Controlling (W)LAN traffic

Hi,

I plan to buy Mikrotik devices to control which LAN/WLAN-devices in my home network can communicate with each other.
Scenario:
(attached diagram: Network.png)
For example, my vacuum robot should be able to access the internet, but it should not be able to connect to devices in my LAN, except for the server on port 53 (DNS). It may also respond to other LAN devices if they send commands to it (like "start cleaning").
Another example is my wife's phone. Again, it should have access to the internet, and so access to my server on port 53 is OK. It should also be able to access Home Assistant (port 8123 on the server). But she should not be able to connect to other ports on my server or to my NAS.
I already achieved both by using my own Raspi-based WiFi AP running iptables to control the traffic.
However, I want to remove the additional WiFi of the Raspi and apply iptables rules to some of my other LAN devices as well.
For example, my TV should also not be able to connect to any LAN device, except the server on port 53.
The Zigbee bridge should not be able to connect to any LAN device or to the internet. However, it should be able to respond to requests from Home Assistant running on the server.

The plan is to use the Mikrotik RB260GS switch and a hAP ax³ router.
The first idea was to use the rule tables of the switch chips to control the traffic.
But while the former comes with a QCA8337 switch chip, which in general has a rule table, the latter has an IPQ-6010 chip, which has no rule table at all, according to this page: https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features

So my next idea is to use the RB260GS in private VLAN mode, where packets from all ports are forwarded through one uplink port to the hAP ax³, where I do the filtering using iptables.
The LAN ports on the hAP ax³ would be added to a bridge to allow filtering using iptables.
I think this is not the most efficient way, but packets from WiFi devices have to be filtered this way (by the CPU) anyway, right?

From my understanding the hAP ax³ should be powerful enough, but what would be the downsides?

Or is my approach bad? Is there a better solution for my case?

Best regards
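As an added example (not part of the original post, and not a configuration the poster has shown), here is how the policy described above could be expressed as RouterOS v7 firewall rules on the hAP ax³. The subnet, addresses, interface name and list names are all assumptions; the restricted devices are assumed to receive fixed addresses via static DHCP leases. It also assumes the bridge is told to pass its traffic through the IP firewall and that hardware offload is off on the bridge ports, because frames switched in hardware or plainly bridged between ports never reach /ip firewall filter.

```routeros
# Added example, not from the original post. Assumed layout: LAN 192.168.10.0/24 on
# interface "bridge1", server 192.168.10.5 (DNS + Home Assistant), NAS 192.168.10.6,
# and fixed DHCP leases for the restricted devices (addresses below are made up).

# Bridged frames normally bypass /ip firewall filter; force them through the IP
# firewall and take the ports off hardware offload so the CPU actually sees them.
/interface bridge settings set use-ip-firewall=yes
/interface bridge port set [find bridge=bridge1] hw=no

/ip firewall address-list
add list=lan address=192.168.10.0/24
add list=server address=192.168.10.5
add list=nas address=192.168.10.6
# One address may appear in several lists; the per-device policy is composed from them.
add list=restricted address=192.168.10.50 comment="vacuum robot"
add list=restricted address=192.168.10.51 comment="wife's phone"
add list=restricted address=192.168.10.52 comment="TV"
add list=restricted address=192.168.10.53 comment="Zigbee bridge"
add list=dns-clients address=192.168.10.50
add list=dns-clients address=192.168.10.51
add list=dns-clients address=192.168.10.52
add list=wan-clients address=192.168.10.50
add list=wan-clients address=192.168.10.51
add list=wan-clients address=192.168.10.52
add list=ha-clients address=192.168.10.51

/ip firewall filter
# Replies on connections that an allowed side opened (LAN -> vacuum "start cleaning",
# server -> Zigbee bridge) are covered by connection tracking, not by per-port rules.
add chain=forward connection-state=established,related action=accept comment="replies to already-allowed connections"
add chain=forward connection-state=invalid action=drop

# Explicit allowances for restricted devices; evaluated before the final drop.
add chain=forward src-address-list=dns-clients dst-address-list=server protocol=udp dst-port=53 action=accept comment="DNS to server"
add chain=forward src-address-list=dns-clients dst-address-list=server protocol=tcp dst-port=53 action=accept comment="DNS to server (TCP)"
add chain=forward src-address-list=ha-clients dst-address-list=server protocol=tcp dst-port=8123 action=accept comment="Home Assistant"
add chain=forward src-address-list=wan-clients dst-address-list=!lan action=accept comment="internet = anything outside the LAN"

# Everything else a restricted device tries to open is dropped and logged. The Zigbee
# bridge is in no allow list, so it only ever matches here (plus the reply rule above).
add chain=forward src-address-list=restricted action=drop log=yes log-prefix="restricted-drop"
```

The two "may answer" requirements (vacuum answering commands, Zigbee bridge answering Home Assistant) need no port-specific rules: the established,related rule accepts the return half of any connection the unrestricted side initiated, while the restricted device itself cannot open anything not listed. The log prefix makes it easy to spot a device that needs an additional allowance (for example a firmware-update host) in /log.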