Joxeur
just joined
Topic Author
Posts: 2
Joined: Thu Jan 27, 2022 6:56 pm

Help to find proper switch and configuration for home made door access system

Thu Jan 27, 2022 9:31 pm

Hi everybody,

As a software developer and an electronic hobbyist, I am working on my own door access system.
This is going pretty well and I could already implement most of the required parts, but I am facing a last challenge: the network.

This is a critical part of the security of my system and I need to make sure it is properly configured. However, my knowledge in the subject is quite limited. I tried to document myself as much as possible on internet but I cannot get the whole picture right and I don't want to invest some money in the wrong hardware.

Here is a schema of my system:

Image

Terminals are esp32 microcontrollers (more precisely wESP32 modules) that read RFID tags (Mifare Desfire EV1) containing a secret and send it to a central unit that does all the authorisation/validity checks and sends an HTTP request to a relays controller to actually open the doors. The central unit can also communicate through HTTPS with an NFC device to configure the NFC cards.

Terminals are outside the building and thus highly insecure, but the rest is all in a secure room.

The communication between the central unit and the relays is insecure (the device I am using doesn't handle SSL) and thus it is very important that one cannot just plug his laptop in place of the terminal and send a command to open the door to the relays controller... This would defeat the whole purpose of my system... I thus want the terminals to see as little as possible: they should only be able to communicate on port 443 with the central unit and not see any other traffic (not even that of other terminals).

I would then need to find a switch with at least 8 PoE outputs, 3 normal ones and one for internet. And I would need to be able to define rules in the switch to ensure that:

- eth0..7 can only communicate with eth8 (and not between each other) on port 443
- eth9 can only communicate with eth8 on port 443
- eth10 can only communicate with eth8 on port 80
- Only eth8 can access internet on eth11

I am under the impression that I should be able to reach this goal with the MikroTik netPower 16P and using these kinds of firewall rules like here: https://github.com/rcarvalloh/mikrotik_zbf.
I could use a "zone" for each physical interface and create the proper rules, no ?

Otherwise, if this requirement is too complicated, I could reduce it by defining 4 zones, one for eth0-7, one for eth8, one for eth9-10 and one for eth11. As it will use SSL, it is acceptable that terminals see the traffic of other terminals.

Could someone confirm to me that this would actually be possible with a MikroTik netPower 16P? And I would greatly appreciate it if I could get some help writing the rules :-)

Thanks in advance for your help,
 
miksu103
just joined
Posts: 10
Joined: Fri Jan 28, 2022 10:01 pm

Re: Help to find proper switch and configuration for home made door access system

Sat Jan 29, 2022 11:30 pm

To me it sounds like you need a bit more figuring things out before tackling such a complex network. My recommendation would be to simplify things just a little bit and implement that first. Once you get the simpler version working you will have gained much more experience and can start testing more complex setups on the same hardware.

Here's what I'm thinking:
Implement a flat network where all of the devices will be able to talk to each other. This does not mean someone attaching to a cable on the terminal will be able to listen to communications between the central unit and relay controller. But there will be security compromises.
Use a firewall (aka router), and block all devices from talking to the internet. Allow your central unit's IP address to talk to internet.

Hardware:
You will need a router as the firewall. Some mikrotik switches will also be able to run the same functions as a router, but I think it will be easier for you to learn with a separate router.
An older device like the hEX series will for sure be able to handle your load.
Expand ports with a switch. The netPower series is a heavy-duty outdoor switch and much more expensive for what you need. Check out the CRS112-8P-4S-IN instead.

Make sure you understand the difference between 24V passive PoE and 802.3 af/at before ordering a switch. Confirm the switch is compatible with your devices.

Then later on you could implement separate VLANs for each device type, only allow specific communication between the VLANs on your firewall and enable client isolation. All with the same hardware.
 
Joxeur
just joined
Topic Author
Posts: 2
Joined: Thu Jan 27, 2022 6:56 pm

Re: Help to find proper switch and configuration for home made door access system

Sun Jan 30, 2022 3:12 pm

Hi miksu103,

Thanks a lot for your answer and your advice!

So if I understand it right, you would split it in 2 components, one PoE switch for the terminals and a router for the rest, including firewall rules. Something like this:

Image

When it comes to the MikroTik netPower 16P being overkill, it is actually only $80 more expensive than the CRS112-8P-4S-IN, so it stays in the same price range.

I still have a few questions to make sure I am going in the right direction by choosing a MikroTik:
- Can all devices, including old hEX devices running on ROS4, be upgraded to ROS6?
- Viewing https://github.com/rcarvalloh/mikrotik_ ... er/zbf.rsc, I am under the impression that we can define firewall rules at the layer 1 level too. Is that right? Will I be able to build complex rules both for the router's ports (for instance 'ether3') and transport layer ports (for instance 'https:443')?
 
miksu103
just joined
Posts: 10
Joined: Fri Jan 28, 2022 10:01 pm

Re: Help to find proper switch and configuration for home made door access system

Tue Feb 01, 2022 10:04 pm

Hi!

It sounds like the netPower 16P makes a lot more sense for you, so go ahead with it.

I actually haven't used the hEX series myself, and could not find resources to confirm their software updates.
I'd guess they still receive updates as they are actively being sold but do confirm if you want to be sure.

I do not have experience with port based or zone firewalls.
I do not see a big security benefit in this case, and would personally just stick to a couple of separate subnets with a firewall between them.
Both are likely just as valid methods to do it, but I cannot comment on it more.

The reason I suggested you add the hEX (or any small router) to your setup is it comes with a default configuration that will get you started right away.
It is totally possible to build the exact configuration directly on the netPower switch, but you have to configure everything manually as it is not intended for that use case.
If you use the hEX default configuration method, it will not matter which devices you connect to the hEX and which to the large switch as they are all in the same network. Unless you configure otherwise.
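The OP's rule list and miksu103's "separate subnets with a firewall between them" advice, written out as one RouterOS v6 configuration for the netPower 16P (an added example, not from this thread or from the linked zbf repository). It implements the reduced four-zone variant; the port-to-VLAN mapping, the addresses, static IPs on the devices and ether12 as the uplink are all assumptions.

```routeros
# Added example (not from the thread). Assumed port layout on the netPower 16P:
#   ether1-8  terminals (PoE)            -> VLAN 10, 10.10.10.0/24
#   ether9    central unit               -> VLAN 20, 10.10.20.0/24
#   ether10   NFC device, ether11 relays -> VLAN 30, 10.10.30.0/24
#   ether12   internet uplink (DHCP client, masqueraded)
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether5 pvid=10
add bridge=bridge1 interface=ether6 pvid=10
add bridge=bridge1 interface=ether7 pvid=10
add bridge=bridge1 interface=ether8 pvid=10
add bridge=bridge1 interface=ether9 pvid=20
add bridge=bridge1 interface=ether10 pvid=30
add bridge=bridge1 interface=ether11 pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether9 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether10,ether11 vlan-ids=30
/interface vlan
add name=vlan-terminals interface=bridge1 vlan-id=10
add name=vlan-central interface=bridge1 vlan-id=20
add name=vlan-devices interface=bridge1 vlan-id=30
/ip address
add address=10.10.10.1/24 interface=vlan-terminals
add address=10.10.20.1/24 interface=vlan-central
add address=10.10.30.1/24 interface=vlan-devices
/ip dhcp-client
add interface=ether12 disabled=no
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies to allowed connections"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=vlan-terminals out-interface=vlan-central protocol=tcp dst-port=443 comment="terminals -> central unit, HTTPS only"
add chain=forward action=accept in-interface=vlan-central out-interface=vlan-devices protocol=tcp dst-port=80,443 comment="central -> relay controller (80) and NFC device (443)"
add chain=forward action=accept in-interface=vlan-central out-interface=ether12 comment="only the central unit reaches the internet"
add chain=forward action=drop comment="everything else: terminals never reach relays, NFC device or internet"
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether12
# Turn VLAN filtering on last, once ports and the VLAN table are in place, to avoid locking yourself out.
/interface bridge set bridge1 vlan-filtering=yes
```

Terminals in VLAN 10 can still see each other at layer 2, which is what the reduced variant accepts; the forward chain's final drop is what stops a laptop on a terminal port from reaching the relay controller's plain-HTTP port, and the input chain (management access to the switch itself) is left untouched here.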
 
multissid
newbie
Posts: 27
Joined: Sat Jan 29, 2022 12:21 am

Re: Help to find proper switch and configuration for home made door access system

Wed Feb 02, 2022 2:15 am

Not sure if a beacon (RFID) based home door access system is a smart solution,
since on a power-down event you need a backup solution to enter your home anyway.

You can try a car lock system solution, which sometimes fails but has worked fine for Ms of cars for years.

I am working on integration of an Android smartphone and an AP/router by MT
to let my smartphone act as a beacon to be recognized by the router,
invoking user scripts to set my private home configuration.

My friend prefers Alexa to control his home,
but I need an LE proximity sensor to recognize me entering home, to turn the router on, run the router's scripts
and get connected to my smartphone running AP tethering as Internet access.

The hardest part is how to keep BT and WiFi on the smartphone down (to save battery) and get me personally somehow automagically identified (RFID) and recognized, turning WiFi on the smartphone on / tethering enabled.

I have to check the key lock specification in the car.
