alexantao
just joined
Topic Author
Posts: 4
Joined: Mon Mar 09, 2020 2:39 am

Isolate devices from same physical network.

Mon Mar 09, 2020 4:28 pm

Hi all,

I give up and am asking for some help here. I've searched a lot and couldn't find a way to configure my network.
I worked with networks a long time ago, but I'm out of date with the new tech.

I bought a MikroTik hEX 750Gr3 for my home network. It's a very simple network topology, but I want to play with it and configure some more serious security, since I have a NAS and want to control access to it.

TOPOLOGY:
My Internet connection is a modem from the ISP configured as a bridge.
Behind it I put the MikroTik router, with the WAN configured as PPPoE.
3 MikroTik LAN ports are plugged into Access Points throughout my house (actually all Apple AirPorts, 2 Express and 1 Extreme; I will change them in the future), all configured in bridge mode.
The MikroTik provides DHCP and any other services.


[Topology diagram attached to the original post]


Some considerations:
  • All devices connect over wireless.
  • There's no guest network, because for that I would need to make the Apple AirPort a router with DHCP included, and I don't want that.
  • All devices are on the same IP pool.


THE GOAL:
I want to isolate some devices from others, e.g. Infra (APs/NAS), Fixed Devices (TVs, etc.), Guests, etc., to give exclusive access to each one and preferably not let some of them access other local devices, like the NAS or any AP's configuration.

How it was before:
Before the MikroTik, all APs were linked directly to my modem/router, which had static leases for specific ranges of my Class C network. So, in the firewall I permitted or denied access to some Internet services based on those ranges, but anyone could access anyone else on my local LAN. Any unknown device was considered a Guest and had very limited Internet access.

My options?
  • Implement it just as it was before: no way, I want something better.
  • Separate network for APs and double IPs on the router: I was considering trying something like this, setting the APs to a different address space, like 10.0.0.0, and configuring a second IP on the router's Ethernet. Just an option.
  • VPN: I'd like to manage everything using VPN, but I'm stuck. I worked with VPN a long time ago, but this setup is beyond my knowledge. For this, I need to identify the devices by their MAC address to set the VLAN ID, since all devices go to the same APs. Any unknown device will be considered a Guest. So I need to configure the DHCP server for this, and I don't know how, or if it's possible.
  • Another option? I'll be glad to hear any suggestion.
Thanks!
 
anav
Forum Guru
Posts: 5939
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate devices from same physical network.

Mon Mar 09, 2020 4:55 pm

Hi there,
There are lots of ways to provide separation, but the main ones are:
a. use bridges to separate subnets at Layer 2 (old method, but still works)
b. use VLANs to separate subnets at Layer 2 (newer method)
c. use forward chain firewall filter rules to block cross-talk between subnets (just use a drop-all rule at the end of the forward chain).

So this will work fine for your router and any attached APs that are VLAN capable, OR if you have a smart switch between the router and the AP and have the expectation of one AP = one subnet only.
If you want multiple subnets on one AP, then you need better APs.

I like the VLAN approach; it's quite simple, and you can have your NAS on its own VLAN as well.
In other words, you really need to ditch the AirPort Extreme.
Best value consumer AP at the moment: TP-Link EAP245 AC1750 Wireless MU-MIMO Gigabit.
MT has the cAP ac, which I use.
Probably the best, but pricey, are Ubiquiti products.
If you don't have wiring to each AP location, then perhaps the new mesh products may be of interest; the MT Audience seems like a decent design (it has a separate dedicated 5 GHz channel for extending).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
WeWiNet
Member
Posts: 489
Joined: Thu Sep 27, 2018 4:11 pm

Re: Isolate devices from same physical network.

Tue Mar 10, 2020 7:36 pm

Alexantao,

As you ask for suggestions, I would suggest (on top of anav's recommendations) that you think hard
about how you want to group/separate devices and device types before you implement your network:

I suggest you define 3 to 4 zones (at least)
- Zone 1: trusted devices: your PC, printer, other (non-kids!) PCs/laptops. Devices inside this network are "supposed to be safe"
and will have access, for instance, to a NAS with important information (not a film/music server, which I would put into Zone 2).
- Zone 2: phone/consumer products: here go Chromecast, phones, tablets, Sonos etc. Stuff that must be on the same L2 network
to work/cast/stream etc.
- Zone 3: kids: I assume they can't be controlled ;-) and their devices (and usage) are by nature unsafe. So I keep them separated from the rest.
- Zone 4: IoT devices: new/old, good/bad, Alexa, Sonoff, Raspberry, old phones with Wi-Fi used as audio players etc., which I cannot "trust"
(just do a "torch" on some of them and you know why). They have an Internet connection, but are each fully isolated, and that is all they get.

You can add more/fewer zones depending on what you want to do/achieve.

Then for each zone you consider what you allow/disallow/enable/disable etc.
You can still have IP traffic (if you decide to do so) from one zone to the other. For instance, allow certain clients in Zone 3 (kids) to use the printer from Zone 1
(you need an IP/network printer).

For instance, connecting to the router is possible only from Zone 1, or even better, a special Zone 5 dedicated to management.
WeWiNet

MTCNA
I like a new challenge, I migrate to ROS7... :? or maybe I am just crazy :lol: !!!
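To put anav's options (b) and (c) and WeWiNet's zone model into a concrete configuration, here is a RouterOS (v6 syntax) script written as an added example for this thread; it is not from any of the posts above and not a MikroTik reference configuration. It assumes a hEX with the WAN on pppoe-out1, a bridge named bridge1, ether2 and ether3 as VLAN trunks to VLAN-capable APs broadcasting one SSID per zone (the OP's AirPorts cannot do this, as anav notes), ether4 as an untagged trusted wired port, ether5 as a management-only port, one 192.168.<vlan>.0/24 subnet per zone, and a network printer at 192.168.10.20 with a constructed MAC address. All of those names and addresses are assumptions to adapt.

```routeros
# Added example (not from this thread): zone-based VLAN segmentation on a hEX.
# Assumed names: bridge1, pppoe-out1, ether2/ether3 = trunks to VLAN-capable
# APs, ether4 = untagged trusted PC port, ether5 = management port.
# Assumed addressing: 192.168.<vlan>.0/24 per zone, printer at 192.168.10.20.

/interface bridge
add name=bridge1 protocol-mode=rstp vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether3 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5 pvid=50 frame-types=admit-only-untagged-and-priority-tagged

# VLAN table: which ports carry which zone. bridge1 itself is tagged so the
# router gets a Layer 3 interface in every zone; the APs' own management
# interfaces are expected tagged in VLAN 50 on the trunks.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether3 untagged=ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2,ether3 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether2,ether3 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether2,ether3 vlan-ids=40
add bridge=bridge1 tagged=bridge1,ether2,ether3 untagged=ether5 vlan-ids=50

/interface vlan
add interface=bridge1 name=vlan10-trusted vlan-id=10
add interface=bridge1 name=vlan20-media vlan-id=20
add interface=bridge1 name=vlan30-kids vlan-id=30
add interface=bridge1 name=vlan40-iot vlan-id=40
add interface=bridge1 name=vlan50-mgmt vlan-id=50

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=pppoe-out1 list=WAN
add interface=vlan10-trusted list=LAN
add interface=vlan20-media list=LAN
add interface=vlan30-kids list=LAN
add interface=vlan40-iot list=LAN
add interface=vlan50-mgmt list=LAN

# One subnet per zone; DHCP shown in full for zone 10 only, the other zones
# repeat the same three lines with their own VLAN number.
/ip address
add address=192.168.10.1/24 interface=vlan10-trusted
add address=192.168.20.1/24 interface=vlan20-media
add address=192.168.30.1/24 interface=vlan30-kids
add address=192.168.40.1/24 interface=vlan40-iot
add address=192.168.50.1/24 interface=vlan50-mgmt
/ip pool
add name=pool10 ranges=192.168.10.100-192.168.10.199
/ip dhcp-server
add address-pool=pool10 interface=vlan10-trusted name=dhcp10 disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
/ip dhcp-server lease
add address=192.168.10.20 mac-address=AA:BB:CC:DD:EE:FF server=dhcp10 comment="printer (constructed MAC)"

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
# input chain: who may talk to the router itself (WeWiNet's "Zone 5")
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=vlan50-mgmt comment="router management only from the management zone"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for all zones"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 comment="DHCP for all zones"
add chain=input action=accept protocol=icmp
add chain=input action=drop comment="drop everything else aimed at the router"
# forward chain: traffic between zones and to the Internet
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=vlan10-trusted comment="trusted zone may initiate to any zone"
add chain=forward action=accept in-interface=vlan30-kids dst-address=192.168.10.20 protocol=tcp dst-port=9100,631 comment="kids zone may reach the printer only"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="every zone gets Internet"
add chain=forward action=drop comment="drop all other cross-zone traffic (anav's option c)"

# Enable last, while connected on ether5 and ideally inside Safe Mode: any
# mistake above locks you out once tagging is enforced.
/interface bridge set bridge1 vlan-filtering=yes
```

Two caveats from the posts this illustrates: the design maps zones to SSIDs rather than to MAC addresses, so the MAC-based assignment the OP asked about is not what this does, and "each IoT device fully isolated" (WeWiNet's Zone 4) is a Layer 2 property that the router cannot enforce between two clients on the same VLAN; that needs client isolation enabled on the AP.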
 
anav
Forum Guru
Posts: 5939
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate devices from same physical network.

Wed Mar 11, 2020 4:39 am

Concur, a firm understanding of the user requirements is essential before designing the network.
 
silversword
Frequent Visitor
Posts: 50
Joined: Tue Jul 23, 2013 3:36 pm

Re: Isolate devices from same physical network.

Sat Jan 02, 2021 4:23 pm

Alexantao,

WeWiNet wrote: I suggest you define 3 to 4 zones (at least)

Conceptually sounds good. Do you have an example config on how you implement this?
