How to block traffic between ethernet ports

Hi everyone,

I’ve got a Mikrotik hAP ac², and all the ethernet ports are set in one bridge. So, every device in my LAN shares the same subnet.
An AP/switch is connected to one port (say port 4), my own PC to another one (say port 2). Other devices are connected to the rest of them. OK.

Everything has worked flawlessly so far, but now I’d like to secure my PC from any traffic going through the AP (port 4), or any unauthorized attempt to access my PC coming from that port. You know, I set up a guest wifi on the AP mentioned above. However, I still want my PC to be able to access the same AP.
Could you help figure out the best and easy way to set it in my Mikrotik’s firewall and manage it without setting up VLANs?
Thanks

The easiest way would be to set up a firewall directly on the PC.

Another way would be to enable use-ip-firewall=yes on the bridge and disable hw offload on port 4. Beware: the IP firewall for bridged traffic works slightly differently from the same firewall for routed IP traffic…

By blocking incoming traffic from that switch’s IP?

> Another way would be to enable use-ip-firewall=yes on the bridge and disable hw offload on port 4. Beware: the IP firewall for bridged traffic works slightly differently from the same firewall for routed IP traffic…

Not sure here. I don’t want to mess something up.

Thanks

The problem is that you have the same subnet for both wifi guests and home users going through the ethernet port to the Access Point.
The Access Point could have a guest wifi, but that may only entail a separate SSID. To be truly guest, the AP needs to feed the guest wifi into another subnet.
I think VLANs make sense in this case; at least put the guest wifi on a VLAN.

The question I have is: is your Access Point able to read VLANs?

Nope.

Anyway, I’d like to understand if I can block any traffic coming from it to my PC only by setting a firewall filter on the ethernet port.
Thanks

I don’t think you can use the switch chip to do this because you need access to the AP still, and don’t want VLANs.

What do you want clients connected via port 4 to be able to do? Do you want all clients on that port to be treated the same?

If you can live with all port 4 clients being blocked from access to your PC, then the simplest way would seem to be a different subnet for that. No VLAN is required if all clients connecting through that port are treated the same. You’ll have to take that port off the common bridge.

Then, in order for traffic to pass from that subnet to your PC’s subnet, the router must route it, which it will do by default. We can use the firewall to control that. Create a rule to drop traffic originating from port 4 and destined for the PC’s port (or anywhere other than WAN if you only want internet access from port 4). That rule should be placed after the ‘allow established/related’ rules. You might need another rule allowing connections from port 4 to WAN, depending on your firewall arrangement.

So… traffic starting from port 4 cannot get to your PC; the firewall drops it. For connections started from the PC going to port 4, create another firewall rule to permit that (if needed according to your firewall setup). This connection will get noted by connection tracking and so the return traffic will be allowed by the established rule.

That is basically what I do here for an IoT subnetwork. Anything on that network is only allowed to be routed to WAN, but my rule to allow new connections from the main LAN to IoT means I can still make contact to configure those devices.

You’ll need to create/change DHCP for that subnet of course.

A cheap access point that works well is the TPLINK eap245; it carries VLANs and would solve your issues, running two VLANs, the home network and the guest network.

Yes, I use EAP245 and EAP225; they are good APs. That’s a better solution.

A new subnet for port 4 would be a good idea. However, I don’t want to drop all forwards between port 4 (AP) and the bridge (LAN), since devices connected to the switch can sometimes use a server in my bridge (LAN) other than the WAN port for the internet connection. Thanks

Once the Port 4 traffic is being routed, you can do anything you want with it in the firewall. If you know the IP or MAC addresses of the hosts that you want to access the server (or the opposite), just allow that in the FW. Of course, if ‘using the server’ means heavy data transfers, routing it through the CPU isn’t ideal even with Fasttrack. Best if you could do it with HW offload in the switch chip…

…Life would be much simpler with a kit upgrade to support VLANs.
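The routed-subnet approach described above (port 4 off the bridge, drop new connections from port 4 to the LAN after the established/related rules, LAN may still initiate to port 4, new DHCP scope) plus the per-host exception for the LAN server from the follow-up, written out as RouterOS CLI. This is an added example, not configuration from any poster in the thread; all addresses, the bridge name "bridge", the interface list names LAN/WAN from the default firewall, and the client MAC are constructed placeholders.

```routeros
# Added example. Assumptions (all constructed): LAN bridge is "bridge" on 192.168.88.0/24,
# the LAN server the AP clients may use is 192.168.88.20, the AP hangs off ether4,
# and the default firewall (established/related accept, interface lists LAN and WAN) exists.

# 1. Take ether4 off the bridge so its traffic is routed through the CPU instead of switched
/interface bridge port remove [find interface=ether4]

# 2. Give the AP segment its own subnet and DHCP scope
/ip address add address=192.168.89.1/24 interface=ether4
/ip pool add name=pool-ap ranges=192.168.89.10-192.168.89.254
/ip dhcp-server add name=dhcp-ap interface=ether4 address-pool=pool-ap disabled=no
/ip dhcp-server network add address=192.168.89.0/24 gateway=192.168.89.1 dns-server=192.168.89.1
# Let AP clients reach the router's own DNS/DHCP (default input chain accepts from list LAN)
/interface list member add list=LAN interface=ether4

# 3. Forward chain. "add" appends, so these land after the default established/related rules.
/ip firewall filter
# 3a. Exception first: one known AP-side client may open connections to the LAN server only
#     (placeholder MAC; replace with the real client's address)
add chain=forward action=accept connection-state=new in-interface=ether4 out-interface=bridge \
    src-mac-address=AA:BB:CC:DD:EE:FF dst-address=192.168.88.20 \
    comment="AP segment: known client -> LAN server"
# 3b. Everything else started from the AP segment towards the LAN (the PC included) is dropped
add chain=forward action=drop connection-state=new in-interface=ether4 out-interface=bridge \
    comment="AP segment: drop new connections to LAN"
# 3c. AP segment may still reach the internet
add chain=forward action=accept connection-state=new in-interface=ether4 out-interface-list=WAN \
    comment="AP segment: allow to WAN"
# 3d. LAN (the PC) may initiate towards the AP; replies match the established/related rules
add chain=forward action=accept connection-state=new in-interface=bridge out-interface=ether4 \
    comment="LAN -> AP segment allowed"
```

After a test connection attempt from the guest side, `/ip firewall filter print stats` should show the drop rule's counter increasing while the PC stays reachable from the LAN side only.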

Ok, got it. Thanks