I tried (3) off your link and they all want $1500 to $2000.
/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked comment="allow existing connections and some other ok stuff"
add action=drop chain=forward connection-state=invalid comment="block invalid packets"
add action=accept chain=forward in-interface=<LAN1> comment="allow from LAN1 to any destination"
add action=accept chain=forward in-interface=<LAN2> out-interface=<WAN> comment="allow from LAN2 to WAN"
...
add action=accept chain=forward connection-nat-state=dstnat comment="allow forwarded ports"
add action=drop comment="block everything else"
Sob - thanks for helping, any directions are useful!Where is backoffice? Connected to main router and this config is from second one, right?
In any case, you can prevent communication between different networks using firewall filter. Use statefull firewall, something like this:Devices in LAN1 can connect everywhere (LAN2, WAN, whatever else there is). Devices in LAN2 only to WAN (but not to LAN1). You get the idea.Code: Select all/ip firewall filter add action=accept chain=forward connection-state=established,related,untracked comment="allow existing connections and some other ok stuff" add action=drop chain=forward connection-state=invalid comment="block invalid packets" add action=accept chain=forward in-interface=<LAN1> comment="allow from LAN1 to any destination" add action=accept chain=forward in-interface=<LAN2> out-interface=<WAN> comment="allow from LAN2 to WAN" ... add action=accept chain=forward connection-nat-state=dstnat comment="allow forwarded ports" add action=drop comment="block everything else"
Not exactly something where I shine, but if by security on AP's you mean WPA2, I think it's good idea to leave it there and not have the network completely open.
VLAN for cameras sounds like a good plan. Or one VLAN for them and other for users, whatever your APs supports. If they send tagged packets to RB, you can make interface for each VLAN and work with them like with any other interface.
Some random hints:
- Export has useful parameter "/export hide-sensitive"
- When interface is in bridge (your ether5), IP address should go on bridge, not on the bridged interface.
- It's good idea to secure access to router, it's done using firewall too, only in chain=input. Same idea as with forward, allow what you need, block the rest. You don't want to give hotspot users opportunity to guess router's password.
Modem
|
hEXs
|
Managed switch
/ | \
Everything Else
Sob - the diagram doesn't show my currently in use (2) Linksys routers. I want to replace them with the hEXs.I don't see where exactly you have two routers, it looks like one should be enough (but there's no major difference between one and two, you'd just spread the config between them). So one independent port would be WAN, and the remaining four would go in bridge. Office can be directly on bridge untagged and hotspot in tagged VLAN (you need to configure your APs to tag hotspot traffic). So bridge will be LAN interface for office and VLAN interface will be where you add hotspot.
xvo - if a switch would make it better/easier I can get one. Which one do you suggest?The only thought to consider:
hEX S have a very weak switch chip implementation - it can't do vlan's in hardware, only in software.
It is not a real problem for small loads, but depending of the intra-vlan/inter-vlan ratio it can be a good idea to put a more decent switch between hEX and the rest of the network, so only inter-vlan routing is done on the hEX, and all intra-vlan switching is done on a switch.
If the existing Netgear switch is a managed type and if it can be done "geographically", you can rearrange your layout to use it, instead of the extra one.
Code: Select allModem | hEXs | Managed switch / | \ Everything Else
Have no experience using it, but it should do the work.xvo - if a switch would make it better/easier I can get one. Which one do you suggest?The only thought to consider:
hEX S have a very weak switch chip implementation - it can't do vlan's in hardware, only in software.
It is not a real problem for small loads, but depending of the intra-vlan/inter-vlan ratio it can be a good idea to put a more decent switch between hEX and the rest of the network, so only inter-vlan routing is done on the hEX, and all intra-vlan switching is done on a switch.
If the existing Netgear switch is a managed type and if it can be done "geographically", you can rearrange your layout to use it, instead of the extra one.
Code: Select allModem | hEXs | Managed switch / | \ Everything Else
Is the CRS112-8P-4S-IN a good one? - I do need to replace some of these POE injectors on my IP cams.
My Netgear switch is unmanaged.
Thanks
THANKS sindy!The /interface vlan for hotspot must be attached to the bridge, not to its particular member port. And the IP address, DHCP server, and hotspot configuration for the guest network must all be attached to that /interface vlan, whilst the IP address and DHCP server for the "insider" network stays attached to the bridge as frames carrying the insider network's packets come untagged from the AP. And at this stage you don't need to activate vlan-filtering on the bridge - if you do, you have to set more items.
sindy - ok I will incorporate the firewalls once I get the Tik hotspot working on the vlan.Second, your only /ip dhcp-server network item provides the hotspot clients with a default gateway address but not with a DNS server address, which makes it impossible for them to translate domain names like www.google.com to addresses like 216.239.36.109. So either add dns-server=8.8.8.8 to that item to make the clients use the Google DNS, or use dns-server=192.168.180.1 to make them use the Tik itself (so translations of popular domain names will get cached on the Tik and you'll thus save some uplink bandwidth), but in that case, you'll also have to set allow-remote-requests to yes under /ip dns and permit access to DNS port from the LAN (hotspot) side in the firewall. Access to DNS via WAN must stay blocked.
If ether1 gets a public IP, the machine may have already been compromised.I will incorporate the firewalls once I get the Tik hotspot working on the vlan.
The setting of upper tier DNS servers for the Tik itself is one thing, telling the DHCP clients what DNS servers to use is a different one.
