Isolate devices from same physical network.
Posted: Mon Mar 09, 2020 4:28 pm
Hi all,
I give up and ask for some help here. Please, I've searched a lot and couldn't find a way to configure my network.
I've worked a long time ago with networks, but I'm outdated with new tech.
I bought a Mikrotik HEX 750gr3 for my home network, a very simple network topology, but I want to play with it and configure some more serious security, since I have a NAS and want to control access to it.
TOPOLOGY:
My internet connection is a MODEM from ISP configured as a BRIDGE.
Behind it I put the Mikrotik Router, configured WAN with PPPoE.
3 Mikrotik LAN ports are plugged into Access Points throughout my house (actually all Apple AirPort, 2 Express and 1 Extreme; I will change them in the future), all configured as bridges.
Mikrotik runs DHCP and all the other services.
Some Considerations:
- All devices connect over wireless.
- There's no guest network, because for this I need to make Apple Airport a router with DHCP included and I don't want that.
- All devices are on the same IP Pool.
THE GOAL:
I want to Isolate some devices from others. Ex.: Infra (APs/NAS), Fixed Devices (TVs, etc...), Guests, etc... to give exclusive access to each one and preferably not let some access other local devices, like NAS or any APs configuration.
How it was before:
Before Mikrotik, all APs were linked directly to my modem/router, which had static leases to specific ranges of my Class C network. So, in the firewall I allowed or denied access to some Internet services based on those ranges, but anyone could access anyone else on my local LAN. Any unknown device was considered a Guest and had very limited access to the Internet.
My options?
- Implement just as it was before: no way, I want something better.
- Separate network for APs and double IPs on the router: I was considering trying to make something like this, setting the APs to a different address space, like 10.0.0.0, and configuring a second IP on the router's Ethernet. Just an option.
- VPN: I'd like to manage everything using VPN, but I'm stuck. I've worked with VPN a long time ago, but this setup is out of my knowledge. For this, I need to identify the devices by their MAC address to set the VLAN ID, since all devices go to the same APs. Any unknown device will be considered a Guest. So I need to configure the DHCP Server for this, and I don't know how, or if it's possible.
- Another Option? I'll be glad to hear any suggestion.
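As an added example (not part of the original post, and not a MikroTik-supplied configuration), the following RouterOS script shows how the "separate network per AP" option from the list above is usually done on a hEX: one VLAN per Ethernet port, one subnet and DHCP server per VLAN, and a forward-chain firewall that denies traffic between VLANs by default and only opens the NAS to the classes that need it. Every interface name, VLAN number, address range and MAC address below is an assumption or a placeholder: it assumes the PPPoE interface is called pppoe-out1, that ether2 carries the Infra AP and the NAS, ether3 the fixed-devices AP and ether4 the guest AP, and that the default NAT masquerade rule from the stock configuration is already present. One caveat the post's own constraints raise: an AirPort in bridge mode sends untagged frames, so every client of a given AP lands in that port's VLAN; separating device classes that share one SSID needs APs that can tag per SSID (or a RADIUS-assigned VLAN), and traffic between two hosts inside the same VLAN is switched in the bridge and never reaches the IP firewall.

```routeros
# Added example, not from the original post. Names, VLAN IDs, subnets and
# the NAS MAC are placeholders; adapt them to the real topology.
/interface bridge
add name=bridge-lan vlan-filtering=no comment="VLAN filtering is turned on last"

# Untagged frames from each AP get the PVID of the port they arrive on
/interface bridge port
add bridge=bridge-lan interface=ether2 pvid=10 comment="Infra AP + NAS"
add bridge=bridge-lan interface=ether3 pvid=20 comment="Fixed devices AP (TVs etc.)"
add bridge=bridge-lan interface=ether4 pvid=30 comment="Guest AP"

/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan untagged=ether2 vlan-ids=10
add bridge=bridge-lan tagged=bridge-lan untagged=ether3 vlan-ids=20
add bridge=bridge-lan tagged=bridge-lan untagged=ether4 vlan-ids=30

# One routed interface per VLAN so the router can be the gateway for each
/interface vlan
add name=vlan10-infra interface=bridge-lan vlan-id=10
add name=vlan20-fixed interface=bridge-lan vlan-id=20
add name=vlan30-guest interface=bridge-lan vlan-id=30

/interface list
add name=LAN
/interface list member
add list=LAN interface=vlan10-infra
add list=LAN interface=vlan20-fixed
add list=LAN interface=vlan30-guest

/ip address
add address=192.168.10.1/24 interface=vlan10-infra
add address=192.168.20.1/24 interface=vlan20-fixed
add address=192.168.30.1/24 interface=vlan30-guest

/ip pool
add name=pool-infra ranges=192.168.10.100-192.168.10.199
add name=pool-fixed ranges=192.168.20.100-192.168.20.199
add name=pool-guest ranges=192.168.30.100-192.168.30.199

/ip dhcp-server
add name=dhcp-infra interface=vlan10-infra address-pool=pool-infra disabled=no
add name=dhcp-fixed interface=vlan20-fixed address-pool=pool-fixed disabled=no
add name=dhcp-guest interface=vlan30-guest address-pool=pool-guest lease-time=1h disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1

# Static lease so the NAS keeps a fixed address the firewall can refer to
/ip dhcp-server lease
add address=192.168.10.10 mac-address=00:11:22:33:44:55 server=dhcp-infra comment="NAS (placeholder MAC)"

# Forward chain: default-deny between VLANs, explicit holes only
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies to allowed flows"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=vlan20-fixed out-interface=vlan10-infra \
    dst-address=192.168.10.10 protocol=tcp dst-port=445 comment="Fixed devices reach NAS SMB only"
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN comment="no other inter-VLAN traffic"
add chain=forward action=accept in-interface=vlan30-guest out-interface=pppoe-out1 \
    protocol=tcp dst-port=80,443 comment="guests: web only"
add chain=forward action=drop in-interface=vlan30-guest comment="guests: everything else"
add chain=forward action=accept in-interface-list=LAN out-interface=pppoe-out1 comment="Infra/Fixed to Internet"

# Input chain: router management reachable from the Infra VLAN only;
# every VLAN may still use the router for DHCP and DNS
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=vlan10-infra comment="management from Infra"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,67 comment="DNS + DHCP"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=drop in-interface-list=LAN comment="no management from Fixed/Guest"

# Enable VLAN filtering only after the rest is in place, from a console
# session on ether2 or via Winbox MAC connection, so a mistake cannot lock you out
/interface bridge set bridge-lan vlan-filtering=yes
```

Apply it from a Safe Mode session so an error rolls back automatically, and test from each AP that a guest client can reach the web but neither the NAS nor the router's management ports, that a TV can reach only the NAS share, and that the Infra side still has full access. Because the APs stay in bridge mode, adding a new AP is just another port with its own PVID and VLAN entry.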