Hello, I want to ask for your recommendation on how to secure a hAP ax lite LTE6 if I will use the lte1 interface to access the internet on the go.
I would like to keep this topic within general discussion and reflection for now, so I am not sharing my settings here yet.
Could you advise me from your experience? Do you recommend using VLANs more, or maybe VRF, or something else?
My way of using this device (hAP ax lite LTE6) is simple. I want to use it for travel, where it will allow me to connect anywhere there is a cell/mobile signal, and I need to know that this connection will be secure.
One note, just to be sure:
The device will not be used for any illegal activity, but I want it to be sufficiently secure because the devices that will be connected to this network (mobile, company laptop...) could contain sensitive corporate data.
Is it at all possible to secure this device so that data cannot be obtained/monitored by an operator or attacker, e.g. via Wireshark?
So far, I have a preliminary draft of this: using VLANs for the Wi-Fi and ethernet interfaces, port knocking for login, disabling network discovery (and login via MAC interfaces) → But I have no idea how to secure the lte1 interface…
Rename the default admin account to something else.
Set a strong login password.
Set a strong Wi-Fi password.
Don't expose your router (its management) to the internet without some kind of VPN. But if you use it as a travel router I don't see the need for remote management.
Allow management only from the trusted side (LAN).
Allow network discovery only from the trusted side.
Have good firewall rules in place. (The default ones should be good enough.)
Disable unused IP services (e.g. the web management page if not used).
I don't think that you need multiple VLANs on a travel router.
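The checklist above, written out as a RouterOS 7 fragment. This is an added illustration, not configuration from any post or the attachment in this thread; the VLAN interface names vlan-mgmt, vlan-iot and vlan-guest and the management subnet 192.168.88.0/24 are assumptions, while lte1 is the interface the thread is about.

```routeros
# Added example, not from the thread. Assumed names: vlan-mgmt, vlan-iot, vlan-guest, 192.168.88.0/24.
# 1. Classify interfaces: lte1 is the only WAN; management is allowed from the MGMT VLAN only.
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list member
add list=WAN interface=lte1
add list=LAN interface=vlan-mgmt
add list=LAN interface=vlan-iot
add list=LAN interface=vlan-guest
add list=MGMT interface=vlan-mgmt

# 2. Neighbor discovery and MAC-based logins only on the management side, never on lte1.
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=MGMT

# 3. Unused services off; WinBox/SSH limited to the management subnet (assumed 192.168.88.0/24).
/ip service
disable telnet,ftp,www,www-ssl,api,api-ssl
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24

# 4. Input chain: nothing new may reach the router itself from lte1.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="keep existing sessions"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp in-interface-list=LAN
add chain=input action=accept in-interface-list=MGMT comment="management only from MGMT VLAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for clients"
add chain=input action=drop comment="everything else, including all of lte1"

# 5. Forward chain: LTE may only answer sessions started from inside; guest and IoT cannot reach other VLANs.
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new in-interface-list=WAN comment="no inbound from LTE"
add chain=forward action=drop in-interface=vlan-guest out-interface-list=LAN
add chain=forward action=drop in-interface=vlan-iot out-interface-list=LAN
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=drop

# 6. NAT client traffic out of the LTE interface.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
```

Apply it from a Safe Mode WinBox session on the MGMT VLAN, since the final input drop will cut off any session that does not match the MGMT accept rule.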
I would try to be more complex. Yes, the router would be used for travel, but when I come back home it would work like an ordinary "home" router. So VLANs for IoT devices, public Wi-Fi for guests, and MGMT are already set up.
You're definitely right about these:
Disabling the service ports I don't need is already done too.
Allow management only from the trusted side (LAN). → I want to do it after I solve everything else, i.e. at the end → I don't want to kill access with some mistake.
Allow network discovery only from the trusted side. → Here too, I think it is only a few clicks in WinBox.
Have good firewall rules in place. (The default ones should be good enough.) → I'm not using the default configuration. I'm going back to MikroTik after some time, so I want to refresh what I forgot and especially learn something new. So I'm going to make my own firewall.
So, did I understand correctly that VRF (from my point of view) is not appropriate to use in such cases? The problem with VRF is that even though I have watched a lot of videos and instructions, I still can't understand the issue and create something in the test environment that works, including LTE connectivity. I would therefore like to completely separate the connectivity I have on the lte1 interface from the rest of the VLANs and the Guest / IoT / MGMT networks.
It's very likely that we are stuck on something that doesn't make sense… I should go further, e.g. with FW rules, but I still must think about VRF. Do you have any suggestion on how to understand VRF on MikroTik on a more elementary level? Whenever I've done some tests I've found that I've lost internet connectivity on the devices. Thanks for some direction.
If you already have some configuration in place then I suggest you post it here, so maybe more members get involved in this topic and we can see what you already did.
Regarding VRF, I've never used it, so I can't give you any advice on that one. That's why you should post your configuration without sensitive data so other members can get involved.
Hello, thank you for the reply. And sorry for the delay (I had to completely rewrite and edit the settings) → so it took some time. I don't think anyone here is interested in my names and naming, including my notes, so I had to redo the whole thing and generalize it into some form. So attached is a full export of the commands. I hope I didn't forget to change something, but the configuration should be working. Whether it is correct and safe I don't know; maybe someone here can now help me to make it even more secure, or advise if it makes sense (and especially how) to use VRF. For now, the configuration is set up to connect to the Wi-Fi with the hidden SSID SSID_MGMT, and here it should be possible to log in via WinBox. Port knocking is also active…
So here is my creation. I will be glad for any comments and suggestions for improvement. Hopefully I will now receive more replies and advice. Thank you.
Attachment: exportENcommands.rsc (6.7 KB)
I would have a home MT router, and use the travel router to reach the home MT router's internet via a WireGuard tunnel.
There is no special sauce, be it on the road or at home, to keep the traffic as secure as possible.
A layered approach works, so if you don't VPN into home, use a VPN on the connected devices and/or in the browser, etc.
Thank you guys for the reply, but what you're suggesting is not currently possible. I don't have a second MTK device now which I could leave at home and connect to via the travel router and a WireGuard VPN tunnel. I don't even have internet at my apartment; after all, this MikroTik I have is supposed to be something like a universal router for travel and home → depending on where I'm going to be. So I'm looking for other possible ways to further secure this device. I chose this particular device because of the USB-C port and its scalability. I don't plan on getting another MTK and internet for the home. This device has to replace everything.
There is nothing about setting up a router for security that is different at home or when travelling.
So ensure that on your PC you use a VPN for the internet, and if not, at least a VPN in the browser or AV software.