Config help req.: configuring permeable LAN, and remote management access between two local subnets

Hey there you lovely peeps!

I was given the task to allow remote management and utility for our security contractor from the internet, whilst providing access from our machines to the CCTV subnet.

We have two independent LANs:

  1. One is used by the CCTV/Alarm/Firealarm system. The LAN resides on 192.168.3.0/24
  2. The other LAN is used for everything else in the workplace. The LAN resides on 192.168.248.0/22

I could place their point of access on a different ethernet connector (as I have 6 free eth slots left, so no need for trunking).

I'd like to provide remote management and NTP access for these guys, meanwhile segregating their network from ours, as much as possible.
They'd still use the same broadband connection that we do.

Can you guys help me out with the config?

Thanks in advance!


Kind regards,
IBR


Here is the current (very basic) config I have on my device; it's an RB2011:

# jan/04/2018 15:49:58 by RouterOS 6.41
# software id = 5IAZ-WMI5
#
# model = 2011UiAS
# serial number = 724F066F9C98

/interface ethernet
set [ find default-name=ether1 ] comment=WAN mac-address=*************
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface ethernet switch port
set 6 !egress-rate !ingress-rate
set 7 !egress-rate !ingress-rate
set 8 !egress-rate !ingress-rate
set 9 !egress-rate !ingress-rate
set 10 !egress-rate !ingress-rate
set 12 !egress-rate !ingress-rate
/ip pool
add name=dhcp_pool_1 ranges=192.168.249.1-192.168.251.254
/ip dhcp-server
add address-pool=dhcp_pool_1 disabled=no interface=ether5 lease-time=2d10m name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.248.1/22 interface=ether5 network=192.168.248.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.248.0/22 dns-server=193.110.57.4,8.8.8.8 gateway=192.168.248.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.248.0/22
/ip service
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.248.0/22
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=MF-M-GW
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org,3.hu.pool.ntp.org

Hi

The sec contractor needs to access the “3” net, right, and you all too?

Then:

  • define the new “3” net on the router
  • set up a VPN for the sec contractor on a separate net, say “5”
  • deny access from “3” to anything else in forward, except NTP, on the firewall
  • grant access from “5” to “3” (+established / related) in forward
  • grant access from “248” to “3” (+established / related) in forward
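As an added example that is not part of the thread (neither the OP's export nor the reply above), here is how those five steps could be written for the RB2011 config posted earlier. The CCTV port (ether2), the VPN client range (192.168.5.0/24, handed out by whichever VPN server gets set up) and the address-list names are assumptions; the office range and WAN port come from the export.

```routeros
# Assumed layout (not from the thread): CCTV net on ether2, contractor VPN clients get
# 192.168.5.0/24 from whatever VPN server is set up, office LAN stays on ether5.
/interface ethernet
set [ find default-name=ether2 ] disabled=no comment=CCTV

/ip address
add address=192.168.3.1/24 interface=ether2 network=192.168.3.0

/ip firewall address-list
add list=cctv address=192.168.3.0/24
add list=office address=192.168.248.0/22
add list=contractor-vpn address=192.168.5.0/24

/ip firewall filter
# Stateful rules first: replies to allowed connections pass, broken state is dropped
add chain=forward action=accept connection-state=established,related comment="replies"
add chain=forward action=drop connection-state=invalid comment="invalid"
# New connections INTO the CCTV net only from the office and from the contractor VPN
add chain=forward action=accept connection-state=new src-address-list=office \
    dst-address-list=cctv comment="office -> cctv"
add chain=forward action=accept connection-state=new src-address-list=contractor-vpn \
    dst-address-list=cctv comment="vpn -> cctv"
# New connections OUT OF the CCTV net: only NTP towards the WAN, nothing else
add chain=forward action=accept connection-state=new src-address-list=cctv protocol=udp \
    dst-port=123 out-interface=ether1 comment="cctv -> ntp"
add chain=forward action=drop src-address-list=cctv comment="cctv -> anything else"
# Router management from the CCTV port is blocked too (ssh/winbox); the office keeps it
add chain=input action=drop in-interface=ether2 protocol=tcp dst-port=22,8291 \
    comment="no mgmt from cctv"

# The existing masquerade only covers 192.168.248.0/22; NTP from the CCTV net needs its own
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.3.0/24 \
    comment="cctv egress (ntp only, per filter)"
```

Because the accept rules match only connection-state=new and the drop at the end of the forward chain catches everything else sourced from the CCTV list, traffic initiated from “3” towards “248” or “5” never gets through, while replies to office- and VPN-initiated sessions still do.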

Thanks mate, I’ll head to try this config tomorrow!

Hey there!

Turns out, they won’t use a VPN.

Instead, we are thinking about some sort of destination NAT and DDNS for my router’s outside IP (as unfortunately, we do not have a static address yet).
I was told that I should try to use RAW firewall instead of filter rules (to conserve CPU/RAM).

Could you help me on what the altered config should look like?

Thanks in advance!


Best regards,
– IBR

That dnat will be wide open to anyone on the internet. So depending on what will be dnat-ed, it might be an issue. Does the contractor use a fixed ip? If so, that dnat rule could be quite selective => safe.

/ip firewall nat
add action=dst-nat chain=dstnat comment="Dnat" dst-address-type=local dst-port=<some> \
    in-interface-list=EXT protocol=tcp src-address=<a.b.c.d> to-addresses=<internal ip>

If there is no fixed ip, but you have authentication available on the target device and you feel comfortable with it sitting on the internet (which it effectively is), then why not.

RAW firewall: → plain forwarding with NO connection tracking / NO stateful firewall
(RAW only allows configuration in the output & prerouting chains)
which means:

  • no selective forwarding between subnets: like 3 & 248 → every ip from 3 will have access to every ip from 248

Are you planning on running more than, say, 50k concurrent connections through that router? If not, I wouldn’t worry about conntrack. Also remember you can FastTrack connections selectively, reducing the impact on routing.