Hi everybody,
As a software developer and an electronic hobbyist, I am working on my own door access system.
This is going pretty well and I could already implement most of the required parts, but I am facing a last challenge: the network.
This is a critical part of the security of my system and I need to make sure it is properly configured. However, my knowledge in the subject is quite limited. I tried to document myself as much as possible on internet but I cannot get the whole picture right and I don't want to invest some money in the wrong hardware.
Here is a schema of my system:
Terminals are esp32 microcontrollers (more precisely wESP32 modules) that read RFID tags (Mifare Desfire EV1) containing a secret and sending it to a central unit that does all the authorisation/validity checks and sends an HTTP request to a relays controller to actually open the doors. The central unit can also communicate through HTTPS to a NFC device to configure the NFC cards.
Terminals are outside the building and thus highly insecure, but the rest is all in a secure room.
The communication between the central unit and the relays is insecure (the device I am using doesn't handle SSL) and thus it is very important that one cannot just plug his laptop in place of the terminal and send a command to open the door to the relays controller... This would defeat the whole purpose of my system... I thus want that terminals see as less as possible and can only communicate on port 443 with the central unit and doesn't see any other traffic (not even the one of other terminals).
I would then need to find a switch with at least 8 PoE outputs, 3 normal ones and one for internet. And I would need to be able to define rules in the switch to ensure that:
- eth0..7 can only communicate with eth8 (and not between each other) on port 443
- eth9 can only communicate with eth8 on port 443
- eth10 can only communicate with eth8 on port 80
- Only eth8 can access internet on eth11
I am under the impression that I should be able to reach this goal with the MikroTik netPower 16P and using these kinds of firewall rules like here: https://github.com/rcarvalloh/mikrotik_zbf.
I could use a "zone" for each physical interface and create the proper rules, no ?
Otherwise, if this requirement is too complicated, I could reduce it by defining 4 zones, one for eth0-7, one for eth8, one for eth9-10 and one for eth11. As it will use SSL, it is acceptable that terminals see the traffic of other terminals.
Could someone confirm me that this would actually be possible with a MikroTik netPower 16P ? And I would greatly appreciate if I could get some help writing the rules
Thanks in advance for you help,