p3rad0x
Long time Member
Topic Author
Posts: 637
Joined: Fri Sep 18, 2015 5:42 pm
Location: South Africa

Help with PTMP Security

Tue Jul 19, 2016 1:21 pm

Good Day,

I am asking some advice on securing ptmp connections.

Currently I have firewall rules on all AP that drops client - client connections.

Below are the rules I use.
/ip firewall filter
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=21 comment="Drop FTP From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=22 comment="Drop SSH From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=23 comment="Drop Telnet From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=80 comment="Drop HTTP From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=443 comment="Drop HTTPS From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=8291 comment="Drop Winbox From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=8728 comment="Drop API From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=8729 comment="Drop API-SSL From Clients to Clients"
This prevents clients from connecting to links on the network etc., and if the CPE password gets leaked no one can run an SSH script to reset the radios to the default config. (Happened last year.)

Now the only issue I have is device discovery.

If I forget to disable default authenticate one day for some reason, then someone can connect to the AP and, using ip neighbors, they can see the clients with discovery still enabled on the radio.

Then they can use MAC telnet to log into CPEs and cause trouble.

99% of the CPEs have discovery turned off on the wlan, but some of them enable discovery on all interfaces if you update ROS.

Now the question is, can I somehow block device discovery on my APs? Also, discovery is turned off on all APs' wlans.
 
czolo
Member
Posts: 423
Joined: Fri Mar 04, 2005 9:49 am
Location: Poland (Warsaw)

Re: Help with PTMP Security

Tue Aug 02, 2016 10:39 pm

On AP:
/interface wireless set default-forwarding=no

in firewall:
/ip firewall filter add chain=forward action=drop in-interface=wlan1 out-interface=!your_wan comment="drop client-to-client forwarding"

AFAIK CDP is an L2 protocol, so you can't drop it with filters in the firewall? Maybe I'm wrong, but only by disabling it in "/ip nei dis".
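Putting the two suggestions together, here is an added AP hardening snippet that is not from either poster. It assumes the client-facing wireless interface is wlan1, the uplink is ether1, and the interface list name MGMT is a placeholder; it also uses the fact that MNDP discovery runs over UDP port 5678 and MAC-Telnet over UDP port 20561.

```routeros
# Added example (not from the thread): harden a PTMP AP against neighbor
# discovery and MAC-level access from wireless clients.
# Assumptions: client-facing interface wlan1, uplink ether1, list name MGMT.

# 1. Stop the AP from bridging client-to-client frames at layer 2.
#    This also stops L2 discovery (CDP/MNDP broadcasts) between clients,
#    which /ip firewall never sees because it is not IP-routed traffic.
/interface wireless set wlan1 default-forwarding=no

# 2. Only run discovery and the MAC server on management interfaces.
#    (RouterOS 6.41+ syntax with interface lists; older 6.x releases use
#    "/ip neighbor discovery set wlan1 discover=no" instead.)
/interface list add name=MGMT comment="interfaces allowed to discover / MAC-access this AP"
/interface list member add list=MGMT interface=ether1
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT

# 3. Defence in depth on the IP side: drop MNDP and MAC-Telnet aimed at the
#    AP itself from the wireless side, and deny all forwarded
#    client-to-client traffic rather than maintaining a per-port list.
/ip firewall filter
add chain=input action=drop protocol=udp dst-port=5678 in-interface=wlan1 comment="drop MNDP from clients"
add chain=input action=drop protocol=udp dst-port=20561 in-interface=wlan1 comment="drop MAC-Telnet from clients"
add chain=forward action=drop in-interface=wlan1 out-interface=!ether1 comment="drop client-to-client forwarding"
```

Verify with /ip neighbor print on a client after applying: neither the AP nor the other clients should appear, and a per-port drop list like the one in the first post is then no longer the only thing standing between a leaked CPE password and the rest of the cell.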
