Guest wifi security configuration

RouterOS General
1

QUESTION: Is this a secure way to configure a guest wifi network (CORP-Guest) that prevents access to the corporate network (CORP)?

Add a bridge interface “Bridge_Public” and assign an IP address:

/interface bridge
add name=Bridge_Public
/ip address
add address=10.10.10.1/24 interface=Bridge_Public network=10.10.10.0

Add a virtual wireless interface “wlan3-public” and add it to the new bridge interface “Bridge_Public”:

/interface wireless
add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:35:EC:CB master-interface=wlan1-CORP multicast-buffering=disabled name=wlan3-public ssid=CORP-Guest wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=Bridge_Public interface=wlan3-public

Configure a DHCP Server “DHCP_Public” with IP pool “pool_Public” and assign it to the new bridge interface “Bridge_Public”:

/ip pool
add name=pool_Public ranges=10.10.10.101-10.10.10.199
/ip dhcp-server
add address-pool=pool_Public disabled=no interface=Bridge_Public name=DHCP_Public
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8 gateway=10.10.10.1

Add filter rules to prevent guest wifi users from communicating to corporate network

/ip firewall filter
add action=drop chain=forward in-interface=Bridge_Public out-interface=Bridge_CORP
add action=drop chain=forward in-interface=Bridge_CORP out-interface=Bridge_Public

QUESTION:[/b ]Is it appropriate to use a single masquerade rule from the default configuration; such as:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
2

Everything correct except the firewall rules - the two rules you’ve posted are fine as such, but if they are the only rules in the filter, it makes a security hole at least in terms of the guests not being prevented from accessing the management services of the router itself. So post the complete anonymized export, see my automatic signature below.

In general, it is much safer to build the firewall as “deny everything except what you explicitly permit” than “permit everything except what you explicitly deny” because if you forget to permit something, your legal users will quickly notify you; if you forget to deny something, your illegal users will never let you know.

3
4

if you forget to permit something, your legal users will quickly notify you; if you forget to deny something, your illegal users will never let you know.


Effing brilliant. Luv it. Every IT person should have this over the entryway to their office.

5 
/interface bridge
add admin-mac=FF:FF:FF:FF:FF:FF auto-mac=no comment=defconf name=Bridge_CORP
add name=Bridge_Public
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - gateway"
set [ find default-name=ether2 ] name="ether2"
set [ find default-name=ether3 ] name="ether3"
set [ find default-name=ether4 ] name="ether4"
/interface wireless
set [ find default-name=wlan2 ] antenna-gain=2 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=xxxxxx wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=xxxxxxxxx supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan1-CORP security-profile=xxxxxxxxx ssid=CORP wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=FF:FF:FF:FF:FF:FF master-interface=wlan1-CORP multicast-buffering=disabled name=wlan3-public ssid=CORP-Guest wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool_Public ranges=10.10.10.101-10.10.10.199
/ip dhcp-server
add address-pool=default-dhcp interface=Bridge_CORP name=defconf
add address-pool=pool_Public disabled=no interface=Bridge_Public name=DHCP_Public
/interface bridge port
add bridge=Bridge_CORP comment=defconf interface="ether2"
add bridge=Bridge_CORP comment=defconf interface="ether3"
add bridge=Bridge_CORP comment=defconf interface="ether4"
add bridge=Bridge_CORP comment=defconf interface=ether5
add bridge=Bridge_CORP comment=defconf interface=sfp1
add bridge=Bridge_CORP comment=defconf interface=wlan1-CORP
add bridge=Bridge_CORP comment=defconf interface=wlan2
add bridge=Bridge_Public interface=wlan3-public
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=Bridge_CORP list=LAN
add comment=defconf interface="ether1 - gateway" list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=Bridge_CORP network=192.168.88.0
add address=192.168.1.2/24 interface=Bridge_CORP network=192.168.1.0
add address=192.168.100.10/24 interface="ether1 - gateway" network=192.168.100.0
add address=10.10.10.1/24 interface=Bridge_Public network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface="ether1 - gateway"
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8 gateway=10.10.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward in-interface=Bridge_Public out-interface=Bridge_CORP
add action=drop chain=forward in-interface=Bridge_CORP out-interface=Bridge_Public
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=xxxxxxxxxx
/system identity
set name=xxxxxxxxxxxx
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
6

A few errors.
(1) Missing Interface members
/interface list member
add comment=defconf interface=Bridge_CORP list=LAN
add comment=defconf interface=“ether1 - gateway” list=WAN
add Bridge_Public list=LAN

(2) Duplicate address, one needs to be removed.
/ip address
add address=192.168.88.1/24 comment=defconf interface=Bridge_CORP network=192.168.88.0
add address=192.168.1.2/24 interface=Bridge_CORP network=192.168.1.0
add address=192.168.100.10/24 interface=“ether1 - gateway” network=192.168.100.0
add address=10.10.10.1/24 interface=Bridge_Public network=10.10.10.0

(3) Dont see the purpose of this rule?? the default config does not block this traffic so you dont need one enabling it…if you get what I mean!!
add action=accept chain=input dst-port=8291 protocol=tcp

(4) Your rules will block traffic between the two subnets at Layer 3, should be fine.

(5) this can be set to NONE.
/tool mac-server
set allowed-interface-list=LAN

7

What I would do in the INPUT CHAIN

Is remove this rule… which basically says drop all traffic not coming from the LAN
(and by logic thus allow ALL USERS ACCESS TO THE ROUTER!!!)
add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN

Why? Because only the admin needs full access to the router, the rest of the users need some services, typically only DNS, and perhaps NTP…
SO…

In order replace by
add chain=input action=accept in-interface=Bridge-Corp (optional src-address-list=adminaccess)****

If you are happy with all users on Bridge-Crop having access, then fine if not and you want to limit to admins devices then create a firewall address list
add IPofAdmins desktop list=adminaccess
add IPofAdmins laptop list=adminaccess
add IPof Admins Ipad list=adminaccess
add IPofADmins smartphone list=adminaccess

Where the DHCP leases for these devices are set as Static.
+++++++++++++++++++++++++++++++++++++++++++++
Then you need to add DNS service for LAN users…

add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=“Allow LAN DNS queries-UDP”
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp

Finally the last rule in the input chain should be, when the others are in place (otherwise you will lock yourself out of the router)
add chain=input action=drop comment=“drop all else”

WHat this does in effect is drop all other traffic both WAN to router and router to WAN.
Only what you have stated above is permitted.