I am looking for a way to create a SOHO network with enhanced security in which the local devices are distrusted unless explicitly specified otherwise. More specifically:
WiFi clients:
cannot see each other
cannot see the Ethernet clients
must use DNS provided by the router (and no other) (See Note (A) below)
must be whitelisted explicitly to be able to connect
Different SSID/passphrase for different WiFi clients/client groups (is that possible?)
A special group of WiFi clients (local-wifi-clients):
must not connect to the Internet
must be able to connect only to a specific Ethernet client group (local-eth-services) (and thus obviously see that group).
must be able to use certain services provided by the specified Ethernet clients group (e.g. a computer streaming video to a smart TV)
Ethernet clients:
cannot see the WiFi clients
can see the other Ethernet clients
local-wifi-clients and local-eth-services groups can see each other
can use DNS provided by the router (but can use other too)
Router OS management:
Clients must not know they are connected to a Mikrotik device (including hints like gateway’s IP address being 192.168.88.1 or 192.168.188.1)
WiFi and Ethernet clients must not be able to log into RouterOS
Login to RouterOS (on any of the two routers) must be possible through one fixed Ethernet port only (e.g. eth3) and must use only secure connections (SSH or www-ssl)
Please also see Question 3 below
Firewall:
General policy: Block everything (including forward chain)
Allow explicitly only required connections. Example:
allow ping between Ethernet clients
allow ping from Ethernet clients to the Internet
allow DNS and TCP 443 to everywhere for all clients
allow outgoing connection to example.com (or 1.2.3.4) TCP 22 only for Ethernet clients only
Host block/allow lists:
All devices should benefit from global host lists preventing/allowing connections - ideally, something like this.
It should be easy to update/edit the lists
It should be easy to toggle (enable/disable) specific lists (e.g. for testing purposes)
IP protocol:
Only IPv4 is used on the client side (see Note (B) below)
General security hardening:
Considering the specifics here, the network should follow the general security recommendations in RouterOS new and old documentation.
Any additional advice and recommendations are welcome!
Notes:
(A) I am aware that this can be circumvented if a device uses DoH, in which case DNS traffic will appear as regular HTTPS. AFAIK, there is no way around this.
(B) I suppose IPv6 can probably provide even better ways for all this, but as I am still learning about it, I would rather not do something which I don’t understand. Regardless of that, advice and clarifications in that direction are welcome!
I also need a way to monitor the connections any device attempts (successfully or not), so I can fine-tune firewall rules. I am not sure which is the proper way to do this though. On Linux routers, I simply tcpdump. Is it possible to do this from a selected Ethernet client? Or must it be done on the router itself (i.e. in RouterOS)?
Are there any security downsides in enabling Internet access through the management port? If yes - how do I block it? If no - how do I allow it?
Are there any security downsides in providing local-eth-services through the management port?
Thanks for stopping by.
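A default-deny RouterOS configuration sketch for the requirements above, added here as an illustration and not posted by anyone in the thread. It assumes one router with ether1 as uplink, ether2 for wired clients, ether3 as the management port, wlan1 on the legacy wireless package, and WiFi and Ethernet on separate L3 segments (on a shared bridge their traffic is switched at L2 and never reaches the forward chain); 1.2.3.4, 203.0.113.0/24 and the MAC address are constructed values.

```routeros
# Added example, not from the thread: a default-deny skeleton for the OP's
# requirements on one RouterOS device. Port roles, subnets, the MAC address
# and 1.2.3.4 are assumptions; legacy /interface wireless syntax is assumed.

# 1. Name the roles once so every rule refers to a role, not a port
/interface list
add name=WAN
add name=WIFI comment="distrusted wireless clients"
add name=ETH comment="wired clients"
add name=MGMT comment="the single management port"
/interface list member
add list=WAN interface=ether1
add list=ETH interface=ether2
add list=MGMT interface=ether3
add list=WIFI interface=wlan1

# 2. AP-side isolation: no client-to-client forwarding, whitelist-only join
/interface wireless
set wlan1 default-forwarding=no default-authentication=no
/interface wireless access-list
add interface=wlan1 mac-address=02:00:00:00:00:01 action=accept comment="constructed MAC of an allowed laptop"

# 3. Router services: SSH and www-ssl only, reachable only from the MGMT port
/ip service disable telnet,ftp,www,api,api-ssl,winbox
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=MGMT protocol=tcp dst-port=22,443 action=accept comment="RouterOS login via ether3 only"
add chain=input in-interface-list=!WAN protocol=udp dst-port=53 action=accept comment="router-provided DNS"
add chain=input in-interface-list=!WAN protocol=tcp dst-port=53 action=accept
add chain=input action=drop log=yes log-prefix="in-drop" comment="everything else, logged for tuning"

# 4. Forward chain: nothing crosses the router unless a rule below says so
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward dst-address-list=blocklist action=drop comment="global hosts blocklist"
add chain=forward in-interface-list=ETH out-interface-list=WAN protocol=icmp action=accept comment="ping from Ethernet clients to the Internet"
add chain=forward in-interface-list=!WAN out-interface-list=WAN protocol=tcp dst-port=443 action=accept comment="TCP 443 for all clients"
add chain=forward in-interface-list=ETH out-interface-list=WAN protocol=udp dst-port=53 action=accept comment="only Ethernet clients may use outside DNS"
add chain=forward in-interface-list=ETH out-interface-list=WAN dst-address=1.2.3.4 protocol=tcp dst-port=22 action=accept comment="SSH to 1.2.3.4, Ethernet clients only"
add chain=forward action=drop log=yes log-prefix="fw-drop" comment="default deny; /log print shows what each device tried"

# 5. Host lists live in address-lists; toggle a list by disabling its rule:
#    /ip firewall filter set [find comment="global hosts blocklist"] disabled=yes
/ip firewall address-list
add list=blocklist address=203.0.113.0/24 comment="constructed entry"
```

The two logging drop rules answer the monitoring question from the router side: every blocked attempt shows up in /log print with its prefix, source and destination.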
I wonder if I need to edit the OP to clarify that:
I am not a network professional
“I am looking for a way” does not mean I know how to implement it myself but I am facing small difficulties. It means I don’t know how to approach it correctly and I am willing to learn.
When I ask “How do I create…” it does not mean “I expect that you create it for me”. It means I am willing to understand whatever is necessary, so that I can do it myself. Then others reading this will be able to benefit from it too.
“I am willing to learn” means my current level is limited and I am OK to be told what exactly I need to learn (as long as it is not something generic like “Go learn networking” or anything else that will take months or years). It also means the way the official documentation is organized is not helping much.
Hiring a professional to do it will not help me learn. If I wanted to do this, I wouldn’t ask here at all.
I hope this clarifies any potential misunderstanding.
I believe the described setup can benefit others too. Ideally, if it turns into something well organized, we can probably have it as some kind of community guide.
(read, let it sink in, reread again, digest it more, test setup, read again)
At a high level I don’t see immediate glaring issues preventing this from being set up like you want.
Requirements are already half of the work and you did your homework quite decently IMHO.
Caveat
One of your requirements is about isolation of wireless clients.
What APs are in use and what control do you have there ?
Because if the access point can not block it, no way you can prevent it from happening.
It’s normal to isolate users by vlans because the vlans do it as they are L2 constructs and we ensure the firewall rules do the same at L3.
What’s NOT normal is your requirement to isolate wifi users from themselves within the same subnet or isolate wifi users from lan users in the same subnet.
That takes the complexity up a notch. The wifi bit will be dependent upon the software particular to the access point.
You can do this on MT wifi access points I believe.
There is no requirement to isolate users. The requirement is to isolate devices and to restrict their access. Whether the isolation should happen within the same subnet or through separate subnets - I don’t know, as I am not aware of the pros and cons of each approach. Suggestions are welcome. The idea is that most of the devices are not trusted and it is unknown what mischief they may do. Also, when the devices are distrusted this way, even if one device gets compromised, this setup will prevent it from compromising others.
The wifi bit will be dependent upon the software particular to the access point.
What do you mean? The device models are shown in the OP.
Regarding firewalls, I have some experience with iptables, less with nftables, only basic one with RouterOS’s firewall filter. I will look at your link. Thanks.
If you put IoT devices on their own vlan and they want to create havoc within that subnet, let them.
They will not be able to get to the rest of your network (if properly firewalled).
If needed, you can segregate further and put each device in its own VLAN (solitary confinement, poor things …)
Same with wifi users/devices.
Put them apart, let them play within their perimeter. No need to complicate further.
They can’t reach the rest anyhow (if properly firewalled).
My wifi users can not reach my main lan. The only devices they can reach are the printer and an iperf server (for test purposes, since I use my home setup quite a lot as a test environment).
Nothing else.
It is much harder to isolate devices at L2, and thus if you have untrustworthy devices keep them in their own subnet period.
You can always drill L3 holes to allow one way communication to such devices.
@holvoetn
Fortunately, we have no IoT devices (unless a smart TV can be considered such). No network printers either (so far).
What do you mean by properly firewalled? How did you properly firewall yours?
@anav
Isn’t VLAN an L2 isolation which creates a subnet? Or what do you mean?
Are you saying that L3 holes can circumvent L2 isolation or something else?
I hope you can clarify.
You said the need was to isolate devices…
My reply is that you cannot easily isolate devices if in the same subnet L2, aka a normal subnet or vlan.
One should isolate devices in layer 2 by putting them in their own subnet, which makes things easy.
You can put each one in a different subnet or group then in a vlan as you see fit.
Yes L3 rules allow one to access a device one-way.
For example all users need access to a shared printer.
The printer is on a house LAN.
I can make firewall rules so guest wifi users vlan can access the printer to print stuff.
If I was really anal, I would put the printer on its own vlan and then let all vlans access that device
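The pattern anav describes (each group in its own VLAN, then a one-way L3 hole to a shared device) also covers the OP's local-wifi-clients to local-eth-services requirement, so one added example serves both; it is not configuration posted in the thread. Bridge layout, VLAN ids, subnets, ether1 as the uplink and the printer at 10.10.0.20 are assumptions.

```routeros
# Added example, not posted in the thread: one VLAN per distrusted group with
# a one-way L3 "hole", serving both anav's guest-to-printer case and the OP's
# local-wifi-clients -> local-eth-services case. Bridge layout, VLAN ids,
# subnets, ether1 as uplink and the printer at 10.10.0.20 are assumptions.

/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether2 pvid=10 comment="house LAN, untagged"
add bridge=bridge interface=wlan1 pvid=20 comment="guest wifi, untagged"
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether2
add bridge=bridge vlan-ids=20 tagged=bridge untagged=wlan1
/interface vlan
add name=vlan10-house interface=bridge vlan-id=10
add name=vlan20-guest interface=bridge vlan-id=20
/ip address
add address=10.10.0.1/24 interface=vlan10-house
add address=10.20.0.1/24 interface=vlan20-guest

# the reachable services are an address-list, so the hole is edited in one place
/ip firewall address-list
add list=local-eth-services address=10.10.0.20 comment="printer (constructed address)"

/ip firewall filter
# replies to connections accepted below come back through this rule
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# the hole: guests may open IPP/JetDirect to listed services, nothing else
add chain=forward connection-state=new in-interface=vlan20-guest \
    dst-address-list=local-eth-services protocol=tcp dst-port=631,9100 \
    action=accept comment="guest -> local-eth-services, one way"
# house LAN may reach the Internet; no such rule exists for the guest VLAN
add chain=forward in-interface=vlan10-house out-interface=ether1 action=accept
# nothing else crosses VLANs in either direction
add chain=forward action=drop log=yes log-prefix="fw-drop"
```

Because guest and house traffic now arrive on different VLAN interfaces, every packet between them passes the forward chain, which is what makes the per-device restrictions enforceable at all.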