Community discussions

MikroTik App
 
rb77
just joined
Topic Author
Posts: 13
Joined: Mon Jan 25, 2021 10:16 am

Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Wed Jan 25, 2023 2:50 pm

Hello all,

hopefully someone can gude me how to archive the following result:

At the moment I have a default configuration with a subnet 10.0.0.0/24 and a wireguard Interface 10.0.99.0/24.
I want to setup a new "semi-isolated" subnet (10.11.1.0/24) on port 5 with internet access.
The Clients of the subnet 10.11.1.0/24 should have internet access but they MUST NOT have access to all other subnets.
The Clients of the subnet 10.0.0.0/24 and 10.0.99.0/24 should have access to the clients of the subnet 10.11.1.0/24

As I understood, the following tasks must be performed:

1. Remove Port 5 from default bridge
2. Setup subnet on Port 5
2a. Create new bridge oder VLAN on for port 5?
3. Setup Adresspool dhcp_tigo (10.11.1.50-10.11.1.100) for Subnet on Prot 5
4. Setup DHCP Server for Subnet on Port 5 with adresspool dhcp_tigo
5. Firewall config

Maybe I´m something missing.

It would be great if someone can guide me step-by-step how to archive this scenario via command-line.

Thank you very much.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Wed Jan 25, 2023 3:00 pm

Best to provide the config you have currently

/export file=anynameyouwish ( minus router serial number and any public WANIP information, keys etc.)
 
rb77
just joined
Topic Author
Posts: 13
Joined: Mon Jan 25, 2021 10:16 am

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Wed Jan 25, 2023 4:02 pm

Here we go.

Hopefully I removed all critical information.

Thanks.
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Wed Jan 25, 2023 4:30 pm

(1) This is not correct for wireguard. Not required. WG only gets an IP address not any other noise..............
/ip dhcp-server network
.................................
add address=10.0.99.0/24 comment=defconf dhcp-option=domain-search-list \
dns-server=10.0.0.254 domain=intra.xxxxxxxxxxxx.de gateway=10.0.0.254 \
netmask=24


(2) Assuming you have this rule so that the admin can come over WG to config the router...............
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
10.0.99.0/24


(3) Curious as to where is located 192.168.50 its not a subnet identified on the router? ( probably another ipsec?)
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.50.0/24


Note: In general access to config the router should be specific IPs, not entire subnets but thats an ADMIN choice.

(4) Missing Wireguard peer settings ???? Maybe I am blind........

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In terms of isolation...........
Yes remove ether5 from the bridge
/ip address
add interface=ether5 address=10.1.11.1/24 network=10.1.11.0


I see you already have a pool but you also need the rest
/ip dhcp-server
add address-pool=dhcp-tigo interface=ether5 name=Isolated


/ip dhcp-server network
add address=10.1.11.0/24 comment=defconf dhcp-option=domain-search-list \
dns-server=10.0.0.254 domain=intra.xxxxxxxxxxxx.de gateway=10.0.0.254 \
netmask=24


Add ether5 to the LAN interface list.........
/interface list member
add interface=ether5 list=LAN
add comment=defconf interface=bridge list=LAN

..........

+++++++++++++++++++++++++++++++++++++++++++
Then the firewall rules.........

REMOVE THIS AND REPLACE
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log-prefix="44444: "


WITH

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward src-address-list=LAN dst-address=10.1.11.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept Drop chain=forward comment="drop all else"
edit action should be drop!!!


you get lan to wan access for all LAN interface list members
both vpn and LAN subnet get access to new subnet.
port forwarding is allowed.
all other traffic is dropped.
Last edited by anav on Wed Jan 25, 2023 10:36 pm, edited 3 times in total.
 
rb77
just joined
Topic Author
Posts: 13
Joined: Mon Jan 25, 2021 10:16 am

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Wed Jan 25, 2023 5:17 pm

Hi anav,

thanks for reply.

