Solero
just joined
Topic Author
Posts: 4
Joined: Thu Nov 01, 2018 11:58 am

[Solved] Routing of Traffic from Switch with Port Isolation

Thu Nov 01, 2018 2:54 pm

Hi,

I have a hEX S running with a DGS-1100-08 (D-Link Smart Switch) and want to reroute all of the port-isolated switch traffic through the router in order to apply firewall rules.

In detail:
The router runs several bridged VLANs (user, services, guest, etc.). Separation of the VLANs is enforced by IP tables. Switches are connected to the router using the VLANs. Behind a switch I have several client PCs in the same user VLAN, and I want to prevent PC1 from accessing PC2 directly without the traffic going through the router, which would allow me to apply the firewall rules. This works easily for devices in different VLANs, as the traffic goes through the router, of course. I want it for devices in the same VLAN and on the same switch, too.

In order to do so I deployed port isolation (D-Link calls it traffic segmentation). Right now I have the following switch setup:

gateway port 1, edge ports 2-8
Port 1 may access ports 2-8 but
ports 2-8 may only access port 1.

This works and runs smoothly with one exception which is the reason for this post:
When I try to access PC2 from PC1 I get a "no route to host". This means that there is no routing between these ports, thus I cannot apply IP tables from the router. I want to route the traffic from port 2 to port 3 through the router (IP tables) and decide on the router whether I allow the traffic or not.

How do I apply routing in this setup? What do I need?

I would be very happy about some advice.

Best regards
Solero
Last edited by Solero on Wed Nov 07, 2018 4:39 pm, edited 1 time in total.
 
Solero
just joined
Topic Author
Posts: 4
Joined: Thu Nov 01, 2018 11:58 am

Re: Routing of Traffic from Switch with Port Isolation

Wed Nov 07, 2018 4:39 pm

Hi,

Eventually I figured it out myself.

  1. OSPF has nothing to do here as far as I have learned.
  2. What I want can only be realized with a firewall running on the switch. As far as I know, MikroTik cannot do this as the switches cannot reject packets.
  3. A quirky solution would be to set the subnet from /24 to /32. In this case every packet will go through the router, but you will completely lose your broadcast capabilities for all your devices.

tl;dr:
Either you allow communication between specific ports without knowing what data is flowing between them or you deny it completely by use of port isolation.

Regards,
Solero
 
anav
Forum Guru
Posts: 19372
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [Solved] Routing of Traffic from Switch with Port Isolation

Fri Nov 16, 2018 5:03 pm

Good question. I would think in general, if you want to apply firewalls to things, they need to run through the router so the rules can be enforced.
Any path at layer 2 will defeat this, including being on the same bridge, same LAN or same VLAN.
I think what you want to achieve may be possible, but with a different design from the get-go.

If you could detail your requirements without discussing solution space or design space that would help derive whether or not a solution was possible.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Routing of Traffic from Switch with Port Isolation

Fri Nov 16, 2018 10:06 pm

2. What I want can only be realized with a firewall running on the switch.
Not true - you can do this by enabling "local-proxy-arp" on the interface or bridge interface or VLAN interface on the MikroTik that the hosts are on. This should enable communication between the hosts with isolation on the switch.
 
Solero
just joined
Topic Author
Posts: 4
Joined: Thu Nov 01, 2018 11:58 am

Re: [Solved] Routing of Traffic from Switch with Port Isolation

Sun Nov 25, 2018 3:19 pm

Hi,

I didn't know local-proxy-arp before and enabled it on the interface of my MikroTik where I have two devices (A and B) behind a switch with port isolation. When I then try to ping B from A I get the following:

ping 192.168.10.14
PING 192.168.10.14 (192.168.10.14) 56(84) bytes of data.
From 192.168.10.1: icmp_seq=2 Redirect Host(New nexthop: 192.168.10.14)
From 192.168.10.1: icmp_seq=3 Redirect Host(New nexthop: 192.168.10.14)
From 192.168.10.1 icmp_seq=1 Destination Host Unreachable
From 192.168.10.1 icmp_seq=2 Destination Host Unreachable
From 192.168.10.1 icmp_seq=3 Destination Host Unreachable
From 192.168.10.1: icmp_seq=4 Redirect Host(New nexthop: 192.168.10.14)
From 192.168.10.1: icmp_seq=5 Redirect Host(New nexthop: 192.168.10.14)
From 192.168.10.1: icmp_seq=6 Redirect Host(New nexthop: 192.168.10.14)
From 192.168.10.1 icmp_seq=4 Destination Host Unreachable
From 192.168.10.1 icmp_seq=5 Destination Host Unreachable
From 192.168.10.1 icmp_seq=6 Destination Host Unreachable
From 192.168.10.1: icmp_seq=8 Redirect Host(New nexthop: 192.168.10.14)
From 192.168.10.1 icmp_seq=7 Destination Host Unreachable
From 192.168.10.1 icmp_seq=8 Destination Host Unreachable
From 192.168.10.1 icmp_seq=9 Destination Host Unreachable
From 192.168.10.1: icmp_seq=11 Redirect Host(New nexthop: 192.168.10.14)
From 192.168.10.1 icmp_seq=10 Destination Host Unreachable
From 192.168.10.1 icmp_seq=11 Destination Host Unreachable
From 192.168.10.1 icmp_seq=12 Destination Host Unreachable
From 192.168.10.1 icmp_seq=13 Destination Host Unreachable
From 192.168.10.1 icmp_seq=14 Destination Host Unreachable
From 192.168.10.1 icmp_seq=15 Destination Host Unreachable
^C
--- 192.168.10.14 ping statistics ---
16 packets transmitted, 0 received, +15 errors, 100% packet loss, time 15214ms

Obviously I am doing something wrong, but I have no idea what it is. Could someone give me a hint in which direction I have to look for a solution?

Best regards,
Solero
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: [Solved] Routing of Traffic from Switch with Port Isolation

Mon Nov 26, 2018 2:57 am

Have you tried turning off "send redirects" in IP->Settings? With Cisco devices, enabling local proxy arp disables redirects on that interface, but it looks like MikroTik may not do that by default, based on your output.
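The two pieces of advice in this thread (local-proxy-arp from the earlier reply, and disabling send-redirects from this one) fit together into one RouterOS configuration, shown here as an added example; it is not configuration posted by anyone in the thread. The subnet 192.168.10.0/24 and gateway 192.168.10.1 are taken from the ping output above; the interface name "vlan-user" and the firewall rules are assumptions. The ARP setting belongs on whichever interface actually carries the subnet's IP address (a VLAN interface, or the bridge if the VLAN is bridged on the router).

```routeros
# Added example, not from the thread. Assumed interface name: vlan-user.
# Subnet 192.168.10.0/24 with gateway 192.168.10.1 as in the ping output.

# 1. Answer ARP requests for every address in the subnet with the router's
#    own MAC. Hosts on isolated switch ports then send traffic for each
#    other to the router instead of trying (and failing) to reach each other
#    at layer 2. Put this on the interface that holds the subnet's address.
/interface vlan set vlan-user arp=local-proxy-arp

# 2. Stop the router from telling hosts to bypass it. With send-redirects=yes
#    a packet that is forwarded back out the interface it came in on gets an
#    ICMP "Redirect Host" (the messages seen in the ping output), and the host
#    tries to reach its neighbour directly again. This setting is global.
/ip settings set send-redirects=no

# 3. Hairpinned traffic enters and leaves on the same interface, so it can be
#    matched with in-interface = out-interface in the forward chain. These
#    rules must sit before any general accept rule for the forward chain.
/ip firewall filter
add chain=forward in-interface=vlan-user out-interface=vlan-user \
    protocol=tcp dst-port=22 action=accept \
    comment="example: allow SSH between user hosts"
add chain=forward in-interface=vlan-user out-interface=vlan-user \
    action=log log-prefix="user-hairpin-drop:" \
    comment="example: log intra-VLAN traffic about to be dropped"
add chain=forward in-interface=vlan-user out-interface=vlan-user \
    action=drop comment="example: deny all other intra-VLAN traffic"

# 4. Checks: confirm the ARP mode, the redirect setting, and that the
#    hairpin rules are actually counting packets.
/interface vlan print detail where name="vlan-user"
/ip settings print
/ip firewall filter print stats where chain=forward
```

From a Linux host on the VLAN, the neighbour entry for the other host (for example `ip neigh show 192.168.10.14`) should now carry the router's MAC address rather than the peer's, which is the sign that the hairpin is in place. Rule order matters: a fasttrack or blanket established/related accept placed earlier in the forward chain does not let a new connection skip these rules, since its first packet is not yet established, but a general accept for the VLAN ahead of them would.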
