electroroute
just joined
Topic Author
Posts: 10
Joined: Fri Oct 08, 2021 4:37 am

Router route all AP traffic to Wan only

Fri Oct 08, 2021 5:21 am

Hi, I have a RB5009 running RouterOS 7. I have an old Linksys router that I want to use as an AP.

My objective is to give the AP:
- access to internet only
- no access to other devices wired to the RB5009.

                 /------------> AP
ISP --> RB5009 -------> PC
                 \-----> PC
                  \----> PC

In essence, I consider any device connected to AP wifi untrusted.

Question: How do I go about making this happen? Thank you in advance for your help.
Last edited by electroroute on Sat Oct 09, 2021 9:08 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 8839
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Router route all AP traffic to Wan only

Fri Oct 08, 2021 2:10 pm

Through firewall rules.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
electroroute
just joined
Topic Author
Posts: 10
Joined: Fri Oct 08, 2021 4:37 am

Re: Router route all AP traffic to Wan only

Sat Oct 09, 2021 3:50 am

Thank you Anav. Would you be kind enough to tell me how that rule would be written?
Say the AP has static IP 192.168.1.30.

I'm new to this so I appreciate everyone's patience. :)
 
holvoetn
Member Candidate
Posts: 156
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Router route all AP traffic to Wan only

Sat Oct 09, 2021 4:20 pm

Unclear without more detailed info.

From your picture I assume your AP is connected on the network part before your Mikrotik?
In that case all communication from AP to Tik is already blocked, since the incoming port of your router (eth1) is considered WAN and that one is blocked by default in the firewall.
If you want to connect your AP to one of the ports on the RB, define that port in the interface list as WAN instead of LAN and remove it from the bridge.
Or do you also need to take care of DHCP on the AP and its clients through the RB?

See, unclear without more detailed info on what you want to do.
Last edited by holvoetn on Sat Oct 09, 2021 4:24 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 8839
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Router route all AP traffic to Wan only

Sat Oct 09, 2021 4:23 pm

Depends,
Would have to see your current firewall rules to make any assessments.
/export hide-sensitive file=anynameyouwish

My assumption is that the access point is also connected behind the router, on the same network as the PCs.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
electroroute
just joined
Topic Author
Posts: 10
Joined: Fri Oct 08, 2021 4:37 am

Re: Router route all AP traffic to Wan only

Sat Oct 09, 2021 9:17 pm

@holvoetn: Sorry, I just realised that the text diagram lost its formatting. I edited the original post with an image instead.
For the time being I don't need Mikrotik to handle DHCP for the AP-connected devices.

@anav: Here are the firewall rules.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
 
anav
Forum Guru
Posts: 8839
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Router route all AP traffic to Wan only

Sat Oct 09, 2021 10:45 pm

In general, this is only possible if the AP and its clients are on a different subnet.
If they are on the same subnet (layer 2 connectivity) then layer 3 firewall rules cannot prevent them from talking to each other.

Thus I recommend using a different subnet for the AP etc.
Let's say you use 192.168.10.0/24 for the LAN and
192.168.50.0/24 for the AP.

Then you only need to add one rule at the end:
add chain=forward action=drop src-address=192.168.50.0/24 dst-address=192.168.10.0/24
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
bpwl
Forum Guru
Posts: 1591
Joined: Mon Apr 08, 2019 1:16 am

Re: Router route all AP traffic to Wan only

Sun Oct 10, 2021 12:43 am

This needs more network detail.

Simple suggestions without knowing your setup may be confusing, and not valid.

I would add all PC ethernet ports to the bridge. The bridge is a member of the LAN interface list.
Ether1 is the WAN port by default (it is a member of the WAN interface list), and is not connected to the bridge.
EtherX has your Linksys connected. That ethernet port is NOT on the bridge, but is a member of the LAN interface list (not the WAN interface list!).

Now you have 3 subnets to handle with the firewall.
The WAN interface list is securing your router, and ether1 has a DHCP client by default. The WAN interface list is defined as having NAT in the firewall by default.
LAN1 is the bridge. You have an IP address and DHCP server on the bridge. All PCs are connected to ports of the bridge and are in the same subnet.
LAN2 is etherX. The etherX port needs an IP address in another subnet (the subnet of the Linksys), different from LAN1.

The @anav firewall rule will prevent communication between LAN1 and LAN2.
 
anav
Forum Guru
Posts: 8839
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Router route all AP traffic to Wan only

Sun Oct 10, 2021 12:56 am

It's up to the OP to provide a full config via
/export hide-sensitive file=anynameyouwish

I was giving general advice, which is all one can give based on the meager information provided.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
electroroute
just joined
Topic Author
Posts: 10
Joined: Fri Oct 08, 2021 4:37 am

Re: Router route all AP traffic to Wan only

Sun Oct 10, 2021 8:19 pm

@bpwl: Thank you for describing the setup. The only additional thing is that I don't want LAN2 to have communication with LAN1.
@anav: Thank you, and yes, I'd like devices connected to the AP to be able to talk to each other but not to devices connected to the router itself. I'd rather the AP just go straight to WAN.

I pasted the full config as you requested. Please let me know the best way to achieve my objective:
1- shield and protect router from attacks/unauth access
2- shield devices wired to router from WAN but allow them to talk to each other (except AP)
3- provide WAN access only to AP and devices connected to it.

Side note: AP (old Linksys router) has its own DHCP and provides its own IP to devices connected to it wirelessly.
/interface bridge
add admin-mac=5B:C0:7A:BB:74:D1 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=40:2A:41:7A:0A:35
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.26.5.20-172.26.5.29
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/system logging action
set 0 memory-lines=10000
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=172.26.5.30/24 comment=defconf interface=bridge network=\
    172.26.5.0
/ip arp
add address=172.26.5.28 interface=bridge mac-address=DB:17:42:42:BC:D1
add address=172.26.5.29 interface=bridge mac-address=A8:05:EB:1E:3A:46
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=172.26.5.28 client-id=1:db:17:42:42:bc:d1 mac-address=\
    DB:17:42:42:BC:D1 server=defconf
/ip dhcp-server network
add address=172.26.5.0/24 comment=defconf dns-server=172.26.5.29 \
    gateway=172.26.5.30 netmask=24
/ip dns
set servers=172.26.5.29
/ip dns static
add address=172.26.5.30 comment=defconf name=router.lan
/ip firewall address-list
add address=172.26.5.28 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input disabled=yes dst-address=172.26.5.30 \
    src-address-list=allowed_to_router
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name=mikrotikrb
/system package update
set channel=long-term
/system routerboard settings
set cpu-frequency=auto
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 8839
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Router route all AP traffic to Wan only

Sun Oct 10, 2021 8:41 pm

Whatever port is going to the AP, remove it from the bridge.
Give that etherportX its own subnet, IP address, IP pool, DHCP server and DHCP server network.
Make sure it's part of the LAN interface list along with the bridge.

In the firewall forward chain, before the last rule, put in something to the effect of:

add action=drop chain=forward in-interface=etherportX out-interface=bridge

This will effectively block all AP traffic to the rest of the users that are on the bridge.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
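The procedure anav and bpwl describe (AP port off the bridge, its own subnet and DHCP, kept in the LAN list, and a forward drop towards the bridge), written out as RouterOS CLI against the posted export. This is an added example, not anav's or MikroTik's own configuration; it assumes the Linksys WAN port is cabled to ether8 and uses 172.26.50.0/24 as a constructed AP subnet. It also adds input-chain rules for the OP's first objective (protect the router from the untrusted AP side), which the thread mentions but does not spell out.

```routeros
# Added example (not from the thread or MikroTik). Assumptions: Linksys WAN
# port on ether8, AP link subnet 172.26.50.0/24 (constructed), bridge keeps
# 172.26.5.0/24 as in the posted export.

# 1. Take ether8 off the bridge so it is no longer layer-2 adjacent to the PCs.
/interface bridge port
remove [find interface=ether8]

# 2. Give ether8 its own subnet, pool, DHCP server and DHCP network.
#    DNS is pointed at the router itself: the LAN's 172.26.5.29 resolver sits
#    behind the bridge, which the drop rule below deliberately cuts off.
/ip address
add address=172.26.50.1/24 interface=ether8 network=172.26.50.0
/ip pool
add name=ap-pool ranges=172.26.50.10-172.26.50.20
/ip dhcp-server
add address-pool=ap-pool interface=ether8 name=ap-dhcp
/ip dhcp-server network
add address=172.26.50.0/24 gateway=172.26.50.1 dns-server=172.26.50.1
/ip dns
set allow-remote-requests=yes

# 3. Keep ether8 in the LAN list so the defconf rules do not treat it as WAN
#    and the srcnat masquerade still covers it on the way out via ether1.
/interface list member
add interface=ether8 list=LAN

# 4. Forward chain: drop new traffic from the AP port towards the bridge,
#    placed before the defconf "drop all from WAN not DSTNATed" rule.
#    Matching on in-interface covers every device behind the AP, whether
#    the Linksys NATs them or not. Reply traffic from the bridge never exists
#    because no connection is ever established in that direction.
/ip firewall filter
add action=drop chain=forward comment="ap: no access to bridge LAN" \
    in-interface=ether8 out-interface=bridge \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# 5. Input chain: the AP side only needs DHCP and DNS from the router; drop
#    everything else from ether8. These go before "defconf: drop all not
#    coming from LAN", which would otherwise accept ether8 traffic as LAN.
#    Each place-before lands just before that rule, so order is kept.
add action=accept chain=input comment="ap: dhcp" in-interface=ether8 \
    protocol=udp dst-port=67 \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add action=accept chain=input comment="ap: dns" in-interface=ether8 \
    protocol=udp dst-port=53 \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add action=drop chain=input comment="ap: drop rest to router" \
    in-interface=ether8 \
    place-before=[find comment="defconf: drop all not coming from LAN"]
```

To verify, connect a client behind the AP and confirm it gets a 172.26.50.x lease, reaches the internet, and that pings or connections to 172.26.5.0/24 hosts and to the router's web interface time out, while the counters on the two "ap:" drop rules increase.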
 
Zacharias
Forum Guru
Posts: 2750
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Router route all AP traffic to Wan only

Sun Oct 10, 2021 8:49 pm

You could as well use VLANs with Bridge VLAN filtering on the RB5009 that supports Hardware offload when applying Bridge VLAN filtering ...
 
anav
Forum Guru
Posts: 8839
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Router route all AP traffic to Wan only

Sun Oct 10, 2021 9:21 pm

Yes, but let's not put the cart before the horse, Zach!!
Yes, me not advocating vlans right away... miracles.
It's good that the OP knows how to manipulate the ports and bridge with rules prior to introducing vlans.

Vlans, in general, are only really required if one does not have enough ports and needs to send traffic down a single port to different groups of users with different rules,
including to a smart switch, or to a smart AP, that can then distribute the traffic appropriately.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
electroroute
just joined
Topic Author
Posts: 10
Joined: Fri Oct 08, 2021 4:37 am

Re: Router route all AP traffic to Wan only

Wed Oct 13, 2021 7:44 am

Hi Anav, would you be kind enough to list the steps to execute your suggestion? I spent quite a bit of time on it, and the AP ether port loses all connectivity and I have to reload the config file I started with. I use webconfig but I'm comfortable with the CLI.