1) will remove this.
2) yes, that ist to configure the router remotely when I'm aon vacation for example.
3) This was for testing porposes. This is the Subnet of my Traveling PI router
4) I removed this in the config export due ti security reasons - Wireguard is working well.

Will try the isolation and firewall part. I will report back when done. :-)

Thanks for your input.
 
rb77
just joined
Topic Author
Posts: 13
Joined: Mon Jan 25, 2021 10:16 am

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Wed Jan 25, 2023 9:48 pm

Short update.

after setting up and changing the IP adresses in your post to the correct one (10.1.11.x -> 10.11.1.x) the DHCP server runs properly on ether5.
I also changed the DNS Server and Gateway IP from 10.0.0.254 to 10.11.1.1 as defined in the Adress List because 10.0.0.254 was not reachable.

Issues I´m facing now:

1. No internet access from the subnet on ether5
2. cannot ping a client from the subnet 10.0.0.0/24 in the subnet 10.11.1.0/24
3. ping is possible from subnet 10.11.1.0/24 to 10.0.0.0/14. for example 10.0.0.150

Do you have any ideas?

Should the command
add action=accept chain=forward comment="drop all else"
not be changed to 'drop' instead of 'accept'?

Thanks.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Wed Jan 25, 2023 10:34 pm

YES!!
My bad, I have the flu, so not 100%

Good catch.
Add action=DROP chain=forward comment="drop all else"

Another reason to have comments, as any discrepancies can be discerned more readily!

as for ether5 internet, hard to say without the latest config, need evidence LOL.
I would guess you forgot to add it as a LAN interface list member?
 
rb77
just joined
Topic Author
Posts: 13
Joined: Mon Jan 25, 2021 10:16 am

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Thu Jan 26, 2023 9:00 am

YES!!
My bad, I have the flu, so not 100%

Good catch.
Add action=DROP chain=forward comment="drop all else"

Another reason to have comments, as any discrepancies can be discerned more readily!

as for ether5 internet, hard to say without the latest config, need evidence LOL.
I would guess you forgot to add it as a LAN interface list member?

Solved the interenet issue. Had to change the NAT Rule "defconf: masquerade" from 10.0.0.0/16 to 10.0.0.0/8. Now it works.

But i´m still struggling with the isolation. Will test a view things. I will keep you posted.
 
rb77
just joined
Topic Author
Posts: 13
Joined: Mon Jan 25, 2021 10:16 am

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Thu Jan 26, 2023 11:08 am

I do not get any blocking rule working.
Even if I place the rule in the second position in the firewall rule list as you can see in the attachment.

Ping is from device 10.11.1.253 -> 10.0.0.150

I think I have a generic problem with the firewall here.

The rules you mentiones will also not prevent this ICMP traffic. Even when i put these rules above the ICMP rule.

Do you have any ideas?
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Thu Jan 26, 2023 3:03 pm

Please be advised, that any interface on the MT can ping any other interface, just the way MT works even with layer 3 blocking rules in the forward chain.
It does NOT mean however that anyone can access any devices behind that interface. It is safe.
Try it to prove it to your self!!

If you want to block pinging of interfaces to happen there is a way to do this on the input chain rule set I believe.........
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Thu Jan 26, 2023 5:25 pm

Here is how to do it.........
In the default rules one has a general allow ping rule so that the admin can easily troubleshoot and ping interfaces on the LAN and from the external when testing VPN or connectivity etc......
Therefore what needs to be done is to stop the pinging of users to a particular subnet interface address................. Remember as stated just because you can ping a subnet interface address doesnt mean you can reach the users/devices on that subnet.

So the key here is before the allow all ICMP rule we block what you desire.........

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add chain=input action=drop src-address=10.11.1.0/24 dst-address=!10.11.1.0.0/24 protocol=icmp
add action=accept chain=input comment="defconf: accept ICMP" log=yes log-prefix="Ping CHECK" protocol=icmp
 
rb77
just joined
Topic Author
Posts: 13
Joined: Mon Jan 25, 2021 10:16 am

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Thu Jan 26, 2023 5:33 pm

Please be advised, that any interface on the MT can ping any other interface, just the way MT works even with layer 3 blocking rules in the forward chain.
It does NOT mean however that anyone can access any devices behind that interface. It is safe.
Try it to prove it to your self!!

