Does RouterOS need a special set of commands for that?
Yes, would be cool to have a simple UI in the “era” of internet-connected bulbs
No, a set of firewall rules with MAC address filter would do just fine
Hi,
I’m a SOHO user and I have a few IoT devices deployed in my RouterOS-powered network.
I’m looking for a solution to simplify control over how and what can be accessed by a particular device,
where a device is recognized by one or more MAC addresses (e.g. when it features both ethernet and wifi).
Currently one can already take all the measures to “sandbox” a device: use a Virtual AP and a set of firewall rules.
However it’s rather inconvenient, because you end up creating a good amount of repetitive settings
and then you end up with a cluttered config where it’s not always that easy to recognize that settings from various
RouterOS subsystems belong to the same device.
I’d like to see a feature that would allow me, with relative ease, to specify the following parameters:
Ability to specify what parts of my LAN (if any) and when (e.g. to forbid initiation, but allow established) an IoT device can access
Ability to specify which parts of the internet and how often (i.e. firewall’s limit) my IoT device can access (some devices have a hardcoded IP address)
I think there are too many variables. You can have many LANs, many parts of internet to access at many different times, many different IoT devices with possibly very different needs for each of them. I think you’d either end up with very limited options, or with something even more complicated than what you have now.
> I think there are too many variables. You can have many LANs, many parts of internet to access at many different times, many different IoT devices with possibly very different needs for each of them.
The point is not to support all the possible cases of course, but to focus on the most common ones, which are usually reduced to:
Block from LAN
Only allow to access specific device in LAN (e.g. Hub)
Limit access to the Internet through the firewall either by IP or at least by the number of requests that are sent per second
Having a separate CLI for that would allow one to further develop it, first into a community-powered set of firewall recipes and then even into a vendor-powered set of firewall recipes.
I can imagine something like this as QuickSet feature. But I’m still not sure if it’s possible to find the right balance between available features and complexity.
Thinking about it a little more, the right way could be some generic extension system. Allow scripts to create dialogs (for WinBox/WebFig) or custom commands (for CLI, in a dedicated subtree). What you need is a high-level interface and this would be perfect if anyone wanted to make one. It could use all the already available low-level commands, so your imagination would be the limit.
It might not sound as cool for the average user, because it would not be usable right away; someone else (= community) would have to create the goodies first. But then it would allow creating much more than MikroTik would be willing to invest their resources in.
I was thinking more about a group of firewall rules that appear in the CLI and UI as a single record and can be moved around in the form of a single file. That way it would be fairly easy to upload it to your MikroTik device. The file’s content can be a typical MikroTik script, which is more than sufficient.
I think that would be enough for a start and doesn’t sound like it would require serious effort: it can all be expressed through a single additional level in the hierarchy of firewall rules.
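As an added illustration of the single-file rule group described above (a constructed RouterOS script, not code from the thread or from MikroTik), the three common cases from the list, block from LAN, allow only the hub, and rate-limit new internet connections, for one device known by two MAC addresses; the device name, MAC addresses, hub address, subnet and the `iot:` comment tag are all assumed placeholders:

```routeros
# Constructed example: every rule for one IoT device carries the same comment tag,
# so the group can be listed, moved or removed as one unit.
:local iotName "bulb-livingroom"
:local iotMacs {"02:00:00:00:00:01";"02:00:00:00:00:02"}
:local hubIp "192.168.88.10"
:local lanNet "192.168.88.0/24"
:local tag ("iot:" . $iotName)

# Drop any earlier rules for this device so the script can be re-run safely
/ip firewall filter remove [find comment=$tag]

:foreach mac in=$iotMacs do={
  # LAN: only the hub may be contacted; replies to flows it already has are allowed,
  # any other new traffic towards the LAN is dropped
  /ip firewall filter add chain=forward src-mac-address=$mac dst-address=$hubIp action=accept comment=$tag
  /ip firewall filter add chain=forward src-mac-address=$mac dst-address=$lanNet connection-state=established,related action=accept comment=$tag
  /ip firewall filter add chain=forward src-mac-address=$mac dst-address=$lanNet action=drop comment=$tag
  # Internet: at most 5 new connections per second (burst of 10); excess is dropped and logged
  /ip firewall filter add chain=forward src-mac-address=$mac connection-state=new limit=5,10:packet action=accept comment=$tag
  /ip firewall filter add chain=forward src-mac-address=$mac connection-state=new action=drop log=yes log-prefix=$tag comment=$tag
}
```

`add` appends to the end of the forward chain, so the group must be moved ahead of any broad accept rule to take effect; `/ip firewall filter print where comment="iot:bulb-livingroom"` shows the whole group as one record.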