Community discussions

 
killersoft
Member Candidate
Member Candidate
Topic Author
Posts: 134
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia
Contact:

LAN side bridge forward filtering options?

Mon Jul 02, 2018 4:07 am

Hi.
I'm running a small campus with about 40 wifi/ether ports devices(Distribution network) for guests that run behind a MT hotspot/firewall.

I run a pretty good firewall set on the main router/internet/hotspot box.

I'm putting some thought on the internal LAN side of the network and asking the question, "If an internal client has a nasty virus/malware or wants to 'scan' around on the LAN side, what could I implement on my LAN devices to 'filter' potential nefarious activities to stop infections etc to other users of the LAN"

That said the internet is distributed on a VLAN across the campus and I use a separate management VLAN to manage all edge/core devices. Vlans bond to a BRIDGE on each device.

So based on that I am thinking about BRIDGE filtering as all my 'internet /client side VLAN/Bridges' which goes out to either a WiFi interface or physical ether(bridge-port bond).

What sort of rules do/are people run for this kind of setup ?
Do(can?) you block devices talking to each other?
Is it worth blocking/filtering common ports (forwarding on the bridge) ?
MIT, BIT, ITIL, CERT IV Electronics.
 
dadaniel
Member Candidate
Member Candidate
Posts: 155
Joined: Fri May 14, 2010 11:51 pm

Re: LAN side bridge forward filtering options?

Mon Jul 02, 2018 12:46 pm

Enable port-isolation on every switch - only forward packets to upstream Port(or VLAN).
Enable wireless isolation, sometimes called client or AP isolation on every accesspoint - only forward packets to upstream Port(or VLAN).

So a client could never reach other connected devices (maybe you would have to allow access to some printers/shares)
 
killersoft
Member Candidate
Member Candidate
Topic Author
Posts: 134
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia
Contact:

Re: LAN side bridge forward filtering options?

Wed Jul 04, 2018 1:58 am

Thanks dadaniel.
I'll take a look at AP isolation.
As I am not using the switch chip for my ether->vlan activities rather ether->bridge->vlan. Thats why I am looking at bridge firewall rules at this point.

Cheers
MIT, BIT, ITIL, CERT IV Electronics.
 
R1CH
Forum Veteran
Forum Veteran
Posts: 883
Joined: Sun Oct 01, 2006 11:44 pm

Re: LAN side bridge forward filtering options?

Wed Jul 04, 2018 2:22 am

LAN to LAN packets won't touch your bridge - they will go directly through the ports the clients are connected to on the VLAN switch. dadaniel has the right idea - you need to configure port isolation on whatever device the clients are physically connecting to.
 
killersoft
Member Candidate
Member Candidate
Topic Author
Posts: 134
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia
Contact:

Re: LAN side bridge forward filtering options?

Wed Jul 04, 2018 4:00 am

Sorry, I don't agree with you R1CH for my typical mikrotik configurations across my campus network.
If this was a typical cisco switch(ASIC switching) I would agree, or if I was using mikrotik switch chip directly.
I can use Torch on the bridge and or each interface and see traffic 'Forwarding' or 'inputing' on or to the bridge that was generated from external devices connected to each ether interface. So I'm sure I can Bridge 'Filter' the traffic traversing bridge on each of my 40+ MT devices.
As you can see below(A sample of 2 of my units). I bond each physical ether interface to a bridge, and the bridge forwards appropriate traffic.
Also each bridge can have firewall(filter) enabled, so I'm sure I can filter appropriately using the bridge-filter(firewall) function.
Image
WIFI.jpg
You do not have the required permissions to view the files attached to this post.
MIT, BIT, ITIL, CERT IV Electronics.

Who is online

Users browsing this forum: Bing [Bot] and 42 guests