total network isolation with common Inet access

Not a firewall or network guy, so please bear with me.

I am using WebFig/routerOS v6.7, and can also telnet to the CLI.

I am trying to set up the following topology with a Mikrotik Routerboard Model RB2011UiAS-RM. I have 5 physical unmanaged switches and physical cabling to connect the 5 networks to the Routerboard. This is for a residential ISP (FiOS) connection.

I’d like to set it up like this:
Inet(FiOS demarc) <> Routerboard <> Switch[1/2/3/4/5] <> PCs.
Or do I need a residential router (Linksys, Netgear, etc) between the Inet and Routerboard, like this?
Inet(FiOS demarc) <> [Linksys or Netgear] <> Routerboard <> Switch[1/2/3/4/5] <> PCs.
I do like the relative security that a garden-variety residential router provides, so let me know your thoughts…

OK, here goes…
I set up 5 networks, each on their own physical interface:

192.168.1.1/24; network 192.168.1.0; eth6; ether6-master-local
192.168.2.1/24; network 192.168.2.0; eth7; ether7-slave-local
192.168.3.1/24; network 192.168.3.0; eth8; ether8-slave-local
192.168.4.1/24; network 192.168.4.0; eth9; ether9-slave-local
192.168.5.1/24; network 192.168.5.0; eth10; ether10-slave-local

DHCP Pools:
192.168.88.10-192.168.88.254 default-dhcp
192.168.1.101-192.168.1.199 pool1
192.168.2.101-192.168.2.199 pool2
192.168.3.101-192.168.3.199 pool3
192.168.4.101-192.168.4.199 pool4
192.168.5.101-192.168.5.199 pool5

I want total segregation/isolation to/from each other on all of these networks, but all should have Inet access via NAT.

Are the below rules the correct (or a sane) way to go about this?

(.1 to .2 isolation)
/ip firewall filter add chain=forward action=drop src-address=192.168.1.0/24 dst-address=192.168.2.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.1.0/24

(.1 to .3 isolation)
/ip firewall filter add chain=forward action=drop src-address=192.168.1.0/24 dst-address=192.168.3.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.3.0/24 dst-address=192.168.1.0/24

(.1 to .4 isolation)
/ip firewall filter add chain=forward action=drop src-address=192.168.1.0/24 dst-address=192.168.4.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.4.0/24 dst-address=192.168.1.0/24

(.1 to .5 isolation)
/ip firewall filter add chain=forward action=drop src-address=192.168.1.0/24 dst-address=192.168.5.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.5.0/24 dst-address=192.168.1.0/24

How do I handle all going out to the Inet through a masquerade rule in the NAT portion of the firewall?

I’d prefer to use the 192.168.1.1 as the default gateway for all networks, but is this going to compromise security if I want all of the networks to be fully isolated from each other? Should I use 192.168.0.1 (or something else) for the WAN port’s IP?

Is this accurate?
NAT Configuration:
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=WAN
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.2.0/24 out-interface=WAN
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.3.0/24 out-interface=WAN
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.4.0/24 out-interface=WAN
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.5.0/24 out-interface=WAN

If I have an example of how to set one network up, I can edit for the others.

This seems to me to be a lot of info to ask for, but for some of you, it is hopefully a no-brainer…

If the above post is too convoluted, how do I totally isolate 2 networks but have Inet WAN access for both?

Thanks in advance for any tips or guidance.

Is it not possible to separate networks with a routerboard?

Of course it is possible.

Your config looks OK to me, just some notes about that:

Your config states the ethernet names with -master and -slave - beware you cannot have them in a switch group when attaching multiple networks. You’ll need them separate.

Having 192.168.1.1 as gateway for every network will not work.
How should, for example, 192.168.3.144 reach 192.168.1.1?
Gateways must be in the same network to be reachable for the clients.
I’d rather suggest adding a 192.168.X.1 address to each appropriate ethernet port and configuring the DHCP servers to send this out as the gateway.

Your isolation rules look correct to me, and could probably be merged into one:
/ip firewall filter add chain=forward action=drop src-address=192.168.0.0/16 dst-address=192.168.0.0/16

You could simplify your (correct) masquerading rules to be only one with src-address=192.168.0.0/16 as well.

Cheers
-Chris
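As an added check that is not part of the thread or of RouterOS itself: a small first-match model of the forward chain, in Python, that compares the original post's .1-centred drop rules with the merged /16 rule from the reply. It shows which segment pairs each rule set leaves open and confirms that neither set blocks traffic toward a public address; the segment host offsets and the public test address 198.51.100.7 are constructed sample values, and the default "accept" mirrors RouterOS behaviour when no filter rule matches.

```python
import ipaddress

# The five LAN segments from the original post.
SEGMENTS = [ipaddress.ip_network(f"192.168.{i}.0/24") for i in (1, 2, 3, 4, 5)]


def rule(src, dst, action="drop"):
    """One forward-chain rule with src-address/dst-address matchers."""
    return {"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst), "action": action}


# Original post: pairwise drops, but only between .1 and each other segment.
OP_RULES = []
for n in (2, 3, 4, 5):
    OP_RULES.append(rule("192.168.1.0/24", f"192.168.{n}.0/24"))
    OP_RULES.append(rule(f"192.168.{n}.0/24", "192.168.1.0/24"))

# Reply's merged rule: one drop for any 192.168.0.0/16 host talking to 192.168.0.0/16.
MERGED_RULES = [rule("192.168.0.0/16", "192.168.0.0/16")]


def forward_verdict(rules, src_ip, dst_ip):
    """First matching rule decides; with no match RouterOS accepts (default policy)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r["src"] and dst in r["dst"]:
            return r["action"]
    return "accept"


def unisolated_pairs(rules):
    """Return (src_net, dst_net) pairs whose sample hosts (offset .10) can still talk."""
    gaps = []
    for a in SEGMENTS:
        for b in SEGMENTS:
            if a != b and forward_verdict(rules, a[10], b[10]) == "accept":
                gaps.append((str(a), str(b)))
    return gaps


def internet_reachable(rules):
    """Every segment must still forward to a public address (constructed TEST-NET-2 host)."""
    return all(forward_verdict(rules, n[10], "198.51.100.7") == "accept" for n in SEGMENTS)


if __name__ == "__main__":
    print("open pairs with per-.1 rules:", unisolated_pairs(OP_RULES))
    print("open pairs with merged /16 rule:", unisolated_pairs(MERGED_RULES))
    print("internet still reachable:", internet_reachable(OP_RULES), internet_reachable(MERGED_RULES))
```

The per-.1 rules leave the twelve .2/.3/.4/.5 directional pairs open until the equivalent rules are added for them, while the merged rule closes every pair in one line.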

Thanks cdiedrich. I appreciate any constructive input as this is a new realm to me.

I’ll work through your suggestions, and report back how it goes, in case this is useful information for anyone.