reclaim
just joined
Topic Author
Posts: 8
Joined: Mon Jun 26, 2023 6:27 pm

Mikrotik Router as Firewall only, how to verify the source?

Sat Mar 16, 2024 9:53 pm

Hello,
I have the following network topology:
[Attachment: SCR-20240316-typo.png (network topology diagram)]
I do not have access to the Router on Site1 & Site2.
"MikroTik-Router" and the "Mikrotik-Firewall" are configurable.
On the "Mikrotik-Firewall" all Interfaces are in a Bridge and Use-IP-Firewall in the Bridge-Settings is turned on.

I want the following:
Access Linux1 & Linux2 from the Windows PC.
Linux1 & Linux2 are not able to connect to each other.

This is simple; on "MikroTik-Firewall" the following rules are in place:
0 chain=forward action=accept connection-state=established,related
1 chain=forward action=accept src-address=192.168.1.2
2 chain=forward action=drop

Additionally, I want to be sure that the requests are coming from my "Mikrotik-Router",
so that somebody who unplugs the "Mikrotik-Router" and gives himself the IP 192.168.1.2 still cannot connect to Linux1 & Linux2.
How can I achieve this?

I have tried an IPsec tunnel between "MikroTik-Router" and "MikroTik-Firewall", but it seems that because the Linux PCs' gateway is not the "MikroTik-Firewall", the response is not sent over the IPsec tunnel and so the connection cannot be established.

Thanks.
Last edited by reclaim on Sun Mar 17, 2024 12:08 am, edited 1 time in total.
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: Mikrotik Router as Firewall only, how to verify the source?

Sat Mar 16, 2024 11:04 pm

On the "Mikrotik-Firewall" all Interfaces are in a Bridge…I want…Linux1 & Linux2 are not able to connect to each other.

These two choices are in conflict. The primary and original point of bridging is to create a single broadcast domain, where all hosts can see each other.

There are other purposes for bridging in RouterOS — e.g. bridge VLAN filtering — but you don't speak of these cases. Therefore, the simplest solution to this part of the problem is to take both ports off the bridge and treat them as the endpoints of two independent 2-station networks. Put a static "/ip address add" on each of these bare RouterOS interfaces, configure the Linux boxes for a compatible static address, and route the packets out to the rest of the network thereby.

If you need a bridge for some unstated reason, an alternative solution is port isolation, but I can't recommend it outright because it's available only in certain RouterOS switch models, and you don't say which MT products you're using. If you can use it, though, it operates at the switch chip level, making it more performant than your firewall rules.

You may still need a firewall rule with port isolation, though, because your 192.168.2.1 router gives a bounce path around it. If Linux1 tries to talk to Linux2, port isolation will force the packet upstream, but then the clever router says, "Oh, I know how to get a packet back to 192.168.1.0/24" and sends it right back. If your MT "bridge" router doesn't guard against this, port isolation goes for naught. To plug that hole, you need to add something like this:

/ip firewall filter
add chain=forward in-interface=ether1 action=drop \
src-address=192.168.1.0/24 dst-address=192.168.1.0/24

With that addition, the hosts on the 192.168.1.0/24 side of the network are then fully isolated from each other. Best of all, this rule doesn't get invoked in the simple cases, handled by port isolation down at the switch chip level. It's a last-ditch backstop against sneaky people only.

i want to be sure that the request are coming from my "Mikrotik-Router".

That demands some type of client certificate/keypair. How you achieve it depends on the tunneling/crypto solution you choose:

  • IPsec allows this via the documented eap-tls and remote-certificate settings.
  • With WireGuard, the simplest way to achieve this is to create the tunnel directly between the host pairs, not from router to router. Then the only way to spoof the Windows box is to lose control of the private keys. (This solution is available in the IPsec case, too, but I think the UI for this is lacking in Windows compared to the WG GUI client's on/off checkbox. Plus, setting up something like strongSwan on the Linux side is a bear compared to setting up IPsec under RouterOS.) Add a firewall rule that drops all connections to the Linux boxes except WG's configured UDP port, and you force all comms through that WG tunnel.
  • You don't speak of SSH directly, but "Linux" implies it. If you can limit your comms to SSH — which you often can due to OpenSSH's -D and -L/R options, or their equivalents under other SSH implementations — then you can restrict the server to key-based authentication. As with the WG solution, the only way to spoof the link then is to lose control of the SSH keys.
 
reclaim
just joined
Topic Author
Posts: 8
Joined: Mon Jun 26, 2023 6:27 pm

Re: Mikrotik Router as Firewall only, how to verify the source?

Sun Mar 17, 2024 12:04 am

Thank you for the detailed answer.

"MikroTik-Firewall" and "MikroTik-Router" are both RB5009.
The topology is simplified; in reality Linux1 & Linux2 each stand for 50 clients, plus IoT devices.
The goal is to isolate Linux1 and Linux2 from each other but allow secure connections from outside. Unfortunately the clients are in the same 192.168.2.0/24 network and the gateway router is not configurable by us.
The "MikroTik-Firewall" would be retrofitted into an existing network to add security. For this reason I had decided a bridge with Use-IP-Firewall was the way to go.
Is there a better way? Can port isolation do this too?
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: Mikrotik Router as Firewall only, how to verify the source?

Sun Mar 17, 2024 1:43 am

Port isolation works at the port level, as you should've been able to guess from the name, so no, a 9-port router isn't going to be able to isolate 100+ hosts. A cascade like this might work, though:

[Image: proposed switch cascade diagram]

If you enable port isolation only on the CRS326-24Gs, the devices can talk amongst themselves via the CRS309, but if you enable it there, too, it should prevent that.

I switched your design to a CRS309 to get a bunch of fiber ports for cheap, letting us use 100% of the copper ports on the CRS326es for leaf devices. If you don't need the 10G backbone to extend down to these leaf device switches, the CRS310-1G-5S-4S+IN will do the same job for cheaper while still giving you a 10G backbone up to the core.

You'll want to switch to bridge packet filter rules instead of IP filter rules when using switches like this instead of a proper router like an RB5009, but I'm not seeing that as a fatal flaw in this plan. I might well be overlooking something, though. This is a "paper" design only, not a regurgitation of a working and tested physical installation somewhere.

This doesn't get you client identification by itself, but I refer you to the SSH/WG/IPsec client key ideas above. Do device-to-device connections instead of switch-to-switch or router-to-router, and now you have per-device authentication.
 
reclaim
just joined
Topic Author
Posts: 8
Joined: Mon Jun 26, 2023 6:27 pm

Re: Mikrotik Router as Firewall only, how to verify the source?

Sun Mar 17, 2024 2:27 pm

Sorry, I was probably a bit unclear. I have the 3 Ethernet ports, as shown in the topology, that go to "Mikrotik-Firewall": one to the router, one to the clients Linux1 stands for, and one to the clients Linux2 stands for.
Replacing every switch was not planned.
I will try out port isolation, but I think as soon as I enable hardware offload on the bridge ports the IP filter rules will not work anymore.
I will also try WG/IPsec for authentication, but as I said there are IoT devices in this network that are not able to create or join a VPN tunnel, so router-to-router is the only option. But then I have the problem again that "Mikrotik-Firewall" is not configured as the default gateway on the devices, and I don't know how to overcome this issue.
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: Mikrotik Router as Firewall only, how to verify the source?

Sun Mar 17, 2024 2:47 pm

Replacing every switch was not planned.

Port isolation isn't a proprietary MikroTik technology. Your existing switches may support it.

as soon as i enable hardware offload on the Bridge-Ports the IP filter rules will not working anymore.

Yes, which is why I referred you to the bridge packet filter above. Its capabilities are not identical to the Linux kernel's IP filter, running on the CPU, but it's more efficient, and for many applications, they overlap sufficiently.

there are iot-devices in this network that are not able to create or join a vpn-tunnel

I did not overlook that, merely chose not to try designing around that restriction. The only identifiers a dumb IoT device presents (MACs and IPs) are spoofable, giving us no reliable way to do host identification. Any attempt to get by with what you've got gives you the same security as switching to "My Name Is…" party stickers for your corporate ID card standard.

The best you can do is keep them from interfering with one another and with the rest of the network. Shoving all non-WG traffic into a separate IPsec tunnel at the router level is a decent way to do that.

"Mikrotik-Firewall" ist not configured as the default gateway on the devices and i don´t know how to overcome this issue.

Do they not use DHCP? There's nothing wrong with running a local DHCP server to bring a bunch of foreign devices into line with a special IP scheme, as long as you're careful not to let that server be seen by hosts that need to go on using the site's existing DHCP setup.
 
reclaim
just joined
Topic Author
Posts: 8
Joined: Mon Jun 26, 2023 6:27 pm

Re: Mikrotik Router as Firewall only, how to verify the source?

Sun Mar 17, 2024 3:11 pm

why I referred you to the bridge packet filter above.
It seems that the bridge filters also only work if hardware offload is turned off. No packets are recognized if HW offload is on. If I disable HW offload on ether4, the packet counters go up and the connection breaks as expected.
[Attachments: SCR-20240317-mtww.png, SCR-20240317-mtzp.png]
Also, at first look there is no established,related option. Is there any way to do this?
Do they not use DHCP?

Unfortunately not, no. All static IP addresses.
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: Mikrotik Router as Firewall only, how to verify the source?

Sun Mar 17, 2024 3:49 pm

It seems like the Bridge Filters also only work if Hardware Offload is turned off.

I expect that to depend on the switch model.

That table does remind us that there's also the option of switch chip rules. This is even lower-level, and some switch chips put a sharp limit on the number of active rules, but it might suffice.

All static IP-Addresses.

You might end up needing to play ugly srcnat games, then.
 
reclaim
just joined
Topic Author
Posts: 8
Joined: Mon Jun 26, 2023 6:27 pm

Re: Mikrotik Router as Firewall only, how to verify the source?

Sun Mar 17, 2024 6:11 pm

Thank you, I think I got it to work.
My problem was that the IPsec policy for outgoing traffic from the 192.168.2.0/24 network was not applied, because "MikroTik-Firewall" was not the default gateway for these clients.
The responses of those clients were not sent over IPsec, and so the connection could not be established.

Now I have created a dstnat bridge rule on "MikroTik-Firewall" that redirects traffic with the destination 192.168.1.2 to "MikroTik-Firewall", and it works. The response is sent over IPsec.
I think with this rule "MikroTik-Firewall" is used as the default gateway when the destination is 192.168.1.2.

Here is the Configuration for "MikroTik-Firewall":
/interface bridge
add name=bridge1
/ip ipsec peer
add address=192.168.1.2/32 name=MT-Router
/interface bridge filter
add action=drop chain=forward in-interface=ether5 out-interface=ether6
add action=drop chain=forward in-interface=ether6 out-interface=ether5
/interface bridge nat
add action=redirect chain=dstnat dst-address=192.168.1.2/32 dst-mac-address=50:00:00:02:00:03/FF:FF:FF:FF:FF:FF mac-protocol=ip
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether1
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=192.168.2.2/24 interface=bridge1 network=192.168.2.0
/ip firewall filter
add action=accept chain=forward comment="est. rel" connection-state=established,related
add action=accept chain=forward ipsec-policy=in,ipsec src-address=192.168.1.2
add action=drop chain=forward
/ip ipsec identity
add peer=MT-Router
/ip ipsec policy
add dst-address=192.168.1.2/32 peer=MT-Router src-address=192.168.2.0/24 tunnel=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main suppress-hw-offload=no
/system identity
set name=MikroTik-Firewall
Here is the configuration for "MikroTik-Router":
/interface bridge
add name=bridge1
/ip ipsec peer
add address=192.168.2.2/32 name=MT-Firewall
/interface bridge port
add bridge=bridge1 interface=ether5
/ip address
add address=172.16.0.1/24 interface=bridge1 network=172.16.0.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add peer=MT-Firewall
/ip ipsec policy
add dst-address=192.168.2.0/24 peer=MT-Firewall src-address=192.168.1.2/32 \
    tunnel=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main \
    suppress-hw-offload=no
/system identity
set name=MikroTik-Router
Note: "MikroTik-Router" does not have any firewall rules because this was only a test environment. For the same reason there are also no input rules on "Mikrotik-Firewall".
Do you see any downsides with this bridge NAT rule, or any security risks with this configuration?
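As an added illustration (not code from this thread, from MikroTik, or from RouterOS), the following Python model evaluates the forward-chain rules from the first post and from the final "MikroTik-Firewall" configuration against a few constructed packets. It is a deliberately simplified model: the bridge filter is treated as a layer-2 pass that runs before the IP firewall (use-ip-firewall=yes), the `ipsec-policy=in,ipsec` matcher is represented by a flag that is only set when a packet was decapsulated from the IPsec tunnel with the authenticated peer, and the bridge NAT redirect and connection-tracking internals are ignored. The client addresses 192.168.2.10 and 192.168.2.20 are made up stand-ins for Linux1 and Linux2 behind ether5 and ether6. The scenarios show why the original `src-address=192.168.1.2` rule on its own does not stop a host that simply adopts that address, while the `ipsec-policy=in,ipsec` variant accepts only traffic that actually came through the tunnel, and how the two bridge filter rules keep ether5 and ether6 from reaching each other.

```python
"""Model of the RouterOS forward-chain decisions discussed in this thread.

Constructed example, not RouterOS code. The rule tables mirror the rules
quoted in the thread; the packets and client addresses are made up.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str                 # IPv4 source address
    dst: str                 # IPv4 destination address
    in_if: str               # bridge port the frame arrived on
    out_if: str              # bridge port it would leave on
    conn_state: str = "new"  # connection-tracking state: new / established / related
    ipsec_in: bool = False   # True only if decapsulated from the IPsec tunnel (ipsec-policy=in,ipsec)


# /interface bridge filter (layer 2) from the final "MikroTik-Firewall" config:
# the Linux1 port (ether5) and the Linux2 port (ether6) may not forward to each other.
BRIDGE_FILTER = [
    {"in": "ether5", "out": "ether6", "action": "drop"},
    {"in": "ether6", "out": "ether5", "action": "drop"},
]

# /ip firewall filter from the first post: trusts the source IP alone.
ORIGINAL_IP_FILTER = [
    {"conn_state": {"established", "related"}, "action": "accept"},
    {"src": "192.168.1.2/32", "action": "accept"},
    {"action": "drop"},
]

# /ip firewall filter from the final config: the source must also have
# arrived through the IPsec policy negotiated with the authenticated peer.
HARDENED_IP_FILTER = [
    {"conn_state": {"established", "related"}, "action": "accept"},
    {"src": "192.168.1.2/32", "ipsec_in": True, "action": "accept"},
    {"action": "drop"},
]


def matches(rule: dict, pkt: Packet) -> bool:
    """Every matcher present in the rule must match; absent matchers are wildcards."""
    if "in" in rule and rule["in"] != pkt.in_if:
        return False
    if "out" in rule and rule["out"] != pkt.out_if:
        return False
    if "src" in rule and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["src"], strict=False):
        return False
    if "conn_state" in rule and pkt.conn_state not in rule["conn_state"]:
        return False
    if "ipsec_in" in rule and pkt.ipsec_in != rule["ipsec_in"]:
        return False
    return True


def first_match(rules: list, pkt: Packet) -> str:
    """RouterOS semantics: the first matching rule decides; a chain with no match accepts."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"


def decide(pkt: Packet, ip_rules: list = HARDENED_IP_FILTER) -> str:
    """Bridge filter runs first; with use-ip-firewall=yes the IP filter runs afterwards."""
    if first_match(BRIDGE_FILTER, pkt) == "drop":
        return "bridge-filter:drop"
    return "ip-filter:" + first_match(ip_rules, pkt)


def run_scenarios() -> dict:
    """Constructed packets; 192.168.2.10/.20 stand in for Linux1/Linux2 behind ether5/ether6."""
    windows_via_ipsec = Packet("192.168.1.2", "192.168.2.10", "ether1", "ether5", ipsec_in=True)
    # Someone unplugs the router, adopts 192.168.1.2 and sends plain (non-IPsec) traffic.
    spoofed_plain = Packet("192.168.1.2", "192.168.2.10", "ether1", "ether5", ipsec_in=False)
    linux1_to_linux2 = Packet("192.168.2.10", "192.168.2.20", "ether5", "ether6")
    reply_from_linux1 = Packet("192.168.2.10", "192.168.1.2", "ether5", "ether1", conn_state="established")
    return {
        "windows_via_ipsec": decide(windows_via_ipsec),
        "spoofed_with_original_rules": decide(spoofed_plain, ORIGINAL_IP_FILTER),
        "spoofed_with_hardened_rules": decide(spoofed_plain, HARDENED_IP_FILTER),
        "linux1_to_linux2": decide(linux1_to_linux2),
        "reply_from_linux1": decide(reply_from_linux1),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:30s} {verdict}")
```

The model is only as good as its assumption that `ipsec_in` cannot be set by anything other than a successful decapsulation from the tunnel, which is exactly the property the real `ipsec-policy=in,ipsec` matcher provides: a plain packet carrying 192.168.1.2 as its source never matched an inbound IPsec policy, so the hardened rule set falls through to the final drop. The model does not cover the bridge NAT redirect from the final configuration or hardware-offloaded ports, where, as noted earlier in the thread, the bridge and IP filters may not see the traffic at all.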
