Isolated network

ajtudela · February 23, 2016, 8:55pm

Hi, I’m trying to make my own private wireless network for domotic devices and without connection to internet and without connection to others devices of the house.

So,

I created a Virtual AP (wlan2-private)
I created a bridge-private and I added to port
I created a DHCP server for that bridge-private
I block bridge-local and bridge-private, dropping packages in both ways.

How I block bridge-private to internet?

A lot of thanks!

/interface bridge
add comment="Bridge invitados" name=bridge-private
add comment="Bridge local" name=bridge-local

/interface wireless
add comment=Wifi-Private default-ap-tx-limit=10000000 \
    default-client-tx-limit=5000000 disabled=no mac-address=D6:CA:6D:67:C0:71 \
    master-interface=wlan1 name=wlan2-private security-profile=nopassword ssid=\
    Wifi_devices wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=dhcp_private ranges=192.168.4.2-192.168.4.254

/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add auto-isolate=yes bridge=bridge-private interface=wlan2-private

/ip address
add address=192.168.4.1/24 comment="Wifi Private" interface=bridge-private \
    network=192.168.4.0
    
/ip firewall filter
add chain=input comment="Acepta conexiones desde la LAN IPTV " in-interface=\
    vlan2
add chain=input comment="Acepta conexiones establecidas" connection-state=\
    established
add chain=input comment="Acepta conexiones relacionadas" connection-state=\
    related
add chain=input comment="Permite el protocolo ICMP" protocol=icmp
add chain=input comment="Permite VPN mediante el protocolo L2TP/IPSec" \
    dst-port=500,1701,4500 in-interface=pppoe-out1 protocol=udp
add chain=input in-interface=pppoe-out1 protocol=ipsec-esp
add chain=input in-interface=pppoe-out1 protocol=ipsec-ah
add action=drop chain=input comment="Bloquea el resto" in-interface=\
    pppoe-out1
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="Aisla bridge-local y bridge-private" \
    in-interface=bridge-private out-interface=bridge-local
add action=drop chain=forward in-interface=bridge-local out-interface=\
    bridge-private
add chain=input comment="Permite a wifi-private avanzar hacia el router" \
    connection-state=new in-interface=bridge-private
add chain=forward connection-state=new in-interface=bridge-private
add chain=forward comment="Permite avanzar conexiones ya establecidas" \
    connection-state=established
add chain=forward comment="Permite avanzar conexiones relacionadas" \
    connection-state=related
add action=drop chain=forward comment=\
    "Descarta paquetes que avanzan invalidos" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Enmascara las conexiones hacia WAN" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment=\
    "Enmascara las conexiones hacia el puerto WAN" out-interface=\
    ether1-gateway
add action=masquerade chain=srcnat comment=\
    "Enmascara las conexiones hacia IPTV" out-interface=vlan2
add action=masquerade chain=srcnat comment=\
    "Enmascara las conexiones hacia VOIP" out-interface=vlan3

kiaunel · February 24, 2016, 4:30am

You have to create two dhcp-server, one for local and one for private, assigned to separate bridges, two ip pools one for each dhcp server, then restrict your masqurade rule to only specific subnet allowed to internet.

TomosRider · February 24, 2016, 7:53am

This…without NAT Masquerade rule on your private subnet, you wont be able to go on internet…

ajtudela · February 24, 2016, 9:51am

Sorry, I didin’t post it. Yes I have to DHCP servers.

/ip dhcp-server
add address-pool=dhcp_local disabled=no interface=bridge-local name=\
    dhcp_local
add address-pool=dhcp_guest bootp-support=dynamic disabled=no interface=\
    bridge-guest name=dhcp_guest

ajtudela · February 24, 2016, 9:52am

I don’t know why but without NAT masquerade I have internet connection in the private subnet, that is annoying meand i don’t know how to fix it.

kiaunel · February 25, 2016, 4:34am

/ip firewall nat
add action=masquerade chain=srcnat comment=
“Enmascara las conexiones hacia WAN” out-interface=pppoe-out1
add action=masquerade chain=srcnat comment=
“Enmascara las conexiones hacia el puerto WAN” out-interface=
ether1-gateway
add action=masquerade chain=srcnat comment=
“Enmascara las conexiones hacia IPTV” out-interface=vlan2
add action=masquerade chain=srcnat comment=
“Enmascara las conexiones hacia VOIP” out-interface=vlan3

you have to delete theese tree and add only one:

ip firewall nat add chain=srcnat src-address=192.168.4.0/24 out-interface=pppoe-out1 action=masquerade

This will allow only 192.168.4.0/24 to connect to internet

ajtudela · February 25, 2016, 10:34am

Thanks, It works!

ZeroByte · February 25, 2016, 2:33pm

The best way to do this would be to use the forward chain in the filter rules.

Using a bridge for the isolated network (name=bridge-isolated) you would add these two simple rules:
/ip firewall filter
add chain=forward in-interface=bridge-isolated action=drop
add chain=forward out-interface=bridge-isolated action=drop

Then you don’t even need to modify your NAT rules, and fyi - the packets are still actually forwarded with the NAT disabled, and this actually leaves the network open to send things to the Internet that don’t need replies - like SNMP and DNS cache poison packets, DDoS flood traffic, etc.