swa69er
just joined
Topic Author
Posts: 19
Joined: Sat Jan 02, 2021 11:54 am

Efficient way to Isolate client / IP address

Mon Feb 06, 2023 7:12 pm

Greetings,
There was a breach a long time ago because I'm still learning MikroTik and managing hundreds of clients in multiple sites.
I want to check my sanity level on the firewall. My raw firewall is 150 lines because I'm a little anxious.

At the moment, I'm isolating clients just like in the attachment.
Is there any efficient way to isolate client or IP address?

I have different brands of APs and their controllers.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Efficient way to Isolate client / IP address

Mon Feb 06, 2023 8:56 pm

What are you trying to accomplish with all that?
Can you supply a network drawing and your configuration? Otherwise, we're just guessing.
To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window,
and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section
and right click on the filename you created and select download in order to download the file to your computer.
It will be a text file with whatever name you saved it as, with an extension of .rsc. Open that file in your favorite
text editor and redact any sensitive information if desired / needed. Then in your message here, click the code
display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks
like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Efficient way to Isolate client / IP address

Mon Feb 06, 2023 10:04 pm

Insanity is handling many clients with inadequate knowledge of MT.
The easiest way to block clients from each other is to use VLANs and a block all rule at the end of the forward chain.
Done...............
 
swa69er
just joined
Topic Author
Posts: 19
Joined: Sat Jan 02, 2021 11:54 am

Re: Efficient way to Isolate client / IP address

Tue Feb 07, 2023 7:16 am

> To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window,
> and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish".
Is hide-sensitive only for passwords?
Is there any way to hide the WireGuard public key, comments, and MAC addresses?
Or should I manually review it first?

> Insanity is handling many clients with inadequate knowledge of MT.
> The easiest way to block clients from each other is to use VLANs and a block all rule at the end of the forward chain.
> Done...............
Yes, I agree, this is insane. I was in CCIE but then I realized MikroTik is better :D
I don't like tinkering with VLANs because I have to configure them on the APs.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Efficient way to Isolate client / IP address

Tue Feb 07, 2023 2:58 pm

V6 firmware
/export hide-sensitive file=anynameyouwish (minus router serial number, public WANIP information, keys etc )

V7 firmware
/export file=anynameyouwish (minus router serial number, public WANIP information, keys etc )
 
swa69er
just joined
Topic Author
Posts: 19
Joined: Sat Jan 02, 2021 11:54 am

Re: Efficient way to Isolate client / IP address

Wed Feb 08, 2023 9:49 am

> V6 firmware
> /export hide-sensitive file=anynameyouwish (minus router serial number, public WANIP information, keys etc )
>
> V7 firmware
> /export file=anynameyouwish (minus router serial number, public WANIP information, keys etc )
I'm on v7.7 and tried everything; even with hide-sensitive I can still find the public IP in the OpenVPN config. I believe this is some kind of bug.

I tried my best to block sensitive information. Please inform me if any is left. Here it is:

Last edited by swa69er on Sun Feb 12, 2023 6:20 am, edited 1 time in total.
 
rumahnetmks
Frequent Visitor
Posts: 56
Joined: Mon Dec 21, 2020 10:00 am

Re: Efficient way to Isolate client / IP address

Wed Feb 08, 2023 2:13 pm

From your config, it's better to use VLANs. All ports except WAN go into bridge ports. I use viewtopic.php?t=143620 for my RB4011 and hAP-AC3. In my case I don't need a VLAN tag for my dumb AP behind the MikroTik.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Efficient way to Isolate client / IP address

Wed Feb 08, 2023 4:22 pm

Simplify as much as possible.
Enough complexity without all the extra security crapola.

As suggested break up users into vlans. By that fact alone they are separated at layer 2.
Not sure what your clients are based on...
Age?
Floor they live on?
etc...

How do users access your network, WIFI? or Wired?

What is wireguard used for? ( is router server for initial handshake or the client ).

In terms of security a good basic firewall ruleset to start.
If you want to address bogons, then blackhole the ones you think are problems.
If you are afraid of people connecting to bad sites, on purpose or by accident, then your best bet is
a service provided here, for pennies.........
https://itexpertoncall.com/promotional/moab.html
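As an added illustration of what anav's two replies (VLANs plus a block-all rule at the end of the forward chain, and a short basic ruleset) and rumahnetmks's reply (every port except WAN on the bridge) describe, here is a minimal RouterOS 7 configuration. It is not any poster's config and nothing in the thread confirms the OP's layout; the port roles (ether1 WAN, ether2 wired office, ether3 trunk to the APs), the VLAN IDs 10 and 20, the subnets and every interface name are assumptions chosen for the example.

```routeros
# Added example, not a poster's configuration. Assumed layout:
#   ether1 = WAN, ether2 = wired office, ether3 = tagged trunk to the APs
#   VLAN 10 = office (192.168.10.0/24), VLAN 20 = rented rooms (192.168.20.0/24)
# All names, VLAN IDs and subnets are placeholders.

# 1. One bridge; vlan-filtering stays off until the VLAN table is complete
/interface bridge
add name=bridge1 vlan-filtering=no

# 2. Ports: untagged access port for the office, tagged trunk towards the APs
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3

# 3. Bridge VLAN table; bridge1 itself is tagged so the router can route each VLAN
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether3 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether3

# 4. Router-side VLAN interfaces and addressing
/interface vlan
add name=vlan10-office interface=bridge1 vlan-id=10
add name=vlan20-rooms interface=bridge1 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10-office
add address=192.168.20.1/24 interface=vlan20-rooms

# 5. WAN address from the upstream, DHCP and DNS for each VLAN
/ip dhcp-client
add interface=ether1
/ip dns
set allow-remote-requests=yes
/ip pool
add name=pool-office ranges=192.168.10.10-192.168.10.250
add name=pool-rooms ranges=192.168.20.10-192.168.20.250
/ip dhcp-server
add name=dhcp-office interface=vlan10-office address-pool=pool-office
add name=dhcp-rooms interface=vlan20-rooms address-pool=pool-rooms
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# 6. Interface lists, so the firewall never has to name individual ports
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan10-office
add list=LAN interface=vlan20-rooms
add list=MGMT interface=vlan10-office

# 7. Firewall: a handful of rules, each chain closed by a drop-everything-else rule
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=MGMT comment="router admin only from the office VLAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for every VLAN"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=drop comment="drop all other input"
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="every VLAN may reach the internet"
add chain=forward action=accept connection-nat-state=dstnat comment="only what a dst-nat rule explicitly publishes"
add chain=forward action=drop comment="block all: VLAN to VLAN and anything WAN-initiated"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# 8. Last step, after checking the VLAN table: turn filtering on
/interface bridge
set bridge1 vlan-filtering=yes
```

The isolation comes from two places working together: the bridge VLAN table keeps the office and the rooms apart at layer 2, and the final `drop` in the forward chain means a new VLAN, or a client that ends up in the wrong one, gets no cross-VLAN access unless a rule above it says so. `vlan-filtering=yes` is applied last on purpose; a typo in the VLAN table with filtering already on can cut off your own management session, so do this from a console or a Winbox MAC connection. To verify, ping a host in 192.168.10.0/24 from a client in VLAN 20 (it should fail while internet access works) and watch the counter on the last forward rule grow with `/ip firewall filter print stats`. The APs still have to tag VLAN 20 on the trunk for the rooms' SSID, which is the per-AP configuration the OP mentions.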
 
swa69er
just joined
Topic Author
Posts: 19
Joined: Sat Jan 02, 2021 11:54 am

Re: Efficient way to Isolate client / IP address

Thu Feb 09, 2023 6:06 am

> From your config, better using VLAN. All port except WAN into bridge-port. I use viewtopic.php?t=143620 for my RB4011 and hAP-AC3. In my case I dont need VLAN tag for my dumb-AP after the mikrotik.
Thank you for your suggestion. I will consider learning VLANs.

> Not sure what your clients are based on...
> Age?
> Floor they live on?
> How do users access your network, WIFI? or Wired?
I live between office, store, rented room, and home and want to separate those users.
Office and store are wired
Others are wireless

> What is wireguard used for? ( is router server for initial handshake or the client ).
I have multiple sites with no public IP (double NATed) and one public IP as a relay on a CHR in AWS.
I was using IPsec IKEv2 and OpenVPN, but now WireGuard to make it simple.
I love the UDP hole punching in ZeroTier, but most of my devices are MMIPS.

Is there any other way than VLAN?
