
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Firewall in Access Points

Wed Feb 27, 2019 10:20 am

Should one configure firewall filter input rules in LAN access points (WLANs and eth bridged)?
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Firewall in Access Points

Wed Feb 27, 2019 11:03 am

I would say yes, to protect the AP itself, even from unintentional attacks (client box infected).
 
anav
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall in Access Points

Wed Feb 27, 2019 2:24 pm

Hmm interesting question.
On my two capacs I have winbox access only from the LAN side but no firewall rules added.
Access to configure the capac is limited to either subnet or specific pc IPs.
The firewall rules are applied to all traffic by the main router.

Are you saying there is more to do??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Firewall in Access Points

Wed Feb 27, 2019 3:09 pm

The question is the same as: "should I enable firewall on my desktop/server (on inner network)?"
That depends on a lot of factors...
 
anav
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall in Access Points

Wed Feb 27, 2019 4:00 pm

Well, since it's in AP mode and thus not routing at layer 3, how is it going to apply filter rules?
Not saying it can't, but usually not possible.
I do know there is a default rule that allows all traffic to pass so there is some sort of ACL structure or filtering.
 
Sob
Forum Guru
Posts: 4807
Joined: Mon Apr 20, 2009 9:11 pm

Re: Firewall in Access Points

Wed Feb 27, 2019 9:25 pm

The question was about input rules, i.e. if someone would want to access something on the AP (WinBox, ...). And as was already said, it depends. If you think that the network is completely safe, you can probably live without it. Or you can just limit access in "/ip services". But if you add a real firewall and only allow selected port(s), it can't hurt.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
anav
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall in Access Points

Wed Feb 27, 2019 9:33 pm

Okay, so the capac acting as a wisp bridge can invoke input chain rules???
 
vecernik87
Long time Member
Posts: 648
Joined: Fri Nov 10, 2017 8:19 am

Re: Firewall in Access Points

Thu Feb 28, 2019 3:38 am

Yes, it will, if anyone on the network tries to reach the capac's IP address (unless you dst-nat everything).
The rule obviously won't be applied to bridged traffic.
Similarly, it won't be applied to non-IP traffic (mac-winbox, for example, can't be blocked this way).
 
p3rad0x
Long time Member
Posts: 603
Joined: Fri Sep 18, 2015 5:42 pm
Location: South Africa

Re: Firewall in Access Points

Thu Feb 28, 2019 8:41 am

I would create a management VLAN for them.

Then just disable the mac server on the client-side-facing interfaces and disable forwarding on the APs.
There you go then you touched something ;-) : it only takes a change in wind direction to screw with your nat :-)
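
An added example, not part of any post in this thread: one way to combine the suggestions above on a bridged RouterOS AP (input-chain filter, "/ip service" restriction, and the MAC server limited to a management VLAN). The management subnet 192.168.99.0/24, the interface name vlan99-mgmt and the list name MGMT are assumptions chosen for illustration.

```routeros
# Assumptions (not from the thread): management subnet 192.168.99.0/24 is
# reached through an existing VLAN interface named vlan99-mgmt, and WinBox
# listens on its default TCP port 8291. Syntax is for RouterOS 6.41 or later.

# Interface list that marks where management traffic may arrive
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=vlan99-mgmt

# Input chain: matches only IP packets addressed to the AP itself.
# Bridged client traffic never passes through these rules.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies to the AP's own connections"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="keep ping for monitoring"
add chain=input action=accept protocol=tcp dst-port=8291 in-interface-list=MGMT src-address=192.168.99.0/24 comment="WinBox from management VLAN only"
add chain=input action=drop comment="everything else aimed at the AP"

# Second layer: restrict the services themselves, so a mistake in the
# filter rules does not expose them
/ip service
set winbox address=192.168.99.0/24
disable telnet,ftp,www,ssh,api,api-ssl

# MAC-level access is not IP traffic, so the filter rules above cannot
# block it. Limit MAC Telnet and MAC WinBox to the management list.
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
```

Apply this from a session in Safe Mode so that a wrong address or interface name rolls back instead of locking you out of the AP.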
