zespri
Frequent Visitor
Topic Author
Posts: 51
Joined: Sat Mar 26, 2016 1:45 pm

VLANs + VPN + Hypervisor + Wifi. Please review my setup.

Sat Jun 27, 2020 6:48 am

Hello all,

Recently I was asked to return the server I used to run my home lab, and I took an opportunity to purchase a used Dell Precision T5610. I'm running ESXI hypervisor on it.
Unlike my old server this one came only with a single network port (whereas the old one had three), so this was a call to learn a bit about VLANs and configure my hAP ac to have a trunk port to connect to the Dell.

Since I never used VLANs before, this was a bit of a learning curve, and I would like the helpful community here to review my setup.

What I wanted to achieve:
  • 5 VLANs to start with:
    • Home - for all wired and wireless devices at home
    • GuestWiFi - for guests' mobile phones and tablets, isolated from the rest of the network
    • Esxi - management network for the hypervisor
    • VMInt - virtual machines that cannot be accessed externally
    • VMExt - virtual machines with some ports forwarded for external access
  • Trunk port to ESXI over Esxi, VMInt and VMExt
  • VPN - need to have an account to access the home network (and everything else) but also an account that cannot access the home network and can only access hypervisor infrastructure (Esxi, VMInt, VMExt)
  • DNS interception - all DNS requests have to be captured and resolved at the server I chose.

Note about the code posted below: This is not a verbatim `/export`. I removed a few lengthy uninteresting sections (wifi access list, static DNS, DHCP static leases) and a few other unimportant ones. I also re-arranged the order of some sections (all the firewall rules are shown in the right order). The comments that I added are not aimed so much at you (you might find them obvious) but at myself, when I read the same thing some months or years from today. Some rules are disabled or not enabled. Those are for temporary configurations that I experimented with and perceive as useful in the future.

What I'm worried about:
This setup seems to work and do all I need. The main worry is firewall security. I'd like you to tell me if there are any serious security issues with this setup. Since I'm not very experienced with MikroTik, the way I set it up may rely on wrong assumptions. Any other comments / problems with the way I did this are also welcome. Thank you in advance!

# Bridge is VLAN enabled
/interface bridge
add name=bridge vlan-filtering=yes

# ISP connection
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=REDACTED user=REDACTED

/ip dhcp-client
add comment=defconf interface=ether1

# Wifi
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=REDACTED
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity="" wpa2-pre-shared-key=REDACTED

# Wifi Home network
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country="new zealand" default-authentication=no disabled=no \
    distance=indoors frequency=auto frequency-mode=manual-txpower mode=\
    ap-bridge ssid=REDACTED wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac country=\
    "new zealand" default-authentication=no disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower mode=ap-bridge ssid=\
    REDACTED wireless-protocol=802.11

# Wifi Guest network
/interface wireless
add default-forwarding=no disabled=no mac-address=CE:2D:E0:3E:EA:7D \
    master-interface=wlan1 name=wlan3 security-profile=guest ssid=REDACTED \
    vlan-id=35 wps-mode=disabled
add default-forwarding=no disabled=no mac-address=CE:2D:E0:3E:EA:7C \
    master-interface=wlan2 name=wlan4 security-profile=guest ssid=REDACTED \
    vlan-id=35 wps-mode=disabled

# VLANs
/interface vlan
add interface=bridge name=Home vlan-id=25
add interface=bridge name=GuestWiFi vlan-id=35
# arp is for VPN to work
add arp=proxy-arp interface=bridge name=Esxi vlan-id=40
add interface=bridge name=VMExt vlan-id=42
add interface=bridge name=VMInt vlan-id=41

# VLANs DHCP ranges
/ip pool
add name=Home_POOL ranges=192.168.88.192/26
add name=Esxi_POOL ranges=192.168.89.192/26
add name=GuestWiFi_POOL ranges=192.168.32.192/26
add name=VMExt_POOL ranges=192.168.91.192/26
add name=VMInt_POOL ranges=192.168.90.192/26

# VLAN DHCP servers
/ip dhcp-server
add address-pool=Esxi_POOL disabled=no interface=Esxi name=Esxi_DHCP
add address-pool=VMInt_POOL disabled=no interface=VMInt name=VMInt_DHCP
add address-pool=VMExt_POOL disabled=no interface=VMExt name=VMExt_DHCP
add address-pool=Home_POOL disabled=no interface=Home name=Home_DHCP
add address-pool=GuestWiFi_POOL disabled=no interface=GuestWiFi name=\
    GuestWiFi_DHCP

# VLAN DHCP networks
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
add address=192.168.32.0/24 dns-server=192.168.88.1 gateway=192.168.32.1
add address=192.168.89.0/24 dns-server=192.168.88.1 gateway=192.168.89.1
add address=192.168.90.0/24 dns-server=192.168.88.1 gateway=192.168.90.1
add address=192.168.91.0/24 dns-server=192.168.88.1 gateway=192.168.91.1

# VLAN Ports
/interface bridge port
# Home VLAN
add bridge=bridge comment=defconf interface=ether2 pvid=25
add bridge=bridge comment=defconf interface=ether3 pvid=25
add bridge=bridge comment=defconf interface=ether4 pvid=25
add bridge=bridge comment=defconf interface=wlan1 pvid=25
add bridge=bridge comment=defconf interface=wlan2 pvid=25
# GuestWiFi VLAN
add bridge=bridge interface=wlan3 pvid=35
add bridge=bridge interface=wlan4 pvid=35
# Esxi, VMInt, VMExt VLANs (trunk port)
add bridge=bridge interface=ether5
# Not used
add bridge=bridge comment=defconf interface=sfp1

# VLAN Tags
/interface bridge vlan
# Home VLAN
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,wlan1,wlan2 \
    vlan-ids=25
# GuestWiFi VLAN
add bridge=bridge tagged=bridge untagged=wlan3,wlan4 vlan-ids=35
# Esxi VLAN
add bridge=bridge tagged=ether5,bridge vlan-ids=40
# VMInt VLAN
add bridge=bridge tagged=ether5,bridge vlan-ids=41
# VMExt VLAN
add bridge=bridge tagged=ether5,bridge vlan-ids=42


# Default gateways for VLANs
/ip address
add address=192.168.88.1/24 interface=Home network=192.168.88.0
add address=192.168.89.1/24 interface=Esxi network=192.168.89.0
add address=192.168.90.1/24 interface=VMInt network=192.168.90.0
add address=192.168.91.1/24 interface=VMExt network=192.168.91.0
add address=192.168.32.1/24 interface=GuestWiFi network=192.168.32.0

# Interface lists for filtering rules
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=ESXI

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=Esxi list=LAN
add interface=VMExt list=LAN
add interface=VMInt list=LAN
add interface=Home list=LAN
add interface=GuestWiFi list=LAN
add interface=Esxi list=ESXI
add interface=VMExt list=ESXI
add interface=VMInt list=ESXI

# VPN Common
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc pfs-group=modp2048
/ppp profile
set *0 use-encryption=required
/interface l2tp-server server
set authentication=mschap2 enabled=yes \
    ipsec-secret=REDACTED use-ipsec=yes

# VPN Home
/ip pool
add name=Home-vpn_POOL ranges=192.168.88.120/29
/ppp profile
add bridge=bridge dns-server=192.168.88.1 local-address=192.168.88.109 name=\
    Home-profile remote-address=Home-vpn_POOL
/ppp secret
add name=REDACTED password=REDACTED profile=Home-profile service=l2tp

/ip arp
add address=192.168.88.120 interface=Home published=yes
add address=192.168.88.124 interface=Home published=yes
add address=192.168.88.121 interface=Home published=yes
add address=192.168.88.122 interface=Home published=yes
add address=192.168.88.123 interface=Home published=yes
add address=192.168.88.125 interface=Home published=yes
add address=192.168.88.126 interface=Home published=yes
add address=192.168.88.127 interface=Home published=yes

# VPN Esxi
/ip pool
add name=Esxi-vpn_POOL ranges=192.168.89.16/28
/ppp profile
add bridge=bridge dns-server=192.168.88.1 local-address=192.168.89.2 name=\
    Esxi_profile remote-address=Esxi-vpn_POOL
/ppp secret
add name=REDACTED password=REDACTED profile=Esxi_profile service=l2tp

# Sundry
/ip dns
set allow-remote-requests=yes cache-size=12048KiB servers=\
    REDACTED

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip accounting
set enabled=yes threshold=2560

/ip accounting web-access
set accessible-via-web=yes address=192.168.88.0/24

/ip service
set www-ssl address=0.0.0.0/0 certificate=my-cert disabled=no

/system clock
set time-zone-name=Pacific/Auckland

/system ntp client
set enabled=yes primary-ntp=103.242.68.69

/system logging
add topics=wireless
add topics=ipsec,!packet

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube).*\$"


# Firewall
/ip firewall address-list
add address=8.8.8.8 list=opendns
add address=8.8.4.4 list=opendns
add address=208.67.222.222 list=opendns
add address=208.66.222.220 list=opendns
add address=209.244.0.3 list=opendns
add address=REDACTED comment="Work Public Ip" list=\
    "Router Whitelist"
add address=REDACTED comment="Friend's Public IP" list="Router Whitelist"
# Devices to restrict YouTube access from
add address=192.168.88.45 list=youtube/int
add address=192.168.88.52 list=youtube/int
add address=192.168.88.44 list=youtube/int
add address=192.168.88.42 list=youtube/int
add address=192.168.88.43 list=youtube/int
# DMZ Host
add address=192.168.88.3 disabled=yes list=WANAccess
add address=192.168.88.53 list=WANAccess


/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# For L2TP VPN
add action=accept chain=input comment=l2tp protocol=ipsec-esp
add action=accept chain=input comment=l2tp dst-port=500,1701,4500 protocol=\
    udp
# Enable this rule for temp access to router web ui
add action=accept chain=input comment="Temp router web-ui access" disabled=\
    yes dst-port=443 protocol=tcp src-address-list="Router Whitelist"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Enable to disable Youtube DNS resolution
add action=drop chain=input comment=Youtube disabled=yes packet-mark=\
    youtube_packet src-address-list=youtube/int
# Accept from each VLAN
add action=accept chain=input in-interface-list=LAN
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Enable to disable Youtube DNS resolution
add action=drop chain=forward comment=Youtube disabled=yes packet-mark=\
    youtube_packet src-address-list=youtube/int
add action=drop chain=forward comment="Block Public Dns" dst-address-list=\
    opendns
# This rule enables DSTNATed external access to whitelisted internal IPs
add action=accept chain=forward comment="External access" dst-address-list=WANAccess \
    in-interface-list=WAN
# Home VLAN has access everywhere
add action=accept chain=forward in-interface=Home
# GuestWiFi VLAN can only access internet
add action=accept chain=forward in-interface=GuestWiFi out-interface-list=WAN
# Esxi VLAN can access VMInt and VMExt
add action=accept chain=forward in-interface=Esxi out-interface-list=ESXI
# Esxi VLAN can access internet
add action=accept chain=forward in-interface=Esxi out-interface-list=WAN
# VMInt can access Esxi. The ESXi hypervisor does not allow deploying vSphere on the management VLAN; that's why there are two
add action=accept chain=forward in-interface=VMInt out-interface=Esxi
# VMInt VLAN can access internet
add action=accept chain=forward in-interface=VMInt out-interface-list=WAN
# VMExt VLAN can access internet
add action=accept chain=forward in-interface=VMExt out-interface-list=WAN
# This rule enables DSTNATed external access to all hosts on VMExt
add action=accept chain=forward in-interface-list=WAN out-interface=VMExt
# Esxi VPN users (untagged) have access to Esxi, VMInt and VMExt
add action=accept chain=forward out-interface-list=ESXI src-address=\
    192.168.89.16/28
# Esxi VPN users (untagged) do not have access to anything else
add action=drop chain=forward src-address=192.168.89.16/28
# Home VPN users (untagged) have access everywhere
add action=accept chain=forward src-address=192.168.88.120/29
# Drop everything else
add action=drop chain=forward


/ip firewall mangle
# Enable to disable Youtube DNS resolution
add action=mark-connection chain=prerouting comment=Youtube connection-mark=\
    no-mark disabled=yes dst-port=53 layer7-protocol=youtube \
    new-connection-mark=youtube_conn passthrough=yes protocol=udp
# Enable to disable Youtube DNS resolution
add action=mark-packet chain=prerouting comment=Youtube connection-mark=\
    youtube_conn disabled=yes new-packet-mark=youtube_packet passthrough=yes


/ip firewall nat
# NAT from external IP to internal network
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
# Enable for Hairpin configuration
add action=masquerade chain=srcnat comment=Hairpin disabled=yes dst-address=\
    192.168.88.53 dst-port=80 out-interface-list=LAN protocol=tcp \
    src-address=192.168.88.0/24
# Enable for Hairpin configuration
add action=dst-nat chain=dstnat comment=Hairpin disabled=yes dst-address=\
    REDACTED dst-port=80 protocol=tcp to-addresses=192.168.88.53 \
    to-ports=80
# Make sure it's us who resolve all DNS requests
add action=redirect chain=dstnat comment=\
    "Force all DNS requests no matter target IP to resolve on the router" \
    dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment=\
    "Force all DNS requests no matter target IP to resolve on the router" \
    dst-port=53 protocol=udp
# Portforward shkaf:22 to external port 4444
add action=dst-nat chain=dstnat comment=\
    "SSH redirect incoming 4444 to shkaf:22" dst-port=4444 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.88.53 to-ports=22
# Portforward external 60000-61000 to shkaf:60000-61000 for MOSH
add action=dst-nat chain=dstnat comment=\
    "MOSH redirect incoming 60000-61000 to shkaf:60000-61000" dst-port=\
    60000-61000 in-interface=pppoe-out1 protocol=udp to-addresses=\
    192.168.88.53 to-ports=60000-61000
# Enable this to port-forward external 443 to shkaf
add action=dst-nat chain=dstnat comment="External 443 to an internal Web" \
    disabled=yes dst-port=443 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.88.53 to-ports=443
# Port-forward external 3000 to 80 on 192.168.91.254 (VMExt)
add action=dst-nat chain=dstnat dst-port=3000 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.91.254 to-ports=80
# Enable this to forward external 59081 to 192.168.88.3:3389
add action=dst-nat chain=dstnat comment=RDP disabled=yes dst-port=59081 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.3 to-ports=\
    3389
# Enable this if you enable the DMZ host but still want port 443 to be used for router web UI access
add action=accept chain=dstnat comment=\
    "Keep tcp/443 for web access on the router" disabled=yes dst-port=443 \
    in-interface=pppoe-out1 log=yes protocol=tcp to-addresses=192.168.88.1 \
    to-ports=443
# Enable for DMZ host: all unknown ports forwarded to it
add action=dst-nat chain=dstnat comment="And the rest goes to the DMZ host" \
    disabled=yes in-interface=pppoe-out1 to-addresses=192.168.88.3
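As an added example (not part of the post above), the following Python model walks the enabled forward-chain rules from the config in posted order and answers the question the rule comments only imply: which VLAN can open a new connection to which. It leaves out the rules that act only on existing connections (fasttrack, established, invalid) and the dst-address-list rules (opendns, WANAccess), so port forwards into the Home VLAN are not modelled; the client addresses, the 203.0.113.5 WAN source and the l2tp-in1 interface name are constructed.

```python
import ipaddress

# Interface lists exactly as the post defines them
LISTS = {"WAN": {"ether1", "pppoe-out1"}, "ESXI": {"Esxi", "VMInt", "VMExt"},
         "LAN": {"Home", "GuestWiFi", "Esxi", "VMInt", "VMExt"}}

# The enabled forward rules from the post, in order, reduced to the matchers they use.
# Rules that act only on existing connections (fasttrack, established, invalid) and the
# dst-address-list rules (opendns, WANAccess) are left out; a missing key matches anything.
RULES = [
    dict(action="drop", in_list="WAN", not_dstnat=True),             # drop WAN not DSTNATed
    dict(action="accept", in_iface="Home"),                           # Home goes everywhere
    dict(action="accept", in_iface="GuestWiFi", out_list="WAN"),
    dict(action="accept", in_iface="Esxi", out_list="ESXI"),
    dict(action="accept", in_iface="Esxi", out_list="WAN"),
    dict(action="accept", in_iface="VMInt", out_iface="Esxi"),
    dict(action="accept", in_iface="VMInt", out_list="WAN"),
    dict(action="accept", in_iface="VMExt", out_list="WAN"),
    dict(action="accept", in_list="WAN", out_iface="VMExt"),         # only after dstnat
    dict(action="accept", out_list="ESXI", src="192.168.89.16/28"),  # Esxi VPN pool
    dict(action="drop", src="192.168.89.16/28"),
    dict(action="accept", src="192.168.88.120/29"),                  # Home VPN pool
    dict(action="drop"),                                              # drop everything else
]

def forward_verdict(in_iface, out_iface, src_ip, dstnat=False):
    """First-match walk of the forward chain for the first packet of a new connection."""
    src = ipaddress.ip_address(src_ip)
    for r in RULES:
        if all([
            r.get("in_iface", in_iface) == in_iface,
            "in_list" not in r or in_iface in LISTS[r["in_list"]],
            r.get("out_iface", out_iface) == out_iface,
            "out_list" not in r or out_iface in LISTS[r["out_list"]],
            "src" not in r or src in ipaddress.ip_network(r["src"]),
            not (r.get("not_dstnat") and dstnat),
        ]):
            return r["action"]
    return "accept"  # RouterOS default policy; unreachable here because the last rule drops

# Constructed sample clients: (ingress interface, an address inside that VLAN's subnet).
# VPN clients arrive on a dynamic L2TP interface (name assumed) that is in none of the lists.
SOURCES = {"Home": ("Home", "192.168.88.200"), "GuestWiFi": ("GuestWiFi", "192.168.32.200"),
           "Esxi": ("Esxi", "192.168.89.200"), "VMInt": ("VMInt", "192.168.90.200"),
           "VMExt": ("VMExt", "192.168.91.200"), "WAN": ("pppoe-out1", "203.0.113.5"),
           "EsxiVPN": ("l2tp-in1", "192.168.89.17"), "HomeVPN": ("l2tp-in1", "192.168.88.121")}
DESTS = ["Home", "GuestWiFi", "Esxi", "VMInt", "VMExt", "pppoe-out1"]

def reachability(dstnat=False):
    """Verdict matrix {source: {egress interface: 'accept' | 'drop'}} for new connections."""
    return {s: {d: forward_verdict(i, d, ip, dstnat) for d in DESTS}
            for s, (i, ip) in SOURCES.items()}
```

Calling `reachability()` gives the full matrix; for instance `forward_verdict("VMInt", "VMExt", "192.168.90.200")` returns "drop", confirming that VMInt cannot open connections to VMExt, which the rule comments imply but never state.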
