Community discussions

 
silvio
just joined
Topic Author
Posts: 4
Joined: Wed Sep 20, 2017 12:51 pm

How to isolate networks

Wed Sep 20, 2017 5:50 pm

Hi, I'm new on networking and I need your help.

I need to separate my own LAN (network A) from a second lan (network B) that need only internet access. So from the network B the hosts in network A can't be accessed and vice versa.
This is my network configuration.
Router B get internet access through Router A.
[network diagram]

Can anyone help me?

Thanks
 
blajah
Member Candidate
Posts: 224
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia

Re: How to isolate networks

Fri Sep 22, 2017 8:36 pm

Hi,
post the CIDRs of both networks.
I have a bigger routing table.
 
silvio
just joined
Topic Author
Posts: 4
Joined: Wed Sep 20, 2017 12:51 pm

Re: How to isolate networks

Fri Sep 22, 2017 9:28 pm

Network A has 192.168.100.0/24
Network B has 192.168.1.0/24
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: How to isolate networks  [SOLVED]

Fri Sep 22, 2017 9:49 pm

Hi, I'm new to networking. I need to isolate network A from network B. Network B needs only internet access.
Silvio,
Thank you for the network diagram and the question. I know you'll come to enjoy the things MikroTik can do for you. While not perfect, and we need more features, they are really fun to work with.

Answer:
On a purely technical level, there are several ways to do this. There are ways (port isolation), better ways (VLAN, PVLAN), and then better-performing ways (wire-speed VLAN) if you have the hardware. Without going into all the ins and outs of what's best, let's just start with some good duct tape. Others can chime in to make it more clear or say I'm wrong. : - P

Conceptual Design 1:
  • Router B's port 1 is plugged into Router A's port 10.
  • Router A's port 10 will be set isolated (removed from a switch group or bridge).
  • Router A will set a unique IP address and DHCP server on its port 10 interface.
  • Firewall rules will block port 10 from accessing other ports, except to flow out the WAN interface.
  • Router B is turned into a simple switch.
There are quite a few commands to enter to make all this actually work in practice. Let's get Router B set up first. Turn it into a simple switch.
# one bridge for every port on Router B; no spanning tree needed on a leaf switch
/interface bridge
add name=bridge-LAN protocol-mode=none

/interface bridge port
add bridge=bridge-LAN interface=ether1
add bridge=bridge-LAN interface=ether2
etc ...

# ether1 is the uplink to Router A's port 10; the other ports are switched behind it
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
etc ..

# management address for Router B itself, on the isolated 192.168.1.0/24 network
/ip address
add address=192.168.1.2/24 interface=bridge-LAN

# route out Router A's port 10 (192.168.1.1 is Router A's ether10 address)
/ip route
add distance=1 gateway=192.168.1.1
Now, let's set up Router A to serve this switch and thus anything connected to it.

/interface ethernet
set [ find default-name=ether10 ] master-port=none

# will be the default gateway for Router B
/ip address
add address=192.168.1.1/24 interface=ether10

/ip pool
add name=dhcp_pool10 ranges=192.168.1.10-192.168.1.254

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1

/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool10 always-broadcast=yes authoritative=yes disabled=no interface=ether10 name=dhcp10
Now that we have the routing set up, we'll have to set up firewall rules to allow things to work. So, edit Router A's settings. Change bridge-LAN to match your interface name. Note the way we introduce ether10, thus enabling it to work.
/interface bridge settings
set use-ip-firewall=yes

/ip settings
set rp-filter=strict secure-redirects=no send-redirects=no tcp-syncookies=yes

/ip firewall filter
add action=accept chain=input connection-state=established,related comment="Accept established related"
add action=accept chain=input in-interface=bridge-LAN comment="Allow LAN access to router and Internet"

# since ether10 does not exist in bridge or switch, we set an allow on it
add action=accept chain=input in-interface=ether10 comment="Allow RouterB access to router and Internet"
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward connection-state=established,related comment="Accept established related"
add action=accept chain=forward connection-state=new in-interface=bridge-LAN comment="Allow LAN access to router and Internet"

# Anything trying to access Router A's network, if not coming from A we drop.
add action=drop chain=forward in-interface=!bridge-LAN out-interface=bridge-LAN comment="Isolate RouterA"

# since ether10 does not exist in bridge or switch, we set an allow on it
add action=accept chain=forward connection-state=new in-interface=ether10 comment="Allow RouterB access to router and Internet"
add action=drop chain=forward comment="Drop all other forward"

/ip firewall nat
add action=masquerade chain=srcnat comment="Default masq" out-interface=ether-WAN

# Optionally if you have the package installed
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
A note about the way I've created the rules. I allow access to Router A itself, from Router B, thus you'll be able to ping 192.168.x.1 from the B x.x.1.1 network. Why? To allow services, like DNS, DHCP, etc. running on Router A to serve the B network.
Last edited by pcunite on Fri Sep 22, 2017 11:59 pm, edited 6 times in total.
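The rule set above is easy to get wrong by reordering, so here is an added example (my own code, not MikroTik's and not from the post) that models those `/ip firewall filter` rules as a first-match chain and evaluates the flows that matter for the isolation question: B to A, A to B, B to the Internet, B to Router A itself, and unsolicited traffic from the WAN. Interface names `bridge-LAN`, `ether10` and `ether-WAN` are taken from the posted configuration; the `MUTUAL_RULES` variant adds one hypothetical drop rule that is not in the post, to show what the "vice versa" half of the original question would need and why that rule must sit before the LAN accept.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Interface names as used in the Router A configuration in the post above.
LAN, ISOLATED, WAN = "bridge-LAN", "ether10", "ether-WAN"


@dataclass(frozen=True)
class Packet:
    chain: str                        # "input" (to the router) or "forward" (through it)
    in_iface: str
    state: str                        # connection-state: new / established / related / invalid
    out_iface: Optional[str] = None   # only meaningful in the forward chain


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str                       # "accept" or "drop"
    comment: str
    in_iface: Optional[str] = None    # "!name" means "any interface except name"
    out_iface: Optional[str] = None
    states: Optional[frozenset] = None

    @staticmethod
    def _iface_ok(want: Optional[str], have: Optional[str]) -> bool:
        if want is None:
            return True
        if want.startswith("!"):
            return have != want[1:]
        return have == want

    def matches(self, pkt: Packet) -> bool:
        return (self.chain == pkt.chain
                and self._iface_ok(self.in_iface, pkt.in_iface)
                and self._iface_ok(self.out_iface, pkt.out_iface)
                and (self.states is None or pkt.state in self.states))


EST = frozenset({"established", "related"})
NEW = frozenset({"new"})

# The posted rule set, in the order it appears under /ip firewall filter.
POSTED_RULES: List[Rule] = [
    Rule("input", "accept", "Accept established related", states=EST),
    Rule("input", "accept", "Allow LAN access to router and Internet", in_iface=LAN),
    Rule("input", "accept", "Allow RouterB access to router and Internet", in_iface=ISOLATED),
    Rule("input", "drop", "Drop all other input"),
    Rule("forward", "accept", "Accept established related", states=EST),
    Rule("forward", "accept", "Allow LAN access to router and Internet", in_iface=LAN, states=NEW),
    Rule("forward", "drop", "Isolate RouterA", in_iface="!" + LAN, out_iface=LAN),
    Rule("forward", "accept", "Allow RouterB access to router and Internet", in_iface=ISOLATED, states=NEW),
    Rule("forward", "drop", "Drop all other forward"),
]


def evaluate(pkt: Packet, rules: List[Rule] = POSTED_RULES) -> Tuple[str, str]:
    """First matching rule in the packet's chain decides. RouterOS accepts a
    packet that falls off the end of a chain, so that is the default here too."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "(implicit end-of-chain accept)"


def policy_matrix(rules: List[Rule] = POSTED_RULES) -> dict:
    """Verdicts for the flows that decide whether the two networks are isolated."""
    flows = {
        "B -> A host (new)":        Packet("forward", ISOLATED, "new", LAN),
        "A -> B host (new)":        Packet("forward", LAN, "new", ISOLATED),
        "B -> A host (reply)":      Packet("forward", ISOLATED, "established", LAN),
        "B -> Internet (new)":      Packet("forward", ISOLATED, "new", WAN),
        "B -> Router A (new)":      Packet("input", ISOLATED, "new"),
        "Internet -> A host (new)": Packet("forward", WAN, "new", LAN),
        "Internet -> B host (new)": Packet("forward", WAN, "new", ISOLATED),
        "Internet -> Router A":     Packet("input", WAN, "new"),
    }
    return {name: evaluate(pkt, rules)[0] for name, pkt in flows.items()}


# Hypothetical extra rule (not in the post): also refuse connections that network A
# opens into the isolated segment. Inserted before "Allow LAN access", otherwise the
# broad accept on in-interface=bridge-LAN matches first and the drop never fires.
MUTUAL_RULES: List[Rule] = (
    POSTED_RULES[:5]
    + [Rule("forward", "drop", "Isolate RouterB", in_iface=LAN, out_iface=ISOLATED)]
    + POSTED_RULES[5:]
)

if __name__ == "__main__":
    for name, verdict in policy_matrix().items():
        print(f"{name:28s} {verdict}")
```

Running it shows the posted rules drop anything from `ether10` (or the WAN) towards `bridge-LAN`, let B reach the Internet and Router A's own services, and drop unsolicited WAN traffic to either segment; they do accept new connections from A into B, which is what the broad `in-interface=bridge-LAN` accept does. The same model is a cheap way to check any reordering before typing it into a live router.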
 
silvio
just joined
Topic Author
Posts: 4
Joined: Wed Sep 20, 2017 12:51 pm

Re: How to isolate networks

Fri Sep 22, 2017 10:14 pm

Thank you very much for the response, so you mean that I need to configure my RouterB PORT10 (for example) as DHCP server for the network to isolate? RouterA and RouterB are in the same LAN; it is the isolatedRouter that must be isolated.
And which are the firewall rules? Sorry but I'm a newbie :)
Thanks again for your help.

[network diagram]
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: How to isolate networks

Fri Sep 22, 2017 10:24 pm

So you mean that I need to configure my RouterB PORT10(for example) as dhcp server for the network to isolate?
No, I'm suggesting that you make RouterB into a switch. It will have no DHCP, or any services of any kind. I'm having you set a static IP on it. All of its ports will simply send traffic to RouterA's Port 10.
 
silvio
just joined
Topic Author
Posts: 4
Joined: Wed Sep 20, 2017 12:51 pm

Re: How to isolate networks

Fri Sep 22, 2017 10:30 pm

ok understood, and for the firewall?
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: How to isolate networks

Fri Sep 22, 2017 11:29 pm

ok understood, and for the firewall?
I've updated the post.