someone2
newbie
Topic Author
Posts: 40
Joined: Sun Jan 07, 2018 9:52 pm

Firewall rule

Tue Nov 05, 2019 2:55 pm

Hello
1. Is there any way to filter packets by the sender host name?
2. How to limit communication to only the hosts that are joined to a specific domain?
3. How to integrate MikroTik and Active Directory and set firewall rules based on the domain name of clients?
 
mkx
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall rule

Tue Nov 05, 2019 3:45 pm

1. Is there any way to filter packets by the sender host name?

Not dynamically ... as in: here comes a packet from a random, never-seen-before source IP address, check if it's from "somedomain.com". Some setup commands allow you to enter an FQDN instead of an IP address, and that rule then "dynamically" changes ... if the FQDN resolves to another IP ... but it only does so after the DNS TTL expires.

The fact is that a firewall is (more or less) L3 stuff and operates on IP addresses.

2. How to limit communication to only the hosts that are joined to a specific domain?

See my answer above. If you can construct an address list containing the IP addresses of all hosts from a specific domain, then you could construct a firewall filter rule using that address list. You cannot use the domain name as the constructor of the list, because usual DNS clients can't get the whole list from DNS servers (that would be a zone transfer, and most DNS servers are configured such that zone transfers are only allowed for certain DNS servers, most notably secondary DNS servers for the same domain).

Another way (not hugely practical) is to construct L7 filter rules. The problem with L7 rules is that they are very CPU intensive and that it's only possible to use them for a few particular L5 protocols (e.g. http or https) where the destination server name is mentioned early in the connection.

3. How to integrate MikroTik and Active Directory and set firewall rules based on the domain name of clients?

AFAIK ROS doesn't talk LDAP (or AD or whatever); you'd have to use a RADIUS server which would translate LDAP/AD policies into RADIUS policies.
BR,
Metod
 
someone2
newbie
Topic Author
Posts: 40
Joined: Sun Jan 07, 2018 9:52 pm

Re: Firewall rule

Tue Nov 05, 2019 7:02 pm

Thanks
If I make a list containing all IPs of all hosts from a specific domain, how can I limit DHCP in MikroTik to lease IPs only to joined clients? Is it possible to set up a Windows DHCP server for MikroTik clients, control joined clients and give IPs only to joined hosts via the DHCP server?
In this situation joined systems have IPs and other clients are unable to get an IP from a special range. After that we can limit with a firewall rule to the specific IP addresses and reject other packets.

What about filtering based on MAC address?
For example, we can make a list of MAC addresses for joined clients and filter based on this list. Is there any way to export joined clients' MAC addresses from AD?
 
mkx
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall rule

Tue Nov 05, 2019 8:18 pm

Definitely you can use the domain server as the DHCP server for the network; just disable/deconfigure the DHCP server on MikroTik.
Filtering by MAC addresses is possible as well, but might degrade the overall performance of your router.

Just beware that using MAC addresses as access control is not fail-safe; it is quite easy to fake a MAC address on a client machine.
BR,
Metod
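A RouterOS CLI sketch of what the two replies above describe, added here as an example (it is not from the thread and not mkx's own configuration): an address list that mixes static IPs with an FQDN entry (on RouterOS versions that accept an FQDN in the address field, the router resolves it itself and refreshes the dynamic entry when the DNS TTL expires, which is the "not dynamically" point: a packet from an unknown source IP is never matched by hostname), filter rules keyed on that list, disabling the router's own DHCP server so the Windows/AD DHCP server hands out leases, and a MAC-based accept rule with the spoofing caveat. The list name, addresses, hostname and MAC are placeholders, not values from the thread.

```routeros
# Added example, not from the thread. List name, addresses, hostname and MAC
# are placeholders. Assumes the router has DNS servers configured (/ip dns)
# so that the FQDN entry below can be resolved.

# 1. Address list: static IPs plus one FQDN. RouterOS resolves the FQDN and
#    keeps a dynamic entry that is re-resolved when the DNS TTL expires; it
#    does not look up the hostname of arbitrary incoming packets.
/ip firewall address-list
add list=domain-hosts address=192.0.2.10 comment="static: known joined host"
add list=domain-hosts address=192.0.2.11 comment="static: known joined host"
add list=domain-hosts address=fileserver.corp.example comment="FQDN, refreshed on DNS TTL"

# 2. Filter rules keyed on the list. Order matters: accepts first, drop last.
#    The MAC rule only sees the original source MAC for hosts on a directly
#    attached segment (MACs are rewritten at every routed hop) and a client
#    can set any MAC it likes, so treat it as convenience, not access control.
/ip firewall filter
add chain=forward src-address-list=domain-hosts action=accept comment="sources in domain-hosts"
add chain=forward src-mac-address=00:11:22:33:44:55 action=accept comment="joined client by MAC (spoofable)"
add chain=forward action=drop comment="anything not matched above"

# 3. Let the Windows/AD DHCP server lease addresses on this LAN: disable the
#    router's own DHCP server(s) so the two do not compete.
/ip dhcp-server disable [find]
```

Addresses learned from the FQDN show up in the list as dynamic entries with a timeout equal to the record's TTL; if the host's record changes between refreshes, traffic from the new address is dropped until the next lookup, which is exactly the lag the first reply warns about.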
 
someone2
newbie
Topic Author
Posts: 40
Joined: Sun Jan 07, 2018 9:52 pm

Re: Firewall rule

Tue Nov 05, 2019 9:37 pm

If I use Active Directory as the DHCP server, is it possible for the DHCP server to give IPs only to joined clients? Is the DHCP server able to control clients?
 
mkx
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall rule

Tue Nov 05, 2019 9:46 pm

That's not possible: the station first needs an IP address (obtained from the DHCP server) so that it can later authenticate with the AD controller. The access control can then be done using 802.1X ... which unfortunately is not (yet) supported by ROS ... but ultimately solves the problem of faked MAC addresses (faking domain authentication is much harder).
BR,
Metod
 
someone2
newbie
Topic Author
Posts: 40
Joined: Sun Jan 07, 2018 9:52 pm

Re: Firewall rule

Thu Nov 07, 2019 4:34 pm

So what is the best practice for controlling clients to be joined to a specific domain?
 
mkx
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall rule

Thu Nov 07, 2019 5:38 pm

Which domain exactly do you have in mind? DNS domain? Windows domain? Or even IP subnet?

Each of those has its own mechanism to control membership ... and they can all be implemented in the same service (and no, generally that service is not run by the router or firewall). If the network lacks some mechanisms, then sometimes poor substitutes exist ... the emphasis is on "poor".
BR,
Metod
 
someone2
newbie
Topic Author
Posts: 40
Joined: Sun Jan 07, 2018 9:52 pm

Re: Firewall rule

Thu Nov 07, 2019 5:50 pm

Thanks
