lopar
just joined
Topic Author
Posts: 23
Joined: Mon Jan 30, 2017 5:47 pm

Network Isolation (again)

Tue Nov 13, 2018 1:56 pm

hi @all.
Again, a network isolation problem. I have some networks in my organisation, some of which need to be isolated from all other networks. Now, on some routers I have a bunch of similar rules, such as:
ip firewall filter add chain=forward src-address=10.0.0.0/24 dst-address=192.168.1.0/24 action=drop
ip firewall filter add chain=forward src-address=10.1.1.0/24 dst-address=192.168.1.0/24 action=drop
ip firewall filter add chain=forward src-address=10.15.12.0/24 dst-address=192.168.1.0/24 action=drop
ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=10.0.0.0/24 action=drop
ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=10.1.1.0/24 action=drop
ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=10.15.20.0/24 action=drop
...
#all combinations of paired networks
Because of the variety of networks it is hard enough to make /8 or /16 rules. But is it OK to use /0 rules to isolate a network from all others, or will I also block forward traffic inside the network itself?
I mean:
ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=0.0.0.0/0 action=drop
ip firewall filter add chain=forward src-address=0.0.0.0/0 dst-address=192.168.1.0/24 action=drop
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Network Isolation (again)

Tue Nov 13, 2018 2:05 pm

If your network is routable - yes. If it flows on layer 2 - then no.
 
lopar
just joined
Topic Author
Posts: 23
Joined: Mon Jan 30, 2017 5:47 pm

Re: Network Isolation (again)

Tue Nov 13, 2018 2:25 pm

Okay then. A more advanced situation. If I have more networks to be isolated, I should use address lists, so my complex rules should be:
ip firewall filter add chain=forward src-address-list="isolated" dst-address=0.0.0.0/0 action=drop
ip firewall filter add chain=forward src-address=0.0.0.0/0 dst-address-list="isolated" action=drop
So if I will need a hole to an address in the isolated network, I should use:
ip firewall filter add chain=forward src-address=10.0.0.54 dst-address=192.168.1.54 action=accept comment="1-way hole to isolated"
Should I put this rule before or after? Is it enough to use only one rule, or do I need more of them, or change the existing ones somehow?
Or is this solution completely wrong?
 
Muqatil
Trainer
Posts: 573
Joined: Mon Mar 03, 2008 1:03 pm
Location: London - UK

Re: Network Isolation (again)

Tue Nov 13, 2018 6:02 pm

I'll challenge you with another approach.
If the networks you are trying to isolate outnumber the networks you want to allow, you might want to use an ACL to whitelist the networks you want to allow forwarding for, and drop everything else.
I would build a firewall like this (in the forward chain):
1 Allow established, related
2 Allow forward traffic from WAN interface
3 Allow forward traffic to WAN interface
4 Allow forward traffic from "AllowedNetworks"
5 Allow forward traffic to "AllowedNetworks"
6 Block all forward traffic

In the address list AllowedNetworks put any network or single IP address you want to whitelist.

Of course, if you want to make it more granular, such as certain networks whitelisted to certain others but not all of them, the rules will be a little bit more complex, but I would follow the same principle.
 
pnajm
Frequent Visitor
Posts: 94
Joined: Thu Nov 21, 2013 6:54 pm

Re: Network Isolation (again)

Tue Nov 13, 2018 6:38 pm

A quick solution is to use VRF.
/ip route vrf
Add every interface to a new VRF (routing mark) and they will have a separate routing table and will be isolated from other networks.
A clean solution without firewall.
 
lopar
just joined
Topic Author
Posts: 23
Joined: Mon Jan 30, 2017 5:47 pm

Re: Network Isolation (again)

Tue Nov 13, 2018 8:13 pm

2 Allow forward traffic from WAN interface
3 Allow forward traffic to WAN interface
Broke my internet trying to ask why to do this. Then understood and found out why. =)

Why only established/related? What's wrong with new?
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Network Isolation (again)

Wed Nov 14, 2018 8:37 pm

Assume you have plenty of firewall filters for combinations of public host, internal address and protocol (e.g. chain=forward action=allow proto=tcp ports=80 src-address=1.2.3.4 dst-address=192.168.42.42) and the last rule drops all. These allow connections from the WAN host to the LAN server but block replies, so there would have to be another filter rule allowing connections in the other direction. If (one of the first) rules allows related, then replies from the LAN server to the WAN host also get allowed (but not new connections).
The established rule is (if I understand correctly) more of a shortcut so that packets of already established connections don't have to pass through the whole filter list but get allowed as soon as possible.

If there were a filter accepting new connections without other filter particulars (such as src address, dst address, proto and port), that rule would allow all new connection initiations (that's TCP SYN packets), and if the usual established,related rule were enabled, the firewall would not block any connection whatsoever. There's rarely a reason to allow new connection packets and not the rest, so state=new is used almost never.
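Three points in this thread hinge on the same mechanism: a RouterOS filter chain is evaluated top to bottom and the first matching rule decides. That is why lopar's "hole" rule only works if it sits above the drop rules, why Muqatil puts the established,related accept first, and why mkx says a bare connection-state=new accept would make the final drop unreachable. The model below is an added example, not code from the thread or from MikroTik: it is a small Python first-match evaluator that understands only src/dst address, address lists, in/out interface and connection state. The address-list names, the host and subnet addresses, and the packets fed through it are constructed for the demonstration.

```python
"""First-match model of a RouterOS-style forward chain (added example).

It only models src/dst address, address-list, in/out-interface and
connection-state matchers, which is enough to show how rule order decides
the outcome. Real RouterOS has many more matchers; this is a teaching model.
"""
import ipaddress

# Constructed address lists; the names mirror the ones used in the thread.
ADDRESS_LISTS = {
    "isolated": ["192.168.1.0/24"],
    "AllowedNetworks": ["10.0.0.0/24", "10.1.1.0/24"],
}


def _in_prefixes(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def rule_matches(rule, pkt):
    """Every matcher present in the rule must match; absent matchers are wildcards
    (so omitting dst-address is the same as dst-address=0.0.0.0/0)."""
    if "src-address" in rule and not _in_prefixes(pkt["src"], [rule["src-address"]]):
        return False
    if "dst-address" in rule and not _in_prefixes(pkt["dst"], [rule["dst-address"]]):
        return False
    if "src-address-list" in rule and not _in_prefixes(pkt["src"], ADDRESS_LISTS[rule["src-address-list"]]):
        return False
    if "dst-address-list" in rule and not _in_prefixes(pkt["dst"], ADDRESS_LISTS[rule["dst-address-list"]]):
        return False
    if "in-interface" in rule and pkt.get("in") != rule["in-interface"]:
        return False
    if "out-interface" in rule and pkt.get("out") != rule["out-interface"]:
        return False
    if "connection-state" in rule and pkt.get("state") not in rule["connection-state"].split(","):
        return False
    return True


def forward(chain, pkt, default="accept"):
    """Walk the chain; the first matching rule's action wins (RouterOS default
    policy for an unmatched packet is accept, hence the default)."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["action"]
    return default


# --- lopar's question: where does the one-way hole rule go? -----------------
HOLE = {"src-address": "10.0.0.54/32", "dst-address": "192.168.1.54/32", "action": "accept"}
ISOLATE = [
    {"src-address-list": "isolated", "action": "drop"},
    {"dst-address-list": "isolated", "action": "drop"},
]


def hole_works(hole_first):
    """Returns the fate of a new packet 10.0.0.54 -> 192.168.1.54 with the hole
    rule placed before (True) or after (False) the two drop rules."""
    chain = [HOLE] + ISOLATE if hole_first else ISOLATE + [HOLE]
    return forward(chain, {"src": "10.0.0.54", "dst": "192.168.1.54", "state": "new"})


# --- mkx's point: why established,related comes first and "new" is not needed --
EST = {"connection-state": "established,related", "action": "accept"}
HOST_RULES = [
    {"src-address": "1.2.3.4/32", "dst-address": "192.168.42.42/32", "action": "accept"},
    {"action": "drop"},  # drop-all at the end
]


def reply_fate(with_established):
    """Fate of the server's reply packet 192.168.42.42 -> 1.2.3.4; the per-host
    accept rule only matches the original direction."""
    chain = ([EST] if with_established else []) + HOST_RULES
    return forward(chain, {"src": "192.168.42.42", "dst": "1.2.3.4", "state": "established"})


def new_accept_defeats_drop():
    """A bare connection-state=new accept above the host rules lets any new
    connection through, so the final drop never sees a connection start."""
    chain = [EST, {"connection-state": "new", "action": "accept"}] + HOST_RULES
    return forward(chain, {"src": "203.0.113.9", "dst": "192.168.42.42", "state": "new"})


# --- Muqatil's whitelist chain, rules 1-6 in the order he lists them ----------
WHITELIST = [
    EST,
    {"in-interface": "wan", "action": "accept"},
    {"out-interface": "wan", "action": "accept"},
    {"src-address-list": "AllowedNetworks", "action": "accept"},
    {"dst-address-list": "AllowedNetworks", "action": "accept"},
    {"action": "drop"},
]

if __name__ == "__main__":
    print("hole above drops:", hole_works(True), "| hole below drops:", hole_works(False))
    print("reply without est/rel:", reply_fate(False), "| with est/rel:", reply_fate(True))
    print("new-accept probe:", new_accept_defeats_drop())
    print("isolated host to other LAN:", forward(WHITELIST, {"src": "192.168.1.10", "dst": "192.168.5.5", "state": "new"}))
```

The model deliberately has no notion of layer 2: two hosts in the same /24 on the same bridge never enter the forward chain at all, which is the substance of Anumrak's answer to the /0 question, so nothing the chain says can affect them. The model also shows why the one-way hole is only half the story: if the two isolation drops sit above an established,related accept, the return packets from 192.168.1.54 are dropped by the second rule, so in practice the established,related accept goes first, as in Muqatil's list.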
