hAP ac² multiple networks isolation problem

Hello,

For some time now I have been struggling with my router to find the correct settings to isolate my home, guest, IoT and public networks from each other. I have been trying for a year now to fix it, but my ESET Internet Security Network Inspector seems to still find the isolated devices in the IoT, Public and Guest network.

For example, when using port scanners, ping and other software to directly scan some device from the network, I get no answer. So I would say that my firewall settings are correct. But for some reason ESET still gets through somehow.

I have tried disabling IPv6 from my computer network adapter but that didn’t really fix the issue. ESET still finds other devices.

The point of isolating those networks is that if someone connects an infected device for example to my network then it doesn’t move across the network to my other devices.

The router code is as below. I have removed some things not really important to this issue.

/interface bridge
add fast-forward=no name=bridge_guest
add fast-forward=no name=bridge_home
add admin-mac=B8:69:F4:26:5B:F4 auto-mac=no fast-forward=no name=bridge_iot
add fast-forward=no name=bridge_iptv protocol-mode=none
add admin-mac=B8:69:F4:26:5B:F5 auto-mac=no fast-forward=no name=\
    bridge_public
/interface ethernet
set [ find default-name=ether1 ] comment=WAN loop-protect=on mtu=1518
set [ find default-name=ether2 ] comment="TV" loop-protect=on \
    mtu=1518
set [ find default-name=ether3 ] comment=AP loop-protect=on mtu=1518
set [ find default-name=ether4 ] comment="TV Box" loop-protect=on mtu=1518
set [ find default-name=ether5 ] comment="Unmanaged Switch" \
    loop-protect=on mtu=1518
/interface vlan
add interface=ether3 mtu=1518 name=vlan10_guest vlan-id=10
add interface=ether3 mtu=1518 name=vlan20_iot vlan-id=20
add interface=ether3 mtu=1518 name=vlan30_public vlan-id=30
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=pool_home ranges=192.168.1.150-192.168.1.200
add name=pool_guest ranges=192.168.2.150-192.168.2.200
add name=pool_iot ranges=192.168.3.150-192.168.3.200
add name=pool_public ranges=172.16.71.50-172.16.71.250
/ip dhcp-server
add add-arp=yes address-pool=pool_home bootp-support=dynamic interface=\
    bridge_home lease-script=":local recipient \"email removed\"\r\
    \n/ip dhcp-server lease\r\
    \n:if (\$leaseBound = 1) do={\r\
    \n  :if ([:len [/ip dhcp-server lease get [find address=\$leaseActIP] comm\
    ent]] = 0) do={\r\
    \n    :do {\r\
    \n      :tool e-mail send to=\$recipient subject=\"DHCP Address Alert [MAC\
    : \$leaseActMAC]\" body=\"The following MAC address [\$leaseActMAC] receiv\
    ed an IP address [\$leaseActIP] from the DHCP Server [\$leaseServerName].\
    \"\r\
    \n      :log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r\
    \n    } on-error={\r\
    \n      :log error \"Failed to send alert email to \$recipient\"\r\
    \n    }\r\
    \n  } else={\r\
    \n    :log info \"Ignoring MAC \$leaseActMAC with IP \$leaseActIP due to a\
    n existing comment.\"\r\
    \n  }\r\
    \n}" lease-time=1w3d name=dhcp_home
add address-pool=pool_guest interface=bridge_guest lease-script=":local recipi\
    ent \"email removed\"\r\
    \n/ip dhcp-server lease\r\
    \n:if (\$leaseBound = 1) do={\r\
    \n  :if ([:len [/ip dhcp-server lease get [find address=\$leaseActIP] comm\
    ent]] = 0) do={\r\
    \n    :do {\r\
    \n      :tool e-mail send to=\$recipient subject=\"DHCP Address Alert [MAC\
    : \$leaseActMAC]\" body=\"The following MAC address [\$leaseActMAC] receiv\
    ed an IP address [\$leaseActIP] from the DHCP Server [\$leaseServerName].\
    \"\r\
    \n      :log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r\
    \n    } on-error={\r\
    \n      :log error \"Failed to send alert email to \$recipient\"\r\
    \n    }\r\
    \n  } else={\r\
    \n    :log info \"Ignoring MAC \$leaseActMAC with IP \$leaseActIP due to a\
    n existing comment.\"\r\
    \n  }\r\
    \n}" lease-time=1w3d name=dhcp_guest
add address-pool=pool_iot interface=bridge_iot lease-script=":local recipient \
    \"email removed\"\r\
    \n/ip dhcp-server lease\r\
    \n:if (\$leaseBound = 1) do={\r\
    \n  :if ([:len [/ip dhcp-server lease get [find address=\$leaseActIP] comm\
    ent]] = 0) do={\r\
    \n    :do {\r\
    \n      :tool e-mail send to=\$recipient subject=\"DHCP Address Alert [MAC\
    : \$leaseActMAC]\" body=\"The following MAC address [\$leaseActMAC] receiv\
    ed an IP address [\$leaseActIP] from the DHCP Server [\$leaseServerName].\
    \"\r\
    \n      :log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r\
    \n    } on-error={\r\
    \n      :log error \"Failed to send alert email to \$recipient\"\r\
    \n    }\r\
    \n  } else={\r\
    \n    :log info \"Ignoring MAC \$leaseActMAC with IP \$leaseActIP due to a\
    n existing comment.\"\r\
    \n  }\r\
    \n}" lease-time=1w3d name=dhcp_iot
add address-pool=pool_public interface=bridge_public lease-script=":local reci\
    pient \"email removed\"\r\
    \n/ip dhcp-server lease\r\
    \n:if (\$leaseBound = 1) do={\r\
    \n  :if ([:len [/ip dhcp-server lease get [find address=\$leaseActIP] comm\
    ent]] = 0) do={\r\
    \n    :do {\r\
    \n      :tool e-mail send to=\$recipient subject=\"DHCP Address Alert [MAC\
    : \$leaseActMAC]\" body=\"The following MAC address [\$leaseActMAC] receiv\
    ed an IP address [\$leaseActIP] from the DHCP Server [\$leaseServerName].\
    \"\r\
    \n      :log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r\
    \n    } on-error={\r\
    \n      :log error \"Failed to send alert email to \$recipient\"\r\
    \n    }\r\
    \n  } else={\r\
    \n    :log info \"Ignoring MAC \$leaseActMAC with IP \$leaseActIP due to a\
    n existing comment.\"\r\
    \n  }\r\
    \n}" lease-time=2d name=dhcp_public
/routing bgp template
set default disabled=no output.network=bgp-networks
/interface bridge port
add bridge=bridge_home ingress-filtering=no interface=ether3
add bridge=bridge_home ingress-filtering=no interface=ether2
add bridge=bridge_home ingress-filtering=no interface=ether5
add auto-isolate=yes bridge=bridge_guest ingress-filtering=no interface=\
    vlan10_guest restricted-role=yes restricted-tcn=yes
add auto-isolate=yes bridge=bridge_iot ingress-filtering=no interface=\
    vlan20_iot restricted-role=yes restricted-tcn=yes
add auto-isolate=yes bridge=bridge_public ingress-filtering=no interface=\
    vlan30_public restricted-role=yes restricted-tcn=yes
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=strict tcp-syncookies=yes
/ip address
add address=192.168.1.1/24 interface=bridge_home network=192.168.1.0
add address=192.168.2.1/24 interface=bridge_guest network=192.168.2.0
add address=192.168.3.1/24 interface=bridge_iot network=192.168.3.0
add address=172.16.71.1/24 interface=bridge_public network=172.16.71.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server config
set store-leases-disk=never
/ip dns
set allow-remote-requests=yes cache-max-ttl=10m cache-size=512KiB
/ip firewall filter
add action=drop chain=forward comment="Drop public network to home network" \
    dst-address=192.168.1.0/24 src-address=172.16.71.0/24
add action=drop chain=forward comment="Drop public network to IoT network" \
    dst-address=192.168.3.0/24 src-address=172.16.71.0/24
add action=drop chain=forward comment="Drop public network to guest network" \
    dst-address=192.168.2.0/24 src-address=172.16.71.0/24
add action=drop chain=forward comment="Drop home network to public network" \
    dst-address=172.16.71.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop home network to guest network" \
    dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop home network to IoT network" \
    dst-address=192.168.3.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop guest network to home network" \
    dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=drop chain=forward comment="Drop guest network to public network" \
    dst-address=172.16.71.0/24 src-address=192.168.2.0/24
add action=drop chain=forward comment="Drop guest network to IoT network" \
    dst-address=192.168.3.0/24 src-address=192.168.2.0/24
add action=drop chain=forward comment="Drop IoT network to home network" \
    dst-address=192.168.1.0/24 src-address=192.168.3.0/24
add action=drop chain=forward comment="Drop IoT network to guest network" \
    dst-address=192.168.2.0/24 src-address=192.168.3.0/24
add action=drop chain=forward comment="Drop IoT network to public network" \
    dst-address=172.16.71.0/24 src-address=192.168.3.0/24
add action=accept chain=input comment="Allow established, related" \
    connection-state=established,related
add action=accept chain=input comment=\
    "Allow LAN connection to router - DO NOT DISABLE" src-address=\
    192.168.1.0/24
add action=accept chain=input comment=\
    "Accept ping" \
    disabled=yes protocol=icmp
add action=drop chain=input comment=\
    "Drop everything else to router - DO NOT DISABLE"
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge_home log=yes log-prefix=\
    !public_from_LAN out-interface=!bridge_home
add action=drop chain=forward dst-address-list=not_in_internet in-interface=\
    bridge_guest log=yes log-prefix=!public_from_LAN out-interface=\
    !bridge_guest
add action=drop chain=forward dst-address-list=not_in_internet in-interface=\
    bridge_iot log=yes log-prefix=!public_from_LAN out-interface=!bridge_iot
add action=drop chain=forward dst-address-list=not_in_internet in-interface=\
    bridge_public log=yes log-prefix=!public_from_LAN out-interface=\
    !bridge_public
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.1.0/24 port=port
set www-ssl certificate=*1E
set api disabled=yes
set winbox address=192.168.1.0/24 port=port
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote host-key-size=4096 strong-crypto=yes
/ip upnp
set show-dummy-rule=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Thank you!

Anyone?

IMHO the config is a bloated mess, more concerned with stopping traffic than simply only allowing needed traffic.
The first place to start though is a one bridge concept and all vlans, bridge does no dhcp.

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Your answer didn't give me any explanation whatsoever. Tutorials have used DHCP for bridges, so why can I not use it?
You say my config is a bloated mess but give no reason.

Why I have all those FW rules is just because something gets through the FW; they seem to be isolated but ESET somehow gets through.
I was trying different rules from different places, nothing worked.

Regardless, keep the firewall rules as is, if you are happy with performance.
However, the multiple bridge approach is really not used anymore, if it ever was.

Please use the linked article to reduce your bridges to one.
It reduces complexity of the config so that any errors are easier to spot. (Same with clean firewall rulesets, but that's a non-starter here.)

All I will say, is that I have no intention of scrutinizing your FW rules.
I will say from a conceptual standpoint it's much easier to simply put at the end of the input and especially (if only doing this on one chain) the FORWARD CHAIN, as the last rule:
add chain=forward action=drop comment="Drop all else"

Above this last rule, are the default rules one should keep, followed by Admin rules for traffic which should be allowed.
No need for block rules, as the last rule drops everything else!

Ex…
{ Default rules to keep }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

(admin rules)
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { disable if not using port forwarding }

add action=drop chain=forward comment="drop all else"

*********************** Any other allow rules, admin to all vlans, all vlans to a shared printer, one subnet to wireguard interface, etc etc..

I believe this should help answer your question about achieving network isolation.
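As an added worked example (not the original poster's configuration and not the reply's own text), here is the single-bridge layout the reply points at, applied to the four networks from the question: the same subnets and pools, one bridge with VLAN filtering, and a forward chain that ends in "drop all else" so no inter-VLAN block rules are needed. Assumptions: RouterOS 7.x; home traffic is given VLAN ID 99 internally and stays untagged on ether2, ether5 and the AP port ether3 (the AP keeps tagging 10/20/30 as before); ether4, the LTE, BGP and e-mail lease-script parts are left out; and the router serves DNS for every VLAN.

```routeros
# Added example, not the poster's export. Assumed: RouterOS 7.x, home = VLAN 99
# (untagged on ether2/ether5/ether3), guest/iot/public tagged 10/20/30 on ether3.

/interface bridge
# vlan-filtering stays off until everything below is in place (see last step)
add name=bridge1 vlan-filtering=no

/interface bridge port
# access ports: home only, untagged frames, tagged frames rejected
add bridge=bridge1 interface=ether2 pvid=99 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5 pvid=99 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
# hybrid port to the AP: untagged home plus tagged guest/iot/public
add bridge=bridge1 interface=ether3 pvid=99 ingress-filtering=yes \
    frame-types=admit-all

/interface bridge vlan
# "tagged=bridge1" lets the router itself be a member of each VLAN
add bridge=bridge1 vlan-ids=99 tagged=bridge1 untagged=ether2,ether3,ether5
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether3
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether3
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether3

/interface vlan
# layer-3 interfaces sit on the bridge, not on ether3
add interface=bridge1 name=vlan99_home vlan-id=99
add interface=bridge1 name=vlan10_guest vlan-id=10
add interface=bridge1 name=vlan20_iot vlan-id=20
add interface=bridge1 name=vlan30_public vlan-id=30

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan99_home
add list=LAN interface=vlan10_guest
add list=LAN interface=vlan20_iot
add list=LAN interface=vlan30_public

/ip address
add interface=vlan99_home address=192.168.1.1/24
add interface=vlan10_guest address=192.168.2.1/24
add interface=vlan20_iot address=192.168.3.1/24
add interface=vlan30_public address=172.16.71.1/24

/ip pool
add name=pool_home ranges=192.168.1.150-192.168.1.200
add name=pool_guest ranges=192.168.2.150-192.168.2.200
add name=pool_iot ranges=192.168.3.150-192.168.3.200
add name=pool_public ranges=172.16.71.50-172.16.71.250
/ip dhcp-server
add name=dhcp_home interface=vlan99_home address-pool=pool_home
add name=dhcp_guest interface=vlan10_guest address-pool=pool_guest
add name=dhcp_iot interface=vlan20_iot address-pool=pool_iot
add name=dhcp_public interface=vlan30_public address-pool=pool_public
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
add address=172.16.71.0/24 gateway=172.16.71.1 dns-server=172.16.71.1

/ip firewall filter
# input: only what the router itself must answer; home VLAN manages it
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept in-interface=vlan99_home comment="admin: home VLAN to router"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for all VLANs"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="DNS for all VLANs"
add chain=input action=drop comment="drop all else to router"
# forward: default rules, then explicit allows, then drop everything else.
# No VLAN-to-VLAN allow exists above the last rule, so isolation is implicit.
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="internet access"
add chain=forward action=accept connection-nat-state=dstnat disabled=yes comment="port forwarding"
add chain=forward action=drop log=yes log-prefix=fwd-drop comment="drop all else"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# last step, run from a session on a home port so it survives the switch-over
/interface bridge set bridge1 vlan-filtering=yes
```

While testing isolation, `/log print where message~"fwd-drop"` shows every flow the final rule discarded, so a device in one VLAN probing another turns up there as a logged drop rather than as an unexplained gap; any service that still needs to cross VLANs (a shared printer, a WireGuard interface) gets its own accept rule above the last one, which is the "any other allow rules" slot the reply describes.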

Thank you for the answer. I was deleting most of the stuff from my router as per your suggested link. I will try again later. The link you provided seems to be really good actually so thank you for that. Will delete most of the old garbage and start with the settings on the link. Just needs some more tinkering to get the exact result I want.

Awesome! The effort now will be worth it in the long run.

Hi,

I’ve reconfigured my router setup as described here.
I've also added an attachment which I modified for my use case but which was not created by me; the information is in the rsc file.
This rsc file is not my complete router setup but should be enough if someone encounters something similar to what I had.

Before the reconfiguration my router restarted for like 2-3 minutes.
After the reconfiguration my router restarted for like 30 seconds.
Also, the connection between each VLAN is truly separate now. ESET doesn't find any other devices, and vice versa.
Before the reconfiguration I had no performance issues because my network is not that big and not many devices are connected, but after I saw how fast the router restarted I knew that my setup, which was from the year 2016, was not ideal anymore.

Thanks for the info and help @anav
router.rsc (5.66 KB)