I am trying to figure out the easiest way to do layer 3 isolation across 2 bridges. They seem to be isolated without my doing anything, but my understanding is that having 2 bridges only guarantees isolation at layer 2. I've seen some other posts addressing this but frankly they were over my head. Basically I have Ether1 configured as the WAN with internet access. Ether2 is on one bridge and has WAN access and a DHCP server. Ports 4 & 5 are on a second bridge. They are part of an isolated LAN that should have no internet access (essentially air gapped). I have an IP assigned to the second bridge so that the isolated network has access to an NTP server I have configured in the router.
I have pasted the whole config of my router below. I have tried 2 methods but neither of them seems to do anything, and the networks seem isolated whether they're there or not. Any help appreciated.
If you want the isolation air-gapped, as you expressed yourself, just use ncr_bridge as the only in-interface, resp. out-interface, selector in the two rules:
In general, the standard firewall rules are useful for one LAN and simple setup.
Once you go beyond that one has to slightly rejig the firewall rules, to ensure only the admin has access to the input chain for config purposes and that the forward chain ensures that subnets' access to the internet and each other is controlled.
There is no need to use raw rules, as they are powerful but crude weapons of security and should only be used if the standard firewall rules are inadequate, which is NOT the case here.
This rule is a security infraction and should be limited at least to the LAN interface only:
add action=accept chain=input comment="Allow Winbox" dst-port=8291 protocol=tcp
Modify the ruleset to the following (get rid of the raw rules):
/ip firewall address-list
# addresses below are set as static DHCP leases
add address=admin-address1 list=TRUSTED comment="admin desktop local wired"
add address=admin-address2 list=TRUSTED comment="admin laptop/ipad local wifi"
add address=admin-address3 list=TRUSTED comment="admin smartphone local wifi"
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=TRUSTED
add action=accept chain=input comment="Users to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="Users to services" in-interface-list=LAN dst-port=53 protocol=tcp
# keep this rule last of all the input chain rules
add action=drop chain=input comment="drop all else"
AND FORWARD CHAIN AS FOLLOWS
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface=bridge out-interface=WAN
add action=accept chain=forward comment="admin access" src-address-list=TRUSTED out-interface-list=LAN
# enable the next rule if required, or remove it
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"
Not sure why you have any route rule? Not required!!!
By the way, your subnet 192.36 is NOT a private range; you should be using ?????
My intention for using two bridges was to maintain the “air gap” between the 2 LANs. As far as the route rule goes, I’m a little out of my element there and saw it another post. That’s why I’m asking questions.
The 192.36. network goes back nearly 30 years and was set up by a consultant at the time for an in-house-only, non-internet-connected LAN for our ERP system written in COBOL :). We have probably 100 PCs with static IPs on this LAN. I know it's not right, but at this point it's not worth the aggravation.
There’s nothing fundamentally wrong with using two bridges. Depending on your exact device, other configurations may be more efficient.
Routing rules (or other modifications to routing) are only necessary if you want to have overlapping subnets (addresses) on your two networks. Otherwise just delete them.
Raw rules are unnecessary. Remove them.
You will have to configure your firewall correctly. The forward chain is the one that applies to packets that go through the router (i.e. come in, go out) and input is what applies to packets destined for the router. E.g. the following firewall rules block packet forwarding between your two bridges:
BTW, don't be ashamed of your COBOL system and its old-timey network. I've handled plenty of these, and they work just fine. You're absolutely on the right track with isolating it from the general Internet and basically everything else that doesn't absolutely have to have access to it.
Thanks for the explanation on what the routing rules are for @lurker888. I have deleted them along with the raw rules and added firewall filter in the forward chain:
Glad to help. Just keep in mind that the two rules that I gave were only as an illustration.
To arrive at a correct final solution, you will have to carefully map what networks should have access to what others, and construct an appropriate set of firewall rules. So basically create a sort of table with your networks (for you currently: [some wider network], bridge, ncr_bridge) as row and column headers, and consider the cells at each intersection of labels: should these have access to each other? should both be allowed to initiate this access, or only one side?
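Added example (not from this thread and not MikroTik's own code): a small Python script that turns the network-by-network access table described above into a RouterOS forward-chain ruleset, and then checks which new flows that ruleset accepts or drops, including the case where the two bridges are left isolated only by a final drop rule. It uses the interface names bridge and ncr_bridge from the thread, assumes the uplink sits in an interface list named WAN (as in the RouterOS default configuration), and the allowed-pairs table is a constructed assumption for illustration; the first_match evaluator understands only the selectors this generator emits.

```python
"""Build a RouterOS forward-chain ruleset from an access matrix and
check which new flows it lets through.

Added example, not from the forum thread or from MikroTik. Interface
names 'bridge' and 'ncr_bridge' come from the thread; 'WAN' is assumed
to be an interface list (as in the RouterOS default config). The policy
matrix below is a constructed assumption.
"""
from itertools import permutations
import shlex

NETWORKS = ["WAN", "bridge", "ncr_bridge"]

# Access matrix: (initiator, destination) -> may initiate connections?
# Anything not listed is denied. Constructed policy: the user LAN on
# 'bridge' may reach the Internet; the air-gapped 'ncr_bridge' initiates
# nothing and is reachable from nowhere.
POLICY = {
    ("bridge", "WAN"): True,
}


def _selector(name, direction):
    """Interface selector for one side of a rule; WAN is an interface list."""
    if name == "WAN":
        return f"{direction}-interface-list=WAN"
    return f"{direction}-interface={name}"


def forward_rules(networks=NETWORKS, policy=POLICY):
    """Return RouterOS CLI lines for the forward chain implementing the policy."""
    rules = [
        "add action=fasttrack-connection chain=forward connection-state=established,related",
        "add action=accept chain=forward connection-state=established,related,untracked",
        "add action=drop chain=forward connection-state=invalid",
    ]
    for src, dst in permutations(networks, 2):
        if src == "WAN":
            # New connections from the Internet are never generated here;
            # port forwards would be a separate dstnat-based rule.
            continue
        if policy.get((src, dst), False):
            rules.append(
                f'add action=accept chain=forward comment="{src} to {dst}" '
                f"{_selector(src, 'in')} {_selector(dst, 'out')}"
            )
    # Default deny: every pair not explicitly accepted above is dropped,
    # so no per-pair drop rules between the bridges are needed.
    rules.append('add action=drop chain=forward comment="drop all else"')
    return rules


def _parse(rule):
    """Parse one CLI line into a dict of key=value fields (quotes handled)."""
    fields = {}
    for token in shlex.split(rule)[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def first_match(rules, in_if, out_if, in_list=(), out_list=(), conn_state="new"):
    """Return the action of the first rule matching a packet that enters on
    in_if and leaves on out_if; in_list/out_list are the interface lists
    those interfaces belong to. If no rule matches, RouterOS accepts the
    packet (the chain's implicit default), which is why a trailing
    'drop all else' rule matters."""
    for rule in rules:
        f = _parse(rule)
        if "connection-state" in f and conn_state not in f["connection-state"].split(","):
            continue
        if f.get("in-interface", in_if) != in_if:
            continue
        if f.get("out-interface", out_if) != out_if:
            continue
        if "in-interface-list" in f and f["in-interface-list"] not in in_list:
            continue
        if "out-interface-list" in f and f["out-interface-list"] not in out_list:
            continue
        return f["action"]
    return "accept"  # implicit default when nothing matched


if __name__ == "__main__":
    print("/ip firewall filter")
    print("\n".join(forward_rules()))
```

Running the script prints a ruleset you could paste into the RouterOS terminal; calling first_match with the generated rules (and with the final drop rule sliced off) shows that the two bridges are only separated at layer 3 because of that last rule, not because they are separate bridges.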
For another viewpoint, in my forward chain rules, besides nearly all the default rules, I have a drop all else rule at the end, so anything not explicitly allowed above is not passed.
In this construct your two rules would not be required because they were not allowed. Cleaner and more efficient IMHO.