I’m trying to deal with a large number of RESERVED LAN-side IPs.
What is the quickest or easiest way to transfer a whole whack of devices with specific IPs from my current router to the MikroTik?
I understand the basic method of adding a DHCP lease and making it static, which I believe is a process similar to reserving an IP.
I am looking for something more efficient for a large number of them.
Looking for what I think is the right text for a lease script. The purpose is to reverse the default order of assigning IPs on the LAN. Right now it starts at the end with .254, whereas I want it to start at .02 for example.
Finally, if I want to remote into the MikroTik from another location, what is the best way?
a. Can I HTTPS into the router?
b. Can WinBox be used in a secure fashion?
It depends on what a large number is. If you have many thousands of them, in a database or somewhere, it might be worth writing a program to add them using the API, or a RouterOS script to read them from an exported CSV, or something like that. If it’s fewer, then it’s probably better to just prepare the config (semi)manually. It again depends on what you have now, but if you had e.g. a CSV like:
in a matter of seconds using a text editor (something better than Notepad). It would work for many thousands too, so the only reason for any automated solution is if you’d need to do it repeatedly or for many devices.
Why? The order in which addresses are assigned is just cosmetic, with zero functional impact.
3a) Yes. You need to get a certificate and enable www-ssl in /ip services.
3b) I don’t know if MikroTik publishes details about the protocol used by WinBox, but it should use encryption. Advanced stuff, e.g. how it deals with possible MITM attacks, that’s a question. If you don’t trust it, you can use some VPN to connect to the router and only use WinBox over the VPN.
I agree it may be cosmetic, but there has to be a way to reverse the order… or don’t anyone dare tell me about the granularity of this router.
What is the lease script area at the bottom of the page good for?
(Thanks for the remote login tips.)
Concur on your suggestion of address objects, but can you show me the code example that would make each address a STATIC lease?
I didn’t test it, but you may try multiple single-address pools with next-pool options linking them together. If you start with the lowest address and continue higher, it may do what you need. If you actually try it, I’ll believe that it’s really important for you.
The lease script is, to quote the manual: “Script that will be executed after lease is assigned or de-assigned.” You’ll find more details there, but it doesn’t look like it could help you with what you want.
“/ip dhcp-server lease add” is how you define a static lease. I don’t know in what format you have the input, and I’m not good with RouterOS scripting anyway. But if it was a CSV like in my example, all you need is some regular expression search & replace. Search for “^([^;]+);([^;]+);([^;]*)$” and replace with “add server=dhcp1 address=\1 mac-address=\2 comment=\3”. I usually use the UltraEdit text editor or a quick PHP script, but there are many different ways to do it (other editors, Unix fans can run it through the sed command, etc.).
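The regex search & replace above, done as a small Python script instead of in an editor. This is an added example, not code from the thread: it assumes the same address;mac-address;comment column order as the answer, validates each row (so a typo in the input does not become a broken lease), and the sample CSV is constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample input in the address;mac;comment layout; the last row is deliberately bad.
SAMPLE_CSV = """192.168.0.2;00:11:22:33:44:55;printer
192.168.0.3;AA:BB:CC:DD:EE:01;nas
192.168.0.4;aa-bb-cc-dd-ee-02;camera front door
not-an-ip;00:11:22:33:44:99;broken row
"""

# Same pattern as the search expression quoted in the post.
LINE_RE = re.compile(r"^([^;]+);([^;]+);([^;]*)$")

def normalise_mac(mac):
    """Accept 00:11:.. or 00-11-.. forms and return upper-case colon-separated form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def csv_to_leases(text, server="dhcp1", subnet=None):
    """Return (commands, rejected): one 'add ...' line per good row, (lineno, reason) per bad row."""
    commands, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            rejected.append((lineno, "row is not address;mac;comment"))
            continue
        addr, mac, comment = m.groups()
        try:
            ip = ipaddress.IPv4Address(addr.strip())
            mac = normalise_mac(mac.strip())
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        if subnet is not None and ip not in subnet:
            rejected.append((lineno, f"{ip} is outside {subnet}"))
            continue
        # Quote the comment so spaces survive RouterOS command parsing.
        safe_comment = comment.strip().replace('"', '\\"')
        commands.append(f'add server={server} address={ip} mac-address={mac} comment="{safe_comment}"')
    return commands, rejected

def render_script(commands):
    """Prefix the add lines with the menu path so the result can be pasted into a terminal."""
    return "/ip dhcp-server lease\n" + "\n".join(commands) + "\n"
```

Pass `subnet=ipaddress.IPv4Network("192.168.0.0/24")` to also reject addresses that do not belong to the DHCP server's network.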
Okay, the IP address list has been converted to leases via a VBA macro; all is good!
Now applying firewall rules is next.
Requirements
1. Block LAN1 to DMZ (in effect, block Home_bridge access to DMZ-bridge).
2. Block DMZ to LAN1 (in effect, block DMZ-bridge to Home_bridge).
Given I have an address list consisting of a number of IP addresses/devices on LAN1 called “badboys”:
3. Block badboys from accessing any other LAN devices on LAN1 (devices on Home-bridge).
In a basic approach, is this optimal?
/ip firewall filter
add chain=forward action=drop src-address=192.168.0.0/24 dst-address=192.168.2.0/24 in-interface=home_bridge
add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.0.0/24 in-interface=DMZ-bridge
add chain=forward action=drop src-address-list=badboys dst-address=192.168.0.0/24 in-interface=home_bridge
Is the forward chain the correct one to use, and if not, then input?
Where should the rules be placed, for example before the forward accept rules, right?
I have seen recent examples where the person did not use a subnet address in the source or destination address but instead used the address list method.
ex. vice 192.168.0.0/24 in source address, they used “lanrange” in source address list (as defined in address lists as lanrange = 192.168.0.1-192.168.0.254)
Which is better and why?
1,2) You can use what you posted, or you can use just interfaces without addresses; there are different ways, as usual.
When some of your badboys want to connect to another device in the same LAN, they will connect directly; they won’t send anything to the router.
It’s simple: forward = what goes through the router, input = what goes to the router itself.
Rules are processed in order, from first to last. Processing stops when the first matching rule is found. So, remembering this, place them in a way that does what you need.
It depends. If you want to have it defined in a single place, e.g. because you expect to change it in the future and don’t want to hunt for it in several places, then an address list is better. But if you just want to set it and let it work, then it doesn’t matter.
Okay, so how do I block LAN device to LAN device connectivity for devices on the same LAN?
In other words, only allow them internet access, I suppose?
(And remember the devices I want isolated are identified in an address list.)
If you want to block some devices from connecting to other devices on the LAN, then you need to create a separate LAN for those devices and deploy appropriate firewall rules.
A separate LAN can be either a VLAN or a physical LAN. However, if badboys can physically access “normal” LAN ports/APs, they can connect there, use a static IP address from the correct subnet (DHCP denying an address lease can not help you here) and then do bad things. And you can not stop them. So yes, the security of your network depends on the physical security of your infrastructure.
If a LAN device wants to connect to another LAN device, it does it directly on L2 (Ethernet), and the L3 (IP) gateway (your router) is completely bypassed. The only way of controlling what LAN devices do to each other is on L2, and if you insist on using the RB, that probably means using a SW bridge of LAN Ethernet ports and heavy bridge filtering.
Even if you do it, a badboy could connect a dumb Ethernet switch on the LAN connection of his object of desire, and then his traffic towards his object of desire would not pass your RB.
Again: if you have physical control over your LAN, then you can create a separate LAN for guests and prevent them from accessing your “real” LAN, only allowing them internet. Think of it as a DMZ. If there will be more than one device connected to the guest LAN at the same time (e.g. using guest WLAN), then they will be able to poke each other; no separation between them.
Okay MX, I get it: a separate interface (separate bridge and separate LAN) would do the trick for badboys.
You tweaked my interest when you said VLAN.
If I could put badboys on a VLAN running as a separate tunnel on the same LAN host network, would that do the trick?
Would that isolate them from the rest of the LAN?
Requirements (let’s say VLAN 15):
a. All devices in badboy would have to be connected to managed switches?
b. All devices would be connected to switch ports with PVID vlan15, as all the packets coming from the devices would have to be tagged with vlan15, so that the switch knows what other ports that traffic is permitted to access; and when leaving the switch to get to the MikroTik, that exit port would be tagged “T”, so the vlan 15 marks are not stripped off upon exit, so that when it gets to the MT router, it moves that traffic accordingly (to the internet).
If that is the general idea, then I would need to:
set up a VLAN on the MT riding on the Home-Bridge network.
I would then have to set up a route rule for that traffic, right? Separate from the current route rules, which basically address traffic flow out my two WAN gateways.
I would then have to set up a masquerade rule for VLAN traffic out to the internet.
Finally, would I need a FW rule to block VLAN-to-anything-else traffic?
Basically you’ve got it right. There is a benefit in having the VLAN used only inside the RB (e.g. have a single ether port configured as an access port for that VLAN and then build the whole routing logic on top of the VLAN), but I guess it’s an over-complication. If there are other managed switches in the mix, then VLAN is worth thinking of. Especially if separate physical infrastructure (including cables, switches and APs) is not an option.
Regarding routing: you will need a few simple firewall filter rules which will prevent connectivity between different (V)LAN segments. I guess you don’t need anything in addition to whatever you’ve already got in place for internet connectivity for other (V)LANs. Unless your src-nat/masquerade rules are picky about src address and/or ingress port.
This part is almost the same regardless of LAN separation type (VLAN vs. separate infrastructure); the logic is exactly the same, differences are only in details.
An illustration to my previous post about adding a “badboy” VLAN to the routing/firewalling mix: at my place I’ve got 3 VLANs: one for “good boys”, one for guest WiFi and a third one for the ISP’s IPTV (multicasts are delivered via a VLAN tagged stream, but the set top box needs internet for EPG etc.) that I don’t trust and I don’t want to have exposed to guests either. Actually there’s a fourth VLAN, but it’s used in the manner of “single ethernet port and all routing built on top of VLAN”.
I have all ethernet interfaces attached to a single bridge and I do everything on a VLAN basis.
/interface vlan
add interface=bridge name=vlan-40 vlan-id=40 # IP subnet here is 192.168.40.0/24
add interface=bridge name=vlan-41 vlan-id=41 # IP subnet here is 192.168.41.0/24
add interface=bridge name=vlan-42 vlan-id=42 # IP subnet here is 192.168.42.0/23
# all VLAN interfaces have addresses set, "normal" LAN has an IPv6 address set as well
# routing as in "/ip route" works in all directions
/ip firewall filter
add action=drop chain=forward comment=\
"don't route between public WiFi and internal LAN" dst-address=\
192.168.42.0/23 src-address=192.168.41.0/24
add action=drop chain=forward comment=\
"no routing between IPTV box network and LAN" dst-address=192.168.42.0/23 \
src-address=192.168.40.0/24
add action=drop chain=forward comment=\
"don't route between public WiFi and IPTV box" dst-address=\
192.168.41.0/24 src-address=192.168.40.0/24
# Technically the rules above only drop packets in one direction, while they allow packets in the other direction. They are enough
# to prevent any bi-directional connection between any two subnets (either TCP or UDP), but they are not enough to prevent
# some bad-boyish action, such as a UDP flood or some such. A cautious admin would have these rules in pairs
# (with src-address and dst-address exchanged)
/ip firewall nat
# my internet is over PPPoE. Although contractually I have a static IP address, technically it's dynamic, hence masquerade not src-nat
add action=masquerade chain=srcnat out-interface=pppoe src-address=192.168.40.0/24
add action=masquerade chain=srcnat out-interface=pppoe src-address=192.168.41.0/24
add action=masquerade chain=srcnat out-interface=pppoe src-address=192.168.42.0/23
# I might be over-cautious and could get by with a single masquerade rule by omitting src-address ... instead of the three rules above:
# add action=masquerade chain=srcnat out-interface=pppoe
Of course there are other firewall rules, protecting my router and my LAN from bad boys (both on WAN and non-management LAN).
As you can see, the routing/firewalling rules don’t refer to interface names at all … hence it’s not important where an address in a particular LAN subnet is attached to: ether port, bridge or VLAN interface.
I am a bit confused; I thought traffic through a VLAN was already segmented from other VLANs and the host network the VLAN was running on.
Hence if I attach VLAN15 to my home LAN, that traffic is secure from host LAN traffic or other VLAN traffic.
If I simply route the VLAN traffic to the internet, won’t it be blocked from going anywhere else by default?
Doesn’t the VLAN get its own subnet as well as DHCP serving?
Whenever the router gets an address on some certain device, it will, by default, forward traffic there. Changing this behaviour is not really productive; it’s better to set up firewall filter rules to get the desired behaviour.
In my example: VLANs 40 and 41 are separate L2 networks and are perfectly separating devices on one VLAN from devices on another VLAN.
When I added interfaces vlan-40 and vlan-41, I didn’t allow any connection; at this point both VLANs are still separated (from the internet as well). One of the rare things added by defining VLAN interfaces was the ability to MAC-connect from Winbox to the router.
Then I defined an IP address on both VLAN interfaces. At this point the RB started to route/forward packets in all directions, including between both VLANs. So a device from VLAN 40 with IP address say 192.168.40.15 can now access a device from VLAN 41 with IP address say 192.168.41.42. Or both devices can now access the internet (if NAT rules do a proper job). And that’s because the router is … routing!
Only after that can you add a DHCP server for each VLAN … the router is still routing between both VLANs.
Only after firewall filter rules drop packets travelling from 192.168.40.0/24 towards 192.168.41.0/24 are the two VLANs separated again; in reality only partially, see the comment block in my config example in my previous post.
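To make two points from this thread concrete, first-match rule processing (from the earlier “rules are processed in order” answer) and the one-direction caveat in the comment block of the posted config, here is a small Python model of the forward chain. It is an added example, not code from the thread or from RouterOS: the three drop rules and the subnets are copied from the posted config, while the evaluator, the mirrored-rule helper and the test addresses are constructed.

```python
import ipaddress

# Forward-chain drop rules copied from the posted config: (action, src-address, dst-address).
# None means "any address".
ONE_WAY_RULES = [
    ("drop", "192.168.41.0/24", "192.168.42.0/23"),  # public WiFi -> internal LAN
    ("drop", "192.168.40.0/24", "192.168.42.0/23"),  # IPTV box -> internal LAN
    ("drop", "192.168.40.0/24", "192.168.41.0/24"),  # IPTV box -> public WiFi
]

LAN_SUBNETS = ["192.168.40.0/24", "192.168.41.0/24", "192.168.42.0/23"]

def _matches(addr, net):
    """A rule field of None matches everything, otherwise the address must be inside the network."""
    return net is None or ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net)

def first_match(rules, src, dst, default="accept"):
    """RouterOS semantics: rules are walked in order and the first matching rule decides."""
    for action, rule_src, rule_dst in rules:
        if _matches(src, rule_src) and _matches(dst, rule_dst):
            return action
    return default  # no rule matched: the chain's implicit accept

def mirrored(rules):
    """The 'cautious admin' variant from the config comments: each rule plus its src/dst-swapped twin."""
    out = []
    for action, rule_src, rule_dst in rules:
        out.append((action, rule_src, rule_dst))
        out.append((action, rule_dst, rule_src))
    return out

def reaches_forward_chain(src, dst, subnets=LAN_SUBNETS):
    """Hosts in the same subnet talk at L2; the router's forward chain never sees that traffic."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return not any(s in ipaddress.IPv4Network(n) and d in ipaddress.IPv4Network(n) for n in subnets)

def verdict(rules, src, dst):
    """What happens to a packet: switched past the router, or the forward chain's decision."""
    if not reaches_forward_chain(src, dst):
        return "bypasses router"
    return first_match(rules, src, dst)
```

With the one-way rules a packet from the internal LAN towards guest WiFi is still accepted (only the reverse direction is dropped), which is exactly the flood-style gap the config comment describes; the mirrored set closes it.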