MikroTik App
 
robertEIT
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

Block LAN access, allow only Internet + some restrictions

Wed Feb 27, 2019 1:29 am

Hi guys,
I'm trying to figure out this:

I have a LAN, 192.168.88.0/24

One IP within this LAN is assigned to a Ubiquiti AP which serves Internet access to a small park. The IP is 192.168.88.254 via static DHCP. The AP has its own DHCP and subnet (10.10.10.0/24). I would like to block access to my 192.168.88.0/24 LAN for users connected to that AP, leaving them only with Internet access and that's it. I know this isn't the best setup and that I should use a dedicated port and network for that AP but unfortunately I don't have total control on the network.

I can't figure out how to make the rules in the firewall. I'm thinking about dropping forwarding from 10.10.10.0/24 to 192.168.88.0/24 or...?

 
vecernik87
Long time Member
Posts: 675
Joined: Fri Nov 10, 2017 8:19 am

Re: Block LAN access, allow only Internet + some restrictions

Wed Feb 27, 2019 1:40 am

Since the AP is connected to particular interface, it would be more failproof to make firewall rules based on interfaces:

First firewall filter rule: Accept forward from unifi to wan:
- in-interface: your port where unifi is connected (I assume it is not bridged with anything else)
- out-interface: your wan port
- action: accept

Second firewall filter rule: Deny forward from unifi (Even though it is safe approach, this second rule is not necessary if you follow principle "accept specified, deny everything else" and your firewall is already set up that way. If you are unsure, better to use this rule.)
- in-interface: your port where unifi is connected
- action: drop

this way, only packets destined to WAN will be forwarded from your unifi. Anything else from unifi will be dropped. You won't have to worry about spoofed IP or exceptions, you won't need to update your rule anytime you add another subnet etc...
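The two interface-based rules from the reply above, written out as RouterOS commands. This is an added example, not part of the original post and not a MikroTik reference configuration. Assumptions that the thread does not state: the AP is wired to ether3, which is a routed port with its own subnet 192.168.30.0/24 rather than a member of the LAN bridge (if it were a bridge port, in-interface in the forward chain would match the bridge, not the port, and the rules would not isolate anything); the uplink is ether1; RouterOS 6.x CLI syntax. The established/related accept, the input-chain rules and the NAT rule are the pieces a practitioner needs around the two rules: the first keeps replies to allowed sessions flowing whatever the rest of the chain does, the input rules keep guests off the router's own services (Winbox, SSH, API) on their gateway address, and the NAT rule is needed if the existing masquerade is keyed to 192.168.88.0/24.

```routeros
# Added example (not from the original post). Assumed topology:
#   ether1 = WAN uplink, ether3 = port wired to the AP,
#   ether3 is a routed port with its own subnet 192.168.30.0/24,
#   the AP's uplink side is statically addressed 192.168.30.2.
/ip address add address=192.168.30.1/24 interface=ether3 comment="AP segment gateway"

/ip firewall filter
# Replies to sessions that were already accepted are let through in both directions.
add chain=forward action=accept connection-state=established,related comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Rule 1 from the reply: traffic entering on the AP port may leave only via the WAN port.
add chain=forward action=accept in-interface=ether3 out-interface=ether1 comment="AP -> internet only"
# Rule 2 from the reply: anything else entering on the AP port is dropped
# (192.168.88.0/24, other routed subnets, subnets added later).
add chain=forward action=drop in-interface=ether3 comment="AP -> everything else"
# Input chain: guests get DNS from the router and nothing else on it.
# Remove the DNS accept if the AP hands out a public resolver instead.
add chain=input action=accept connection-state=established,related comment="accept established/related"
add chain=input action=accept in-interface=ether3 protocol=udp dst-port=53 comment="AP segment: DNS to router"
add chain=input action=drop in-interface=ether3 comment="AP segment: no access to the router itself"

# NAT for the new segment. If the existing masquerade already matches on
# out-interface only, it covers this segment and this rule is redundant.
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.30.0/24 out-interface=ether1

# If the AP routes 10.10.10.0/24 instead of NATing it behind 192.168.30.2, the
# router needs a return route and the masquerade must cover that prefix too;
# the interface-based filter rules above stay exactly as they are.
# /ip route add dst-address=10.10.10.0/24 gateway=192.168.30.2
# /ip firewall nat add chain=srcnat action=masquerade src-address=10.10.10.0/24 out-interface=ether1

# Check: the counters on the two AP rules should move when a guest browses
# and when a guest tries to reach 192.168.88.x.
/ip firewall filter print stats where comment~"AP"
```

The `add` commands append to the end of the existing chain. On a router that already carries rules (for instance the default "accept from LAN" rule keyed to an interface list), move the two AP rules above any general accept, either with `place-before=` on the `add` or with `/ip firewall filter move` afterwards, otherwise an earlier accept can match the AP traffic first and the drop is never reached.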
 
anav
Forum Guru
Posts: 4635
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block LAN access, allow only Internet + some restrictions

Wed Feb 27, 2019 1:52 am

What I would do is turn all that traffic into a vlan.
So let's say eth3 is a port that is directly wired to the AP.
create a guest-bridge (pvid=1) ingress filtering=yes
create vlanAP_30
associate the vlan to the guest bridge when identifying the vlan interface
add address with interface being vlanAP_30
add ip pool 192.168.30.2-192.168.30.3
etc..........
Create a vlan DHCP-server services and DHCP-server network
add address with interface being vlanAP_30
192.168.30.0/24 etc
etc..........
In other words you are going to give a VLAN LAN IP to the AP.

associate the vlan to the guest bridge when identifying the vlan interface
/interface bridge port
add bridge=guest-bridge interface=eth3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
add bridge=guest-bridge tagged=guest-bridge untagged=eth3 vlan-ids=30

The only firewall rule you will require is
/ip firewall filter
add chain=forward action=accept in-interface=vlanAP_30 out-interface=wan
(allow vlan to wan traffic)

There all traffic coming from the AP is on a separate VLAN with only access to the internet.
There are probably 20 ways to do this..........
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
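The VLAN build-out described in the post above, written as one complete RouterOS configuration in the order it has to be applied. This is an added example, not anav's own config and not a MikroTik reference. The names (guest-bridge, vlanAP_30, eth3 as the AP port) and 192.168.30.0/24 follow the post; ether1 as the WAN port and RouterOS 6.41+ bridge VLAN filtering syntax are assumptions. Two things the post leaves implicit: VLAN filtering goes on only after the port and the VLAN table exist, because enabling it on a bridge you are connected through can drop your own session (run this in safe mode or from the serial/console the first time), and the AP segment needs DHCP and DNS reach to the router on the input chain plus its own NAT rule, which a default MikroTik firewall keyed to a LAN interface list will not give it.

```routeros
# Added example (not the poster's own config). Assumptions:
#   eth3 = port wired to the AP, ether1 = WAN, VLAN 30 = AP VLAN,
#   192.168.30.0/24 for the AP segment, RouterOS 6.41+ bridge VLAN filtering.

# 1. A dedicated bridge for the AP port. VLAN filtering stays off until the table is complete.
/interface bridge add name=guest-bridge pvid=1 ingress-filtering=yes vlan-filtering=no
# eth3 is an untagged access port in VLAN 30; tagged frames from the AP side are refused.
/interface bridge port add bridge=guest-bridge interface=eth3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
# The bridge itself is a tagged member of VLAN 30 so the router CPU can terminate it.
/interface bridge vlan add bridge=guest-bridge tagged=guest-bridge untagged=eth3 vlan-ids=30

# 2. Layer-3 side: VLAN interface on the bridge, address, pool and DHCP for the AP.
/interface vlan add name=vlanAP_30 interface=guest-bridge vlan-id=30
/ip address add address=192.168.30.1/24 interface=vlanAP_30 comment="AP VLAN gateway"
/ip pool add name=pool-ap30 ranges=192.168.30.2-192.168.30.3
/ip dhcp-server add name=dhcp-ap30 interface=vlanAP_30 address-pool=pool-ap30 disabled=no
/ip dhcp-server network add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1

# 3. Only now switch VLAN filtering on.
/interface bridge set guest-bridge vlan-filtering=yes

# 4. Firewall. The single forward rule from the post, plus an explicit drop for
#    firewalls that are not already "accept listed, drop the rest", and the
#    input rules the AP needs for DHCP and DNS from the router.
/ip firewall filter add chain=forward action=accept in-interface=vlanAP_30 out-interface=ether1 comment="AP VLAN -> internet"
/ip firewall filter add chain=forward action=drop in-interface=vlanAP_30 comment="AP VLAN -> nothing else (incl. 192.168.88.0/24)"
/ip firewall filter add chain=input action=accept in-interface=vlanAP_30 protocol=udp dst-port=53,67 comment="AP VLAN: DNS + DHCP to router"
/ip firewall filter add chain=input action=drop in-interface=vlanAP_30 comment="AP VLAN: no access to the router itself"
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.30.0/24 out-interface=ether1 comment="AP VLAN NAT"

# Checks: the AP should hold a lease from pool-ap30, VLAN 30 should show
# eth3 untagged and the bridge tagged, and the forward counters should move.
/ip dhcp-server lease print where server=dhcp-ap30
/interface bridge vlan print
/ip firewall filter print stats where comment~"AP VLAN"
```

As with any filter rules added by `add`, the forward accept and drop land at the bottom of the chain; on a router with an existing "accept from LAN" rule, move them above it with `place-before=` or `/ip firewall filter move`, otherwise the earlier accept can match first. The AP's management address is now 192.168.30.x on the VLAN, no longer 192.168.88.254, so the static DHCP lease on the LAN side becomes unused once the AP is moved to eth3.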
