connect every PC to separate port on RouterBoard, but there is no sufficient ports on RB.

Any idea how to mark individual traffic within LAN to appply firewall rules?

Hi AlAraf,
it really depends on external cisco switch model and RouterBOARD model, if the switch supports VLAN you can group PCs together, assign a VLAN and trunk the traffic to the RouterBOARD.
The RouterBOARD will then have vlan interfaces where you can apply firewall rules.

Type of RouterBOARD will determine if you will use VLAN on switch level (hardware based therefore high throughput) or on router level (CPU based therefore low throughput).

HTH

What he said^^

If your switch supports VLANs, you can segregate them by however many VLANs (separations) you need.


If you're looking for a swiss army knife of mikrotiks, you may want to look at the CRS125-24G-1S-IN. 24 ports. Can be configured as a switch, router, or a combination of both. All ports accessible to be a DMZ or different subnets as needed.

While it may not be the fastest router, it sounds like it may work in your situation.