Non-standard config bridging and firewall

Hi All.

I’ve been playing around trying to get a Routerboard Hex lite to act as a security device on my LAN rather than its original purpose of being an internet router. The basic idea that I want to do is to have two groups of ethernet ports, 1 & 2 and 3, 4 & 5, where anything in each of the groups can communicate freely with another device in the same group, but communications between the two is firewalled and preferably proxy arp(ed) so as to prevent unwanted traffic.

My initial plan was to set up a bridge for each of the two groups and then a third bridge which ran proxy arp to link the two port bridges. However the router didn’t appear to like this and no matter how hard I tried I couldn’t get any data flow between ports that weren’t on the original bridge. Any additional bridge that I created didn’t show up as having hardware acceleration so I’m guessing that this was just a limitation of the hardware (Atheros 8227), although the documentation suggests that it should have still been possible only utilising CPU time, so perhaps I’ve missed something?

Because of this I decided to have a go at using a single bridge (with ports 1 & 2 set to proxy arp) and using lists to achieve the firewalling instead. I’ve created a new interface list (called LOCAL) and added ethernet ports 3, 4, and 5 to it. I’ve then created a new firewall rule based off default rule 4 (drop all not coming from LAN) with:-

chain = input,
In. Interface list = ! (not) LOCAL (is LAN-> bridge for rule 4)
action = drop,

The intention being to prevent access to the control pages from anything other than ports 3, 4 or 5 as a simple test. However, enabling this rule causes the whole shooting match to fall over with or without rule 4 enabled. For some unknown reason it’s blocking access from all ethernet ports. What’s really strange is that, having performed a complete reset and sat watching the counters, I can see regular packets being blocked as something on my computer attempts to connect to the router (the rule allowing existing connections is my friend here), but cancelling the not on the input list stops the count going up and strangely seems to enable communications from all ports as opposed to blocking ethernet ports 3, 4 and 5 as I’d expect.

Can anybody shed any light on what’s going on or offer some advice on how I might proceed? The only other thing I can think of is playing about with VLANs but I really don’t have any experience of these.

Thanks

Russell

Is there any reason not to introduce 2 subnets? Essentially the same as 2 VLANs but based on port membership. It has an advantage over the VLAN approach (VLANs are not HW accelerated on your device with the current way of configuring it) in this particular case.

If this would be an option, then you’d create 2 bridges, one per port group. Beware that only one bridge can be HW offloaded, so you should disable hw on the other bridge (carrying less traffic). Assign IP setup to each bridge and construct regular firewall rules to govern traffic between both subnets.

If subnetting is not an option, then post full (nonworking) configuration (/export hide-sensitive) … we might spot something.

Hi.

Thanks for the reply.

Assuming by subnets you mean why don’t I put one “group” on 192.168.89.x/24 and the other on 192.168.88.x/24, then the answer is yes and no. Basically I don’t want to rely upon subnets as security as they can be easily breached. For simplicity, if we call ethernet ports 1 & 2 the insecure side and ethernet ports 3, 4 & 5 the secure side, then I want computers on the insecure side to be able to access the internet via the gateway, which has to be on the secure side due to limitations on where I can physically place hardware, and also some computers / devices on the secure side (e.g. printers).

The problem comes in that the main DHCP server is the gateway and this would be unaware of which “side” things were on. I could set up DHCP server(s) on the routerboard but my attempts at this haven’t been any more successful than the rest of my endeavours to date. As I understand it, relying upon subnets to do the work would get very messy very quickly as different devices would need different IP spaces on the secure side according to whether they should be visible on the insecure side or not. I suppose I could use the router as more of a router with all “insecure side” traffic not destined for the insecure subnet sent to it, but I’m not sure how broadcasts for finding printers etc. would work, or how to get RouterOS to forward on internet-destined traffic to the gateway.

You say

if this would be an option, then you’d create 2 bridges

but I’ve already tried that and not got it to work. My initial attempt was to simply create a group of two ports and a group of three with no link between the two groups and it didn’t work, only the group of three, which utilised the original bridge worked. You then say

so you should disable hw on the other bridge

I left the HW acceleration box ticked; is that what’s caused the problem? If I’d un-ticked it would the “insecure” bridge have worked? I just assumed that RouterOS, which indicated the insecure bridge wasn’t hardware accelerated, would just do it in software.

If you think that the above limitations can be easily overcome using RouterOS then I’m happy to do so as it was one of the ways I initially considered doing it.

Hope all of this makes sense. Please forgive my limited knowledge of IP networking but I spend my life working at layers 1 & 2. My knowledge of layers 3 and above is what I get sight of as it goes flying past on the protocol analyser.

Thanks again

Russell

I can see a few benefits of having both device groups in the same IP subnet, but they come with some work to be done.

What you can try is to configure a single bridge with all 5 ethernet ports … then set use-ip-firewall=yes and disable HW offload on ports of one “security” group (the one with less traffic). The last step is needed to force all traffic to go via the RB’s CPU, where firewall rules will get applied. With HW offload traffic will get forwarded by the switch chip and none of the firewall filter rules will apply.

Beware that without HW offload your hEX lite will become a bottleneck of your network.

Thanks for this.

I’m not averse to the idea of using two different subnets; it does in some ways have some advantages. Given what I’m trying to do the hEX is always going to be my limitation, but it’s unknown light-duty traffic risk at this point. If I need to upgrade then I will.

I’ve had a play around with your proposal and hit a problem I’ve also encountered before… So I’ve
added all ethernet ports to bridge.
disabled HW acceleration on eth1 and eth2
gone to /interface bridge settings and typed “set use-ip-firewall yes”

all appears good.

As a test I thought I’d try and stop ether2 from being able to ping the router… so I’ve inserted a firewall rule of:
protocol ICMP
chain input
In Interface ether 2
action drop

I’m getting a response of " in/out-interface matcher not possible when interface (ether2) is slave - use master instead (bridge)"

Any ideas?

Thanks again

Russell

Unless you go with two subnets tied to two bridges you won’t be able to construct firewall filters which refer to input interface. You’ll have to do it using IP addresses. Which then brings proper DHCP address assignment (if we dismiss the complication about statically set IP config on clients) into the picture.

Thanks

Looks like the two subnet option is the best way forward in that case. As you say static IPs will prove a real problem otherwise.

Sadly I don’t have much time to play about over the next couple of days, so I might go a bit silent. Are there any special settings I’ll need to put on the second bridge? As I say, thus far I haven’t managed to make a second one work. I’m guessing disable HW offload but what else will be required?

Thanks

Russell

There’s no special magic about the second bridge. Untick HW offload for ports on the bridge with less expected traffic and make sure MAC addresses are all different.
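Putting the thread's advice together, here is an added RouterOS configuration sketch for the two-bridge, two-subnet design; it is my own example, not something posted by anyone in the thread. It assumes ether1-2 are the insecure side on 192.168.89.0/24 and ether3-5 the secure side on 192.168.88.0/24, and the bridge names, the upstream gateway at 192.168.88.1 and a printer at 192.168.88.20 are placeholders; with two real bridge interfaces the in-interface matcher works in both the input and forward chains, which is exactly what the single-bridge setup could not do once the ports became bridge slaves.

```routeros
# Added example (not from the thread): two bridges, two subnets, one hEX lite.
# Assumptions: ether1-2 = insecure side on 192.168.89.0/24, ether3-5 = secure
# side on 192.168.88.0/24; upstream gateway 192.168.88.1 and printer
# 192.168.88.20 are placeholders.
/interface bridge
add name=bridge-secure comment="ether3-5, HW offloaded"
add name=bridge-insecure comment="ether1-2, software bridge"

# Only one bridge can use the switch chip; hw=no on the low-traffic group
# so its frames always pass the CPU, where the IP firewall runs.
/interface bridge port
add bridge=bridge-secure interface=ether3 hw=yes
add bridge=bridge-secure interface=ether4 hw=yes
add bridge=bridge-secure interface=ether5 hw=yes
add bridge=bridge-insecure interface=ether1 hw=no
add bridge=bridge-insecure interface=ether2 hw=no

/ip address
add address=192.168.88.2/24 interface=bridge-secure
add address=192.168.89.1/24 interface=bridge-insecure

# Insecure-side clients use the hEX as their gateway; the hEX forwards upstream.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1

# DHCP for the insecure side only; the existing gateway keeps serving the secure side.
/ip pool add name=insecure-pool ranges=192.168.89.10-192.168.89.200
/ip dhcp-server add name=dhcp-insecure interface=bridge-insecure address-pool=insecure-pool disabled=no
/ip dhcp-server network add address=192.168.89.0/24 gateway=192.168.89.1 dns-server=192.168.88.1

# Hide insecure-side addresses behind the hEX so the gateway needs no return route.
/ip firewall nat
add chain=srcnat src-address=192.168.89.0/24 out-interface=bridge-secure action=masquerade

# Router management reachable from the secure bridge only; DHCP must still get in.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=bridge-secure action=accept
add chain=input in-interface=bridge-insecure protocol=udp dst-port=67 action=accept
add chain=input action=drop
# Between the subnets: secure -> insecure allowed, insecure -> secure limited
# to the printer and to traffic leaving via the upstream gateway.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge-secure out-interface=bridge-insecure action=accept
add chain=forward in-interface=bridge-insecure dst-address=192.168.88.20 action=accept
add chain=forward in-interface=bridge-insecure dst-address=!192.168.88.0/24 action=accept
add chain=forward action=drop
```

The input rules are what the original `in-interface-list=!LOCAL` attempt was reaching for: on a single bridge the input chain sees `bridge` as the in-interface for every port, so a negated list of ether ports matched everything and dropped all management traffic.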