Got 4 MikroTik SFP+ routers. What I try to accomplish is zero trust on RJ45. Somehow I managed to make it work, but it only blocks connections between ports. I am not a networking guy; I know what I should know, but I am more like a full stack dev.
Let's say I have 300 devices, and what I try to accomplish is to block ports 22 and 139 to each user. I don't care about performance; security is more important.
On Hyper-V isolation some tutorial says to create your own router, but I have MikroTik, so why do I need to create a virtualized router?
What I do on the first router: drop - forward on ports (that works between ports).
The second approach was to use different networks like .33 and .22, but then I realized in production that doesn't work on the same port.
I tried to use Mangle on prerouting, src address .33 or .22 with a new connection mark, but that still failed; I use it for the bandwidth limit though.
So is there any way to do it, as it is a requirement for me for a government contract?
Maybe something like VLANs? Devices just need to have access to the internet, and from a few IPs outside the router somebody has to connect sometimes.
Just got many MikroTik routers to block traffic between:
(router 1)
CRS309-1G-8S+IN
port 1 hyperv
port 2 hyperv
port 3 esxi
(router 2)
CRS326-24G-S2+
port 1 (30 devices)
port 2 (100 devices) 10mbps/max device
port 2 (50 devices) 10mbps/max device
...
On one router I was trying to use two networks, one for management 192.168.33.0 and one for devices 192.168.22.0, but that was only one of my approaches to block some ports. No VLAN.
I wish to block traffic between users:
Let's say User3 gets compromised: opens an Adobe PDF, computer gets compromised. Let's call him "haxor". He tries to scan the network - can't access different devices on the different router, as it's blocked by the firewall. Then he tries scanning the same network, finds some SSH and does brute force, finds some Samba port, finds the MikroTik management port, checks for an outdated version.
Frankly speaking, I do not understand your language.
You should remember that all devices that are connected at the L2 level communicate directly, with no router's actions taken.
On the other hand, how do you know that traffic from, let's say, computer A to port 139 of device B is the compromised traffic? What is the difference between "normal" and "compromised" traffic when A asks B for login to get access? How do you want to classify/differentiate it?
Assuming that all traffic goes via the router, when and how does the router decide "it's the compromised traffic"?
It's time someone got hired.
I can't understand what you're writing, and if your ideas are as confusing as your writing, well, you'd better hire a consultant who knows what they're doing.
Perhaps post the configuration, since there is some ambiguity on how the IP addresses/ports[/bridge] are configured.
But in theory you should just need an /ip/firewall/filter to drop the desired src-address/src-port etc. Now if all this is flowing through a bridge (and you're just multihoming the IP address on the bridge), you could use the bridge filters to drop traffic, since the traffic may not be going through the firewall – thus some config :export help.
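To make the two places concrete, here is an added example (not the poster's config and not from this thread) of where such drops live on RouterOS: the IP firewall only sees routed traffic, the bridge filter sees traffic switched between bridge ports, and use-ip-firewall pushes bridged traffic through the IP firewall too. The 192.168.88.0/24 subnet, and the choice of ports 22 and 139 from the opening post, are assumptions.

```routeros
# Added example; the subnet and ports are assumptions, adjust to your LAN.

# 1) Routed traffic (crossing subnets) passes /ip firewall filter.
#    Hosts in the same subnet never get here: they talk via ARP on L2.
/ip firewall filter
add chain=forward action=drop protocol=tcp dst-port=22,139 \
    src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    comment="drop SSH/NetBIOS between LAN hosts (routed only)"

# 2) Traffic switched between two ports of one bridge bypasses /ip firewall
#    by default; /interface bridge filter sees it (port or range only, so
#    one rule per port).
/interface bridge filter
add chain=forward action=drop mac-protocol=ip ip-protocol=tcp dst-port=22 \
    comment="drop SSH between bridge ports"
add chain=forward action=drop mac-protocol=ip ip-protocol=tcp dst-port=139 \
    comment="drop NetBIOS between bridge ports"

# 3) Alternative to 2): send bridged traffic through /ip firewall as well,
#    so rule 1) applies to L2-forwarded packets too (costs CPU).
/interface bridge settings
set use-ip-firewall=yes

# Limit: none of this sees hosts that share one bridge port, e.g. VMs
# behind a hypervisor vSwitch; that traffic never leaves the hypervisor.
```

Verify with /ip firewall filter print stats and /interface bridge filter print stats: a counter that stays at zero while a same-port scan succeeds is the symptom the thread describes.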
If you want to get help in the right direction, follow the simple steps!!
Draw a detailed network diagram (ISP, VLANs between devices etc.)
Post your config for all MT devices.
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, DHCP lease lists)
Describe the requirements (not solutions) in the following manner:
a. Identify all the user(s)/device(s), including you, the admin.
b. Identify/describe all the traffic needs of those identified in a.
Ensure you describe any servers being used, and how they are accessed (internally, externally)
Ensure you describe any services being used on the router (VPN etc.)
Ensure you describe in detail if you are using more than one ISP (multi-WAN)
-primary/failover
-load balancing
-incoming only on one ISP
-outgoing dedicated to one WAN
You should remember that all devices that are connected at the L2 level communicate directly, with no router's actions taken.
I think this is the final answer; I read it in a different topic on the MikroTik forum about this issue.
Guys, I ran a Tomato router for 8 years without issue.
It's just that MikroTik is super powerful, so for years I did not make any changes. Simple rule: "If it works, don't touch it".
I was thinking to use MAC-based VLANs, but I see it's port based.
Have you considered Dot1X, and then configuring the client devices to use 802.1X? But all devices need to be on MikroTik ports controlled by Dot1X. See: Dot1X - RouterOS - MikroTik Documentation
Anyway, since no one knows the topology of the devices nor your desired scheme either, it's a bit hard to help.
I think I was not clear about the reason for my question:
The firewall between ports works great; it's just that among devices on the same port there is a wild west.
Let's say on port 3 I have Hyper-V and on port 4 I have ESXi. When I scan the network from port 3 with nmap I can see all SSH port 22 open on port 3, but not on port 4, as it is blocked by the firewall.
Dot1X is interesting, but too complicated for me.
But now I am puzzled how mikrocata2selks works when we can't block a port on the same port.
It's a simple firewall that works; green, yellow, blue are rules to block access to other MikroTik devices.
Terminals located on the same network segment and using the same interface are running at Layer 2. Depending on your network topology, communication between them may not need to go through the interface you configured, thus rendering your firewall rules ineffective.
Yeah, traffic is not going to hit the router firewall unless it crosses an IP subnet (in which case the traffic is routed). But if the IP addresses are in the same subnet, then ARP will resolve it on the VM hypervisor.
A few possible approaches:
1. Use an IP subnet for each VM client. So you assign each VM guest its own unique subnet, and assign the default route on the router. Since each device will have to use routing to get to another device, it will go through the firewall. But you can't use DHCP (or at least you'd need to associate MAC addresses as static leases). Also, you'll have a bunch of IP subnets configured in a few spots. And, since all hosts are on the same bridge, broadcast and L2 remain open... so it is possible to block ports like SSH, but "less secure" than 2 or 3.
2. On the VM host side, wire each VM guest as a port to CHR. On VMware, you need a vSwitch per device (IDK the Hyper-V terms, but it also needs something similar). And similar to 1, each needs its own IP subnet (although with port isolation in the bridge). But this forces all L2 and L3 traffic to CHR's firewall.
3. On the VM host side, set a unique VLAN per VM guest, and set CHR as a trunk port to the vSwitch. Here you'd need a VLAN on CHR matching each VM guest's network VLAN ID. Also need IP subnets configured like 1.
I like the idea; keep it simple, stupid. It is possible as you say, but it requires a little too much complication. As you mentioned before, even with Dot1X.
I think, like on Windows, create a simple bat file to block bulk access to an IP list with the local firewall.
On Mac I found pf.conf -->> "block drop from any to 192.168.88.XX"
And still, between ports the firewall works awesome.
Maybe, just maybe, in the future I will create a virtual router for Hyper-V or ESXi.