How to allow restricted connection from guest network to lan

Hi, I’m a MikroTik newbie and I need advice. I have a MikroTik router managing my local network (both wired and wireless). I would like to create a separate wireless network (similar to a guest network), but with a manually specified set of connections allowed from the LAN into it.

My motivation is that the restricted network contains devices I don’t trust, but I still need to reach them from one PC on the LAN, at a specific IP address and a specific port.

What is the simplest way to achieve this? I originally thought of firewall rules inside the LAN, but they don’t seem to have any effect.

Thanks for any advice
Tom

Typically we use VLANs to separate subnets. This gives clean separation at layer 2, and firewall rules then separate at layer 3: the router knows every subnet and would otherwise route between them freely, so inter-VLAN traffic has to be dropped explicitly in the forward chain and only the wanted flows accepted above that drop.

It is also quite normal to share a single device this way, e.g. a printer that sits on a guest or on a trusted network.
So if you wish to allow ONE PC in a trusted network to reach a bunch of devices in another subnet, you have several options, depending on how strict you want to be. :slight_smile:

Simple
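# One PC gets unrestricted access to the untrusted subnet (every host, every port).
# Place this accept above the rule that drops the remaining inter-VLAN traffic.
# (Fixed: the parameter is src-address; RouterOS rejects the misspelt "srcr-address".)
add chain=forward action=accept in-interface=VLANX src-address=ONEPC dst-address=subnetwithDevices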
one PC has full access to the untrusted network (every host, every port).

# One PC may reach only the hosts in address-list "Devices" (any port).
# Place this accept above the rule that drops the remaining inter-VLAN traffic.
add action=accept chain=forward src-address=ONEPC dst-address-list=Devices in-interface=VLANX
one PC has access to a list of devices on the untrusted network (every port).

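# One PC may reach only port XXXXX on the hosts in address-list "Devices".
# RouterOS refuses a dst-port matcher without a protocol, so protocol= is required here;
# use protocol=udp instead if the service is UDP.
# Place this accept above the rule that drops the remaining inter-VLAN traffic.
add chain=forward action=accept protocol=tcp in-interface=VLANX src-address=ONEPC dst-address-list=Devices dst-port=XXXXX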
one PC has access to a specific port on a list of devices on the untrusted network. Note that RouterOS only accepts dst-port together with protocol=tcp or protocol=udp. In every variant the accept must sit above the drop that blocks the rest of the inter-VLAN traffic; the return packets are covered by the established,related accept at the top of the forward chain.
/ip firewall address-list
# Put every untrusted host the PC may reach into this list; the rules above match it via
# dst-address-list=Devices. Entries may be single addresses or subnets.
# ("devicen ... etc…" is shorthand for as many further entries as you need.)
add address=device1 list=Devices
add address=device2 list=Devices
add address=devicen list=Devices etc…

Thanks a lot for your answer.

I created the guest network using Quick Set. I guess the approach you suggest will not work, as Quick Set doesn’t use VLANs to define the guest network — am I right?

So should I remove the Quick Set guest WiFi and define it manually as a VLAN with its own subnet, and then use /ip firewall filter rules?

I tried to use Bridge/Filter rules to allow traffic from one IP address to another, but with no luck.

I’m also attaching my configuration (mostly created by Quick Set), as it may help you understand my setup.

# jul/30/2024 12:26:58 by RouterOS 6.49.6
# software id = XWMA-3FDC
#
# model = RBD52G-5HacD2HnD
# serial number = BEEB0B5128A2
/interface bridge
# Single bridge carrying every wired LAN port and, further down, the guest SSIDs wlan3/wlan4 too:
# everything attached to it shares one layer-2 domain and the 192.168.88.0/24 subnet.
add name=bridge auto-mac=no admin-mac=C4:AD:34:57:ED:AD comment=defconf
/interface wireless
# Trusted SSID on both radios. No security-profile= is given, so the default profile applies.
set [ find default-name=wlan1 ] mode=ap-bridge ssid=MikroTik-57EDB1 band=2ghz-b/g/n channel-width=20/40mhz-XX frequency=auto country="czech republic" installation=indoor distance=indoors wireless-protocol=802.11 disabled=no
set [ find default-name=wlan2 ] mode=ap-bridge ssid=MikroTik-57EDB1 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX frequency=auto country="czech republic" installation=indoor distance=indoors wireless-protocol=802.11 disabled=no
/interface vlan
# ISP uplink: PPPoE runs inside VLAN 848 on ether1, so the Internet-facing interface is
# pppoe-nordic, not bare ether1.
add interface=ether1 name=vlan-848 vlan-id=848
/interface pppoe-client
# NOTE(review): pppoe-nordic is not a member of the WAN interface list anywhere in this export,
# yet the defconf "drop all from WAN not DSTNATed" forward rule and the defconf masquerade key on
# that list — add it there. The PPPoE password does not appear in this export (presumably
# exported with hide-sensitive).
add add-default-route=yes disabled=no interface=vlan-848 keepalive-timeout=disabled max-mru=1492 max-mtu=1492 name=pppoe-nordic user=nordic
/interface list
# Quick Set's WAN/LAN lists; every defconf firewall and management exception below is expressed
# in terms of them (members are assigned further down).
add comment=defconf name=WAN
add comment=defconf name=LAN
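/interface wireless security-profiles
# Default profile (trusted SSID on wlan1/wlan2): WPA2-PSK with AES-CCM only.
# TKIP removed — it is the deprecated WPA1-era cipher; re-add it only if a legacy client truly needs it.
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=aes-ccm
# Guest profile (wlan3/wlan4). Was authentication-types=wpa-psk,wpa2-psk, i.e. WPA1 was still
# negotiable for untrusted clients; now WPA2/AES only.
# No pre-shared key is shown for either profile in this export — confirm one is set on both
# (export hide-sensitive omits it).
add authentication-types=wpa2-psk group-ciphers=aes-ccm mode=dynamic-keys name=profile supplicant-identity=MikroTik unicast-ciphers=aes-ccm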
/interface wireless
# Guest SSID as a virtual AP on each radio. Both are added to the same bridge below, so guests
# land in the trusted 192.168.88.0/24 subnet and are separated only by the bridge filter drops.
add disabled=no mac-address=C6:AD:34:57:ED:B2 master-interface=wlan2 name=wlan3 security-profile=profile ssid=Mikrotik_guest
add disabled=no mac-address=C6:AD:34:57:ED:B1 master-interface=wlan1 name=wlan4 security-profile=profile ssid=Mikrotik_guest
/ip pool
# One dynamic pool for everybody on the bridge, guests included. 192.168.88.20 and .120 from the
# restricted_devices list fall inside this range and have no static lease below.
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# A single DHCP server on the bridge serves trusted and guest clients alike.
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge filter
# Layer-2 isolation of the guest SSIDs: any frame bridged to or from wlan3/wlan4 is dropped, so
# guests cannot reach wired/trusted-WiFi hosts and those hosts cannot reach guests.
# This is also why the one-PC-to-one-device exception cannot be done in /ip firewall filter:
# traffic between ports of the same bridge (same subnet) is bridged, not routed, and never enters
# the IP forward chain unless /interface bridge settings use-ip-firewall=yes is enabled.
# The bridge forward chain does not cover frames addressed to the router itself, so guests still
# reach the router's own services (DNS, WinBox, MAC-server, ...) as ordinary LAN members.
# To punch the wanted hole here, add accept rules ABOVE these drops for both directions (bridge
# filters are stateless), e.g. with mac-protocol=ip ip-protocol=tcp src-address=<PC>/32
# dst-address=<DEVICE>/32 dst-port=<PORT> out-interface=wlan3, the mirror rule with
# src-port=<PORT> in-interface=wlan3, the same pair for wlan4, and matching mac-protocol=arp
# accepts (arp-src-address/arp-dst-address) so the two hosts can still resolve each other.
# A separate bridge or VLAN with its own subnet plus /ip firewall filter rules is the cleaner answer.
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
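/interface bridge port
# Wired LAN ports and the trusted radios.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
# Guest SSIDs sit on the SAME bridge as the trusted ports: one broadcast domain, one subnet,
# isolated only by the /interface bridge filter drops.
add bridge=bridge interface=wlan3
add bridge=bridge interface=wlan4
# Removed a dangling "add interface=*E" entry: no bridge= and an interface that no longer exists
# (*E is an unresolved internal ID, presumably left over from an earlier Quick Set run). It did
# nothing, but it would fail to import and confuses reading of the port list.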
/ip neighbor discovery-settings
# Neighbor discovery only on the LAN list. That list is the bridge, so guest SSID clients also
# receive the router's discovery announcements.
set discover-interface-list=LAN
/interface detect-internet
# Detect-internet probes every interface; no security impact, only extra background traffic.
set detect-interface-list=all
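/interface list member
# LAN = the bridge, which includes the guest SSIDs wlan3/wlan4: every "LAN" exception in the
# firewall and in the management tools below applies to guest clients as well.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# The Internet-facing interface is the PPPoE session, not bare ether1. Without this membership the
# "drop all from WAN not DSTNATed" forward rule and the defconf masquerade never match WAN traffic.
add interface=pppoe-nordic list=WAN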
/interface wireless access-list
# Single entry for one MAC on the guest 2.4 GHz SSID with no authentication/forwarding options, so as
# exported it only tags that client; it restricts nothing unless default-authentication=no is set on
# wlan4 (and wlan3, which has no matching entry). Presumably meant as a whitelist — confirm the intent.
add comment=Thea interface=wlan4 mac-address=A4:50:46:57:1A:E9
/ip address
# Router address on the shared bridge; trusted and guest clients all live in this one subnet.
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
# defconf DHCP client on untagged ether1. The real uplink is PPPoE over vlan-848, so this is
# presumably a leftover from the default configuration; harmless if the ISP offers no untagged DHCP.
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
# Static leases for known hosts. Neither 192.168.88.20 nor .120 (the restricted_devices list
# below) is pinned here, and both lie inside the dynamic pool, so those two devices are not
# guaranteed to keep the listed addresses.
add address=192.168.88.240 mac-address=E0:D5:5E:DA:17:59 server=defconf
add address=192.168.88.250 client-id=1:d0:27:24:0:77:6d mac-address=D0:27:24:00:77:6D server=defconf
add address=192.168.88.230 mac-address=40:8D:5C:CD:8D:7A server=defconf
add address=192.168.88.220 client-id=1:ac:84:c6:27:f7:6 mac-address=AC:84:C6:27:F7:06 server=defconf
add address=192.168.88.210 client-id=1:9c:ae:d3:1:85:1b mac-address=9C:AE:D3:01:85:1B server=defconf
add address=192.168.88.200 client-id=1:0:8:9b:c1:e5:d6 mac-address=00:08:9B:C1:E5:D6 server=defconf
add address=192.168.88.190 client-id=1:d8:3a:dd:2c:25:e6 mac-address=D8:3A:DD:2C:25:E6 server=defconf
# comment is Czech for "K1C printer"
add address=192.168.88.100 client-id=1:fc:ee:28:3:4d:5e comment="K1C Tisk\E1rna" mac-address=FC:EE:28:03:4D:5E server=defconf
add address=192.168.88.180 client-id=1:14:98:77:47:a3:0 mac-address=14:98:77:47:A3:00 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# The router resolves for its clients. allow-remote-requests=yes is not an open resolver towards
# the Internet only because the input chain drops everything not from the LAN list; guest SSID
# clients are LAN members and can use it.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# The untrusted hosts the poster wants to reach from one PC. No rule in this export references
# "restricted_devices", and since the guest SSIDs share the LAN subnet an /ip firewall filter rule
# on it would not see that traffic anyway (it is bridged, not routed).
# Comments are Czech: "Tiskárna" = printer, "Notebook docasne" = laptop, temporary.
add address=192.168.88.20 comment="Tisk\E1rna" list=restricted_devices
add address=192.168.88.120 comment="Notebook docasne" list=restricted_devices
/ip firewall filter
# --- input chain: traffic to the router itself (unchanged defconf) ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything not from the LAN list is dropped, which protects the router on ether1 and on
# pppoe-nordic alike. The LAN list is the bridge and the guest SSIDs are bridge ports, so guest
# clients reach every router service (DNS, WinBox, SSH, ...) exactly like trusted hosts.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Packets of fasttracked connections skip the remaining rules; new per-host/port exceptions added
# later only have to match the first packet of a connection.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# The only catch-all drop in the forward chain, and it matches the WAN interface list only.
# Make sure pppoe-nordic is a member of that list (see /interface list member); otherwise new
# inbound connections arriving over the PPPoE session are not dropped by any rule here.
# NOTE(review): none of these rules sees traffic between ports of the same bridge (trusted LAN <->
# guest SSIDs, all in 192.168.88.0/24): that traffic is bridged, not routed, so "firewall rules
# inside LAN" cannot control it unless bridge use-ip-firewall is enabled or the guests get their
# own subnet.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# The defconf masquerade keys on the WAN list, which does not contain pppoe-nordic, so it was
# presumably disabled and replaced by a copy bound to pppoe-nordic. Once pppoe-nordic is a WAN
# list member the defconf rule can be re-enabled and this one removed, leaving a single rule.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=pppoe-nordic
/system clock
set time-zone-name=Europe/Prague
/system logging
# Extra log topics for DHCP and wireless events (handy for watching guest associations and leases).
add topics=dhcp
add topics=wireless
/tool mac-server
# MAC-telnet and MAC-WinBox are allowed on the LAN list, i.e. on the bridge. The guest SSIDs are
# ports of that bridge, so guest clients can open layer-2 management sessions to the router
# (credentials are still required). Interface lists hold interfaces, not bridge ports, so this
# cannot be narrowed to the trusted ports alone; moving the guests to their own bridge/VLAN fixes it.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# Dangling reference: *D is an unresolved internal ID for an interface that no longer exists.
# Harmless unless the sniffer is started; reset with "/tool sniffer set filter-interface=all".
set filter-interface=*D

Thanks a lot for your help
Tom