Network Isolation

Hi guys, I'd like to ask how to set up network isolation.
I've searched for a solution for months, but nothing works.

Below is the configuration for the network:
[image: config.jpg]
The main problem is that I can still access the other subnet. For example, I can still cast from my smartphone to my TV (192.168.1.0/24) even when I am connected through the guest network (192.168.2.0/24, using Hotspot).
What I want is for devices inside the guest network to be able to access only the internet.
I have added another router to solve this problem; before, I only had 1 modem + 1 MikroTik (192.168.1.0/24) + 1 Linksys (192.168.2.0/24) [the TV and guests were in the same network].

I tried 2 methods for this problem:

  1. I have a Bridge (WLAN1, eth1, eth2, eth3 and eth4) with IP 192.168.1.0/24 and eth5 [no master] with IP 192.168.2.0/24,
     with this configuration:

Firewall
/ip firewall filter
add action=accept chain=forward comment="Allow mainnetwork access guestnetwork" \
    in-interface=bridge out-interface=ether5
add action=drop chain=forward comment="Isolate guest test" \
    in-interface=ether5 out-interface=!ether1
add action=drop chain=input comment="Hotspot Isolate guest to main" \
    dst-address=192.168.1.0/24 src-address=192.168.2.100-192.168.2.254
add action=reject chain=input comment="Hotspot Isolate Self" dst-address=\
    192.168.2.2-192.168.2.254 reject-with=icmp-admin-prohibited src-address=\
    192.168.2.100-192.168.2.254

Route Rules

/ip route rule
add action=drop comment="Isolate guest" dst-address=192.168.1.0/24 \
    src-address=192.168.2.0/24
  2. I have a Bridge (WLAN1, eth1, eth2, eth3 and eth4) with IP 192.168.1.0/24 and a Guest Bridge [eth5] with IP 192.168.2.0/24,
     with this configuration:

Bridge
/interface bridge port
add auto-isolate=yes bridge=Guest comment=GuestBridge interface=ether5

Firewall

/ip firewall filter
add action=drop chain=input comment="Hotspot Isolate to main" \
    dst-address=192.168.1.0/24 src-address=192.168.2.100-192.168.2.254
add action=reject chain=input comment="Hotspot Isolate Self" dst-address=\
    192.168.2.2-192.168.2.254 reject-with=icmp-admin-prohibited src-address=\
    192.168.2.100-192.168.2.254

Route Rules

/ip route rule
add action=drop comment="Isolate guest" dst-address=192.168.1.0/24 \
    src-address=192.168.2.0/24

Neither of them solves my problem.

Can you help me, please?
Thanks in advance :slight_smile:

Rebuild your first two firewall rules:

/ip firewall filter
add chain=forward action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24 connection-state=established,related comment="allow answers to main"
add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.1.0/24 connection-state=new,invalid comment="block new connections into main"

You don’t need the route rules for this.

-Chris
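A fuller version of the same approach, added here as an example; it is not Chris's or Jeremiah's configuration. It assumes the interface names used in the thread (`bridge` for the main LAN, `Guest` for the guest bridge), that `ether1` is the port toward the modem (an assumption), and RouterOS v6 syntax:

```routeros
# Added example, not the poster's configuration.
# Assumptions: "bridge" = main LAN 192.168.1.0/24, "Guest" = guest bridge
# 192.168.2.0/24, ether1 = WAN port toward the modem.
/ip firewall address-list
add list=lan-main address=192.168.1.0/24 comment="main LAN (from thread)"
add list=lan-guest address=192.168.2.0/24 comment="guest LAN (from thread)"

/ip firewall filter
# forward chain: traffic routed between interfaces
add chain=forward action=accept connection-state=established,related \
    comment="replies to flows that were already accepted, both directions"
add chain=forward action=drop connection-state=invalid \
    comment="drop packets with broken state"
add chain=forward action=drop in-interface=Guest dst-address-list=lan-main \
    comment="guest may not open connections into main"
add chain=forward action=accept in-interface=Guest out-interface=ether1 \
    comment="guest -> internet only (ether1 = WAN, assumption)"
add chain=forward action=drop in-interface=Guest \
    comment="anything else leaving the guest network"

# input chain: guest hosts talking to the router itself
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=Guest protocol=udp dst-port=53,67 \
    comment="DNS and DHCP for guests"
add chain=input action=drop in-interface=Guest \
    comment="no other access to the router from guests (Winbox, SSH, web, ...)"
```

Order matters: the `established,related` accept has to come before the drops, and `add` appends to the end of the chain, so on a router that already has rules use `place-before=` (or add the rules before the existing ones in the export). If Hotspot runs on `Guest`, keep its dynamic rules (flag `D` in `/ip firewall filter print`) ahead of the input drop, otherwise the login page and its DNS redirect stop working. These rules only affect traffic that the router routes between the two subnets; a device that still shows up in a discovery menu after this is not being found through the routed path (link-local multicast such as mDNS or SSDP stays inside one broadcast domain, and a direct Wi-Fi peer-to-peer link between phone and TV never touches the router), and no forward-chain rule will change that.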

Hi Chris,
Thank you for your reply.
I've followed your way, but I can still see my TV from the guest network.
For your information, I can't connect to the TV by IP or application, but it is still there if I open my phone's cast menu (to mirror my phone display to the TV).

Any other idea? Is making my guest network a bridge the only way?
I have tried all possible rules, but none work.

Thanks and best regards,
Jeremiah

Now this is odd.
I don't see anything that would allow the TV to be discoverable from your guest network.
Could it be that the entry is cached on your phone?
Did you perhaps forget about a static DNS entry on your router which points to the TV?
Or could it be cloud-based? So that the TV connects to a server on the internet to share its address and availability, and your phone app is checking this server as well?
Or do you have PIM and/or IGMP proxy running?

-Chris
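Read-only commands that check each of these guesses on the MikroTik, added as an example (not from the thread). RouterOS v6 CLI is assumed; the IGMP proxy and PIM commands only exist when the multicast package is installed:

```routeros
# Added example: read-only checks for the possible causes listed above.
# Assumes RouterOS v6 syntax and the thread's subnets.
/ip dns static print              # static name -> address entries (is the TV here?)
/ip dns cache print               # cached answers; /ip dns cache flush to clear
/ip upnp print                    # is UPnP enabled at all?
/ip upnp interfaces print         # and on which interfaces
/routing igmp-proxy interface print   # IGMP proxy interfaces (multicast package)
/routing pim interface print          # PIM interfaces (multicast package)
/ip firewall filter print where dynamic=yes   # rules added by Hotspot and friends
# live connections crossing from guest to main while the phone scans for the TV
/ip firewall connection print where src-address~"^192\\.168\\.2\\." and \
    dst-address~"^192\\.168\\.1\\."
```

If the last command shows nothing while the TV still appears in the phone's menu, the discovery traffic is not crossing the router as routed IP traffic at all, which narrows the search to the phone and TV themselves.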

Yes, theoretically the logic of the rules is correct.

Could it be that the entry is cached on your phone?

No, because it's a new phone and it has never had access to the TV.
The TV is a Sony Bravia, from around 2013-2014 (maybe it helps if I mention it).

Did you perhaps forget about a static DNS entry on your router which points to the TV?

Do you mean the DHCP server settings?
I just flushed all the IPs and reset them, because the TV network was on the same router as the guest network (using 192.168.2.0/24).
Now I have separated them and followed the configuration in the picture in my first post.

Or could it be cloud-based? So that the TV connects to a server on the internet to share its address and availability, and your phone app is checking this server as well?

No. The TV is only available in my phone's cast/screen mirroring menu. It can't be discovered if I access it from the Sony apps from the Play Store.

No, I didn't mean the DHCP settings, but perhaps a static entry for the TV in /ip dns static.
Did you enable UPnP on your router?
Try disabling it.

Sorry, I'm only guessing. I have absolutely zero experience with Chromecast or any other related devices.


-Chris

Ah, I see. No, there is no DNS entry related to the TV.
I also tried disabling UPnP on my router (Linksys E1000), but I can still see the TV.

Sorry, I'm only guessing. I have absolutely zero experience with Chromecast or any other related devices.

No problem. I'm very thankful for your help :smiley:
I think the protocol is a little bit different when casting to dongles (like Chromecast, Ezcast, etc.) and when casting directly to the TV (using its own feature).