Community discussions

 
LunaticRv
just joined
Topic Author
Posts: 13
Joined: Mon Dec 31, 2018 8:50 am

Best Way to Isolate Bridges to Reach Each Other's IPs

Sat Jun 22, 2019 3:51 pm

Hello,

I have 2 bridged named A and B. What I would like to do is to isolate each bridge from each other to prevent ip accesses.

Bridge A has Port 2,3,4
Bridge B has Port 5,6,7

What I currently did for each IP block for each bridge is below (sample):

;;; A_DROP
chain=forward action=drop protocol=!gre dst-address=100.64.1.0/24
in-interface=A log=yes
log-prefix="A_UNATUH_ACCESS_TRIES"

Is there better approach to do this since I have to add single rule for each IP block.

Thanks in advance.
 
cieplik206
Trainer
Trainer
Posts: 286
Joined: Sun Jul 01, 2007 12:25 am
Contact:

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Tue Jun 25, 2019 11:40 pm

You may not need an address matched at all or use an address list
https://www.wispcasts.com - Mikrotik Video Tutorials.

The best place where you can improve your skills!

Facebook - F/wispcasts
Twitter - @wispcasts
 
cieplik206
Trainer
Trainer
Posts: 286
Joined: Sun Jul 01, 2007 12:25 am
Contact:

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Tue Jun 25, 2019 11:41 pm

You may not need an address matched at all or use an address list
https://www.wispcasts.com - Mikrotik Video Tutorials.

The best place where you can improve your skills!

Facebook - F/wispcasts
Twitter - @wispcasts
 
2frogs
Long time Member
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Wed Jun 26, 2019 4:10 pm

Edit: post duplicated.
Last edited by 2frogs on Thu Jun 27, 2019 2:52 am, edited 5 times in total.
 
2frogs
Long time Member
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Wed Jun 26, 2019 4:12 pm

If you are using the default firewall rules, you could change the default forward drop rule to:
/ip firewall filter 
add chain=forward connection-nat-state=dstnat in-interface=WAN action=accept
add chain=forward out-interface=!WAN action=drop
And if you are not doing DST-NAT or UPNP, you can omit the first rule.
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Thu Jun 27, 2019 12:43 am

what you want is prevent one side to have a route to another side -> routing issue -> adjust routing config

Some options:
separate routing table for each interface (=VRF)
or just deny routing between them using routing rule (ex: action=unreachable)
 
joegoldman
Member
Member
Posts: 497
Joined: Mon May 27, 2013 2:05 am

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Thu Jun 27, 2019 12:56 am

just easy forward rule, in-interface=a, out-interface=b action=drop, and vice versa, that way no traffic can go between a and b.
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Thu Jun 27, 2019 10:08 am

Altough it will do the trick, it's not the most efficient manner, as each packet needs to be processed, and the source system is non the wiser, and WILL keep on retrying.

Through routing notice, the source is advised that the network is not reachable.Also the user has immediate feedback, and is not kept waiting.
This can be done through firwall too, but with "action=reject reject-with=icmp-network-unreachable"
 
Gombeen666
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Tue Jun 25, 2019 5:33 pm

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Sun Jul 07, 2019 3:10 pm

what you want is prevent one side to have a route to another side -> routing issue -> adjust routing config

Some options:
separate routing table for each interface (=VRF)
or just deny routing between them using routing rule (ex: action=unreachable)
Can i ask for advise for the best way to isolate four bridges on a RB750,
Port1 + 2 = bridge_A
Port1 + 3 = Bridge_B
Port1 + 4 = Bridge_C
Port1 + 5 = Bridge_D
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1717
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Sun Jul 07, 2019 3:24 pm

How you add Port1 to four different bridges?
Real admins use real keyboards.
 
sindy
Forum Guru
Forum Guru
Posts: 3886
Joined: Mon Dec 04, 2017 9:19 pm

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Sun Jul 07, 2019 3:48 pm

What is the ultimate goal?

If you really need ports 2 to 4 to forward traffic at L2 layer to/from port 1 but not to each other, search for "bridge horizon" which allows exactly this on a single bridge. Some switch chips can do this in hardware, check the switch type used in your RB model.

