clem
just joined
Topic Author
Posts: 16
Joined: Tue Oct 18, 2022 2:01 pm

New start: help check user requirements

Wed Nov 30, 2022 12:05 am

Please help by checking user reqs and suggesting a technical solution (not the actual setup of the MT, I'll attempt that on my own after confirming my functional reqs here).

Fresh start after failing first attempts in limited spare time to learn MT.

Yes I've read New user pathway to success but thought I'd start over by getting user reqs right first. Please suggest.

Devices:
Network: Mikrotik hEX S with RouterOS 7.6, 2 x Unifi AC Lite (VLAN-aware WAPs, support max 4 SSIDs), 2 x Netgear 'smart' switches (not truly managed, but smart enough for VLAN), 1 x RPi with Unifi controller and PiHole
"Admin devices" (trusted, mine): wired desktop, laptop, phone
"Other user devices": 2 x RPi, laptops, phones, tablets
"Kid's devices": laptops, phones, tablets
"Untrusted / IoT": lighting devices and other home automation - printer also here?

What I'd like:
Segregated networks (I'm assuming VLANs?) for:
1. "Admin" for management of network devices (as recommended per MT forum). Contains management interfaces of network devices and my personal devices. My personal devices should have access to the internet and all other VLANs. Wifi and wired access.
2. User devices 'DNS unfiltered': for "other user devices", unrestricted access to the internet, access to other VLANs EXCEPT "Admin". Wifi and wired access.
3. User devices 'DNS filtered': for "other devices", PiHole-filtered access to the internet, access to other VLANs EXCEPT "Admin". Wifi and wired access.
4. Untrusted / IoT devices: access to the internet but NO access to any other VLAN. Wifi and wired access.

Preferably a separate VLAN for Kids' devices with filtered internet access and NO access to any other VLAN ... but then I'd exceed 4 SSIDs in my currently imagined setup. So add these to group 3?
No separate VLANs required for TV receivers or IP phones, as we don't have these devices.

Other user reqs:
a. user devices can choose filtered (PiHole) and unfiltered internet via SSID (required because adblocking can "break" sites and users need an easy way of switching between filtered and unfiltered DNS)
b. PPPoE access through VLAN 6 (ISP delivers internet on VLAN 6)
c. two ports used on the hEX S: 1 x WAN, 1 x LAN. Switching left to the switches as much as possible.
d. LAN on ether1 so the MT can be powered by PoE switch

Functional reqs?
Please help define. So what will be the basic setup... 5 VLANs (1 WAN, 4 x LAN)? I understand there are different ways to go about this in RouterOS - what would be the most suitable way for me?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New start: help check user requirements

Wed Nov 30, 2022 1:08 am

Yes, very confused.

Define all the groups of users.
FOR EACH, then give all the "should be able to" and "should not be able to" ...........
Things to consider:
a. internet
b. wired
c. wifi
d. force DNS
e. force AdGuard
f. access to user groups a, b, c (which also tells which ones are not allowed to)
g. access to specific shared device (i.e. printer - note: don't put it on the untrusted IoT LAN)

For instance I didn't see an entry for guest wifi users ......... don't have relatives or friends?
 
clem

Re: New start: help check user requirements

Wed Nov 30, 2022 3:09 pm

Like so?

User groups (ideally):
1. Admin: internet (unfiltered DNS); wired+wifi; access to: all
2. Users unfiltered: internet (unfiltered DNS); wired+wifi; access to: all except Admin
3. Users adblocked: internet (adblocked DNS); wired+wifi; access to: all except Admin
4. Guests: internet (unfiltered DNS); wifi; access to: none
5. Kids: internet (filtered DNS); wifi; access to: none
6. Printer/scanner: no internet (I guess?); wired; access to: none
7. IoT / "smart" home automation: internet (unfiltered); wired+wifi; access to: none

Comments / constraints:
* Access to = access to other user groups
* Users groups 2 + 3: should be able to choose adblocked or unfiltered by SSID, as some sites break when adblocking
* Above = ideal, except in doubt about printer access (I use the scan-to-device function of the printer/scanner on a fairly regular basis)
* WAPs have a limit of 4 SSIDs (can go to eight if I turn off some functionality, but Unifi users seem to advise against it for my particular WAPs). WAPs are connected by wire to switches on different floors
* In doubt about which group these belong to: printer, RPi (with PiHole, Unifi controller, but also home automation/information software (e.g. energy consumption, control of 'smart' lights) that only needs to be accessed from the LAN)
 
clem

Re: New start: help check user requirements

Sun Dec 04, 2022 10:19 pm

Define all the groups of users.
Like so? ^^^

Next steps?
 
anav

Re: New start: help check user requirements

Wed Dec 07, 2022 12:32 am

I think you're suggesting

vlan10 admin (will serve as both wired and wifi network, unfiltered)
vlan20 home1 (unfiltered LAN and unfiltered WIFI) SSID=FREE
vlan30 home2 (filtered LAN and filtered WIFI) SSID=FILT
vlan40 kids (filtered LAN and WIFI) SSID=KIDS
vlan50 wifi-guests (unfiltered) SSID=GUESTS
vlan60 IOT (unfiltered wired and WIFI)
vlan70 shared devices (unfiltered)

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input in-interface-list=MANAGE
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=forward comment="admin to all vlans" in-interface-list=MANAGE out-interface-list=LAN
add action=accept chain=forward in-interface-list=HOME out-interface-list=LAN dst-address=!192.168.10.0/24
add action=accept chain=forward comment="kids access to printer" in-interface=vlan40 out-interface=vlan70
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN src-address=!192.168.70.0/24
add action=accept chain=forward in-interface-list=FILTERED dst-address=Pihole/Adguard-IP
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward

/interface list member
add interface=ether1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
add interface=vlan40 list=LAN
add interface=vlan50 list=LAN
add interface=vlan60 list=LAN
add interface=vlan70 list=LAN
add interface=vlan30 list=FILTERED
add interface=vlan40 list=FILTERED
add interface=vlan20 list=HOME
add interface=vlan30 list=HOME
add interface=vlan10 list=MANAGE

/ip firewall nat
add action=masquerade chain=srcnat comment="so users on same subnet can access these services" dst-address=subnet of pihole/adguard src-address=subnet of pihole/adguard
(may not be required)
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface-list=FILTERED dst-port=53 protocol=tcp to-addresses=IPofPIhole/Adguard src-address=!pihole/adguard-IP
add action=dst-nat chain=dstnat in-interface-list=FILTERED dst-port=53 protocol=udp to-addresses=IPofPIhole/Adguard src-address=!pihole/adguard-IP
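
The firewall rules in this post reference VLAN interfaces, interface lists and subnets that have to exist first. Below is the interface, VLAN, addressing and DHCP layer those rules assume, written as an added example and not as anav's or clem's actual configuration. The port roles (ether1 as the tagged trunk to the PoE switch per clem's reqs c/d, ether2 as the ISP handoff carrying PPPoE on VLAN 6 per req b), the 192.168.X0.0/24 per vlanX0 addressing (consistent with the 192.168.10.0/24 and 192.168.70.0/24 in the rules), the Pi-hole address 192.168.10.2 and the upstream resolver are assumptions for illustration only.

```routeros
# Added example (not anav's or clem's config): interface/VLAN/address/DHCP layer
# that the firewall rules above rely on. Assumed: ether1 = tagged trunk to the
# PoE switch, ether2 = ISP handoff with PPPoE on VLAN 6, each vlanX0 uses
# 192.168.X0.0/24, Pi-hole lives on vlan10 at 192.168.10.2.

# ---- WAN: PPPoE over VLAN 6 on the ISP port (clem's req b) ----
/interface vlan
add interface=ether2 name=vlan6-isp vlan-id=6
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6-isp name=pppoe-out1 \
    user=CHANGEME password=CHANGEME use-peer-dns=no

# ---- LAN: one bridge, ether1 as the only trunk, ether5 kept off-bridge ----
/interface bridge
add name=bridge vlan-filtering=no comment="vlan-filtering is switched on last"
/interface bridge port
add bridge=bridge interface=ether1 comment="trunk to PoE switch, tagged VLANs only"
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=10,20,30,40,50,60,70

# Router-side VLAN interfaces; names match those used in the firewall rules
/interface vlan
add interface=bridge name=vlan10 vlan-id=10 comment="admin / trusted"
add interface=bridge name=vlan20 vlan-id=20 comment="home, unfiltered DNS"
add interface=bridge name=vlan30 vlan-id=30 comment="home, Pi-hole DNS"
add interface=bridge name=vlan40 vlan-id=40 comment="kids, Pi-hole DNS"
add interface=bridge name=vlan50 vlan-id=50 comment="guests"
add interface=bridge name=vlan60 vlan-id=60 comment="IoT"
add interface=bridge name=vlan70 vlan-id=70 comment="shared devices (printer)"

/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.30.1/24 interface=vlan30
add address=192.168.40.1/24 interface=vlan40
add address=192.168.50.1/24 interface=vlan50
add address=192.168.60.1/24 interface=vlan60
add address=192.168.70.1/24 interface=vlan70
add address=192.168.5.1/24 interface=ether5 comment="off-bridge management port"

# Interface lists the rules reference. With PPPoE the WAN list holds the PPPoE
# session, not the physical ISP port, otherwise masquerade never matches.
/interface list
add name=WAN
add name=LAN
add name=MANAGE
add name=HOME
add name=FILTERED
/interface list member
add interface=pppoe-out1 list=WAN
add interface=ether5 list=MANAGE
# vlan10..vlan70 -> LAN, vlan30/vlan40 -> FILTERED, vlan20/vlan30 -> HOME and
# vlan10 -> MANAGE exactly as listed in the post above.

# The router resolves for the unfiltered groups (input chain accepts 53 from
# LAN). Filtered groups get the Pi-hole via DHCP; clients that hard-code another
# resolver are caught by the dst-nat redirect above. Upstream resolver assumed.
/ip dns
set allow-remote-requests=yes servers=9.9.9.9

# DHCP shown for one unfiltered and one filtered VLAN; the others follow the
# same pattern (vlan40 receives the Pi-hole like vlan30).
/ip pool
add name=pool20 ranges=192.168.20.100-192.168.20.199
add name=pool30 ranges=192.168.30.100-192.168.30.199
/ip dhcp-server
add address-pool=pool20 interface=vlan20 name=dhcp20
add address-pool=pool30 interface=vlan30 name=dhcp30
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.10.2

# Last step, ideally inside Safe Mode: only now does ether1 start dropping
# untagged frames, so the firewall and addressing are already in place.
/interface bridge
set bridge vlan-filtering=yes
```

Two points worth checking against the rules above once this is in place: the FILTERED accept rule allows vlan30/vlan40 to reach the Pi-hole address on every port, so if the Pi also hosts the Unifi controller and other services (as clem describes later), narrowing that rule to dst-port=53 keeps the kids/filtered groups from reaching anything else on vlan10; and because the HOME rule excludes 192.168.10.0/24 while the Pi-hole sits in it, vlan20 only needs the router's own resolver, which is what the input rules on port 53 provide.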
 
anav

Re: New start: help check user requirements

Wed Dec 07, 2022 12:33 am

Next draw a network diagram showing what devices are connected, which ports are involved and what VLANs are flowing through which ports.
 
clem

Re: New start: help check user requirements

Thu Dec 08, 2022 9:57 pm

Thank you Anav!

1. How about this diagram?
2. Which vlan should I put the combined device [pihole + unifi controller] in? It's currently vlan10 (Admin), but will that work with how we configure the other VLAN's? (i.e., other VLAN's shouldn't connect to VLAN10, so I'm guessing it won't work, but also because of the unifi controller, you'd still want it in VLAN10, no?)
3. I'll try to make ether5 = off-bridge port for management access on the Mikrotik
Network 2022.12.08_nt.png
 
anav

Re: New start: help check user requirements

Fri Dec 09, 2022 12:15 am

Yup, all doable.......
vlan10 trusted (admin, pihole/unifi controller, smart switches, access points).

Rest will be done by firewall rules (input, forward, srcnat etc.....)
 
anav

Re: New start: help check user requirements

Fri Dec 09, 2022 12:18 am

Read para C - viewtopic.php?t=182373
and note the advice after reading the first link and before you start.........
give it a try......

What is the device connected to the switch with the unifi controller and pihole, what is it exactly, a Raspberry Pi or something else?
 
clem

Re: New start: help check user requirements

Fri Dec 09, 2022 1:07 am

Thanks for the help so far!

Yes it's a Raspberry Pi 3b with unifi and pihole as main use.

But come to think of it, I use that little machine for a few more purposes, which makes me further doubt which VLAN it should be in :/

Also....

- "media downloading activities" (I'm old fashioned)
- app that provides some custom lighting routine for Philips Hue (separate "smart" lighting device that controls lighting in our home, which will reside on VLAN 60)
- "home automation app" that I only use to record electricity and gas consumption and statistics from our central heating unit;
(no need to connect from outside home LAN)

Would doing it the "right" way require me to split the functionalities so that the network functionality (unifi controller/pihole) could reside on VLAN 10 and the other stuff I just listed on a separate device on VLAN 60?
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: New start: help check user requirements

Fri Dec 09, 2022 2:12 am

You must be younger than I am. This is what the icon you used for "IoT device" is representing.
 
clem

Re: New start: help check user requirements

Fri Dec 09, 2022 10:29 am

draw.io's "network" shapes don't include an "IoT device" so naturally I thought it would be appropriate to use the "supercomputer" one. You might well be older than me but I did recognize the shape as a Cray from 80's magazines.
