I'm mainly using an RB 450G (v4.17 so far) as a firewall, with 4 defined security zones (each on a level 3 interface): WAN, DMZ, LAN, TEST.
As I have 5 ports available, I've allocated 2 ports to the LAN zone by defining the first LAN port as master-port for the second LAN port. So this results in the following, according to the wiki logic:
Code:
                    [CPU]
                      |
    -------------------------------------------
    |           |           |               |
   [ ]         [ ]         [ ]             [ ]
    |           |           |-----------    |
    |           |           |          |    |
    |           |          [ ]        [ ]   |
  [WAN]       [DMZ]       [LAN]      [LAN] [TEST]
Configuration detailed here:
Code:
/interface ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME          MTU   MAC-ADDRESS        ARP      MASTER-PORT  SWITCH
 0  R ether1-WAN    1500  00:0C:42:7F:40:73  enabled
 1  R ether2-DMZ    1500  00:0C:42:7F:40:74  enabled  none         switch1
 2  R ether3-LAN    1500  00:0C:42:7F:40:75  enabled  none         switch1
 3 RS ether4-LAN    1500  00:0C:42:7F:40:76  enabled  ether3-LAN   switch1
 4  R ether5-TEST   1500  00:0C:42:7F:40:77  enabled  none         switch1

/interface ethernet switch port print
Flags: I - invalid
 #  NAME          SWITCH   VLAN-MODE  VLAN-HEADER
 0  ether2-DMZ    switch1  secure     leave-as-is
 1  ether3-LAN    switch1  secure     leave-as-is
 2  ether4-LAN    switch1  secure     leave-as-is
 3  ether5-TEST   switch1  secure     leave-as-is

/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #    ADDRESS             NETWORK       BROADCAST      INTERFACE
 0    192.168.10.254/24   192.168.10.0  192.168.10.255 ether2-DMZ
 1    192.168.0.254/24    192.168.0.0   192.168.0.255  ether3-LAN
 2  D <WAN IP ADDR>/32    XXXXXXXX      0.0.0.0        pppoe-fibre
And finally:
Code:
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1 switch-all-ports=no
/interface ethernet switch vlan
add disabled=no ports=cpu,ether2-DMZ,ether3-LAN,ether4-LAN,ether5-TEST switch=switch1 vlan-id=0
The fact is that I can sniff on the [TEST] port and sometimes get packets going from DMZ to LAN (with src and dst being unicast IP addresses).
So I tried to think of doing something clean, like I would on a real level 3 switch: port VLAN isolation.
I played with some VLAN rules to set a vlan-id (without tagging) on ports, like:
Code:
/interface ethernet switch rule
add copy-to-cpu=no disabled=no mirror=no new-vlan-id=102 ports=ether2-DMZ redirect-to-cpu=yes switch=switch1 vlan-header=not-present
add copy-to-cpu=no disabled=no mirror=no new-vlan-id=103 ports=ether3-LAN,ether4-LAN redirect-to-cpu=no switch=switch1 vlan-header=not-present
add copy-to-cpu=no disabled=no mirror=no new-vlan-id=105 ports=ether5-Phone redirect-to-cpu=yes switch=switch1 vlan-header=not-present
Then I thought about tagging these frames within the same rules, but I quickly ran into something blocking: I can set up a trunk-like link between an ethernet port and the cpu port (from the switching chip's point of view), but I can't handle these tagged frames at level 3 after that, because level 3 VLAN interfaces are bound to an interface (like on *nix) and "cpu" is not a valid supporting interface. So I can bring tagged frames to the cpu, but it can't untag them and process them?
So what can I do to get proper isolation on the interfaces that aren't the WAN port (which is OK after switch-all-ports=no)?
I don't want to set up an elaborate security policy and then see that, due to the switch chip "messing up", the security zones aren't really isolated.
--
edit: more details on the tests and some precise packet-sniffing output will be posted here shortly, as I have to redo them.