Multiple Networks - how to do the separation?

Hey there,

I just bought my first RouterBoard (RB 3011) and couldn’t find any answers to this simple, beginner task:

(Smart Home environment)
I configured 4 separate networks for different purposes.
10.0.1.0/24 - general purpose
10.0.2.0/24 - smart home
10.0.3.0/24 - voip
10.0.3.0/24 - restricted

All these networks have their own ip range, dhcp server, etc.
RouterOS connects all subnets by default via dynamic routes (which works fine).

But I didn’t get the following:

  • What is the difference between a “Route” (dynamic or static) and a “Bridge”? When do I have to use a bridge to connect two networks? Defining a route seems to do the same job for me here?

  • How do I do a proper separation and securing of these networks? Simply by defining more Firewall rules? Or what is the “best practice” to do this (e.g. restricted network only can access WAN, not other nets, .. general purpose can only access several ports/ips within voip … and so on)


Thanks for your help with these absolutely beginner questions :wink:

A bridge is Layer2, a route is Layer 3.
With a bridge you connect multiple segments of the same physical network (i.e. interfaces).

Separating networks is done on Layer3 in /ip firewall filter.

10.0.3.0/24 - voip
10.0.3.0/24 - restricted

The same IP networks - is it a mistake?
Firewall rules can’t be used with a bridge (with some exceptions).
I.e. a “bridge” simulates a usual L2 switch. Like you just take cables from each network and plug them into the same switch. Simple but no security.
A router is a more clever device and you can set rules for access (and not only). But more complex in setup.

Pretty easy with a few firewall rules. I’m doing a similar thing. In my case I replaced multiple consumer grade routers with one MikroTik. The MikroTik is set up to emulate the individual routers. Each LAN is isolated from the others, and routes to the internet via a different public IP (just as they had with the individual consumer routers). Here are a few lines from my firewall rules. The comments and interface names should give a pretty good idea what I’m doing.

/ip firewall filter
add action=drop chain=forward comment="Block all traffic on .201 from accessing .204" in-interface=E3-p5_201 out-interface=E4-p7_204
add action=drop chain=forward comment="Block all traffic on .204 from accessing .201" in-interface=E4-p7_204 out-interface=E3-p5_201
add action=drop chain=forward comment="Block all traffic on .201 from accessing .205" in-interface=E3-p5_201 out-interface=VLAN_205
add action=drop chain=forward comment="Block all traffic on .205 from accessing .201" in-interface=VLAN_205 out-interface=E3-p5_201
add action=drop chain=forward comment="Block all traffic on .204 from accessing .205" in-interface=E4-p7_204 out-interface=VLAN_205
add action=drop chain=forward comment="Block all traffic on .205 from accessing .204" in-interface=VLAN_205 out-interface=E4-p7_204


Before those rules is another couple of rules that allow specific privileged IPs access from one LAN to another.

Does this help you out?

Thanks for your help!

  1. @BlackVS Yes, 2 same networks (10.0.3.0/24) is a mistake. I set 4 different networks (.1 to .4)

  2. @k6ccc:
    Thanks for your firewall rules. This seems pretty straightforward for me. In my case I only have 1 WAN interface and therefore only 1 public IP address (which shouldn’t matter for the concern of separation of the networks from each other).

  • I guess for granting access e.g. from my “general purpose” network to the “smart home” control system, it is the best practice to allow this specific IP/port and drop all other traffic?

My general question was about the best practice for network separation with RouterOS. As I read from your answers: Doing L3 routing + setting up proper firewall rules is the way to go?

Thanks and greetings,
malstro

You’ve got it.

Once I got the hang of it, it was pretty simple. Remember that everything is allowed unless you deny it. So essentially you want to allow the specific stuff you want and then deny everything else.
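The pattern described in this thread (specific allows first, then drop everything else) written out for the four subnets from the opening post, as an added example that is not configuration posted by anyone in the thread. Interface names ether1 (WAN) and ether2 to ether5, the smart home controller at 10.0.2.10 on TCP 8123 and a PBX at 10.0.3.5 on UDP 5060 are assumed placeholders; the rules are evaluated top to bottom and `add` appends, so this order matters.

```routeros
# Added example, not from the thread. Assumed: ether1 = WAN, ether2 = general
# purpose (10.0.1.0/24), ether3 = smart home (10.0.2.0/24), ether4 = voip
# (10.0.3.0/24), ether5 = restricted (10.0.4.0/24). Addresses/ports below are
# placeholders for the devices you actually want reachable.
/interface list
add name=WAN comment="upstream link"
add name=LAN comment="every internal segment, so new ones inherit isolation"
/interface list member
add list=WAN interface=ether1
add list=LAN interface=ether2
add list=LAN interface=ether3
add list=LAN interface=ether4
add list=LAN interface=ether5

/ip firewall filter
# Stateful first: replies to connections already permitted below come back
# through this rule, so the allow rules only need to describe the initiator.
add chain=forward action=accept connection-state=established,related \
    comment="allow return traffic of permitted connections"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# Specific holes between LANs, placed BEFORE the inter-LAN drop.
# General purpose may open the smart home controller's web UI, nothing else.
add chain=forward action=accept in-interface=ether2 out-interface=ether3 \
    dst-address=10.0.2.10 protocol=tcp dst-port=8123 \
    comment="general -> smart home controller (placeholder host/port)"
# General purpose may register with the PBX on SIP only.
add chain=forward action=accept in-interface=ether2 out-interface=ether4 \
    dst-address=10.0.3.5 protocol=udp dst-port=5060 \
    comment="general -> PBX SIP (placeholder host/port)"

# Everything else between internal segments is dropped. Because the restricted
# network has no allow rule above, it can reach the WAN only.
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="isolate all LANs from each other"

# Internet access for every segment.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN -> internet"

# Final catch-all: anything not matched above (e.g. unsolicited traffic
# arriving from WAN) is dropped rather than silently allowed.
add chain=forward action=drop comment="default deny in forward chain"
```

After loading this, `/ip firewall filter print stats` shows per-rule packet counters, which is the quickest way to confirm that the inter-LAN drop rule is actually matching and that the specific allow rules are the only ones carrying cross-segment traffic.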