If you want to block pinging of interfaces to happen there is a way to do this on the input chain rule set I believe.........
Ahh, ok. I thought only the MT interfaces are "pingable". I will check access.

Thanks.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Thu Jan 26, 2023 5:37 pm

yes only the interface addresses should be pingable, as they are considered part of the router ( Router=input chain).
Thus the rules I provided will block anyone on the "BAD" subnet from pinging any other interfaces. This is separate from access to users and devices which we blocked in the forward chain.

Note its not a usual request or additional rule needed but sometimes admins need it due to company policies or expectations..........
 
rb77
just joined
Topic Author
Posts: 13
Joined: Mon Jan 25, 2021 10:16 am

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Fri Jan 27, 2023 11:13 am

Thanks for your help. It works as expected.

Now, I have a last challenge. Hopefully you can also help me here.

In the Subnet 10.11.1.0/24 i have a webserver running wich only accepts access from clients located in his subnet.
I have clients on subnet 10.0.0.0/24 that has to get access to the webserver.

So I need a solution, where the webserver "thinks" that the client with the IP 10.0.0.1 (Subnet 10.0.0.0/24) has an IP of the Subnet 10.11.1.0/24 for example 10.11.1.1

Now the question: Is It possible to configure a rule (maybe src-nat) to archive that goal?

Thanks.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Fri Jan 27, 2023 2:17 pm

So basically you have two problems.

a. firewall rules that essentially block 10.0 to 10.1 traffic.
b. you have a server on 10.1 that will only accept 10.0 IP address as source addresses.

Can you not change the server why so inflexible? One can punch holes through the firewall easily for specific IP, or groups of IPs and thus the firewall rules are not a show stopper.
In other words, you should do this work on the server........

I am not savvy enough to set this one up, perhaps someone else knows a way????
 
rb77
just joined
Topic Author
Posts: 13
Joined: Mon Jan 25, 2021 10:16 am

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Fri Jan 27, 2023 2:26 pm

So basically you have two problems.

a. firewall rules that essentially block 10.0 to 10.1 traffic.
b. you have a server on 10.1 that will only accept 10.0 IP address as source addresses.

Can you not change the server why so inflexible? One can punch holes through the firewall easily for specific IP, or groups of IPs and thus the firewall rules are not a show stopper.
In other words, you should do this work on the server........

I am not savvy enough to set this one up, perhaps someone else knows a way????
Nope. Maybe I described it wrong.

a. 10.0.0.0/24 has access to 10.11.1.0/24
b server on 10.11.1.0/24 accepts only from IP 10.11.1.x
c. client on 10.0.0.0/24 with IP 10.0.0.1 must be able to connect the server in the subnet 10.11.1.0/24 and the server should think that the client is located in 10.11.1.0/24

Imho for example I have to nat the 10.0.0.1 IP to an 10.11.1.1 IP Adress
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Fri Jan 27, 2023 2:28 pm

Okay got it, so no firewall blocking just a stewpid server LOL
 
rb77
just joined
Topic Author
Posts: 13
Joined: Mon Jan 25, 2021 10:16 am

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Fri Jan 27, 2023 2:35 pm

Okay got it, so no firewall blocking just a stewpid server LOL
yeah. Its n ugly server form a monitoring device. Access is additionally limited to specific IP ranges. But i have to access from 10.0.0.0/24 with iobroker to get necessary realtime data.
 
rb77
just joined
Topic Author
Posts: 13
Joined: Mon Jan 25, 2021 10:16 am

Re: Remove Port from bridge | setup "semi-isolated" subnet | manage routing/firewalling between subnets

Sun Jan 29, 2023 6:22 pm

Okay got it, so no firewall blocking just a stewpid server LOL
Do you have an idea how to realize this?

Thank you.

Who is online

Users browsing this forum: No registered users and 38 guests