How to secure the environment?

At the risk of quickly being in way over my head, I wonder if someone could help me figure out the smartest way to secure my environment.

I have 8 different locations connected via Wireguard. Each location has its own Internet access connection.

The locations have 7 different /24 networks (2 locations are connected with Cubes and share 192.168.20.0 – If it’s smarter, I can easily make location 8 192.168.25.0):
192.168.0.0
192.168.1.0
192.168.2.0
192.168.20.0
192.168.30.0
192.168.40.0
192.168.70.0

Management takes place 90% of the time from 192.168.2.0 and 192.168.0.0, 5% of the time from an iPhone using cellular data, and 5% of the time from one of the other locations.

Each location has wifi (mostly wifiwave2, but not all) for access to users that I trust as well as to strangers/guests.

The guests only need Internet access.

The trusted users should have greater access.

I run quite a few IoT devices at all locations, many of which need cloud access and access to the Home Assistant server at 192.168.0.103

I set up SSID “2point4” for the IoT (yes, 2.4ghz only); and SSID “Guest” for guests. (I also have other SSIDs for me and the trusted users.)

But, there is no VLAN or SSID-based firewall set up. So, a guest on any network can see all the hosts/devices on all 7 networks.

I have tried to understand and implement VLANS but failed. I read the advised forum posts, watched videos, read other articles, and it’s just beyond me at the moment.

Is there an easier way to secure my environment?

What details, info and choices have I left out that would help understand and advise?

Thank you.

If you have seen this topic: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 and find it over your head, you should consider getting external help. As, based on your information, you might not be the man for the job.

My tip (if you still want to do it yourself):

  • get a Routerboard device just to play with it.
  • give the VLAN setup, which can be found in the link above, a try.
  • learn a lot :smiley:

I have indeed read (multiple times) PCunite’s wonderful post. And many others. And I indeed have come here for external help. And I might not be the man for the job. But, I will continue to try.

At my 192.168.2.0 location, I have an RB5009 in use.

I also have a RB750Gr3 hEX (that the RB5009 replaced).

I wired physical port 5 on the hEX to physical port 8 on the 5009, and then configured the hEX as follows (including only what I think are the relevant portions):

/interface bridge
add admin-mac=18:FD:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge

/interface ethernet
set [ find default-name=ether5 ] comment=RB5009

/interface vlan
add interface=bridge name=BackupPC vlan-id=100
add interface=bridge name=GUEST vlan-id=200

/ip pool
add name=BackupPC-Pool ranges=10.10.10.1-10.10.10.253

/ip dhcp-server
add address-pool=BackupPC-Pool interface=BackupPC name=BAckupPC-DHCP-server

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add disabled=yes interface=212-Wireguard list=LAN
add interface=bridge list=MANAGE
add disabled=yes interface=212-Wireguard list=MANAGE

/ip address
add address=192.168.2.7/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.10.10.254/24 interface=BackupPC network=10.10.10.0

/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.254

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Loopback allow" dst-address=127.0.0.1
add action=accept chain=input comment="Allow Authorized" src-address-list=\
    Authorized
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow LAN to WAN" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=masquerade chain=srcnat log=yes

I then configured a Windows PC wired to a switch that is wired to the RB5009 (i.e., the only physical connection between the Windows PC and the hEX is through the switch and then the RB5009) and assigned the NIC in the Windows PC to VLAN 100. The Windows PC with DHCP enabled successfully gets 10.10.10.100 assigned to it from the hEX.

At that time, the only network connectivity the Windows PC has is to the hEX. That is, the Windows PC physically connected to the same 192.168.2.0 network does not see any of the many devices on that network. (Well, it sees the switch at 192.168.2.3). So, I think the VLAN is working.

That’s as far as I’ve gotten. I don’t know how to take this to the next level of usefulness toward meeting my needs.

Not sure what you are attempting, but if you want to use the hEX as a switch, follow this guide.

The only VLAN you need to identify is the trusted or management VLAN where the hEX will get its LAN IP address.
This is the only VLAN that needs to be tagged to the bridge; the rest flow from ether1 to the ether ports.

https://forum.mikrotik.com/viewtopic.php?t=182276

The objective with the hEX was just to experiment and learn.

I also figured out that adding an ALLOW FORWARD rule from the 10.10.10.0 network (defined in Address Lists) will allow traffic between 192.168.2.0 and 10.10.10.0. I don’t know if it is normal behavior for a router’s firewall rule to overrule the VLAN separation.

One of my overall goals is to keep users/devices who gain access via specific SSIDs (“2point4,” “Guest,” etc.) from having access to all other devices across all locations.

That's what the drop-all-else rule does for you, at the end of the forward chain.
If it's not explicitly allowed, it's dropped. Simple.

https://forum.mikrotik.com/viewtopic.php?t=180838
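To make that point concrete, here is an added example (my own, not the thread's exported config and not MikroTik's) of input and forward chains for the hEX in which inter-VLAN traffic is dropped unless explicitly allowed. It uses the interface names that appear in the posts above (the Guest VLAN interface, the LAN and WAN lists, the 212-Wireguard interface); the GUEST interface list, the rule ordering, and the assumption that the hEX reaches the Internet through an interface in its WAN list are mine.

```routeros
# Added example, not from the thread. Assumes: the Guest VLAN interface
# (vlan-id 100 on the hEX bridge) exists, an Internet-facing port is in
# the WAN list, the bridge is in the LAN list, and 212-Wireguard links
# the other sites.

/interface list
add name=GUEST comment="guest VLAN interfaces"

/interface list member
add interface=Guest list=GUEST

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
# A guest needs a DHCP lease and DNS from the router, nothing more
add chain=input action=accept in-interface-list=GUEST protocol=udp \
    dst-port=53,67 comment="guest: DHCP and DNS (udp)"
add chain=input action=accept in-interface-list=GUEST protocol=tcp \
    dst-port=53 comment="guest: DNS (tcp)"
add chain=input action=drop in-interface-list=GUEST comment="guest: drop rest"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface-list=LAN comment="allow LAN"
add chain=input action=drop comment="drop all else"

# --- forward: traffic routed between interfaces ---
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# The guest VLAN may reach the Internet and nothing else: not the LAN,
# not another VLAN, not another site over WireGuard
add chain=forward action=accept in-interface-list=GUEST \
    out-interface-list=WAN comment="guest -> Internet only"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN -> Internet"
add chain=forward action=accept in-interface-list=LAN \
    out-interface=212-Wireguard comment="LAN -> other sites"
add chain=forward action=accept in-interface=212-Wireguard \
    out-interface-list=LAN comment="other sites -> LAN"
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface-list=WAN comment="port forwards"
# A filter chain with no matching rule accepts the packet; this final
# drop is what keeps 10.10.10.0/24 and 192.168.2.0/24 apart at layer 3
add chain=forward action=drop comment="drop all else"
```

Apply the rules from a session that the rules keep open (or in Safe Mode), then test from a guest client: it should get a lease from the hEX, resolve names and reach the Internet, and fail to reach anything in 192.168.2.0/24 or at the other sites. The final drop in the input chain matters as much as the one in forward, since it is what keeps the guest VLAN away from the router's own management services.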

I thought the VLAN provided the separation. That is, 10.10.10.x is VLAN 100. 192.168.2.0 is not on VLAN 100.

I know when I’m confused – and I’m confused.

VLAN provides separation at layer 2 (MAC address).
FIREWALL RULES are for layer 3 (IP address).

I understand that.

I thought that a layer 2 (vlan) separation did not require a layer 3 (firewall) separation also.

Then you don't understand the difference between layer 2 and layer 3, which is not a MikroTik problem :slight_smile:
In any case, firewall rules are an L3 construct…

You are correct (unfortunately), as usual…

Isn’t there an easier way than vlans to segregate traffic by which SSID users connect to?

Sure, get separate hardware and a second internet connection.

With how the current discussion is going, it looks like the OP is getting closer to “way over my head”. :sweat_smile:

Seriously though, the OP should consider hiring a professional for this critical endeavor of securing the network, or postpone said endeavor and take a course in networking, starting with the basics, gradually going advanced, if OP prefers this be done personally.

What a goldmine of help:

  1. Double up the equipment and internet connections
  2. Hire a professional despite my interest in learning and doing this myself
  3. Drown
  4. Dedicate non-existent free time to taking courses
  5. Shut down the existing (super useful, super fun) environment

Please keep them coming – they’re lifting my spirits and are very encouraging!

:smiley: :smiley: :smiley: :smiley: :smiley:

I just watched a couple of videos, trying to follow along and simply copy the steps shown in my hAP ax3 and hEX. One video was running 6.46, the other 7.6 but not wifiwave2 – so I could not even just copy their test-lab setup.

So I went ahead and started playing.

On the ax3 I set up a slave wifi interface named Guest212:

/interface wifiwave2
add configuration.mode=ap .ssid=Guest212 disabled=no mac-address=\
    4A:A9:8A:0F:04:93 master-interface=wifi1 name=Guest212 \
    security.authentication-types=wpa3-psk

And put it in a VLAN interface named wvlan-guest with an ID of 100:

/interface vlan
add interface=Guest212 name=wvlan-guest vlan-id=100

And added the Guest212 VLAN interface and the wvlan-guest VLAN to the existing (one and only) bridge (named bridge):

/interface bridge port
add bridge=bridge interface=Guest212
add bridge=bridge interface=wvlan-guest

I added the 10.10.10.0/24 block to the bridge interface:

/ip address
add address=192.168.2.5/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.10.10.5/24 interface=bridge network=10.10.10.0

On the hEX, I set up a VLAN interface:

/interface vlan
add interface=bridge name=Guest vlan-id=100

IP pool:

/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
add name=Guest ranges=10.10.10.1-10.10.10.253

I have a DHCP server:

/ip dhcp-server
add address-pool=Guest interface=Guest name=Guest-DHCP-server

Added interface Guest to “bridge” bridge:

/interface bridge port
add bridge=bridge interface=Guest

At this point, I can connect with my iPhone to SSID Guest212. The phone, however, gets assigned an IP in the 192.168.2.x block from the RB5009 that the hAP ax3 is connected to (instead of the hEX that is also connected to the RB5009). And, I cannot ping from the iPhone to the ax3’s 10.10.10.5 IP address. I can ping 192.168.2.5 (the other IP of the ax3).

So, how deep below the surface of the sea am I?

Seriously: Thank you all for your guidance.

WIFIWAVE2 is best set by keeping the defaults. Since you only have one wifiwave2-capable device in the mix, roaming and CAPsMAN are not required.
As for the rest, the links provided are ample for your needs.

  a. link to pcunite’s use of VLAN filtering
  b. link to firewalls
  c. link to using an MT device as AP/switch.

If you want further assistance provide network diagrams and complete configs of all MT devices that are talking to one another. Snippets of configs are not helpful.
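As an added example (mine, not the thread's exported configs and not from the linked guides), here is the bridge VLAN filtering that makes the ax3 the AP/switch for the guest SSID and the hEX the router for the guest VLAN, using the names that appear in the posts (Guest212, bridge, ether5 on the hEX, the Guest VLAN interface and pool, ether8 on the RB5009). It assumes the ax3's uplink to the RB5009 is ether2 and that every device in between, including the RB5009, passes VLAN 100 tagged; those port names, the etherN placeholder and the DHCP range are assumptions.

```routeros
# Added example, not from the thread. Assumptions: the ax3 uplink is
# ether2; on the RB5009 the port facing the ax3 is etherN (placeholder)
# and ether8 faces the hEX; all three bridges are named "bridge".

# ===== hAP ax3: access point / switch for the guest SSID =====
/interface bridge
set bridge vlan-filtering=no
# A VLAN interface stacked on the SSID is not needed and must not be a port
/interface bridge port
remove [ find interface=wvlan-guest ]
# Frames from the SSID enter untagged and are placed in VLAN 100 by pvid
set [ find interface=Guest212 ] pvid=100 comment="guest SSID -> VLAN 100"
/interface bridge vlan
add bridge=bridge tagged=ether2 untagged=Guest212 vlan-ids=100
# Guests should not see each other either
/interface wifiwave2
set Guest212 datapath.client-isolation=yes
# The AP needs no address in the guest subnet; the hEX is the gateway
/ip address
remove [ find address=10.10.10.5/24 ]
# Enable last; untagged management traffic stays in VLAN 1 (default pvid)
/interface bridge
set bridge vlan-filtering=yes

# ===== RB5009: carry VLAN 100 tagged between the ax3 and the hEX =====
# Needed only if its bridge has vlan-filtering=yes; a VLAN-unaware
# bridge forwards the tagged frames untouched
/interface bridge vlan
add bridge=bridge tagged=etherN,ether8 vlan-ids=100

# ===== hEX: router, DHCP and firewall for the guest VLAN =====
/interface bridge
set bridge vlan-filtering=no
# The Guest VLAN interface must not itself be a bridge port
/interface bridge port
remove [ find interface=Guest ]
# VLAN 100 arrives tagged on ether5 and is handed to the CPU via "bridge",
# where the Guest VLAN interface (vlan-id=100 on bridge) terminates it
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=100
/ip address
add address=10.10.10.254/24 interface=Guest network=10.10.10.0
/ip pool
set [ find name=Guest ] ranges=10.10.10.2-10.10.10.253
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.254 dns-server=10.10.10.254
# Enable last; 192.168.2.7 on the bridge keeps working untagged in VLAN 1
/interface bridge
set bridge vlan-filtering=yes
```

Make the changes from a console or Winbox session over a path the change does not touch, and use Safe Mode, because a wrong VLAN table entry on the bridge locks you out of the device. With the tags in place end to end, a phone on Guest212 should obtain a 10.10.10.x lease from the hEX instead of a 192.168.2.x lease from the RB5009, which is the symptom reported earlier in the thread. wifiwave2 can alternatively tag the SSID itself with datapath.vlan-id=100 instead of the port pvid; either way the bridge VLAN table entry is still required, and the guest VLAN only becomes useful once the hEX firewall restricts it to Internet access.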

Attached is the (sanitized) export for the ax3 and the hex, as well as a diagram.
Capture.JPG
ax3.rsc (4.31 KB)
hex.rsc (9.16 KB)

Magical internet connection, no ISP or ISPs, AND you're missing the 5009 config.

RB5009 ether1 connected to (Spectrum) cable modem.

config attached.
rb5009.rsc (50.2 KB)

I’ve been trying and trying and I can’t make this happen.

As an alternative solution to VLANs, I even tried setting up another bridge on the ax3 with its own DHCP (172.16.0.0/24), and put the guest SSID on that bridge. Could not route between bridges.

Ugh…

I will look at it today.