When I last time did LAN port isolation, it seemingly ended with a success. And yes, I have ran with that config for a while without problems. However, at one point, I decided to implement bandwidth limits per port using queues. However, a speed test has shown that while download speed looking from WAN side was throttled, my maximum upload speed wasn’t observed.
I won’t get too much into why it is so. It’s sufficient to say you cannot set upload speed on interface if it is a slave. Guess what, interfaces belonging to a bridge are slaves. It doesn’t matter if you place each interface in its separate bridge – as was my first attempt – while your upload will be throttled, your download limiting will not work.
The only configuration I’ve found working was to have each interface manage its own network – thus each being the master.
The easiest way to configure this is to enter commands into New Terminal from WinBox. I will write commands assuming all bridges, their ports, and each mentioned section are completely empty as we start.
First we need to give a separate IP to each interface facing our internal LAN:
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0 disabled=no
add address=192.168.2.1/24 interface=ether3 network=192.168.2.0 disabled=no
add address=192.168.3.1/24 interface=ether4 network=192.168.3.0 disabled=no
add address=192.168.4.1/24 interface=ether5 network=192.168.4.0 disabled=no
Next we define multiple DHCP pools – in this case 4 of them:
add name=pool1 ranges=192.168.1.10-192.168.1.99
add name=pool2 ranges=192.168.2.10-192.168.2.99
add name=pool3 ranges=192.168.3.10-192.168.3.99
add name=pool4 ranges=192.168.4.10-192.168.4.99
Of course, adding a separate DHCP server for each of these pools is needed:
add name=server1 interface=ether2 address-pool=pool1 disabled=no
add name=server2 interface=ether3 address-pool=pool2 disabled=no
add name=server3 interface=ether4 address-pool=pool3 disabled=no
add name=server4 interface=ether5 address-pool=pool4 disabled=no
DHCP network for each follows:
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 gateway=192.168.2.1 netmask=24
add address=192.168.3.0/24 gateway=192.168.3.1 netmask=24
add address=192.168.4.0/24 gateway=192.168.4.1 netmask=24
Quick stop to verify routes is in order. Assuming you all is done correctly four new dynamic routes should appear (it is ok for disconnected ports to have distance 255):
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 192.168.0.1 1
1 ADC 192.168.1.0/24 192.168.101.250 ether2 0
2 DC 192.168.2.0/24 192.168.102.250 ether3 255
3 ADC 192.168.3.0/24 192.168.103.250 ether4 0
4 ADC 192.168.4.0/24 192.168.104.250 ether5 0
5 ADC 192.168.0.0/24 192.168.0.14 ether1 0
Assuming you don’t have NAT masquarade setup from before, let’s setup one now. If you do have it already in IP Firewall NAT, simply skip this step:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 disabled=no
After all this we can finally add traffic limiting queues. In my case the first two ports didn’t have any limits, third had 1 Mbit/s upload and download, and the last interface had 128 kbits/s upload and 256 kbits/s download:
add name=queue1 target=ether2 max-limit=0/0
add name=queue2 target=ether3 max-limit=0/0
add name=queue3 target=ether4 max-limit=1M/1M
add name=queue4 target=ether5 max-limit=128k/256k
To isolate LAN ports we again use the firewall rules allowing the new connections only toward ether1 (WAN) interface:
/ip firewall filter
add action=accept chain=forward connection-state=established comment="Allow established"
add action=accept chain=forward connection-state=related comment="Allow related"
add action=accept chain=forward out-interface=ether1 comment="Allow WAN"
add action=drop chain=forward comment="Drop everything else"
PS: There is quite nice guide at Networking For Integrators. They use a quite similar approach for the purpose of segregating multiple networks.