>Where do you add DNS server address to hotspot clients on the dhcp-server? /ip dns - My server now is 8.8.8.8 and 8.8.4.4
>I ticked "allow-remote-request"
>can't find - permit access to DNS port from LAN
sindy i hope to get this working - thanksGuessing from your description what may be wrong: you can have one tagless and as many as you want tagged VLANs directly on an Ethernet interface, but if you do it this way, you cannot add the interface itself to a bridge (I mean, you can but the tagged VLANs won't work). So if you want ether4 to be bridged with other interfaces, you have to detach the /interface vlan from ether4 and attach it to the bridge of which ether4 is a member port.
If you do this and it still doesn't work, post the current export again.
vlan-filtering requires more settings to be done to work properly, as @pcunite explains here. For your scenario it is not actually needed unless the Ethernet ports are physically exposed to random passers-by.I also turned on vlan filtering > under bridge > double-click bridge tab and it works, but will uncheck for the rest of my config is done.
It is OK as long as you keep your network topology free from redundant links between the boxes. Once you'd wish to provide some resilience, you'd have to think about STP and you'd have to change the protocol-mode of the bridge.I guest you noticed I had the Protocol Mode > none. Is that ok?
To keep it simple I'd stay with the same VLANs on all APs. You probably want your guests and colleagues to roam as seamlessly as possible among the APs, so you need them to stay in the the same IP subnet and keep the same IP address, which implies a common VLAN for the same SSID on all APs.Now I need to config HS on the vlan10 and other AP's. Should I config the other AP's as a different vlan-id or keep the same id10?
A firewall provides the best protection if it drops everything by default and only lets through exceptions you want to let through. The firewall rules provided in the default configuration of the hXX product line of Mikrotik do exactly that, but with some optimisation which complicates readability. So instead of three simple rulesI got to put in firewall rules to separate the vlan from the office. Can you give me direction?
Clients in the same IP subnet send traffic to each other directly at L2, so this traffic bypasses IP firewall rules (unless you'd use special measures to force it through it, which you obviously don't).chain=forward action=accept in-interface-list=!WAN out-interface-list=WAN
chain=forward action=drop
The above rule separates the zones > If I understand the rule, it only allows all interfaces internet connection and drops everything else.
OFFICE clients can connect to each other?
If you have only these two rules in chain=forward, it's no surprise that the second one breaks internet access, because the first one only permits packets to flow in LAN->WAN direction, but not in the opposite one. So you have to add chain=forward connection-state=established,related as the very first rule in chain=forward. This rule will handle most traffic in both directions, only the initial packet of each new connection will get past it and be handled by one of the two other ones.(when I do the last rule above - the internet isn't available)
There is a tutorial on Mikrotik wiki on how to create a certificate and use it. Nothing complicated about it."I also need remote management" and to generate a certificate for https and bind - I will need some direction (I guess OpenSSL?)
Here, the chain=input action=accept connection-state=established,related rule just speeds things up. As chain=output is empty, the response packets of the system are always let through, but the rule I've mentioned will make sure that mid-connection packets from the management PC will not have to be checked by all the rules preceding the one which matches and accepts them.Note: I could just remote into the management computer and open winbox and usermanager.
chain=input action=accept protocol=udp dst-port=53 in-interface-list=!WAN
chain=input action=accept protocol=tcp dst-port=53 in-interface-list=!WAN
chain=input action=accept protocol=tcp dst-port=22,443,8291 in-interface-list=LAN src-address=ip.of.your.laptop
chain=input action=drop
I added the input drop rule and management works great from my dedicated laptop with static ip. Disabled drop rule and packet count increased by 1 per connection.If the Tik was behind an external firewall, it's OK, no need to netinstall.
The rest remains - add the last drop rule in input after checking that the one permitting management access from a dedicated interface with a dedicated subnet counts packets. It will count just one packet per each connection, the other packets of each connection will be handled by the "accept established or related" one.
Malware scripts and enabled services are just the visible top of the iceberg. More advanced malware lives below the RouterOS wrapper of linux so it remains invisible from the RouterOS level in both configuration and logs. By netinstall you remove everything because the flashdisk is completely erased, but you remove also the configuration, so you need to save it before netinstall and then restore it. So the advice regarding the inspection of the exported configuration addresses solely this save and restore process. The most important part is the netinstall.I don't see any scripts that I haven't done and my logs are ok.
You can see SSH as the least complicated kind of VPN - if you enable SSH tunneling at Mikrotik and in PuTTY, you can log in using SSH (so the SSH port may be the only one open for access from the internet) and then use Winbox via the tunnel instead of the command line in SSH itself. The same can be done for the cameras - you set the tunnels in PuTTY from a local port on the client PC to internal address:port of the camera and you're done.What about ssh?
...
My cams are me only - so I will look into a vpn solution. I don't have time to learn vpn and get that done.
Once again - DROP exceptions from a general ACCEPT strategy are a wrong idea. The correct approach are ACCEPT exceptions from a general DROP. You're not an ISP, you're a client network, so there is no reason why access to your LAN and to the router devices themselves should be generally open. Your WiFi clients won't bring their servers to run them in your network and expect requests from clients from the whole world to get through to them.I think on the port 111 > I will try:
add chain=tcp protocol=tcp dst-port=111 action=drop \
comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
Well, to pass the PCI scan to five stars, the best way is to disconnect the device from internet and run the test, but a purpose of such action is beyond my understanding. What's the sense in passing the scan once under specially created conditions? Remember DieselgateAlthough - I NEED to pass my scan NOW.
I guess I will disable the cam ports and run the scan for now.
There is no reason why Mikrotik's own port 80, and ports 80 of hosts on your LAN, should be accessible to clients in the internet. What you only need is that port 80 of servers in the internet is accessible to clients connected in your LAN, and that's a different task and different corresponding setup of the firewall.I still need to handle port 80? (maybe disable 80 for the scan) and I hope my above port 111 solution will work.