ColinSlater
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Sep 12, 2021 2:32 pm

Apply Firewall Filter Rule to RADIUS Group

Thu Jun 23, 2022 7:32 pm

Hello,

We are a scout campsite in the UK, with a few devices on "our network" like IP Phones, IP CCTV Cameras, a couple of computers, a couple of servers etc, and an authenticated Wireless network for campers and people who book our residential buildings. I am in the process of swapping our site firewall over to a MikroTik (we've ordered an RB4011 box).
We're going to use the Hotspot feature for our authenticated wireless network. The authentication will be handled via RADIUS to our Active Directory server. I've got instructions for how to do this already, so am confident that I can get this bit working.
So, at this point, users will be able to login to our wireless network.

What I would like to be able to do is apply filter rules in the firewall that allow certain users (or groups of users) more access to things on other VLANs or Bridges.
For example:
- Hotspot will be set up on ether4 (VLAN=40, IP range will be something like 192.168.40.0/22)
- "Our Network" is on ether1 (VLAN=10, IP range will be 192.168.10.0/23).
- I have an Address-List set up for the 4 or 5 printers we have on site (e.g. 192.168.10.20-192.168.10.29).
- Our AD server has a group set up called "Staff" for the volunteer campsite crew.
- I would like a firewall rule that blocks all access from VLAN40 to VLAN10 --> this bit is easy.
- I would then like a series of rules that open up the access from VLAN40 to VLAN10 based on a user's AD group membership (via the RADIUS authentication), e.g. Staff can access the devices in my Printers address list from their laptops but guests (i.e. campers) wouldn't be able to.

Any ideas? I can't see an obvious place where I can specify which user groups or so a filter rule applies to.

Thanks...

Colin
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Apply Firewall Filter Rule to RADIUS Group

Thu Jun 23, 2022 8:11 pm

The way to do this would be to prepare some rules in the firewall that match on a src-address-list (e.g. src-address-list=staff) and allow the extra traffic, then dynamically add the members of that group to that address-list when they connect.
How to do that is a different matter. With PPP (and related protocols) it is easy, as you can specify the name of an address-list to which the current connection is to be added.
But with hotspot, I am not sure. Maybe others can add that info.
 
ColinSlater
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Sep 12, 2021 2:32 pm

Re: Apply Firewall Filter Rule to RADIUS Group

Thu Jun 23, 2022 8:17 pm

Hi @pe1chl,
Thanks for the reply. This is extremely useful.
When you say "add the members of that group to the address list when they connect", presumably you mean add the IP-Address that they are assigned when they connect to the address list right? So that the connection is then allowed.
How would the list get refreshed though as the IP-Addresses will eventually get re-used when new clients connect.
I just had a quick look at the address lists that I've got set up and I couldn't see any sort of expiry or anything like this.
Thanks...
Colin
 
ColinSlater
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Sep 12, 2021 2:32 pm

Re: Apply Firewall Filter Rule to RADIUS Group

Thu Jun 23, 2022 8:22 pm

Ignore my last post - just found the timeout option and have had a play and that does indeed purge the list of expired addresses.
So, I guess I just need to set up something via RADIUS that checks to see if the connection is still live and keeps extending the timeout or something.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Apply Firewall Filter Rule to RADIUS Group

Thu Jun 23, 2022 8:45 pm

You could also use a different VLAN for the members of the Staff group. It is possible to specify a VLAN in the RADIUS response and it works on plain WiFi, I do not know about hotspot.
This would mean you need to add another subnet (with DHCP config) for the staff members, and in the firewall you can use that for rules.
Unfortunately MikroTik use a nonstandard RADIUS attribute for specification of the VLAN. You will likely need to add it to the Windows RADIUS server.
I use freeradius and it already exists in one of the manufacturer-specific attribute defs, like this:

Mikrotik-Wireless-VLANID-type = 0,
Mikrotik-Wireless-VLANID = 64

In standard attributes that would be like this:

Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-id = "64"
 
tuxtlequino
Frequent Visitor
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Re: Apply Firewall Filter Rule to RADIUS Group

Thu Jun 23, 2022 10:20 pm

pe1chl's suggestion would be the best in my mind.

You could also have static DHCP addresses for staff and use address lists in your firewall filter rules and bypass the AD Group Membership.

For example, you could do something like,
/ip firewall address-list
add address=192.168.40.200 comment="Camp Counselor" list=Printer_Access
add address=192.168.40.201 comment="Camp Counselor" list=Printer_Access
add address=192.168.40.202 comment="Camp Counselor" list=Printer_Access
add address=192.168.40.203 comment="Staff" list=Printer_Access

add address=192.168.1.210 comment="Main Office Printer" list=Printers
add address=192.168.1.211 comment="Cabin 1 Printer" list=Printers
add address=192.168.1.212 comment="Cabin 2 Printer" list=Printers

/ip firewall filter
add action=accept chain=forward comment="Allow certain computers in VLAN40 access to printers in VLAN10" connection-state=new in-interface=VLAN40 out-interface=VLAN10 \
    src-address-list=Printer_Access dst-address-list=Printers
The only downside to the option above is that you need to manage the static IPs and the firewall address lists. Not a problem with the printers, but depending on the amount of turnover you have among those with access to the printers in VLAN40, that could add up.

Just easier to have a new VLAN for staff that has access to the VLAN40 and VLAN10.
 
ColinSlater
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Sep 12, 2021 2:32 pm

Re: Apply Firewall Filter Rule to RADIUS Group

Thu Jun 23, 2022 11:10 pm

Hi,

I’ve seen that it’s possible to set login/logout scripts for Hotspot logins, and that it’s possible to get things like username, Mac-ID, etc.

Is there anywhere that describes the built-in parameters that are accessible this way? I can see that I have to declare local variables in order to make easy use of these, but it wasn't clear to me from reading the MikroTik website so far what parameters were actually available to me.

Do you think it would be possible to access the AD group memberships via RADIUS this way?

I’d prefer not to have to set fixed IPs for people - we’re all volunteers and the turnover can be a bit high sometimes.
 
tuxtlequino
Frequent Visitor
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Re: Apply Firewall Filter Rule to RADIUS Group

Fri Jun 24, 2022 12:42 am

Hi,

I am not familiar with Active Directory, and I am not sure if you are using Mikrotik CAPsMan. But the following may help you,

https://mum.mikrotik.com/presentations/ ... 293520.pdf

I am also including this other tutorial I wrote doing what you want with a couple of caveats.

1. Instead of using the Hotspot and Microsoft AD, I am using the new RADIUS server that comes included in the new ROS7.
2. This is assuming you are using Mikrotik CAPsMAN to manage mikrotik CAP routers.

viewtopic.php?p=936639&hilit=radius+vla ... ic#p936639
 
ColinSlater
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Sep 12, 2021 2:32 pm

Re: Apply Firewall Filter Rule to RADIUS Group

Tue Aug 30, 2022 12:30 pm

Hi,
Just to close this one off, and for anyone else who needs a similar solution... I got the effect I wanted by setting up different Hotspot user profiles and passing the parameter to select the user profile from RADIUS (based on the Network Policy Server settings, which do obey the AD groups).
Each of the Hotspot user profiles was set up to populate a specific address list, and I applied the firewall rules to the address lists... and everything works exactly as I want it to :-)

Thanks to everyone who posted help here - it really did help me to get along the way to the final solution.
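As an added example of the approach Colin describes (this is not Colin's own configuration or anything from the MikroTik documentation), the RouterOS commands below wire together the three pieces: a Hotspot user profile per AD group, the profile selected by the RADIUS reply, and the dynamically populated address list that the filter rules match on. It assumes the VLAN interfaces are named vlan40 and vlan10, the RADIUS server is at a placeholder address, and the NPS policy for the "Staff" group returns the MikroTik vendor-specific attribute Mikrotik-Group (vendor ID 14618, attribute 3) with the value "staff".

```routeros
# Added example, not the poster's config. Interface names, list names and
# the RADIUS server address/secret are placeholders chosen for this example.

# 1. Hotspot authenticates against RADIUS (your NPS / AD server).
/radius
add service=hotspot address=192.168.10.5 secret=CHANGE-ME comment="NPS on AD server"
/ip hotspot profile
set default use-radius=yes

# 2. One Hotspot user profile per AD group. RADIUS selects the profile by
#    returning Mikrotik-Group=<profile name>. The address-list setting adds the
#    client's IP to that list for the life of the session and removes it on
#    logout, so no manual timeout housekeeping is needed.
/ip hotspot user profile
add name=guest comment="Campers: no extra access"
add name=staff address-list=hotspot-staff comment="AD group Staff"

# 3. Static list of the printers on VLAN10 (range constructed for the example).
/ip firewall address-list
add address=192.168.10.20-192.168.10.29 list=printers comment="Site printers"

# 4. Forward chain, evaluated top to bottom: return traffic, then the staff
#    exception, then the default block from the hotspot VLAN to "our network".
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="Allow return traffic"
add chain=forward action=accept connection-state=new \
    in-interface=vlan40 out-interface=vlan10 \
    src-address-list=hotspot-staff dst-address-list=printers \
    comment="Staff hotspot users may reach the printers"
add chain=forward action=drop in-interface=vlan40 out-interface=vlan10 \
    comment="Default: no access from the hotspot VLAN to VLAN10"

# 5. Check: after a Staff member logs in, their address should appear as a
#    dynamic (D) entry in hotspot-staff and disappear again on logout.
/ip firewall address-list print where list=hotspot-staff dynamic=yes
/ip hotspot active print
```

If NPS is not yet returning Mikrotik-Group, a user authenticating successfully will land in the server's default user profile rather than "staff", so the address-list check in step 5 is the quickest way to confirm the group mapping is working.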
