
Posts

Showing posts with the label mikrotik

Mikrotik Bridge Horizon

To get something like Cisco's private VLANs, where all ports sit on the same L2 segment but cannot exchange frames with each other, use Mikrotik's bridge horizon feature. Each port in a bridge can be given a horizon value, and RouterOS only forwards a frame from one bridge port to another if their horizon values differ (a port with no horizon set forwards to and from every other port). So you give the same horizon value to the interfaces that should not be able to talk to each other. For example, say you want to bridge all your customers and give them a single /24 subnet and the same gateway. Normally this is a bad idea and a serious security risk: every customer shares one broadcast domain, so any of them can sniff broadcast traffic, ARP-spoof the gateway or attack a neighbour directly, not to mention the performance hit. If you assign the same horizon value to all the customer interfaces, the bridge will not forward traffic between customers, and Customer A will not be able to ping Customer B. If you had a server, such as an IP-PBX, that all customers needed to reach, and you were lazy and added it to the bridge, then you would assign a diff...
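The setup described above as a complete RouterOS configuration. This is an added example, not config from the original post; the interface names (bridge1, ether2 to ether5), the horizon values and the gateway address 192.168.10.1/24 are assumptions. The final filter rule is an extra hardening step that the post does not mention: horizon only isolates ports at the bridge (L2) level, so a customer could still address a frame to the router's own MAC with a neighbour's IP as destination and have the router route it back out the same bridge; dropping bridge-to-bridge forwarded traffic closes that path.

```routeros
# Added example (not the original post's configuration).
# Assumed layout: bridge1 carries customers on ether2-ether4 and a shared IP-PBX on ether5.

/interface bridge
add name=bridge1

/interface bridge port
# All customer ports share horizon=1, so the bridge never forwards frames between them.
add bridge=bridge1 interface=ether2 horizon=1 comment="customer A"
add bridge=bridge1 interface=ether3 horizon=1 comment="customer B"
add bridge=bridge1 interface=ether4 horizon=1 comment="customer C"
# The IP-PBX gets a different horizon value, so every customer can reach it and it can reply.
add bridge=bridge1 interface=ether5 horizon=2 comment="shared IP-PBX"

/ip address
# The gateway lives on the bridge itself, not on a bridge port, so horizon does not affect it.
add address=192.168.10.1/24 interface=bridge1

/ip firewall filter
# Extra hardening (not in the post): stop the router from routing a customer's packet
# back out of bridge1 to another customer, which would bypass the L2 isolation.
add chain=forward in-interface=bridge1 out-interface=bridge1 action=drop \
    comment="no L3 hairpin between bridge ports"
```

A quick check after applying it: a ping from Customer A to Customer B should fail (no ARP reply arrives, since the broadcast is not forwarded), while a ping from either customer to the IP-PBX and to 192.168.10.1 should succeed.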

Mikrotik NAT, access services via external IP from inside the network

A laptop on the 192.168.1.0/24 LAN wants to reach the web server at 192.168.1.10 via the external IP address of the Mikrotik router, 1.1.1.1. Say you have a service such as webmail, which has a NAT rule to allow access from an external network:

/ip firewall nat add chain=dstnat action=dst-nat dst-address=1.1.1.1 protocol=tcp dst-port=888 to-port=80 to-address=192.168.1.10

This works fine from outside, of course, so users set up a shortcut to http://1.1.1.1:888. The problem is that it doesn't work when they are on the internal network. The dst-nat rule still rewrites the destination to 192.168.1.10, but the packet keeps the laptop's LAN address as its source, so the server answers the laptop directly across the LAN instead of sending the reply back through the router. The laptop then sees a reply from 192.168.1.10:80 rather than from 1.1.1.1:888, which does not match the connection it opened, and drops it. The work-around is to create a src-nat rule directly below the dst-nat rule, like this:

/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.10

Note that dst-address here is the server's LAN address, not 1.1.1.1: the srcnat chain sees the packet after the dst-nat translation has already been applied. It goes something like this:

1. Client initiates an HTTP request to 1.1.1.1:888
2. MT receives it and translates the destination to 192.168.1.10 as per the 1st rule
3. MT then translates the...
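The full NAT rule set for this hairpin case, as an added example that is not the original post's configuration. It keeps the post's addresses (LAN 192.168.1.0/24, server 192.168.1.10, public address 1.1.1.1 on port 888) and assumes ether1 is the WAN port and bridge1 the LAN bridge; the out-interface and dst-port matches on the hairpin rule, and the third rule for normal internet masquerade, are additions beyond what the post shows.

```routeros
# Added example, not the post's own configuration.
# Assumptions: public address 1.1.1.1 on ether1, LAN 192.168.1.0/24 on bridge1,
# web server at 192.168.1.10:80 published as 1.1.1.1:888.

/ip firewall nat
# 1. Port-forward. Matches in the dstnat chain for any client, inside or outside,
#    that connects to 1.1.1.1:888 and rewrites the destination to the server.
add chain=dstnat action=dst-nat dst-address=1.1.1.1 protocol=tcp dst-port=888 \
    to-addresses=192.168.1.10 to-ports=80 comment="webmail port-forward"

# 2. Hairpin. The srcnat chain runs after dst-nat, so the packet from a LAN client
#    already has dst 192.168.1.10:80 here. Masquerading its source to the router's
#    own LAN address forces the server to reply via the router, which can then undo
#    both translations so the client sees the answer come from 1.1.1.1:888.
#    out-interface=bridge1 keeps this rule from touching anything leaving the WAN.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.10 \
    protocol=tcp dst-port=80 out-interface=bridge1 comment="hairpin for LAN clients"

# 3. Ordinary internet access for the LAN, kept below the hairpin rule.
add chain=srcnat action=masquerade out-interface=ether1 comment="default masquerade"
```

Two things to keep in mind. Rule order within a chain matters in RouterOS, so if rule 3 were placed above rule 2 it would not matter for hairpin traffic (it only matches ether1), but a broader masquerade on bridge1 placed first would swallow the match. And because of rule 2 the web server's logs will show the router's LAN address, not the real client, for every hairpinned connection; if you need the client address on the server, the cleaner fix is split-horizon DNS so that internal clients resolve the service name to 192.168.1.10 directly and never hit the port-forward at all.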