I’d like to create a pseudo-interface on my 2011UiAS routerboard’s LAN facing interface!
The pseudo interface would work something like it does on a Cisco IOS “Router On A Stick” device: packets coming from LAN x and y would be segmented from each other, but the physical interface would serve as the gateway for both networks.
The reason for this is that we have a CCTV and ALARM system that is on a different network from our generic, multi-purpose LAN.
This system resides on 192.168.3.0/24, however it is interconnected with our LAN through one of the distribution switches.
The ALARM system needs to be able to communicate with its web components (for which I have a port-forwarding config to apply), but due to management purposes it is good for us to leave the two networks on different subnets.
Theoretically you can assign more than one address to an interface in RB. For example, if you will use ether13 to connect the particular distribution switch carrying LAN x and LAN y to the router, you could add two addresses to ether13 interface.
In practice, what you do is known as security through obscurity. Even though packets from LAN x are normally not seen by devices from LAN y, anybody with basic networking knowledge and skills can see them and also join the other LAN with their own device without anybody’s knowledge. If you really want to have some secure separation between the LANs, then you’d need to switch over to VLANs. Use two VLANs, one per LAN, and have a VLAN capable managed switch in place of the mentioned distribution switch. Configure the upstream port on that switch as a trunk and configure the other ports as access ports with access to the needed VLAN. In the RB you would then define the needed VLAN interfaces bound to the physical interface, assign appropriate addresses to those VLAN interfaces (one address per interface) and do the same routing between them as you would do in the simplified case (without using VLANs).
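The VLAN layout described above, written out as RouterOS commands. This is an added example, not configuration from the post or from MikroTik documentation; the trunk port ether13, the VLAN IDs 10 and 20 and the two subnets are assumed values, and ether13 is assumed to have been taken out of the default bridge first. The switch-side trunk/access port setup is vendor specific and not shown, and the forward-chain filtering between the two subnets is the same as in the non-VLAN case.

```routeros
# Assumed: ether13 is the trunk towards the managed switch and is no longer
# a member of the default bridge (otherwise the VLAN interfaces would have
# to be bound to the bridge instead of the physical port).
/interface bridge port
remove [find interface=ether13]

# One VLAN interface per LAN, both riding on the same physical port.
# VLAN IDs 10 and 20 are assumptions; they must match the switch trunk.
/interface vlan
add name=vlan10-generic interface=ether13 vlan-id=10 comment="generic multi-purpose LAN"
add name=vlan20-security interface=ether13 vlan-id=20 comment="CCTV / alarm LAN"

# Exactly one address per VLAN interface; the router is the gateway of each
# subnet, so traffic between the two subnets is routed (and therefore
# filterable in the forward chain) instead of being bridged.
/ip address
add address=192.168.88.1/24 interface=vlan10-generic comment="gateway, generic LAN"
add address=192.168.3.1/24 interface=vlan20-security comment="gateway, security LAN"

# Only the generic VLAN joins the LAN interface list, so the default-config
# input rules keep treating it as the trusted side. Membership in this list
# changes which input rules match; it does not by itself link or separate
# the two subnets.
/interface list member
add interface=vlan10-generic list=LAN
```

Because an access port on the switch only ever carries its own VLAN, a device plugged into a security-LAN port cannot see or join the generic LAN's frames, which is the difference to the two-addresses-on-one-port approach.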
I am not so convinced…
Why not just run them on separate LANs behind the router? I have done this just fine on different routers.
Concur; depending upon complexity VLANs may be appropriate, but in this case it’s just two LANs…
Just so understanding is clear, the requirements could be described as:
Single Router facing the internet (WAN).
A single multi-use LAN for pcs, printers etc…
A single security LAN for CCTV and alarms
Both LANS must access the Internet
Both LANS should not see each other
The security LAN requires port forwarding and FW rules to allow incoming packets to talk to the devices or at least monitor/check devices from time to time.
Starting point:
a. leave default bridge in place and use that for the multipurpose LAN (already in place 192.168.88.1 gateway etc and default rules in place)
b. decide which etherport you will assign to the security LAN and name this interface ‘security_lan’
c. create another bridge, call it security_bridge.
d. associate etherport security_lan to the new bridge
e. assign DHCP server to the security_LAN for whatever structure you desire (192.168.3.1 gateway etc)
***** NOTE: Do not assign or associate LAN to the security interface. This will automatically LINK the two different lan structures as far as I know.
(you will see in winbox for interface)
isp - WAN
default lan - LAN
*********** The default rule, ensures devices NOT on the same LAN, will not see each other.
Chain: Input
In. Interface List: ! LAN
Action: Drop
Comment: defconf: drop all not coming from LAN
However, I am new at this equipment and maybe more direct fw rules are in order? Basically blocking LAN to LAN traffic, so to speak. Blocking all traffic from one interface to the other and vice versa, or maybe better from one bridge to the other and vice versa? Just not sure on what is best (assuming forwarding rules vice input or output rules)??
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The above does not address the Port Forwarding and FW rules you will need for the security devices.
I too will be doing PF and FW rules in the near future and don’t know how to do this yet. I am not sure if it’s one rule or two rules or how it’s handled, but I’m sure it’s in the forum somewhere.
Mine is not for security but for a septic system that is externally monitored, as well as a solar system that is externally monitored.
My recommendation if you have enough etherports, is to assign at least two for the default LAN and two for the security_lan, just so that you can plug your PC into both networks at the router and use winbox to see what is going on (assuming one of each will already be connected to a switch for further networking needs).
I was a little bit lazy with laying down the requirements and the current infrastructure in place, so let me elaborate:
Current working cfg:
1 WAN interface
1 generic LAN interface
Nat, routing configured, basic firewall set.
Requirements:
1. Adding CCTV to a new LAN port on gateway (let it be physical or pseudo interface, both are possible); let’s call this interface “Security LAN”
2. Configuring Routing between LANs as follows: allow machine with “IP Address goes here” from generic LAN to access CCTV Appliance in Security LAN.
3. Configure Security LAN so it can access the internet with specific port forwarding settings for certain appliances.
4. The two LANs should be separated otherwise.
Of these requirements, 1 and 2 are what I would like to get help with.
I have plenty of free ports on the device, so I can dedicate a physical port to Security LAN. I can also connect the Security LAN point of entry directly to that interface, leaving the distribution switches out of the game.
I’ll also add one additional port to each LAN as you’ve suggested, it’s a very good pro tip, thanks!
My guess is that most of the ethernet ports on your RB2011 are now members of the same bridge. You’ll need to remove the port to be used for security_LAN from the bridge. There’s no need to create another bridge (as suggested by @anav in point c.) if you will only use a single port on your RB2011 for that subnet. If you want to dedicate more than one RB2011 port to that subnet, then you need to remove several ports from the default bridge, create a new bridge (as per @anav’s instructions) and add all ports to the new bridge.
Add appropriate IP address to security_LAN port/bridge.
At this point, your RB2011 should be able to ping all of your security_LAN devices.
Then you need to do something about security_LAN device IP configurations. Either you need to adjust static config so that your RB2011 will become default router for them or do whatever else appropriate (it’s hard to tell what as we don’t know details of your LAN layout as well as CCTV device configurability). Or you may want to run DHCP server on RB2011 on security_LAN interface with appropriate settings.
If you finished all necessary steps from the point 1, then all devices from both LANs (generic LAN and security_LAN) should be able to connect with each other, RB2011 will do the routing happily. Now you want to limit routing between the two subnets. Something like this:
/ip firewall filter
add action=accept chain=forward comment="Allow management machine to access CCTV appliances" src-address="IP Address goes here/32" dst-address="security_LAN subnet/24"
add action=drop chain=forward comment="Drop all other connections from generic LAN towards security_LAN" src-address="generic_LAN subnet/24" dst-address="security_LAN subnet/24"
The order above is important, filtering is done on first-rule-matches basis.
If you’ll only connect security devices through that single port on RB2011 (possibly with some distribution switch in between), then the setup above will suffice to separate both LANs. If not (there will be mix of security and generic LAN devices connected to the same distribution switch), then the whole setup above is invalid … again, it’s hard to tell without detailed knowledge of your intended LAN layout.
Nice MX, you nailed it. I hadn’t thought of simply not applying the bridge. In any case, both methods effectively separate the two different interfaces (those on the default bridge, and those not). This separation from my understanding will automatically block all traffic from general LAN to security LAN because of two things: the default rule then comes into effect (since the interfaces are no longer on the same bridge)… AND because we have not associated the LAN interface with the security bridge.
Chain: Input
In. Interface List: ! LAN
Action: Drop
Comment: defconf: drop all not coming from LAN
Concur that the best way to accomplish what OP desired is clear and simple FW rules.
a. allow OP IP access to security LAN from generic LAN IP specific device (or devices depending).
b. block all generic lan to security lan traffic.
I would probably go further and add
c. block all security to general lan traffic
At least no harm in locking it down as far as I can see???
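The single-port variant from mkx’s steps, with the filter rules a, b and c from the last two posts, as one complete RouterOS configuration. This is an added example and not configuration from either poster; ether10 as the security port, 192.168.3.0/24 as the security subnet, 192.168.88.0/24 as the generic LAN and 192.168.88.50 as the one permitted management PC are all constructed values. Two points worth keeping in mind when applying it: the default-config input rule (“drop all not coming from LAN”) only governs traffic addressed to the router itself, so traffic between the two subnets is decided entirely by the forward chain and needs these explicit rules; and rule c must sit after an “accept established,related” rule (the default configuration already has one), otherwise the replies from the CCTV appliance to the permitted management session are dropped as well.

```routeros
# Assumed values: ether10 = dedicated security port, 192.168.3.0/24 = CCTV/alarm
# subnet, 192.168.88.0/24 = generic LAN, 192.168.88.50 = management PC.

# 1. Take the port out of the default bridge so it becomes its own L2 segment.
#    (With more than one port, create a second bridge and add the ports to it.)
/interface bridge port
remove [find interface=ether10]
/interface ethernet
set ether10 comment="security_LAN"

# 2. Router address on the new segment; the router is now the gateway of
#    192.168.3.0/24 and can ping the security devices.
/ip address
add address=192.168.3.1/24 interface=ether10 comment="gateway, security LAN"

# 3. Optional DHCP for the security devices (leave out if they are static and
#    just point their default gateway at 192.168.3.1 instead).
/ip pool
add name=security_pool ranges=192.168.3.100-192.168.3.199
/ip dhcp-server
add name=security_dhcp interface=ether10 address-pool=security_pool disabled=no
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.1

# 4. Forward-chain filtering. First match wins, so the order is:
#    replies to existing sessions -> the one allowed source -> drops.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="keep replies to already-allowed sessions (defconf has an equivalent rule)"
add chain=forward action=accept src-address=192.168.88.50 dst-address=192.168.3.0/24 \
    comment="a. management PC -> CCTV appliances"
add chain=forward action=drop src-address=192.168.88.0/24 dst-address=192.168.3.0/24 \
    comment="b. drop everything else generic LAN -> security LAN"
add chain=forward action=drop src-address=192.168.3.0/24 dst-address=192.168.88.0/24 \
    comment="c. drop new connections security LAN -> generic LAN"
```

Rule c only affects connections initiated from the security side; because the established/related accept precedes it, a CCTV appliance answering the management PC is still allowed, while an appliance trying to open a connection into the generic LAN on its own is dropped. Internet access from the security LAN is unaffected by these rules, since none of them match a WAN destination; port forwarding for the appliances is a separate dst-nat matter not covered here.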