Hello, all... thank you for your help in advance.
I have two networks running on a Mikrotik RB450G. Here's what I wanted to accomplish:
Two subnets on two different interfaces:
eth1: WAN
eth2: LAN
eth5: LAN2
(ports 3 and 4 will be used later for switching)
eth2: LAN subnet: 10.10.23.0/24
eth5: LAN2 subnet: 172.16.23.0/25
Both of these subnets are in the firewall address list under a single name so they may share the firewall filter and nat rules.
I set up separate pools/dhcp servers for both interfaces. It all seemed to go well except for the fact that I could ping between the subnets! I was always under the impression they would not be able to communicate.
For example, a machine connected to eth5 received an IP of 172.16.23.124 and was able to ping every address on the other subnet residing on eth2 (10.10.23.0/24). In short, I was able to get to any machine on the other interface.
The way I solved it is that I simply added a firewall filter entry that will drop any connection attempt on the input chain that is from interface LAN2 with a dst address of 10.10.23.0/24, and in the forward chain with an input interface of LAN2 and output interface of LAN.
Still with me? Thanks! :)
This solved the entire problem. Neither subnet can communicate with the other, which is what I wanted. Both interfaces can access the internet and the dns server on the 450G is serving them both well.
My question is... (FINALLY!): Was this the proper method of accomplishing what I set out to do? I really thought that if there were two interfaces running two different subnets they should inherently not be able to talk to each other. Did I simply patch a hole without addressing another bigger issue, or is this the way it is supposed to work?
Thoughts/comments are appreciated.
Some firewalls allow inter-VLAN traffic by default, some don't.
Adding/modifying the security rules is the proper method.
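To make the answer concrete: RouterOS is a router first, and with no filter rules the forward chain's default is to accept, so traffic between any two directly connected subnets is forwarded unless a rule stops it. The rules below are an added example written for this thread, not configuration posted by either participant. They use the interface names LAN and LAN2 and the subnets from the question; the comments and the use of place-before=0 (which puts the rules at the top of the chain so nothing above them accepts the traffic first) are assumptions of this example. Unlike the question's single LAN2-to-LAN rule, this drops both directions in the forward chain, since a LAN host opening a connection to LAN2 is otherwise still permitted.

```routeros
# Added example: isolate LAN (10.10.23.0/24 on eth2) from LAN2 (172.16.23.0/25 on eth5).
# The forward chain is the one that matters here: it handles traffic the router
# passes between interfaces. The input chain only sees packets addressed to the
# router itself, so an input-chain rule does not block host-to-host traffic.
/ip firewall filter
add chain=forward in-interface=LAN2 out-interface=LAN action=drop \
    comment="isolate: drop LAN2 -> LAN" place-before=0
add chain=forward in-interface=LAN out-interface=LAN2 action=drop \
    comment="isolate: drop LAN -> LAN2" place-before=0

# Check: ping a 10.10.23.x host from a LAN2 machine, then confirm the packet
# counter on the matching rule increments rather than the ping succeeding.
/ip firewall filter print stats where comment~"isolate"
```

Both rules are placed above any accept rules (including a typical "accept established,related" rule) so that no earlier match lets the cross-subnet traffic through. Internet access is unaffected, because traffic leaving via the WAN interface matches neither rule, and DNS or DHCP served by the router itself goes through the input chain, which these rules do not touch.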