If you need routing between devices connected to port 2 and the internet uplink connected to port 1, it makes more sense to attach one IP subnet to each of the ports 2..4 and follow the approach mentioned earlier in this thread.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Gombeen666
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Tue Jun 25, 2019 5:33 pm

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Sun Jul 07, 2019 3:53 pm

How you add Port1 to four different bridges?
I created individual Vlans for each port and then added them in bridge/port
so for bridge 2 - it has vlans port1 + vlanport2 , bridge 3 has vlanport1 + vlanport3 .......
 
sindy
Forum Guru
Forum Guru
Posts: 3886
Joined: Mon Dec 04, 2017 9:19 pm

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Sun Jul 07, 2019 3:57 pm

In that case the traffic is separated at L2 layer by running on individual bridges; to prevent routing between IP subnets which use those bridges, the firewall rules or vrf as suggested above can be used.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Gombeen666
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Tue Jun 25, 2019 5:33 pm

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Sun Jul 07, 2019 4:06 pm

In that case the traffic is separated at L2 layer by running on individual bridges; to prevent routing between IP subnets which use those bridges, the firewall rules or vrf as suggested above can be used.
As i am a newbie ? could I ask for the four bridges do I need to create 4 routing marks on four interfaces - example
(1) interfaces=vlanport2 routing-mark=port2
(2) interfaces=vlanport3 routing-mark=port3
(3) interfaces=vlanport4 routing-mark=port4
(4) interfaces=vlanport5 routing-mark=port5
 
anav
Forum Guru
Forum Guru
Posts: 3091
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Sun Jul 07, 2019 4:09 pm

I am not sure what the fuss is about....... Bridges are already separated at layer2, vlans are separated at layer 2.
The only thing need be done is FW rules and mainly no FW rules.

established related
{any allow rules like lan to wan}
Last rule
add chain=forward action=drop.


Done!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sindy
Forum Guru
Forum Guru
Posts: 3886
Joined: Mon Dec 04, 2017 9:19 pm

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Sun Jul 07, 2019 4:15 pm

It doesn't matter whether you are a newbie or an experienced professional. You have set up some configuration but you haven't shown it so we can only guess. You have chosen one of the solutions above (as you mention routing marks, it is probably the VRF one), and you still haven't stated how the overall network architecture / traffic matrix should look like, so we'd have to guess again. Describe what you already have (which is best done by exporting the configuration) and what you want to achieve.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1717
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Sun Jul 07, 2019 5:35 pm

@anav:

Nets at L2 may be separated but routing at L3 works and OP asks how to prevent IP access.

@OP:
what about using filters at bridge level? Antything what is forwarded to other interface than WAN should be dropped.
You do not have the required permissions to view the files attached to this post.
Real admins use real keyboards.
 
anav
Forum Guru
Forum Guru
Posts: 3091
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Sun Jul 07, 2019 11:11 pm

@Bartoz, explain to me how devices from one bridge are going to magically access devices on a second bridge when the last forward rule in the forward chain is drop all??
(I know your knowledge far outstrips my few scribbles of notes on toilet paper that make up my imaginary expertise LOL, so please educamate me!! )
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1717
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Sun Jul 07, 2019 11:41 pm

anav: maybe my toilet paper has just more layers than your?

BTW....

If you want to protect computers on one bridge at L3 from another L3 layer then you need to block bridge A pool (name it poolA) from poolB, poolC, poolD ... poolC protect form poolD but not from poolE .... poolF from poolA, poolB but not from poolZZ etc. ...
Therefore you need n^2 rules to block/allow all bridge/L2 domain combinations ... aren't you? IMHO "headache" is an euphemism to such situation.

For particular bridge in "IP firewall" you define where you pass traffic to and you do not care if there are 10, 20 or 1000 additional L2 domains/bridges?
Am I wrong? I do not pretend to be THE ONE ... share you experience and knowledge.
Real admins use real keyboards.
 
Gombeen666
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Tue Jun 25, 2019 5:33 pm

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Mon Jul 08, 2019 12:01 am

I am trying to establish if I need additional VRF route marks, which in my case has RB750 3 AP's Vlans + 1 local admin vlan connected by 4 bridges to port 1
Port 1 is PTP has Vlan's (a + b + c + d )
Port 2 has AP1 Vlan a - Bridge A (port 1 + 2)
Port 3 has AP2 Vlan b - Bridge B (port 1 + 3)
Port 4 has AP3 Vlan c - Bridge C (port 1 + 4)
Port 5 has local admin Vlan d - Bridge D (port 1 + 5)

Each AP has VRF route mark on Vlan interface then connecting to RB750 at this point do I need to additional VRF route marks as the 4 vlans become on port 1 of Rb750?
 
