Isolate devices from same physical network.

Posted: Mon Mar 09, 2020 4:28 pm
by alexantao
Hi all,

I give up and ask for some help here. Please, I've searched a lot and couldn't find a way to configure my network.
I've worked a long time ago with networks, but I'm outdated with new tech.

I bought a Mikrotik HEX 750gr3 for my home network, a very simple network topology, but I want to play with it and configure some more serious security, since I have a NAS and want to control access to it.

TOPOLOGY:
My internet connection is a MODEM from ISP configured as a BRIDGE.
Behind it I put the Mikrotik Router, configured WAN with PPPoE.
3 Mikrotik LAN ports are plugged into Access Points through my house (actually all Apple Airport, 2 Express and 1 Extreme, will change them in the future), all configured as bridges.
Mikrotik runs DHCP and any other service.

Some Considerations:
  • All devices connect on wireless
  • There's no guest network, because for this I need to make Apple Airport a router with DHCP included and I don't want that.
  • All devices are on the same IP Pool.


THE GOAL:
I want to Isolate some devices from others. Ex.: Infra (APs/NAS), Fixed Devices (TVs, etc...), Guests, etc... to give exclusive access to each one and preferably not let some access other local devices, like NAS or any APs configuration.

How it was before:
Before Mikrotik, all APs were linked directly to my modem/router, that had Static leases to specific ranges of my Class C network. So, in firewall I permitted or not the access to some services to internet based on those ranges, but anyone could access another on my local LAN. Any unknown device was considered Guest and had very limited access to Internet.

My options?
  • Implement just as it was before: no way, I want something better.
  • Separated network for APs and double IPs on Router: I was considering trying to make something like this, setting APs to a different address space, like 10.0.0.0 and configuring a second IP on router's Ethernet. Just an option.
  • VPN: I'd like to manage everything using VPN, but I'm stuck. I've worked with VPN a long time ago, but this setup is out of my knowledge. For this, I need to identify the devices by their MAC address to set the VLANID, since all devices go to the same APs. Any unknown device will be considered a Guest. So I need to configure the DHCP Server for this and I don't know how, or if it's possible.
  • Another Option? I'll be glad to hear any suggestion.
Thanks !

Re: Isolate devices from same physical network.

Posted: Mon Mar 09, 2020 4:55 pm
by anav
Hi there,
There are lots of ways to provide separation but the main ones are:
a. use bridges to separate subnets at Layer 2 (old method but still works)
b. use vlans to separate subnets at Layer 2 (newer method)
c. use forward chain firewall filter rules to block cross talk between subnets (just use drop all rule at end of forward chain).

So this will work fine for your router and any attached APs that are VLAN capable, OR you have a smart switch between the router and the AP and have expectations of one AP=one subnet only.
If you want multiple subnets on one AP, then you need better APs.

I like the vlan approach, it's quite simple and you can have your NAS on its own vlan as well.
In other words you really need to ditch airport extreme.
Best value consumer AP at the moment TP-Link EAP245 AC1750 Wireless MU-MIMO Gigabit.
MT has the capAC which I use.
Probably the best but pricey are ubiquiti products
If you don't have wiring to each AP location, then perhaps the new mesh products may be of interest - the MT Audience seems like a decent design (has a separate dedicated 5 GHz channel for extending).
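A worked RouterOS configuration for the VLAN approach (options b and c above), added here as an example for this thread; it is not anav's or the original poster's config. It assumes a hEX with ether1 carrying the PPPoE WAN (pppoe-out1), ether2 going to a VLAN-capable AP as a tagged trunk, and ether3 going to a non-VLAN-capable AP (an Airport in bridge mode) that therefore serves exactly one subnet, guests. VLAN ids, interface names and addresses are assumptions chosen for the example.

```routeros
# Added example for this thread (not the original poster's or anav's config).
# Assumed layout on a hEX: ether1 -> ISP modem (pppoe-out1 is the WAN),
# ether2 -> VLAN-capable AP (trunk carrying VLAN 10 and 20 tagged),
# ether3 -> non-VLAN-capable AP in bridge mode, guests only.
# VLAN ids, names and addresses are assumptions.

/interface bridge
add name=bridge1 vlan-filtering=no comment="turn vlan-filtering on only as the last step"

/interface bridge port
# Trunk: only tagged frames are accepted, so a client behind the AP cannot
# choose its own VLAN by sending untagged traffic.
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    comment="trunk to VLAN-capable AP"
# Access port: everything arriving untagged from the dumb AP lands in VLAN 30.
add bridge=bridge1 interface=ether3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes comment="dumb AP, one subnet only (guests)"

/interface bridge vlan
# bridge1 itself is a tagged member so the router CPU can own an IP in each VLAN
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=30

/interface vlan
add name=vlan10-infra interface=bridge1 vlan-id=10
add name=vlan20-fixed interface=bridge1 vlan-id=20
add name=vlan30-guest interface=bridge1 vlan-id=30

/ip address
add address=192.168.10.1/24 interface=vlan10-infra
add address=192.168.20.1/24 interface=vlan20-fixed
add address=192.168.30.1/24 interface=vlan30-guest

/ip pool
add name=pool10 ranges=192.168.10.100-192.168.10.199
add name=pool20 ranges=192.168.20.100-192.168.20.199
add name=pool30 ranges=192.168.30.100-192.168.30.199

/ip dhcp-server
add name=dhcp10 interface=vlan10-infra address-pool=pool10 disabled=no
add name=dhcp20 interface=vlan20-fixed address-pool=pool20 disabled=no
add name=dhcp30 interface=vlan30-guest address-pool=pool30 disabled=no

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=pppoe-out1
add list=LAN interface=vlan10-infra
add list=LAN interface=vlan20-fixed
add list=LAN interface=vlan30-guest

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="every VLAN may go to the internet"
# There is no VLAN-to-VLAN accept rule, so the drop at the end of the forward
# chain is what keeps guests away from the NAS and the APs' admin pages.
add chain=forward action=drop comment="drop all remaining forward traffic, incl. inter-VLAN"

# Last step: enabling filtering before the vlan table exists can lock you out.
/interface bridge set bridge1 vlan-filtering=yes
```

Any cross-VLAN access that is wanted (say, fixed devices reaching the NAS on one port) goes in as an explicit accept rule placed above the final drop; the input chain (traffic to the router itself) is deliberately left out here and needs its own rules before the router is exposed on all three subnets.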

Re: Isolate devices from same physical network.

Posted: Tue Mar 10, 2020 7:36 pm
by WeWiNet
Alexantao,

As you ask for suggestions, I would suggest (on top of anav's recommendations) you think hard about how you want to group/separate devices and device types before you implement your network:

I suggest you define 3 to 4 zones (at least)
- Zone 1: trusted devices, your PC, printer, other (non-kids!) PCs/laptops. Devices inside this network are "supposed to be safe" and will have access for instance to a NAS with important information (not a film/music server, which I would put into Zone 2).
- Zone 2: Phone/consumer products: Here go Chromecast, phones, tablets, Sonos etc. Stuff that must be on the same L2 network to work/cast/stream etc...
- Zone 3: Kids: I assume they can't be controlled ;-) and their devices (and usage) are by nature unsafe. So I keep them separated from the rest.
- Zone 4: IoT devices: new/old, good or bad, Alexa, Sonoff, Raspberry, old phones with WiFi used as audio players etc., which I can not "trust" (just do a "torch" on some of them and you know why). They have an internet connection but are each fully isolated and that is all they get.

You can add more / less zones depending on what you want to do/achieve.

Then for each zone you consider what you allow/disallow/enable/disable etc.
You can still have IP traffic (if you decide to do so) from one zone to the other. For instance allow certain clients in zone 3 (kids) to use the printer from zone 1 (you need an IP/network printer).

For instance connecting to the router is possible only from Zone 1, or even better, a special Zone 5 dedicated to management.
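The zone policy described in this post, written out as RouterOS firewall rules. This is an added example, not WeWiNet's configuration. It assumes one router interface per zone already exists (VLAN or bridge interfaces named as below), that pppoe-out1 is the WAN, that the zone 1 network printer sits at 192.168.10.50, and that the one kids' device allowed to print is pinned to 192.168.30.10 with a static lease; all names, addresses and the MAC are placeholders.

```routeros
# Added example: WeWiNet's zones as interface lists plus firewall rules.
# Not from the thread. Assumed interfaces: vlan10-trusted, vlan20-consumer,
# vlan30-kids, vlan40-iot, vlan50-mgmt; pppoe-out1 is the WAN.
# Addresses and the MAC below are placeholders.

/interface list
add name=WAN
add name=LAN
add name=Z1_TRUSTED
add name=Z2_CONSUMER
add name=Z3_KIDS
add name=Z4_IOT
add name=Z5_MGMT
/interface list member
add list=WAN interface=pppoe-out1
add list=Z1_TRUSTED interface=vlan10-trusted
add list=Z2_CONSUMER interface=vlan20-consumer
add list=Z3_KIDS interface=vlan30-kids
add list=Z4_IOT interface=vlan40-iot
add list=Z5_MGMT interface=vlan50-mgmt
# an interface may be in several lists: every zone is also "LAN"
add list=LAN interface=vlan10-trusted
add list=LAN interface=vlan20-consumer
add list=LAN interface=vlan30-kids
add list=LAN interface=vlan40-iot
add list=LAN interface=vlan50-mgmt

# Exceptions are keyed on IP addresses, so pin those hosts with static leases.
/ip dhcp-server lease
add server=dhcp30 address=192.168.30.10 mac-address=00:11:22:33:44:55 \
    comment="PLACEHOLDER MAC - the one kids' laptop allowed to print"

/ip firewall address-list
add list=printer address=192.168.10.50 comment="zone 1 network printer"
add list=kids-may-print address=192.168.30.10

/ip firewall filter
# --- input: traffic aimed at the router itself ---
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=Z5_MGMT comment="winbox/ssh/web only from the management zone"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="router as DNS resolver"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67-68 comment="DHCP"
add chain=input action=accept in-interface-list=LAN protocol=icmp
add chain=input action=drop comment="everything else to the router, WAN included"

# --- forward: traffic between zones and to the internet ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="all zones get internet"
add chain=forward action=accept in-interface-list=Z1_TRUSTED out-interface-list=Z2_CONSUMER \
    comment="trusted PCs may initiate to cast/stream devices; replies return via established"
add chain=forward action=accept src-address-list=kids-may-print dst-address-list=printer \
    protocol=tcp dst-port=631,9100 comment="zone 3 exception: printing only (IPP, raw)"
add chain=forward action=accept in-interface-list=Z5_MGMT out-interface-list=LAN comment="management reaches every zone"
# Zone 4 (IoT) has no accept rule towards any other zone: internet only.
add chain=forward action=drop comment="deny all other cross-zone traffic"
```

The pattern is the same for every extra zone or exception: one interface list per zone, accept rules only for the flows you have decided to allow, and a single drop at the end of each chain so anything you forgot is denied rather than permitted. The input rule for DHCP is harmless if the DHCP server turns out not to need it on your version.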

Re: Isolate devices from same physical network.

Posted: Wed Mar 11, 2020 4:39 am
by anav
Concur, a firm understanding of the user requirements is essential before designing the network.

Re: Isolate devices from same physical network.

Posted: Sat Jan 02, 2021 4:23 pm
by silversword
Alexantao,

I suggest you define 3 to 4 zones (at least)
Conceptually sounds good. Do you have an example config on how you implement this?

Re: Isolate devices from same physical network.

Posted: Tue Feb 09, 2021 6:24 pm
by nezik
There are lots of ways to provide separation but the main ones are:
a. use bridges to separate subnets at Layer 2 (old method but still works)
b. use vlans to separate subnets at Layer 2 (newer method)
Can you explain to me please, why (if) VLANs are better than bridges?

Re: Isolate devices from same physical network.

Posted: Thu Feb 11, 2021 10:27 am
by WeWiNet
Can you explain to me please, why (if) VLANs are better than bridges?
The VLAN experts will tell you multiple VLAN on one bridge is better for final routing performance.
Personally I found VLAN setup confusing and you often block yourself out.
Then also I found on ROS7 some VLAN stuff does not yet work correctly. On ROS7 I do not use VLAN at all.

Using bridges is flexible and very easy to do. In my setup I do have 7 bridges, over 200 FW rules, queue trees etc. and have never hit the CPU limit so far.
But I acknowledge my WAN speed is low (50Mbps), so WAN-LAN routing is not demanding.
If you have a 1Gbps WAN connection maybe you would start to see the CPU getting overloaded with many bridges (but it will also depend on the device you use, number of FW rules etc).

In short, for beginners or non-experts I would start with a multiple bridge setup and get familiar with all the rest. Once done AND you see performance limitations you can migrate that setup to VLAN based.

I am sure other forum members will have different view...
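For comparison with the VLAN route, here is what the multi-bridge setup WeWiNet recommends looks like on the original poster's hardware. This is an added example, not WeWiNet's own export. It assumes each non-VLAN-capable AP hangs off its own hEX port (ether2 to ether5), that pppoe-out1 is the WAN, and the addresses are made up for the example; DHCP is shown for one zone only.

```routeros
# Added example of the multi-bridge variant (not WeWiNet's config).
# One bridge per router port gives one Layer 2 domain, and so one subnet,
# per dumb AP, with no VLAN tagging anywhere. Port roles and addresses are
# assumptions; pppoe-out1 is assumed to be the WAN.

/interface bridge
add name=br-trusted comment="zone 1: AP on ether2"
add name=br-media comment="zone 2: AP on ether3"
add name=br-kids comment="zone 3: AP on ether4"
add name=br-iot comment="zone 4: AP on ether5"

/interface bridge port
add bridge=br-trusted interface=ether2
add bridge=br-media interface=ether3
add bridge=br-kids interface=ether4
add bridge=br-iot interface=ether5

/ip address
add address=192.168.10.1/24 interface=br-trusted
add address=192.168.20.1/24 interface=br-media
add address=192.168.30.1/24 interface=br-kids
add address=192.168.40.1/24 interface=br-iot

# DHCP: one server per bridge (zone 1 shown; repeat for the others)
/ip pool
add name=pool-trusted ranges=192.168.10.100-192.168.10.199
/ip dhcp-server
add name=dhcp-trusted interface=br-trusted address-pool=pool-trusted disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1

# Separate bridges only separate Layer 2. The router routes between them by
# default, so the forward chain is still what enforces the isolation.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=pppoe-out1
add list=LAN interface=br-trusted
add list=LAN interface=br-media
add list=LAN interface=br-kids
add list=LAN interface=br-iot

/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="internet for all"
add chain=forward action=drop comment="no bridge-to-bridge traffic unless accepted above"
```

Two practical limits follow from this layout: a hEX has five ports, so with ether1 as WAN you get at most four such zones without adding a switch, and only one bridge can use the switch chip's hardware offload, the rest being bridged in CPU, which is where the performance cost WeWiNet mentions comes from.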

Re: Isolate devices from same physical network.

Posted: Thu Feb 11, 2021 7:30 pm
by silversword
Still hoping for some actual config examples so I can see how the concepts meet actual config commands

Re: Isolate devices from same physical network.

Posted: Thu Feb 11, 2021 7:59 pm
by anav
This is not difficult to config, but it's up to the OP to provide how far he has gotten thus far.
/export hide-sensitive file=anynameyouwish

Highly recommend he/she/others use this as a guide:
viewtopic.php?t=143620

Re: Isolate devices from same physical network.

Posted: Thu Feb 11, 2021 8:26 pm
by silversword
Highly recommend he/she/others use this as a guide:
viewtopic.php?t=143620
Thank you for that link, definitely well laid out! :)

Re: Isolate devices from same physical network.

Posted: Fri Feb 12, 2021 4:55 pm
by anav
For vlans to work, they need to interact with smart devices, vlan capable switches or vlan capable access points.
At the point in time where you have to connect to a dumb device (pc etc, anything that cannot read vlans), then that is the last stop for the vlan.

So for example if your access points were NOT vlan capable, you couldn't then have any devices behind them on different vlans; they would all be on the same vlan (lan), so to speak.
There are hybrid ports but that's another topic.