Backstory: I have been tasked with getting some payment processing units online, and I would like to ensure that ONLY authorized devices can use this new network. Is there an easy way inside RouterOS or SwOS for me to either lock a port to a specific MAC address, or to have the system automatically add a designated MAC address to a VLAN and send all others to a black hole? I am already planning on disabling every port not in use; I am just looking for as many different ways to secure the system as possible. Thanks in advance. I will be using several CRS112-8P-4S-IN switches connected to a CRS310-1G-5S-4S+IN, then into a Fortigate firewall for access to the internet.
You can use dot1x if the device can authenticate itself. Either to a RADIUS server or I think UserManager will also handle it. You can instead do MAC authentication using dot1x in a similar way but the device doesn't need to know how to authenticate. Another option is to turn off MAC learning on a port (bridge > Ports > Learn=no) and set them statically in Bridge > Hosts. It's worth mentioning that MAC addresses are easily spoofable though.
What is not clear to me is what the fear is...
So you have payment process devices that will be plugged into the switches?
These will be locked down by VLAN.
Are you concerned someone would take the payment device out and plug in their computer?
Prior to implementing what is probably a more robust and proper networking security approach I can offer some temporary thoughts:
For example, why not have a faux IP pool for that VLAN subnet, .100-.254?
Assign the actual payment devices prior to deployment starting at an IP of .10 - .150 with static lease and mac address.
# Address list of the faux pool; list names are case sensitive, so the filter rule must use the same spelling
/ip firewall address-list
add address=192.168.68.100-192.168.68.254 list=Blocked
# Drop anything from the faux pool that tries to leave the payment VLAN
/ip firewall filter
add chain=forward action=drop in-interface=vlanPAY src-address-list=Blocked
Anybody who plugs in gets an IP that is essentially going nowhere.
I would certainly add logging and emailing to catch anytime dhcp is assigned on the vlan as it would happen only in such events.
For icing on the cake maybe
# Separate routing table that will hold only a blackhole default route
/routing table
add fib name=hotpotatoe
# Routing marks must be set in prerouting to affect the routing decision for forwarded traffic
/ip firewall mangle
add chain=prerouting action=mark-routing in-interface=vlanPAY src-address-list=Blocked new-routing-mark=hotpotatoe passthrough=no
# Blackhole default route in that table (a blackhole route takes no gateway); table name must match the mark above
/ip route
add blackhole dst-address=0.0.0.0/0 routing-table=hotpotatoe
Sends any request from those IPs into the darkness......
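As an added example (not from the thread) of the logging/emailing idea above: a DHCP lease script for the payment VLAN that alerts whenever a non-static lease is handed out, i.e. whenever an unknown device got an address from the faux pool. It assumes a DHCP server named dhcpPAY serving vlanPAY, that every authorised payment device has a static lease, and that /tool e-mail is already configured; the recipient address is a placeholder.

```routeros
# Added example, not from the thread. Paste as the lease-script of the
# payment VLAN DHCP server (assumed name: dhcpPAY), for example:
#   /ip dhcp-server set dhcpPAY lease-script="<this script>"
# Assumption: authorised payment devices have static leases, so any dynamic
# lease on this server means an unknown device took an address from the faux pool.
# $leaseBound, $leaseActIP, $leaseActMAC and $leaseServerName are set by RouterOS.
:if ($leaseBound = 1) do={
    # Static leases have dynamic=no; a matching dynamic lease means an unknown host
    :if ([:len [/ip dhcp-server lease find address=$leaseActIP dynamic=yes]] > 0) do={
        :local msg ("unknown device " . $leaseActMAC . " got " . $leaseActIP . " from " . $leaseServerName . " (faux pool)")
        :log warning ("vlanPAY: " . $msg)
        # Assumes /tool e-mail is configured; recipient is a placeholder
        /tool e-mail send to="netops@example.invalid" subject="Unknown device on vlanPAY" body=$msg
    }
}
```

Because the faux pool is also in the Blocked address list, the alert tells you who plugged in while the firewall rules above keep the device from going anywhere.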
+++++++++++++++++++++++++++++++++++++++
Basically my boss is very paranoid and I want to be able to say that even if someone tries to physically plug in to the payment network they will not be able to do anything. I know MACs are spoofable; I'm just investigating my overall options.
See above for some quick ideas, but sadly I realize you are using the Fortigate as the firewall/DHCP router and thus would have to set up the equivalent types of rules there, and I am not familiar with how Fortigate achieves those.