anav
Forum Guru
Forum Guru
Posts: 3091
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Mon Jul 08, 2019 3:23 am

anav: maybe my toilet paper has just more layers than your?
I think we need to explore this in philosophical terms........ but yes I am your basic one ply and you probably have at least 2 or 3 ;-P

Seriously though, are you telling me that all my vlans can talk to each other on layer 3 because I specifically dont have vlan2 block from vlan3, vlan 3 block from vlan 2, vlan 10 block from vlan 2,3 etc etc etc. Either you are correct and I have gone mad, or you will need the toilet paper and lots of it.................
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
jarda
Forum Guru
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Mon Jul 08, 2019 8:09 am

Guys. Are you talking about a router, right? Isn't it basic functionality of a router to forward packets between the connected networks? If so, I see at least three ways to solve the issue: 1 disable routing. 2 remove ip addresses from bridges. 3 implement blocking rules between the bridges. Of course there are other "suboptions".
 
mkx
Forum Guru
Forum Guru
Posts: 3176
Joined: Thu Mar 03, 2016 10:23 pm

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Mon Jul 08, 2019 8:23 am

Let's get this staight ... for @Gombeen666 ;-)

When devices treat VLAN tags correctly (read: configuration is correct), then on layer2 (ethernet switches) VLANs are properly separated and no frame carrying VLAN tag X should leave port which is not member of said VLAN. Likewise frames tagged with IDs different than port VLAN membership shall enter switch/router.

Bridges in RouterOS are separate L2 entities and don't interchange L2 frames between themselves. Interfaces of type vlan are selective and don't bleed frames with wrong VLAN ID to their untagged side.

Bridge with vlan-filtering=yes in RouterOS is proper VLAN-aware L2 switch and will treat VLAN-tagged frames properly. (On the other hand, bridge with vlan-filtering=no should be considered as dumb switch which doesn't honour VLAN tags).

So, down to here, we can conclude that VLANs are properly separated from each other on L2 within Routerboard device if configured correctly.

Now here comes L3 (IP) layer. RouterOS, being routing OS, will happily forward IP packets between its IP interfaces (this is important) according to route rules. IP interface is any interface with IP address attached. If packet forwarding is not desired, it should be prohibited by firewall filters. If some interface doesn't have IP address, then such interface effectively doesn't exist for the routing personality of ROS.

All those bridge filters and VRF and what not ... are advanced stuff to control frame forwarding on L2 within same L2 subnet ... while L2 unlimited forwarding is usually desired (because we want to make whole L2 domain single network) it is sometimes good to limit some communication without segmentation of the network. But honestly I don't think this is the case of OP, he implied that ether1 is actually a trunk port, carrying different VLANs.

It is always important to build the network from lower layers upwards ... and always make sure lower layers are properly built/configured before moving to upper layers. Upper layers can not fix mistakes made in lower layers no matter how hard we try.
BR,
Metod
 
Gombeen666
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Tue Jun 25, 2019 5:33 pm

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Mon Jul 08, 2019 1:27 pm

At present the vlans on the AP's don't use Service Tag, so I wonder if i checked this option and used service tag option for the RB750 and for other routers in that segment and Tagged rather than Untagged vlan is this recommended?
 
sindy
Forum Guru
Forum Guru
Posts: 3886
Joined: Mon Dec 04, 2017 9:19 pm

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Mon Jul 08, 2019 1:42 pm

use-service-tag=yes means to use 802.1ad tag, use-service-tag=no means to use 802.1Q tag. They differ by ethertype value. Don't use use-service-tag=yes unless you're perfectly sure why you do.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
anav
Forum Guru
Forum Guru
Posts: 3091
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Mon Jul 08, 2019 2:27 pm

@Bartoz, whats your address will send you tissues also for the cryin!! Perhaps a puke bucket too LOL.
As for @mkx, since when are you from the hood? "staight" LOL
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Gombeen666
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Tue Jun 25, 2019 5:33 pm

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Mon Jul 08, 2019 3:13 pm

use-service-tag=yes means to use 802.1ad tag, use-service-tag=no means to use 802.1Q tag. They differ by ethertype value. Don't use use-service-tag=yes unless you're perfectly sure why you do.
I am trying to solve a intermittent problem where AP's lockup and have no mac-telnet access by either ether or wlan - the solution is a hard reboot ,
Also I noticed to one particular internal network address ( Ok for www address's) that a AP could NOT ping then i added routemark in /ip route vrf and it can ping, disable and ping stops?
Any Ideas?

Who is online

Users browsing this forum: No registered users and 46 guests