fball
newbie
Topic Author
Posts: 31
Joined: Mon Oct 08, 2007 7:59 pm

Restrictive routing between 2 MTs

Fri Dec 21, 2007 7:36 am

I am trying to simplify my network wiring and need advice on how to do so securely (this is relative; I understand that any time packets run on the same wire there could be a compromise). What I have is an MT being used as a gateway: Ether1 is the WAN and Eth2 is private (192.168.10.101/24). Ideally I would use Eth3 to connect to my other MT, which is acting as a hotspot gateway to my wireless clients, but I don't have two wires between the two MTs. I could use VLANs in the 3Com switches, but lightning has taken out ports in the past, so simply having the customers move Cat5 cables is not an option when they go down. So I would like to have the hotspot MT on the private network and NAT to the wireless clients. This is all set up and working, but the wireless clients can now get at all the resources on my private network. So what routing/firewall rules could I put in to restrict wireless clients to only be able to hit the gateway on the private network, and not have that MT route them back out? What about a VPN between the two MTs? Thoughts?


WAN <-> MT1 { Eth1 (WAN) <-> Eth2 (192.168.10.101/24) } <-> Private clients
Private LAN (192.168.10.0/24) <-> MT2 { Eth1 (192.168.10.102) <-> WLAN1 (192.168.1.101/24) } <-> Wireless clients
 
fball
newbie
Topic Author
Posts: 31
Joined: Mon Oct 08, 2007 7:59 pm

Re: Restrictive routing between 2 MTs

Fri Dec 21, 2007 7:44 am

Something else I thought of... the WLAN is a bunch of access points connecting back to the central AP (the MT2 in the diagram above). It would also be nice to monitor the hardware (ping is fine, but querying for signal strength is better) from the private network to the WLAN network.
 
awsmith
newbie
Posts: 45
Joined: Wed May 31, 2006 8:18 am

Re: Restrictive routing between 2 MTs

Wed Jan 02, 2008 11:49 am

Change your NAT rule on MT2 to something like the following:

/ip firewall nat
# Masquerade only traffic that is NOT headed for the private LAN, so packets toward
# 192.168.10.0/24 keep their 192.168.1.x source address and can be matched in the filter
add chain=srcnat src-address=192.168.1.0/24 dst-address=!192.168.10.0/24 \
    action=masquerade comment="NAT wireless clients toward the WAN only" disabled=no

Then, in the filter section, deny all communication between 192.168.1.0/24 and 192.168.10.0/24 other than what you want, like SNMP, ICMP echo/echo reply, and so forth. You could also create an address list that contains a list of the /32s of your APs and have a rule allowing them to communicate with 192.168.10.0/24, and then a subsequent rule preventing all other 192.168.1.0/24 addresses from communicating with 192.168.10.0/24.

You don't need to worry about explicitly allowing the customers to be able to talk to the gateway at 192.168.10.101 as their outbound packets aren't addressed to it, just forwarded through it.

If your DNS servers that your customers use are on the 192.168.10.0/24 network, you'll need a rule to allow them to talk to it.
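The rule set described in the post above, written out as an added RouterOS example (this is not configuration from the thread's participants). It assumes the addresses given in the thread (wireless side 192.168.1.0/24 on MT2, private side 192.168.10.0/24, MT2's private address 192.168.10.102); the AP addresses 192.168.1.2 and 192.168.1.3, the address-list name "aps" and the private DNS server 192.168.10.5 are placeholders. It also covers the follow-up about monitoring the APs from the private network, and adds the return route on MT1 that the un-NATted monitoring traffic needs.

```routeros
# ---- MT2 (hotspot router) ----

/ip firewall address-list
# Placeholder AP management addresses; replace with the real /32s
add list=aps address=192.168.1.2 comment="AP 1 (placeholder)"
add list=aps address=192.168.1.3 comment="AP 2 (placeholder)"

/ip firewall nat
# Only Internet-bound traffic is masqueraded; traffic toward the private LAN keeps its
# 192.168.1.x source so the filter rules below can see who sent it
add chain=srcnat src-address=192.168.1.0/24 dst-address=!192.168.10.0/24 \
    action=masquerade comment="NAT wireless clients toward WAN only"

/ip firewall filter
# Replies to flows that were already allowed
add chain=forward connection-state=established,related action=accept \
    comment="allow established/related"
# Monitoring from the private LAN to the APs: ICMP echo request and SNMP (udp/161)
add chain=forward src-address=192.168.10.0/24 dst-address-list=aps \
    protocol=icmp icmp-options=8:0 action=accept comment="ping APs"
add chain=forward src-address=192.168.10.0/24 dst-address-list=aps \
    protocol=udp dst-port=161 action=accept comment="SNMP to APs"
# The APs themselves may reach the private LAN (management, logging)
add chain=forward src-address-list=aps dst-address=192.168.10.0/24 \
    action=accept comment="APs to private LAN"
# Wireless clients may use the private DNS server (placeholder address)
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.10.5 \
    protocol=udp dst-port=53 action=accept comment="wireless clients to private DNS"
# Everything else between the two networks is dropped. Internet-bound traffic from
# wireless clients never matches, because its destination is outside 192.168.10.0/24.
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.10.0/24 \
    action=drop comment="block wireless -> private LAN"
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.1.0/24 \
    action=drop comment="block private LAN -> wireless"

# ---- MT1 (main gateway) ----

/ip route
# Without this, a private host's ping/SNMP toward 192.168.1.x goes to its default
# gateway MT1, which would otherwise send it out the WAN instead of back to MT2
add dst-address=192.168.1.0/24 gateway=192.168.10.102 comment="wireless subnet via MT2"
```

Rule order matters: the accepts must sit above the two drops, and the HotSpot feature adds its own dynamic rules to these chains, so check the final order with `/ip firewall filter print`. A quick test is to ping an AP from a private host (should work) and then try to reach a private host from a wireless client (should time out).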
