Hello,
We are a scout campsite in the UK, with a few devices on "our network" like IP phones, IP CCTV cameras, a couple of computers, a couple of servers etc., and an authenticated wireless network for campers and people who book our residential buildings. I am in the process of swapping our site firewall over to a MikroTik (we've ordered an RB4011 box).
We're going to use the Hotspot feature for our authenticated wireless network. The authentication will be handled via RADIUS to our Active Directory server. I've got instructions for how to do this already, so I am confident that I can get this bit working.
So, at this point, users will be able to log in to our wireless network.
What I would like to be able to do is apply filter rules in the firewall that allow certain users (or groups of users) more access to things on other VLANs or Bridges.
For example:
- Hotspot will be set up on ether4 (VLAN=40, IP range will be something like 192.168.40.0/22)
- "Our Network" is on ether1 (VLAN=10, IP range will be 192.168.10.0/23).
- I have an Address-List set up for the 4 or 5 printers we have on site (e.g. 192.168.10.20-192.168.10.29).
- Our AD server has a group set up called "Staff" for the volunteer campsite crew.
- I would like a firewall rule that blocks all access from VLAN40 to VLAN10 --> this bit is easy.
- I would then like a series of rules that open up the access from VLAN40 to VLAN10 based on a user's AD group membership (via the RADIUS authentication), e.g. Staff can access the devices in my Printers address list from their laptops but guests (i.e. campers) wouldn't be able to.
Any ideas? I can't see an obvious place where I can specify which user groups or so a filter rule applies to.
Thanks...
Colin
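Added example (not part of Colin's post, and not an official MikroTik answer): the usual way to get per-group firewall rules out of a RADIUS-authenticated Hotspot is to let RADIUS pick the Hotspot user profile, and let the profile's address-list setting put each logged-in user's IP into a dynamic address list that ordinary filter rules can then match on. The profile names "staff" and "guest", the list name "hs-staff", the RADIUS server 192.168.10.5 and its shared secret are placeholders; the subnets and the printer range are the ones quoted in the post.

```routeros
# Added example, not from the original post. Placeholders: profile names "staff"
# and "guest", address-list name "hs-staff", RADIUS server 192.168.10.5, secret
# "changeme", hotspot server profile named "default". Subnets are Colin's.

# 1. Static address list for the site printers (the post already has one like this).
/ip firewall address-list
add list=printers address=192.168.10.20-192.168.10.29 comment="site printers"

# 2. Hotspot user profiles. "address-list" makes RouterOS add the IP of every
#    user logged in under that profile to the named list for the life of the
#    session, and remove it again at logout. Guests get no list entry at all.
/ip hotspot user profile
add name=guest
add name=staff address-list=hs-staff

# 3. Authenticate hotspot users against the AD-backed RADIUS server. The server
#    decides the profile by returning the MikroTik vendor-specific attribute
#    Mikrotik-Group (vendor 14988, attribute 3) set to the profile name, i.e.
#    "staff" for members of the AD "Staff" group and "guest" for everyone else.
/radius
add service=hotspot address=192.168.10.5 secret=changeme
/ip hotspot profile
set [find name=default] use-radius=yes

# 4. Forward-chain filter. Order matters: return traffic first, then the
#    per-group exceptions, then the blanket VLAN40 -> VLAN10 drop.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="return traffic"
add chain=forward src-address-list=hs-staff dst-address-list=printers action=accept comment="staff hotspot users -> printers"
add chain=forward src-address=192.168.40.0/22 dst-address=192.168.10.0/23 action=drop comment="everything else from hotspot to our network"
```

On the RADIUS side this needs the policy that matches the AD "Staff" group to send Mikrotik-Group=staff; in Windows NPS that is a Vendor-Specific attribute on the network policy (vendor code 14988, vendor-assigned attribute 3, string). Any further AD group is handled the same way: one more hotspot user profile with its own address-list name, one more accept rule placed above the drop. Because the list entry is created by the authenticated session and torn down with it, the accept rule cannot be reached by an unauthenticated client or by a guest, which is the property the post is after; the printers' own replies come back through the established,related rule, so no hole from VLAN10 towards VLAN40 is needed.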