I have an MTK switch, RouterOS 7.15, CRS312-4C.
The switch is part of a home/office network with a single bridge and multiple VLANs configured. Router on a stick is a pfsense box.
I would now like to connect an untrusted network (central building switch) to it and isolate this VLAN from a security standpoint, so that the switch itself is safe, administration cannot be done from this interface, and so on.
I don't use any L3/4 stuff on the switch, just basic VLANs, so no FW is configured on the SW yet.
How best to do this? Do I need to isolate this port to another bridge?
If the pfsense box is the gateway for all VLANs, you can block inter-VLAN access with firewall rules. It's not blocked as standard on pfsense when creating VLANs on it. But it all depends on how everything else is configured as well.
Yes, I control the pfsense box. The L3/4 is not an issue, I was thinking more MAC winbox access, discovery protocols and such. So the switch itself is the question.
So from an attacker's perspective I would go for the 'tik. So just the L2 stuff. I did all the stuff (that applies) from here. Looking for some extra stuff to look into.
Yup, did all this (just configured service discovery for a VLAN interface on a separate mgmt LAN so MikroTiks in the net can talk). All the others as you have suggested!
Apart from regular hardening, as in disabling services that are not needed (there are a few) and adding firewall rules, another option to enhance the security, or rather the segmentation, is to use VRFs.
Unfortunately, not all services support VRF today (as of 7.15.2 stable), such as DNS (currently broken), FTP and remote logging.
So a workaround for that is to let the main VRF be your mgmt and create a new VRF, called let's say VRF-LAN, into which you put all other interfaces that aren't the mgmt interface (which normally is ether1, or whatever it is called on your box).
Also make sure that the mgmt IP is configured directly on ether1 (or whatever physical interface you will be using) and that this interface is NOT part of the bridge.
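An added example of the VRF split described in this reply, written for this thread and not taken from MikroTik's documentation or the original poster's config; it assumes ether1 is the dedicated mgmt port, the VLAN bridge is named `bridge`, and 192.168.99.0/24 (gateway 192.168.99.1, switch 192.168.99.10) is a constructed mgmt subnet:

```routeros
# Added example: keep management in the main VRF on ether1, push the whole
# VLAN bridge into VRF-LAN, and pin L2 management paths to the mgmt port only.
# ether1, "bridge" and the 192.168.99.0/24 addresses are assumptions.

# 1. The mgmt port must not be a bridge port (no-op if it already is not).
/interface bridge port remove [find interface=ether1]

# 2. Mgmt IP directly on ether1 (main VRF) plus its own default route.
/ip address add address=192.168.99.10/24 interface=ether1 comment="mgmt, main VRF"
/ip route add dst-address=0.0.0.0/0 gateway=192.168.99.1 comment="mgmt default route"

# 3. Everything behind the VLAN bridge lives in its own VRF. The switch is
#    L2-only there, so VRF-LAN needs no IP address of its own; services that
#    bind to the main table (the ones that do support VRF) are then unreachable
#    from the untrusted VLANs.
/ip vrf add name=VRF-LAN interfaces=bridge

# 4. Neighbor discovery and MAC-level access (MAC Telnet / MAC Winbox) only on mgmt.
/interface list add name=mgmt comment="management-only interface list"
/interface list member add list=mgmt interface=ether1
/ip neighbor discovery-settings set discover-interface-list=mgmt
/tool mac-server set allowed-interface-list=mgmt
/tool mac-server mac-winbox set allowed-interface-list=mgmt

# 5. Bind the remaining services to the mgmt subnet; disable the unneeded ones
#    (FTP is also one of the services noted above as not VRF-aware).
/ip service set winbox address=192.168.99.0/24
/ip service set ssh address=192.168.99.0/24
/ip service disable telnet,ftp,www,api,api-ssl
```

Apply it from the mgmt port itself (or via serial console), since step 1 and step 3 will cut any session that currently comes in over a bridge VLAN.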