ajtudela
just joined
Topic Author
Posts: 11
Joined: Sat Jun 06, 2015 12:06 am

Isolated network

Tue Feb 23, 2016 10:55 pm

Hi, I'm trying to make my own private wireless network for domotic devices, without a connection to the internet and without a connection to the other devices in the house.

So,
- I created a Virtual AP (wlan2-private)
- I created bridge-private and added the port to it
- I created a DHCP server for bridge-private
- I block bridge-local and bridge-private from each other, dropping packets in both directions.

How do I block bridge-private from the internet?

Many thanks!
/interface bridge
add comment="Guest bridge" name=bridge-private
add comment="Local bridge" name=bridge-local

/interface wireless
# security-profile=nopassword makes this an open SSID: anyone in radio range can join
# the isolated network, so the firewall is the only thing keeping those clients contained.
add comment=Wifi-Private default-ap-tx-limit=10000000 \
    default-client-tx-limit=5000000 disabled=no mac-address=D6:CA:6D:67:C0:71 \
    master-interface=wlan1 name=wlan2-private security-profile=nopassword ssid=\
    Wifi_devices wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=dhcp_private ranges=192.168.4.2-192.168.4.254

/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
# auto-isolate is a spanning-tree option (hold the port in discarding state until
# a BPDU is seen); it does not isolate clients from each other or from the internet.
add auto-isolate=yes bridge=bridge-private interface=wlan2-private

/ip address
add address=192.168.4.1/24 comment="Wifi Private" interface=bridge-private \
    network=192.168.4.0
    
/ip firewall filter
add chain=input comment="Accept connections from the IPTV LAN" in-interface=\
    vlan2
add chain=input comment="Accept established connections" connection-state=\
    established
add chain=input comment="Accept related connections" connection-state=\
    related
add chain=input comment="Allow the ICMP protocol" protocol=icmp
add chain=input comment="Allow VPN via the L2TP/IPsec protocol" \
    dst-port=500,1701,4500 in-interface=pppoe-out1 protocol=udp
add chain=input in-interface=pppoe-out1 protocol=ipsec-esp
add chain=input in-interface=pppoe-out1 protocol=ipsec-ah
add action=drop chain=input comment="Block everything else" in-interface=\
    pppoe-out1
# The input chain only ends in a drop for pppoe-out1; RouterOS accepts
# unmatched packets, so every LAN bridge can reach the router itself.
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="Isolate bridge-local and bridge-private" \
    in-interface=bridge-private out-interface=bridge-local
add action=drop chain=forward in-interface=bridge-local out-interface=\
    bridge-private
add chain=input comment="Allow wifi-private to reach the router" \
    connection-state=new in-interface=bridge-private
# This rule has no out-interface, so new connections from bridge-private towards
# pppoe-out1 (the internet) are accepted here; only bridge-local is excluded,
# by the two drops above it.
add chain=forward connection-state=new in-interface=bridge-private
# The three rules below duplicate the established/related/invalid rules that
# already sit earlier in the forward chain.
add chain=forward comment="Allow established connections to be forwarded" \
    connection-state=established
add chain=forward comment="Allow related connections to be forwarded" \
    connection-state=related
add action=drop chain=forward comment=\
    "Drop invalid forwarded packets" connection-state=invalid
/ip firewall nat
# Each rule matches on out-interface only, so every subnet the router forwards
# is masqueraded, bridge-private included.
add action=masquerade chain=srcnat comment=\
    "Masquerade connections towards the WAN" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment=\
    "Masquerade connections towards the WAN port" out-interface=\
    ether1-gateway
add action=masquerade chain=srcnat comment=\
    "Masquerade connections towards IPTV" out-interface=vlan2
add action=masquerade chain=srcnat comment=\
    "Masquerade connections towards VOIP" out-interface=vlan3
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Re: Isolated network

Wed Feb 24, 2016 6:30 am

You have to create two DHCP servers, one for local and one for private, assigned to separate bridges, two IP pools, one for each DHCP server, then restrict your masquerade rule to only the specific subnet allowed to the internet.
 
TomosRider
Member Candidate
Posts: 202
Joined: Thu Nov 20, 2014 1:51 pm

Re: Isolated network

Wed Feb 24, 2016 9:53 am

This... without a NAT masquerade rule on your private subnet, you won't be able to go on the internet...
 
ajtudela
just joined
Topic Author
Posts: 11
Joined: Sat Jun 06, 2015 12:06 am

Re: Isolated network

Wed Feb 24, 2016 11:51 am

You have to create two DHCP servers, one for local and one for private, assigned to separate bridges, two IP pools, one for each DHCP server, then restrict your masquerade rule to only the specific subnet allowed to the internet.

Sorry, I didn't post it. Yes, I have two DHCP servers.
/ip dhcp-server
add address-pool=dhcp_local disabled=no interface=bridge-local name=\
    dhcp_local
# This export names the second bridge bridge-guest and its pool dhcp_guest,
# whereas the export at the top of the thread uses bridge-private and dhcp_private.
add address-pool=dhcp_guest bootp-support=dynamic disabled=no interface=\
    bridge-guest name=dhcp_guest
 
ajtudela
just joined
Topic Author
Posts: 11
Joined: Sat Jun 06, 2015 12:06 am

Re: Isolated network

Wed Feb 24, 2016 11:52 am

This... without a NAT masquerade rule on your private subnet, you won't be able to go on the internet...

I don't know why, but without NAT masquerade I have an internet connection in the private subnet, which is annoying me, and I don't know how to fix it.
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Re: Isolated network

Thu Feb 25, 2016 6:34 am

This... without a NAT masquerade rule on your private subnet, you won't be able to go on the internet...

I don't know why, but without NAT masquerade I have an internet connection in the private subnet, which is annoying me, and I don't know how to fix it.
/ip firewall nat
add action=masquerade chain=srcnat comment=\
"Masquerade connections towards the WAN" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment=\
"Masquerade connections towards the WAN port" out-interface=\
ether1-gateway
add action=masquerade chain=srcnat comment=\
"Masquerade connections towards IPTV" out-interface=vlan2
add action=masquerade chain=srcnat comment=\
"Masquerade connections towards VOIP" out-interface=vlan3
You have to delete these three and add only one:
/ip firewall nat add chain=srcnat src-address=192.168.4.0/24 out-interface=pppoe-out1 action=masquerade
This will allow only 192.168.4.0/24 to connect to the internet.
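A source-scoped masquerade for this thread's setup, as an added example that is not part of kiaunel's post or the OP's configuration. It assumes the local LAN on bridge-local is 192.168.88.0/24; the thread never shows that subnet, so adjust it. Note that in the export at the top of the thread 192.168.4.0/24 is the address of bridge-private, the network that is supposed to stay off the internet, so the src-address of the masquerade rule has to be the bridge-local subnet, not 192.168.4.0/24.

```routeros
# Added example, not from the thread. Assumes bridge-local carries
# 192.168.88.0/24 (not shown in the thread). 192.168.4.0/24 is bridge-private
# in the OP's export and is deliberately absent from every src-address below.
/ip firewall nat
# Drop the interface-only masquerade rules for the two WAN interfaces: a rule
# that matches on out-interface alone masquerades every subnet the router forwards.
remove [find chain=srcnat action=masquerade out-interface=pppoe-out1]
remove [find chain=srcnat action=masquerade out-interface=ether1-gateway]
# Masquerade only the subnet that is allowed out.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    out-interface=pppoe-out1 comment="Masquerade bridge-local towards the WAN"
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    out-interface=ether1-gateway comment="Masquerade bridge-local towards the WAN port"
# Check: packet counters on the scoped rules should move for bridge-local traffic,
# and no translated connection should carry a 192.168.4.x source.
/ip firewall nat print stats
/ip firewall connection print where src-address~"192.168.4."
```

Scoping the masquerade only stops the router from rewriting the source address of packets from the other subnet; the forward chain still sends them out pppoe-out1 with their private source address unless a filter rule drops them. Untranslated packets from bridge-private will therefore not show up in the NAT counters, but they are still leaving the router.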
 
ajtudela
just joined
Topic Author
Posts: 11
Joined: Sat Jun 06, 2015 12:06 am

Re: Isolated network

Thu Feb 25, 2016 12:34 pm

/ip firewall nat add chain=srcnat src-address=192.168.4.0/24 out-interface=pppoe-out1 action=masquerade
This will allow only 192.168.4.0/24 to connect to the internet.
Thanks, it works!
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Isolated network

Thu Feb 25, 2016 4:33 pm

The best way to do this would be to use the forward chain in the filter rules.

Using a bridge for the isolated network (name=bridge-isolated) you would add these two simple rules:
/ip firewall filter
add chain=forward in-interface=bridge-isolated action=drop
add chain=forward out-interface=bridge-isolated action=drop

Then you don't even need to modify your NAT rules, and FYI - the packets are still actually forwarded with the NAT disabled, and this actually leaves the network open to send things to the Internet that don't need replies - like SNMP and DNS cache poison packets, DDoS flood traffic, etc.
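The forward-chain isolation above, applied to the names in the OP's export (bridge-private rather than bridge-isolated), as an added example that is not part of ZeroByte's post. It assumes the OP's filter chain is still as exported at the top of the thread, in particular that the rule `chain=forward connection-state=new in-interface=bridge-private` is present, because where the new drops land relative to that rule decides whether they take effect at all.

```routeros
# Added example, not from the thread. Assumes the OP's forward chain as posted:
# fasttrack est/rel, accept est/rel, drop invalid, two bridge-local<->bridge-private
# drops, then "accept connection-state=new in-interface=bridge-private".
# RouterOS walks a chain top-down and the first match wins, so the two drops
# must sit above that accept; appended at the end they would never be reached.
/ip firewall filter
add chain=forward in-interface=bridge-private action=drop \
    comment="Isolated: nothing from bridge-private is forwarded anywhere" \
    place-before=[find chain=forward connection-state=new in-interface=bridge-private]
add chain=forward out-interface=bridge-private action=drop \
    comment="Isolated: nothing is forwarded into bridge-private" \
    place-before=[find chain=forward connection-state=new in-interface=bridge-private]
# The OP's two bridge-local <-> bridge-private drops are now a subset of the
# rules above and can go.
remove [find chain=forward in-interface=bridge-private out-interface=bridge-local]
remove [find chain=forward in-interface=bridge-local out-interface=bridge-private]
# Fasttrack caveat: once a connection is fasttracked its packets skip the filter
# rules, so the drops only work because the OP's fasttrack rule matches
# established,related and a new connection from bridge-private hits the drop
# before it can ever be fasttracked. Keep it that way.
# Connections that were already in the tracking table before the drops were
# added stay accepted as "established" until they time out; flush them.
/ip firewall connection remove [find src-address~"192.168.4."]
# Verify from the router while a device on bridge-private tries to reach the
# Internet: the drop counters should rise and nothing new should appear in
# the connection table for that subnet.
/ip firewall filter print stats where chain=forward action=drop in-interface=bridge-private
/ip firewall connection print where src-address~"192.168.4."
```

These rules only touch the forward chain. The OP's input chain still accepts new connections from bridge-private to the router itself (and, as exported, only ends in a drop for pppoe-out1), so DNS, Winbox and any other service on the router remain reachable from the isolated devices unless the input chain is tightened as well.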
