RB750G wi-fi router build help

Hi guys - I am looking to build an elaborate 493G setup at home. I am starting off with a RB750G, however, just to get a feel for the platform and capabilities etc. Once I am happy with this as opposed to the pfSense install I have been running I will purchase the 493G with 3 x R52Hn wifi cards.

I want to achieve the following:

  • WAN on port 1 (WAN)
  • Private network on ports 2,3,4 (LAN)
  • Guest wifi on port 5 (GUEST)
  • LAN should have full access out
  • GUEST should only have very limited internet access
  • GUEST should not access any resources on LAN

Obviously the RB750G has no mini-PCI slots so in order to get wi-fi I will be using 2 existing APs on two of the Ethernet ports.

The LAN one is easy, I have ports 2,3,4 in a switch group with ethernet2 as the switch master.

I set port 5 to have no master switch port and have plugged the guest wifi access point into this port.

I have set up an IP address on port 5 with a different range to my internal LAN network.

I have set up DHCP servers on the two scopes, i.e. 192.168.10.0/24 for internal LAN and 192.168.11.0/24 for guest wifi.

NAT has also been set up for both networks.

I have some basic firewall rules in place for the LAN subnet, but have locked down the guest wifi so that my guests cannot torrent etc; only TCP ports 80, 443, 25 and 993 are allowed along with the usual UDP 53 for DNS etc.

With this setup I can obtain internet access from both wifi APs and browse the internet.

What I would like to know is, should I have port 5 on a separate VLAN? At the moment all ports are on the same VLAN (I presume). I notice I can only set up a single ‘switch’ on the device, so how do I cut the broadcast domain down? I assumed via separate VLANs.

Any thoughts to how I achieve my requirements would be appreciated. I am at work just now so I can’t post my configs etc.

Cheers

Hello,

in your VERY DETAILED POST :smiley: I can see that almost all is done.

I think you don’t need VLANs. You have different networks, one for LAN and the other for wifi. You can add some rules in the firewall to avoid communication from one network to another and this is all…

There are no broadcast packets from one network to another network, because they are 2 different networks: 10.x and 11.x /24.

I don’t want to rely on Layer 3 to separate the networks. If someone were to change their IP address to one on the LAN network then they would gain full access. I would rather separate the networks at Layer 2, which is why I thought you use VLANs on the same physical switch.

Also - was my post not detailed enough? What other info can I provide?

Your post was very detailed. Very good post.

But it appears you are confused about how VLANs work, and what they do. VLANs allow you to implement multiple layer three networks on the same physical link. Security wise they do not do anything you cannot also achieve by using multiple physical ports.

Just by someone on the guest link changing their IP address to one used on the other LAN link doesn’t mean they have full access. In fact, they won’t be able to get anywhere since they now can’t reach the gateway IP on the router interface they are connected to.

Ahh ok - that makes sense. So set up firewall rules based on source interface?

Yes. Or IP addressing.

But this is my dilemma - if I were to use just IP addressing, a savvy operator could manually change their IP address to one on my other network (i.e. change his 192.168.11.0/24 address to a 192.168.10.0/24 address) and then bypass the firewall rules.

I work for a financial institution and I know that here we separate networks on switches by VLAN, so we run Zone 4 network (internal LAN) alongside Zone 5 network (vendor LAN) on the same physical switch and separate the two by VLAN.

That isn’t a dilemma.

If you have 192.168.0.1/24 on ether4 and 192.168.1.1/24 on ether5, and have someone behind ether5 configure an IP address of 192.168.0.10, he can NOT reach the network behind ether4, because he isn’t on that port. In fact, he can’t get anywhere at all anymore since he can’t talk to the router anymore as his default gateway.

Exactly as things work with VLANs: if you’re on a switch port configured for VLAN A you cannot magically talk to devices on VLAN B just because you configure an IP address on that network - you cannot get there because you are on a different logical network. When you’re behind different ports on a router you’re also on different networks, albeit physical networks and not logical networks. Protecting different VLANs and different router ports from one another is 100% equivalent. You can refer to interface names, or you can write rules that - for example - only allow traffic from behind a port sourced from the IPs you expect behind that port, dropping the rest. Then also drop traffic destined to IPs you don’t want those devices to reach, such as guest to LAN.

But here is a short example with interface names:

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2 action=accept
add chain=forward in-interface=ether5 protocol=udp dst-port=53 action=accept
add chain=forward in-interface=ether5 protocol=tcp dst-port=80,443 action=accept
add chain=forward action=drop

Ok - this is what I have:

[admin@MikroTik] > /ip firewall export
# jan/18/2011 12:19:54 by RouterOS 4.11
# software id = M26S-4LTJ
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Allow all from admin laptop" disabled=\
    no src-address=192.168.10.10
add action=accept chain=forward comment="Accept established" \
    connection-state=established disabled=no
add action=accept chain=forward comment="Accept related" connection-state=\
    related disabled=no
add action=log chain=forward comment="Drop invalid connections" \
    connection-state=invalid disabled=no log-prefix="DROP INVALID"
add action=drop chain=forward comment="Drop invalid connections" \
    connection-state=invalid disabled=no
add action=accept chain=forward comment="Accept all via ether2" disabled=no \
    in-interface=ether2-local-master
add action=accept chain=forward comment="Allowed traffic from public wifi" \
    disabled=no dst-address=208.67.222.222 dst-port=53 in-interface=\
    ether5-local-public-wifi protocol=udp
add action=accept chain=forward comment="" disabled=no dst-address=\
    208.67.220.220 dst-port=53 in-interface=ether5-local-public-wifi \
    protocol=udp
add action=accept chain=forward comment="" disabled=no dst-port=443 \
    in-interface=ether5-local-public-wifi protocol=tcp
add action=accept chain=forward comment="" disabled=no dst-port=993 \
    in-interface=ether5-local-public-wifi protocol=tcp
add action=accept chain=forward comment="" disabled=no dst-port=25 \
    in-interface=ether5-local-public-wifi protocol=tcp
add action=accept chain=forward comment="" disabled=no dst-port=80 \
    in-interface=ether5-local-public-wifi protocol=tcp
add action=log chain=forward comment="Log blocked traffic on public wifi" \
    disabled=no in-interface=ether5-local-public-wifi log-prefix=\
    "DROP PUB WIFI"
add action=drop chain=forward comment="" disabled=no in-interface=\
    ether5-local-public-wifi
add action=log chain=input comment="Log everything else" disabled=no \
    log-prefix="DROP FINAL INPUT"
add action=drop chain=input comment="Drop everything else" disabled=no
add action=log chain=forward comment="Log everything else" disabled=no \
    log-prefix="DROP FINAL FWD"
add action=drop chain=forward comment="Log everything else" disabled=no
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    pppoe-out1 src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    pppoe-out1 src-address=192.168.11.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

and interfaces:

Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                               TYPE       MTU   L2MTU
 0  R  ether1-gateway                     ether      1500  1524
 1  R  ether2-local-master                ether      1500  1524
 2  R  ether3-local-slave                 ether      1500  1524
 3     ether4-local-slave-private-wifi    ether      1500  1524
 4  R  ether5-local-public-wifi           ether      1500  1524
 5  R  pppoe-out1                         pppoe-out  1492
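As an added example (not from the thread, MikroTik, or any poster), here is a small Python model of first-match evaluation of the forward chain, loaded with the rules from the export above and, in a second variant, with the guest-to-LAN drop suggested in the earlier reply. It shows the two points argued over: an in-interface rule returns the same verdict whatever source address a guest device configures, and the posted chain still accepts guest traffic to TCP 80/443/25/993 on the 192.168.10.0/24 subnet until that drop is placed ahead of the per-port accepts. Interface names, subnets and DNS addresses are taken from the export; the sample flows and the address 203.0.113.9 are constructed.

```python
import ipaddress

# Minimal model of RouterOS forward-chain evaluation: first matching rule wins.
# connection-state and log rules are left out: every flow here is a new
# connection, and action=log never terminates evaluation.
LAN, GUEST = "ether2-local-master", "ether5-local-public-wifi"

def rule(action, in_iface=None, proto=None, dst_port=None, dst_net=None):
    return {"action": action, "in": in_iface, "proto": proto, "port": dst_port,
            "dst": ipaddress.ip_network(dst_net) if dst_net else None}

def matches(r, pkt):
    # Nothing here reads pkt["src"]: the posted rules key on the ingress
    # interface, so a spoofed source address changes no verdict.
    return ((r["in"] is None or r["in"] == pkt["in"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["port"] is None or pkt["dport"] == r["port"])
            and (r["dst"] is None or ipaddress.ip_address(pkt["dst"]) in r["dst"]))

def verdict(chain, pkt):
    for r in chain:
        if matches(r, pkt):
            return r["action"]
    return "accept"  # RouterOS default when no rule in the chain matches

# Forward chain as posted, in order (minus connection-state and log rules).
POSTED = [
    rule("accept", in_iface=LAN),
    rule("accept", in_iface=GUEST, proto="udp", dst_port=53, dst_net="208.67.222.222/32"),
    rule("accept", in_iface=GUEST, proto="udp", dst_port=53, dst_net="208.67.220.220/32"),
    rule("accept", in_iface=GUEST, proto="tcp", dst_port=443),
    rule("accept", in_iface=GUEST, proto="tcp", dst_port=993),
    rule("accept", in_iface=GUEST, proto="tcp", dst_port=25),
    rule("accept", in_iface=GUEST, proto="tcp", dst_port=80),
    rule("drop", in_iface=GUEST),
    rule("drop"),
]

# Same chain with the guest-to-LAN drop inserted before the per-port accepts,
# so it wins the first-match race for any destination in the private subnet.
HARDENED = POSTED[:1] + [rule("drop", in_iface=GUEST, dst_net="192.168.10.0/24")] + POSTED[1:]

def pkt(in_iface, src, dst, proto, dport):
    return {"in": in_iface, "src": src, "dst": dst, "proto": proto, "dport": dport}

# Constructed sample flows (203.0.113.9 stands in for an internet host).
SPOOFED_GUEST = pkt(GUEST, "192.168.10.50", "203.0.113.9", "tcp", 22)   # LAN address used on guest port
GUEST_WEB     = pkt(GUEST, "192.168.11.20", "203.0.113.9", "tcp", 443)
GUEST_TO_LAN  = pkt(GUEST, "192.168.11.20", "192.168.10.10", "tcp", 443)
LAN_OUT       = pkt(LAN,   "192.168.10.10", "203.0.113.9", "tcp", 22)
```

Run `verdict(POSTED, GUEST_TO_LAN)` against `verdict(HARDENED, GUEST_TO_LAN)` to see the one flow whose verdict changes; the spoofed-source flow is dropped by both chains.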

Hi ilium007,

this isn’t far from what I’m trying to do. Any chance you could flick me your configs so I can see how you’re doing it?

D - don@bowenvale.co.nz

I don’t have the hardware as yet. As soon as I have it I can send you my configs. Happy to do so.