wireless12
Member Candidate
Topic Author
Posts: 295
Joined: Fri Aug 31, 2007 10:49 am

can mikrotik stop this?

Mon Oct 13, 2008 3:11 pm

hello all.

I have got three PTP links in the following manner:

LNK1: RB411AH -----RB411AH--SWITCH---OMNI(A)[SENAO 2611+]---10 wireless internet clients
LNK2: RB411AH -----RB411AH--SWITCH---OMNI(B)[RB433]---16 wireless internet clients
LNK3: RB411AH -----RB411AH--SWITCH---OMNI(C)[RB433]---20 wireless internet clients

NOTE:
All three links are interconnected with each other via a switch, and this switch is connected to the broadband server.

QUESTION

1. There are a lot of viruses travelling from one link to another.
2. If there is ARP poisoning in any link then the whole network is influenced.
3. It sometimes results in heavy latency or breakage in pings.

Solutions required:

Is there any method, script or firewall in MikroTik ROS which can make the other links unaffected by such kinds of threats, or in other words, is it possible to stop the traffic in the same link itself?

For example, in the following diagram there are three links. Suppose there is ARP poisoning from the users connected to OMNI (A), but the customers connected to OMNI (B) and OMNI (C) also feel the effect. What and where is the solution?
 
netrat
Member
Posts: 403
Joined: Thu Jun 07, 2007 1:16 pm
Location: Virginia

Re: can mikrotik stop this?

Mon Oct 13, 2008 4:43 pm

Turn default forwarding off, set the interfaces to arp reply-only, and set add-arp=yes for the dhcp server.
 
bushy
Member Candidate
Posts: 140
Joined: Thu Oct 20, 2005 11:56 pm
Location: Ireland

Re: can mikrotik stop this?

Tue Oct 14, 2008 3:58 pm

Replace the Netgear with an RB450 too for more control.
 
wireless12
Member Candidate
Topic Author
Posts: 295
Joined: Fri Aug 31, 2007 10:49 am

Re: can mikrotik stop this?

Thu Oct 16, 2008 10:02 am

Dear @bushy, @netrat

Sorry, but I don't think that this will solve my problem.

Actually I want the traffic of one link to not clash with the traffic of any other link.
Secondly, I'm not using any DHCP server or PPPoE server. I'm using a gateway server by which I issue a fixed local IP to my clients to access the internet, and bind this IP address with the MAC address of the client access point.

For example:

I have got a customer on the link connected to OMNI (A).
I issue IP address 172.17.2.14, subnet = 255.255.255.252, gateway = 172.17.2.13,
preferred DNS server = 172.17.2.13 to him.

The customer then feeds the TCP/IP settings issued by the server into his NIC. Now he is connected to my server and can browse the internet. Now if this computer is infected in future, then this infection can infect any other computer in the entire network.

What I want is this: let this computer infect other computers which are running on the same link, I have no problem up to this point... but can't it be made possible that this infection will not move to the other links, which are already meshed with the infected link through the Netgear switch?

CAUTION:
Only one single server is feeding all these three links, meaning that I can use an IP address issued by the server at any client computer on any of the three OMNIs.
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: can mikrotik stop this?

Thu Oct 16, 2008 12:35 pm

Set up a firewall rule that will disallow communication with other subnets. If you do not want to do that, you cannot tell the difference between infection and normal traffic, so you can either disable communication or allow it.
 
tjohnson
Member Candidate
Posts: 127
Joined: Thu Aug 12, 2004 7:01 am

Re: can mikrotik stop this?

Sun Nov 02, 2008 7:14 am

We have found an inexpensive Cisco 2950 switch will do what you want. You can set up ports to be "port-protected" so they can't talk to other ports on the switch that are also port-protected.

So, you put port 1 of the switch to your internet server.
Then all the other links go on ports 2, 3 and 4. Then you configure ports 2, 3 and 4 to be "port-protected" and they will only talk to port #1.

We have used this at many of our tower locations where we have 20+ APs, and this keeps the traffic and virus traffic from infecting other people as easily.

These switches can be found on ebay for $150 or so.
Travis
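As an added example that is not code from this thread: the same "protected port" behaviour described above for the Cisco 2950, expressed as RouterOS bridge filters so it fits the original question, and serving as the layer-2 counterpart of the firewall rule janisk suggests. It assumes one RouterOS device takes the place of the Netgear core switch (bushy's RB450 suggestion), with ether1 to the broadband server and ether2, ether3 and ether4 to LNK1, LNK2 and LNK3; the port names and roles are assumptions, not from the thread.

```routeros
# Added example, not from the forum thread. Assumed port roles:
#   ether1 -> broadband / gateway server (172.17.2.13 in the OP's setup)
#   ether2, ether3, ether4 -> the RB411AH of LNK1, LNK2, LNK3
/interface bridge
add name=bridge-core

/interface bridge port
add bridge=bridge-core interface=ether1
add bridge=bridge-core interface=ether2
add bridge=bridge-core interface=ether3
add bridge=bridge-core interface=ether4

/interface bridge filter
# Frames between the server port and any link pass in both directions,
# so every client still reaches its gateway and DNS at 172.17.2.13.
add chain=forward in-interface=ether1 action=accept comment="server -> links"
add chain=forward out-interface=ether1 action=accept comment="links -> server"
# Anything else bridged in the forward chain is link-to-link traffic,
# including flooded broadcast and ARP frames: drop it, so an infected or
# ARP-poisoning client on OMNI (A) cannot reach clients behind OMNI (B) or (C).
add chain=forward action=drop comment="isolate links from each other"
```

Clients on the same link still see each other (which the original poster said is acceptable); the drop rule only separates the links, exactly as protected ports do in hardware.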
