mcdonaldryan
just joined
Topic Author
Posts: 1
Joined: Mon Sep 13, 2021 5:32 am

Is this type of filtering possible?

Mon Sep 13, 2021 5:48 am

I have an industrial hardware appliance that is configured using a web interface. Shockingly, this appliance has zero security. You just point your web browser at it and you're in. No usernames, no passwords. It's insane and the vendor even recognizes it. So would it be possible to offer some protection to it using my MikroTik hEX S router? Here's what I'm hoping for...

My industrial device is connected to my LAN using an ethernet cable connected to a run of the mill switch. I was hoping that I can insert my hEX between the appliance and the switch and block all inbound traffic to the appliance where port 80 is the destination port EXCEPT if you're coming from some privileged host. Everything else must be allowed to pass at the L2 level since this device does things on our LAN that we need. I just need to block the web interface. The IP of the appliance can NOT be changed and I can not place it in its own VLAN and set up access control lists on our main router like you would normally do in a situation like this. I'm thinking the hEX will just act like a standard L2 switch and monitor SYN packets for the condition I gave above. If a packet has 80 as the destination port, it just drops the packet if it's not from the privileged host.

Is this possible?

-Ryan McDonald
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is this type of filtering possible?

Mon Sep 13, 2021 9:04 am

It is possible. When a RouterOS device is plugged between some device and the rest of network, it can be configured as a bridge (same L2 network). At the same time it can do some traffic filtering, bridge can enforce firewall settings. More in bridge firewall manual.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Is this type of filtering possible?

Mon Sep 13, 2021 5:58 pm

Hi Mkx,
So when solely using an MT device for bridging between devices, one cannot use the regular firewall rule settings, one has to use bridge settings?
For example, if using a hEX as a switch with bridge and VLANs, to enforce any rules that would have to be done in the bridge firewall settings, as the main router would handle the regular L3 firewall rules?

Okay, so what is this in effect doing, stopping traffic at L2 (by MAC address)??
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is this type of filtering possible?

Mon Sep 13, 2021 7:21 pm

There's a bridge setting use-ip-firewall (or something close to that). If it's set to yes and HW offload is disabled for at least one of the involved ports (so that traffic is handled by the CPU), this setting makes the bridge push traffic through the firewall rules (both raw and filter). Some properties are not available, such as {in,out}-interface, because we're talking about ports, not interfaces.

The other possibility is to use bridge filters (the same consideration about HW offload applies); they are L2 and hence offer less versatility. If they suffice, it's recommended to go with them, as they are likely less resource demanding.
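Putting both of mkx's options into RouterOS commands, as an added example that is not from this thread or from MikroTik's documentation; the bridge name, port names and the 192.0.2.x addresses are placeholders chosen for illustration:

```routeros
# Added example, not from the thread. Assumed placeholder layout:
#   ether2      = port facing the appliance
#   ether3      = port facing the LAN switch
#   192.0.2.10  = appliance IP (cannot be changed, per the question)
#   192.0.2.50  = the single privileged management host

# 1. Transparent bridge. hw=no forces frames through the CPU so the
#    bridge filter actually sees them; with HW offload on they bypass it.
/interface bridge
add name=br-inline protocol-mode=none
/interface bridge port
add bridge=br-inline interface=ether2 hw=no
add bridge=br-inline interface=ether3 hw=no

# 2. Option A, bridge filter (mkx's recommended, cheaper path).
#    Only frames leaving towards the appliance port with TCP dst-port 80
#    are matched; ARP and every other protocol forward untouched.
/interface bridge filter
add chain=forward out-interface=ether2 mac-protocol=ip ip-protocol=tcp \
    dst-address=192.0.2.10/32 dst-port=80 src-address=192.0.2.50/32 \
    action=accept comment="web UI: allow the privileged host"
add chain=forward out-interface=ether2 mac-protocol=ip ip-protocol=tcp \
    dst-address=192.0.2.10/32 dst-port=80 action=drop \
    log=yes log-prefix="appl-web-drop" comment="web UI: drop everyone else"

# 3. Option B, use-ip-firewall instead (same HW-offload caveat).
#    in-interface/out-interface are not usable for bridged traffic here,
#    so the rules match on addresses only. Use A or B, not both.
# /interface bridge settings set use-ip-firewall=yes
# /ip firewall filter
# add chain=forward protocol=tcp dst-address=192.0.2.10 dst-port=80 \
#     src-address=192.0.2.50 action=accept
# add chain=forward protocol=tcp dst-address=192.0.2.10 dst-port=80 \
#     action=drop log=yes log-prefix="appl-web-drop"
```

Check the rule hit counters with `/interface bridge filter print stats` while browsing to the appliance from a non-privileged host; the drop counter should increase and the logged `appl-web-drop` entries give you a record of who tried.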
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Is this type of filtering possible?

Mon Sep 13, 2021 9:16 pm

Nice, I hadn't thought there was such a thing as bridge filters until now, nor do I actually see where I would/could use them yet.
