broderick (Member Candidate, Topic Author)
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

How to block traffic between ethernet ports

Sat Mar 13, 2021 6:33 pm

Hi everyone,

I've got a Mikrotik hAP ac², and all the ethernet ports are set in bridge. So, every device in my LAN shares the same subnet.
To one port is connected an AP/switch (say port 4), to another one my own PC (say port 2). Other devices are connected to the rest of them. OK.

Everything has worked flawlessly so far, but now I'd like to secure my PC from any traffic going through the AP (port 4), or any unauthorized attempt to access my PC coming from that port. You know, I set up a guest wifi on the AP mentioned above. However, I still want my PC to be able to access that same AP.
Could you help me figure out the best and easiest way to set this up in my Mikrotik's firewall and manage it without setting up VLANs?
Thanks
 
mkx (Forum Guru)
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to block traffic between ethernet ports

Sat Mar 13, 2021 8:17 pm

The easiest way would be to set up a firewall directly on the PC.

Another way would be to enable use-ip-firewall=yes on bridge, disable hw offload on port 4. Beware IP firewall for bridge traffic works slightly differently from same firewall for routed IP traffic...
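The second option above, written out as an added example (this is not mkx's configuration, and the names are assumptions: the bridge is called `bridge`, the PC is on `ether2`, the AP on `ether4`). The point worth seeing in code is the "works slightly differently" caveat: once `use-ip-firewall=yes` is set, bridged frames pass through the IP firewall's `forward` chain with `in-interface=bridge` and `out-interface=bridge` on both sides, so port-based rules must use `in-bridge-port`/`out-bridge-port` rather than `in-interface`. Because the IP firewall is stateful, the PC's own connections to the AP keep working: their replies match `established,related` before the drop rule is reached.

```routeros
# Added example, not from the thread. Assumed names: bridge "bridge",
# PC on ether2, guest AP/switch on ether4.

# 1. Make bridged (layer-2) traffic visit the IP firewall.
/interface bridge settings
set use-ip-firewall=yes

# 2. Frames switched in the hardware chip never reach the CPU, so the
#    firewall cannot see them. Disable hardware offload on the AP port.
/interface bridge port
set [find interface=ether4] hw=no

# 3. Filter rules. Order matters: the stateful accept must come first so
#    that replies to connections the PC opened toward the AP are allowed.
#    (The default hAP configuration already contains an equivalent
#    established/related rule; do not add it twice.)
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="accept established/related (covers bridged traffic too)"

# Bridged traffic shows in-interface=bridge on both sides, so match on the
# bridge port instead: anything NEW that enters on ether4 and would leave
# toward the PC's port is dropped. Connections started by the PC toward
# the AP side are not matched here and remain allowed.
add chain=forward connection-state=new in-bridge-port=ether4 \
    out-bridge-port=ether2 action=drop \
    comment="guest AP (ether4) -> PC (ether2): drop new connections"
```

To check that the rules are actually being hit, `/interface bridge port print` should no longer show the `H` (hardware offload) flag on `ether4`, and `/ip firewall filter print stats` should show the packet counter of the drop rule increasing when a guest client tries to reach the PC. Note that this only filters IP traffic; non-IP frames on the bridge are not affected by the IP firewall.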
 
broderick (Member Candidate, Topic Author)
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: How to block traffic between ethernet ports

Sat Mar 13, 2021 8:44 pm

> The easiest way would be to set up a firewall directly on the PC.

By blocking incoming traffic from that switch's IP?

> Another way would be to enable use-ip-firewall=yes on bridge, disable hw offload on port 4. Beware IP firewall for bridge traffic works slightly differently from same firewall for routed IP traffic...

Not sure here. I don't want to mess something up.

Thanks
 
anav (Forum Guru)
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to block traffic between ethernet ports

Sat Mar 13, 2021 9:08 pm

The problem is that you have the same subnet for both wifi guests and home users going through the ether port to the Access Point.
The Access Point could have a guest wifi, but that may only entail a separate SSID. To be truly guest, the AP needs to feed the guest wifi into another subnet.
I think VLANs in this case make sense; at least put the guest wifi on a VLAN.

The question I have is: is your Access Point able to read VLANs?
 
broderick (Member Candidate, Topic Author)
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: How to block traffic between ethernet ports

Sat Mar 13, 2021 9:25 pm

> The question I have is: is your Access Point able to read VLANs?

Nope.

Anyway, I'd like to understand if I can block any traffic coming from it to my pc only by setting a firewall filter on the ethernet port.
Thanks
 
SpartanX (newbie)
Posts: 44
Joined: Mon Jun 27, 2016 6:13 pm

Re: How to block traffic between ethernet ports

Sun Mar 14, 2021 6:28 pm

I don't think you can use the switch chip to do this because you need access to the AP still, and don't want VLANs.

What do you want clients connected via port 4 to be able to do? Do you want all clients on that port to be treated the same?

If you can live with all port 4 clients being blocked from access to your PC, then the simplest way would seem to be a different subnet for that. No VLAN is required if all clients connecting through on that port are treated the same. You'll have to take that port off the common bridge.

Then, in order for traffic to pass from that subnet to your PC's subnet, the router must route it which it will do by default. We can use the firewall to control that. Create a rule to drop traffic originating from port 4 and destined for the PC's port (or anywhere other than WAN if you only want internet access from port 4). That rule should be placed after the 'allow established/related' rules. You might need another rule allowing connections from port 4 to WAN depending on your firewall arrangement.

So... traffic starting from port 4 cannot get to your PC; the firewall drops it. For connections started from the PC going to port 4, create another firewall rule to permit that (if needed according to your firewall setup). This connection will get noted by connection tracking and so the return traffic will be allowed by the established rule.

That is basically what I do here for an IoT subnetwork. Anything on that network is only allowed to be routed to WAN, but my rule to allow new connections from main LAN to IoT means I can still make contact to configure those devices.

You'll need to create/change DHCP for that subnet of course.
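The whole procedure from the post above, as an added example rather than SpartanX's own configuration. Everything name- and address-related is an assumption: the LAN bridge is `bridge` on 192.168.88.0/24 with the PC at 192.168.88.10, the AP is on `ether4` and gets a new 192.168.89.0/24 subnet, the uplink is in the interface list `WAN`, and the router still carries the default hAP firewall (whose input chain drops everything not arriving from the `LAN` list, and whose `forward` chain already accepts established/related traffic).

```routeros
# Added example, not from the thread. Assumptions: bridge "bridge" =
# 192.168.88.0/24, PC = 192.168.88.10, AP/switch on ether4, WAN interfaces
# in interface list "WAN", default hAP firewall still in place.

# 1. Take the AP port off the common bridge so its traffic is routed.
/interface bridge port
remove [find interface=ether4]

# 2. Give the port its own subnet and DHCP service (the old bridge DHCP no
#    longer reaches it).
/ip address
add address=192.168.89.1/24 interface=ether4 comment="guest AP subnet"
/ip pool
add name=guest-pool ranges=192.168.89.10-192.168.89.254
/ip dhcp-server
add name=guest-dhcp interface=ether4 address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=192.168.89.0/24 gateway=192.168.89.1 dns-server=192.168.89.1

# 3. ether4 is not in the "LAN" interface list, so the default input chain
#    would drop guest DHCP and DNS requests to the router. Open only those
#    two services, inserted before the default catch-all drop (assumed to
#    still carry its default comment).
/ip firewall filter
add chain=input in-interface=ether4 protocol=udp dst-port=67 action=accept \
    comment="guest AP: DHCP to router" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input in-interface=ether4 protocol=udp,tcp dst-port=53 action=accept \
    comment="guest AP: DNS to router" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 4. Forward chain. These are appended, i.e. after the default
#    established/related accept, which is what lets the PC's own connections
#    toward the AP side get their replies back.
add chain=forward connection-state=new in-interface=ether4 \
    out-interface-list=WAN action=accept comment="guest AP -> internet"
add chain=forward connection-state=new in-interface=ether4 action=drop \
    comment="guest AP -> anything else (incl. PC) blocked"
# Connections started from the LAN bridge (e.g. the PC managing the AP) are
# allowed; the reply direction is covered by the established/related rule.
add chain=forward connection-state=new in-interface=bridge out-interface=ether4 \
    action=accept comment="LAN -> guest AP"
```

The default `srcnat` masquerade rule matches on `out-interface-list=WAN`, so it NATs the new subnet as well without changes. A quick check after applying this: `/ip firewall connection print` should list a connection from the PC to a host on 192.168.89.0/24 while the PC is talking to the AP, and `/ip firewall filter print stats` should show only the "guest AP -> anything else" drop counter moving when a guest client tries the PC's address.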
 
anav (Forum Guru)
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to block traffic between ethernet ports

Sun Mar 14, 2021 8:38 pm

A cheap access point that works well, the TP-Link EAP245, carries VLANs and would solve your issues, running two VLANs: the home network and the guest network.
 
SpartanX (newbie)
Posts: 44
Joined: Mon Jun 27, 2016 6:13 pm

Re: How to block traffic between ethernet ports

Sun Mar 14, 2021 9:42 pm

Yes, I use EAP245 and EAP225; they are good APs. That's a better solution.
 
broderick (Member Candidate, Topic Author)
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: How to block traffic between ethernet ports

Mon Mar 15, 2021 6:28 am

> I don't think you can use the switch chip to do this because you need access to the AP still, and don't want VLANs.
>
> What do you want clients connected via port 4 to be able to do? Do you want all clients on that port to be treated the same?
>
> If you can live with all port 4 clients being blocked from access to your PC, then the simplest way would seem to be a different subnet for that. No VLAN is required if all clients connecting through on that port are treated the same. You'll have to take that port off the common bridge.
>
> Then, in order for traffic to pass from that subnet to your PC's subnet, the router must route it which it will do by default. We can use the firewall to control that. Create a rule to drop traffic originating from port 4 and destined for the PC's port (or anywhere other than WAN if you only want internet access from port 4). That rule should be placed after the 'allow established/related' rules. You might need another rule allowing connections from port 4 to WAN depending on your firewall arrangement.
>
> So... traffic starting from port 4 cannot get to your PC; the firewall drops it. For connections started from the PC going to port 4, create another firewall rule to permit that (if needed according to your firewall setup). This connection will get noted by connection tracking and so the return traffic will be allowed by the established rule.
>
> That is basically what I do here for an IoT subnetwork. Anything on that network is only allowed to be routed to WAN, but my rule to allow new connections from main LAN to IoT means I can still make contact to configure those devices.
>
> You'll need to create/change DHCP for that subnet of course.

A new subnet for port 4 would be a good idea. However, I don't want to drop all forwards between port 4 (AP) and bridge (LAN), since devices connected to the switch can sometimes use a server in my bridge (LAN) other than the WAN port for internet connection. Thanks
 
SpartanX (newbie)
Posts: 44
Joined: Mon Jun 27, 2016 6:13 pm

Re: How to block traffic between ethernet ports

Mon Mar 15, 2021 5:41 pm

Once the Port 4 traffic is being routed, you can do anything you want with it in the firewall. If you know the IP or MAC addresses of the hosts that you want to access the server (or the opposite), just allow that in the FW. Of course, if 'using the server' means heavy data transfers, routing it through the CPU isn't ideal even with Fasttrack. Best if you could do it with HW offload in the switch chip...

...Life would be much simpler with a kit upgrade to support VLANs.
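The selective allow SpartanX describes, as an added example (not the poster's own rules). It assumes the routed-subnet layout from the earlier post: AP on `ether4`, an existing general drop rule in the `forward` chain carrying the comment `guest AP -> anything else (incl. PC) blocked`, a LAN server at 192.168.88.20 serving SMB on 445/tcp, and one guest-side device identified by a placeholder MAC address. The narrow accept rules are inserted in front of the general drop, so only the listed hosts and ports are reachable and everything else on the LAN, the PC included, stays blocked.

```routeros
# Added example, not from the thread. Assumptions: AP subnet routed via
# ether4; existing drop rule commented "guest AP -> anything else (incl. PC)
# blocked"; server 192.168.88.20 (placeholder); port 445/tcp (placeholder);
# guest device MAC AA:BB:CC:DD:EE:FF (placeholder).

# Keep reachable LAN hosts in an address list so the rule never needs editing
# when a server is added or removed.
/ip firewall address-list
add list=guest-reachable address=192.168.88.20 comment="file server"

/ip firewall filter
# Any guest-side host may open connections to the listed servers, but only on
# the service ports they actually provide. Placed before the general drop,
# otherwise it would never be evaluated.
add chain=forward connection-state=new in-interface=ether4 \
    dst-address-list=guest-reachable protocol=tcp dst-port=445 action=accept \
    comment="guest AP -> listed servers (SMB)" \
    place-before=[find comment="guest AP -> anything else (incl. PC) blocked"]

# Variant keyed to one specific device on the AP side instead of the whole
# subnet (MAC matching works here because ether4 is the device's first router
# hop, so the source MAC is still the device's own).
add chain=forward connection-state=new in-interface=ether4 \
    src-mac-address=AA:BB:CC:DD:EE:FF dst-address-list=guest-reachable \
    action=accept comment="one trusted guest device -> listed servers" \
    place-before=[find comment="guest AP -> anything else (incl. PC) blocked"]
```

Verify the ordering with `/ip firewall filter print` (the accept rules must list above the drop) and confirm with `/ip firewall filter print stats` that a transfer from a guest device to the server increments the accept counter rather than the drop. As the post notes, this traffic is routed by the CPU; the default FastTrack rule reduces the per-packet cost once a connection is established, but it is still not the switch chip.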
 
broderick (Member Candidate, Topic Author)
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: How to block traffic between ethernet ports

Tue Mar 16, 2021 9:46 am

> Once the Port 4 traffic is being routed, you can do anything you want with it in the firewall. If you know the IP or MAC addresses of the hosts that you want to access the server (or the opposite), just allow that in the FW. Of course, if 'using the server' means heavy data transfers, routing it through the CPU isn't ideal even with Fasttrack. Best if you could do it with HW offload in the switch chip...
>
> ...Life would be much simpler with a kit upgrade to support VLANs.

Ok, got it. Thanks
