ZeeKay
just joined
Topic Author
Posts: 14
Joined: Wed Feb 06, 2019 4:08 am

How to control routing between subnets?

Wed Feb 06, 2019 4:14 am

Hi Folks,
First of all, thanks in advance for reading my post. I've recently got a new MikroTik router, a hAP ac, and am becoming a fan of it every day.
I've setup my router to create three separate subnets to segregate traffic and manage devices properly. The three subnets I have are:
1. Home LAN: 192.168.40.0/24
2. Devices LAN: 192.168.50.0/24
3. Guests LAN: 192.168.8.0/24

The thing is that by default I can access IPs from one subnet to the other. I haven't really touched any routing tables or anything to allow that. I created these subnets so that the networking traffic among them should not be routable unless I explicitly configure it. For example, I should not be able to ping/access devices from Home LAN to Devices LAN unless I allow it in routing tables (perhaps in the router somewhere?).

I'm not a networking guru, I just have some working knowledge and am familiar with OSI, DNS, DHCP, firewalls and some general stuff. So I'd appreciate it if you could guide me on where I have to flip the switches to prevent routing between subnets. Ideally I don't want to use IP > Firewall for this, as I would have to manually create a lot of rules for each combination of subnets, and also because it is an overhead that I'd rather avoid if possible.
FWIW, I've created my setup by creating a bridge for each subnet LAN (see attached picture). DHCP is configured at bridge level to assign IPs. Ignore the default "bridge" in my configuration. Check out bridge-guest-lan, bridge-iot-lan and bridge-main-lan.
https://imgur.com/a/gO4hhqa

Thanks in advance!
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to control routing between subnets?

Wed Feb 06, 2019 11:15 pm

No worries,
Please post your config here
/export hide-sensitive file=myconfig

Use the code above (highlight) to shorten and colourize the associated text - the black square with white brackets!

I have a similar setup.
BRIDGE
- with normal LAN (transparent vlan1)
- a number of VLANS, some for smart devices, some for guest wifi etc.
SEPARATE LAN not on a bridge for a device that requires access/monitoring by external companies

The two LANs cannot see each other (one on the bridge, one not on the bridge) or see the VLANs, and the VLANs cannot see each other or the LANs, in terms of layer 2 separation.
To ensure L3 separation, my firewall filter rules' last rule is DROP ALL ELSE.

Concept (only allow necessary rules)
{Forward chain}
allow established related
drop invalid packets
allow lans to wan
allow vlans to wan
allow admin to all vlans and lan2
allow dst-nat
drop all else.

In this manner I have not explicitly allowed LAN to LAN or VLAN to VLAN or any combination thereof, and thus it is not possible.
I did allow myself access to all subnets from my admin PC.

By the way if all three networks are on separate bridges that is an effective L2 blocker but does not address L3.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
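The concept list above written out as a RouterOS forward chain, as an added example that is not anav's own export. It assumes the WAN interface is ether1, uses the bridge names from the opening post, and 192.168.40.10 is a constructed placeholder for the admin PC address:

```routeros
# Added example, not taken from anyone's config in this thread.
# Assumptions: WAN is ether1; bridges are named as in the opening post;
# 192.168.40.10 is a constructed placeholder for the admin PC.
# Interface lists let one rule cover every LAN bridge instead of one rule per bridge.
/interface list add name=WAN
/interface list add name=LAN
/interface list member add interface=ether1 list=WAN
/interface list member add interface=bridge-main-lan list=LAN
/interface list member add interface=bridge-iot-lan list=LAN
/interface list member add interface=bridge-guest-lan list=LAN

# Forward chain in the order of the concept list. Order matters: the
# first matching rule wins, and the final drop catches everything else,
# including bridge-to-bridge traffic that is never explicitly allowed.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="allow established/related"
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid packets"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="allow all LAN bridges to WAN only"
add chain=forward action=accept src-address=192.168.40.10 in-interface=bridge-main-lan \
    comment="allow admin PC to every subnet"
add chain=forward action=accept connection-nat-state=dstnat \
    comment="allow port-forwarded (dst-nat) traffic"
add chain=forward action=drop \
    comment="drop all else (blocks LAN-to-LAN routing)"
```

These rules must sit above any forward accept rules left over from the default configuration, so check the order with `/ip firewall filter print` afterwards. To confirm the separation, ping a Devices LAN address from a Home LAN host and watch the counter of the final drop rule rise in `/ip firewall filter print stats where chain=forward`.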
 
ZeeKay
just joined
Topic Author
Posts: 14
Joined: Wed Feb 06, 2019 4:08 am

Re: How to control routing between subnets?

Wed Feb 06, 2019 11:32 pm

Hi There,

Thanks for taking the time to respond. Here is a view of my config, the way I've configured it: https://imgur.com/a/Wpy5ef2
Note that I didn't feel it's a good idea to post my entire configuration here in the forum. But I'm willing to share as much as necessary.
The two LANs cannot see each other (one on the bridge, one not on the bridge) or see the VLANs, and the VLANs cannot see each other or the LANs, in terms of layer 2 separation.
Ok this is a great point. I have configured bridges for all my subnets and they all use my router as a gateway. So I'm thinking that way they can see each other right now. What'd be a way to confirm that? Like a command line that I can run on the router or my Mac to interrogate that?
To ensure L3 separation, my firewall filter rules' last rule is DROP ALL ELSE.

Concept (only allow necessary rules)
{Forward chain}
allow established related
drop invalid packets
allow lans to wan
allow vlans to wan
allow admin to all vlans and lan2
allow dst-nat
drop all else.
So for L3 I guess I do have to use IP > Firewall. The concepts you've mentioned here sound reasonable.
I still have the default firewall rules that came with the router's default config. Not sure if I should keep them.
Can you please share the details of how to configure the rules you mentioned here. Concrete examples would be appreciated.

Thanks a lot!
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to control routing between subnets?

Thu Feb 07, 2019 12:46 am

Hard to say, without posting your config.

The
/export hide-sensitive file=yourconfig
should remove any sensitive information.

Even still, there is nothing wrong with bringing the file into Notepad++
and removing anything you do not want shown.
The only things that are sensitive are:
router serial number, router MAC address,
your WAN IP address and your ISP IP gateway address (just replace them with words if shown).
Ensure wifi passwords are not visible; I believe they are already stripped.
Finally, any address lists that contain external WAN IPs that are allowed to the router for port forwarding.
I change some port settings like ssh and winbox, so I remove those if visible.

Everything else is not sensitive.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)