CCR1036-12G as WAN switch and remote access port

I have made a drawing. Maybe this would help in understanding my issue.

I have made a bridge for the sfp1-4 and ether1-4. I think that's how I solve the WAN switch.
I made my ether12 a DHCP client.
Is the remote access port totally secure from the bridge interface?


# dec/09/2021 09:07:53 by RouterOS 6.49.2
# software id = TLK6-LGFC
#
# model = CCR1036-12G-4S
# serial number = 
/interface bridge
add name=WAN-bridge
/interface ethernet
set [ find default-name=sfp2 ] advertise=10000M-full
/interface list
add exclude=all include=all name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=WAN-bridge interface=sfp1
add bridge=WAN-bridge interface=sfp2 learn=yes trusted=yes
add bridge=WAN-bridge interface=sfp3
add bridge=WAN-bridge interface=sfp4
add bridge=WAN-bridge interface=ether1
add bridge=WAN-bridge interface=ether2
add bridge=WAN-bridge interface=ether3
add bridge=WAN-bridge interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=WAN-bridge list=WAN
/ip dhcp-client
add disabled=no interface=ether12
/system clock
set time-zone-name=Europe/Copenhagen

Tegning5.pdf (261 KB)

Did you post the full export?
If yes, your device is not secure.

You may want to add a firewall, limit “/ip services”, etc.

/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/interface list member
add interface=WAN-bridge list=WAN
/ip dhcp-client
add disabled=no interface=ether12
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Copenhagen

The last snip–
Like this?

I am personally too chicken to have a public router without an active firewall (input chain).
But I see a lot of MikroTik devices configured like yours… and they don't report any problems!

But maybe other forum users can give their opinion!!

I don't help people further if they don't have a proper firewall; I don't want their successful and unsafe connectivity to the net to be blood on my hands…

What firewall rules do I need?

If you do not have an IP address assigned to the WAN-bridge on the CCR, a firewall isn’t actually required as there is no IP access. You appear to have disabled neighbour discovery, so it will not be sending or listening for the various discovery protocols; the only remaining potential access is MAC-Winbox and MAC-Telnet.

A CCR isn’t the best choice to act as a switch, as all the packet handling is performed in software; there is no hardware offload. Even a CRS112-8G-4S-IN would do the job.
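As an added example (not from any poster in this thread), the following RouterOS script answers the "What firewall rules do I need?" question together with the MAC-Winbox/MAC-Telnet caveat in the last reply. It assumes the existing "WAN" interface list containing WAN-bridge from the export, and introduces a hypothetical "MGMT" list for ether12, the DHCP-client port used for remote access, rather than relying on the "LAN" list from the export (which was created with include=all exclude=all). The /ip service restrictions already posted above are left as they are.

```routeros
# Added example, not the thread's own config. Assumes:
#   - interface list "WAN" already holds WAN-bridge (as in the posted export)
#   - ether12 is the management/remote-access port (DHCP client)
#   - "MGMT" is a new, hypothetical interface list created here

/interface list
add name=MGMT
/interface list member
add interface=ether12 list=MGMT

# MAC-Winbox, MAC-Telnet and the bandwidth-test server are layer-2 services and
# are not covered by the IP firewall, so restrict them by interface list instead:
# answer only on the management port, never on the bridged WAN ports.
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool bandwidth-server
set enabled=no

# Input chain: traffic addressed to the router itself.
# Order matters; rules are evaluated top to bottom and the last rule drops the rest.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="keep sessions the router started or already accepted"
add chain=input action=drop connection-state=invalid \
    comment="drop malformed/untracked packets"
add chain=input action=accept protocol=icmp in-interface-list=MGMT \
    comment="ping only from the management side"
add chain=input action=accept protocol=tcp dst-port=8291 in-interface-list=MGMT \
    comment="Winbox only from the management port (address list in /ip service still applies)"
add chain=input action=accept protocol=udp src-port=67 dst-port=68 in-interface-list=MGMT \
    comment="DHCP client replies on ether12 (explicit allow; harmless if already permitted)"
add chain=input action=drop \
    comment="drop everything else, including anything arriving via the WAN list"
```

Apply this from the ether12 side, not over a session that arrives through the bridged ports, because the final drop rule takes effect immediately and would cut that session. With the bridge carrying no IP address, the drop rule is mostly a safety net; the MAC-server restriction is the part that actually closes the remaining layer-2 management path that the last reply points out.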