hurymak
Frequent Visitor
Topic Author
Posts: 76
Joined: Mon Oct 06, 2014 1:31 pm

Secure network, separate dhcp pool with vlan?

Thu Oct 13, 2022 8:15 am

I have a MikroTik router in the company. The normal DHCP pool for workers who need access to the local LAN and internet is 10.0.0.1-10.0.0.250 (I assign them manually by MAC) (let's say it's the workers pool),
but I also have a separate pool for guests who are not on the static DHCP list; the default pool for them is 172.16.0.0 – 172.16.0.250, the guests pool.
The guests pool has only limited access to the internet: max 10 Mbps queues, traffic through a porn-filtering DNS.
The SFP port is for internet access over PPPoE, all other ports are in a bridge, and the DHCP server is on the bridge.
The workers pool is filtered from the guests pool on the firewall, with access blocked on the forward chain.

When a new person connects, the default pool for this person is 172; if this is a worker, I go to DHCP leases and assign him an address from the workers pool.
If this is not a new worker, he stays on the guests pool.

How to make it more secure so every guest is additionally in a separate VLAN space?
And if this is possible:
when someone who is a guest and has an address in pool 172 launches Wireshark, how to make him not see others' MACs?
How to separate every guest on the 172 pool so everyone with a 172. address will be totally isolated even at the sniffing, pcap level?
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: Secure network, separate dhcp pool with vlan?

Thu Oct 13, 2022 9:03 am

I'll just say that VLAN is the right way. How exactly to configure the whole network really depends on the exact layout (it could be that some changes to the layout would be beneficial as well) and on the exact requirements. The way you phrased your post (question?) indicates to me that your current solution is on the convoluted end of configuration style, and any further extension of the same concept might lead to an unmanageable one.
And I guess solving conceptual problems is well beyond the scope of this forum (which is mostly to help with technical questions regarding MT gear). However, you can still go ahead and describe your setup and requirements in more detail; somebody still might give you some useful input.
 
hurymak
Frequent Visitor
Topic Author
Posts: 76
Joined: Mon Oct 06, 2014 1:31 pm

Re: Secure network, separate dhcp pool with vlan?

Thu Oct 13, 2022 10:40 am

OK, so first just this part:
How to make the current DHCP server automatically add a different VLAN for every new client, but only on the guests pool?
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Secure network, separate dhcp pool with vlan?

Thu Oct 13, 2022 1:07 pm

It doesn't work like that. If you wish to isolate clients' layer 2 / Ethernet traffic you need to look at bridge horizon or port isolation, and disabling client-to-client traffic on any wireless APs. As this is at the Ethernet level, the isolation applies to all packets, including IP - it cannot be different for guest / non-guest IP ranges.

Using MAC addresses to 'authenticate' device access is not really the right way to do this as they can easily be spoofed. For wired networks using switches which support 802.1X, and for wireless networks APs which support WPA2-Enterprise, coupled with a RADIUS server with separate credentials and/or certificates for each user is used by many universities and enterprises to control network access.
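
The bridge horizon and wireless client-to-client settings mentioned in the reply above, as an added RouterOS example that is not part of the original thread. The names ether2-ether4 and wlan1 are assumptions, and wlan1 is assumed to use the legacy wireless package.

```routeros
# Added example, not from the thread. Assumed names: ether2-ether4 are access
# ports that are already members of the existing bridge; wlan1 is an AP
# interface on the legacy wireless package.

# Before (weak): horizon is unset on every bridge port, so the bridge forwards
# frames between all access ports. Any client running a capture sees its
# neighbours' broadcasts (ARP, DHCP) and learns their MAC addresses.

# After: put all access ports in the same horizon group. The bridge does not
# forward a frame out of a port whose horizon value equals that of the port
# the frame arrived on, so client-to-client layer 2 traffic is dropped.
/interface bridge port
set [find interface=ether2] horizon=1
set [find interface=ether3] horizon=1
set [find interface=ether4] horizon=1

# The bridge interface itself (the router: DHCP server, gateway) has no
# horizon, so clients still reach DHCP, DNS and the internet.
# Split horizon is a software feature and disables hardware offloading
# on the ports where it is set.

# This works per port, not per address: a device on ether2 is isolated
# whether its lease is from 10.0.0.x or 172.16.0.x, as the reply notes.
# Clients plugged into the same downstream unmanaged switch still see each
# other, because that traffic never reaches the router's bridge.

# Wireless: stop the AP from forwarding frames between its own clients.
/interface wireless
set [find name=wlan1] default-forwarding=no

# Check the result: every access port should list horizon=1.
/interface bridge port print detail
```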
