BHollowell
just joined
Topic Author
Posts: 12
Joined: Thu Apr 18, 2013 8:26 pm

Isolating Network Traffic

Tue May 28, 2013 9:15 pm

Hello!

I posted a thread once before regarding a project I was working on, but apparently I wasn't doing it correctly, so I'm here to ask for your assistance in configuring my MikroTik RB2011UAS to isolate two different sets of network traffic.

My current setup is simple. I have one large network at 192.168.3.0 and everything connects into two Netgear unmanaged switches. These two switches plug into port 2 and 3 in the MikroTik. Switch 1 connects all of our internal office machines and printers, while Switch 2 connects all of the cat5e cables that run to our workbenches where we repair client computers in-house.

We would like to separate these two switches so that their network traffic is independent of each other. Basically, we don't want client computers in the lab to have access to our internal office machines, and vice versa. Ultimately we want to end up with the internal machines on the 192.168.3.0 network, and lab devices on the 192.168.4.0 network. Both of them need to have Internet access, but they need to act as though nothing else is connected to the MikroTik except the switch and the internet connection.

Could someone please point me in the right direction on how to accomplish this? I originally set out to use VLANs for this, but was told that the router will send tagged traffic along to the proper VLAN interface, but that I needed something within each network (like a managed switch) to tag the traffic before it reached the MikroTik. It was recommended that I use filters to isolate the interfaces so that only ether1 and ether2 could communicate for the internal network, and the same with ether1 and ether3 for the lab network, however I don't know how to accomplish this.

I appreciate any help that you guys are able to give me in accomplishing this project. I'll also be handing out cookies for those who are extra helpful :)
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Isolating Network Traffic

Tue May 28, 2013 9:50 pm

Have a look at Filters:

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

In particular look at filters in the Forward chain. If you have no config on the router there will be no filters in the forward chain. If you have run something like quickset you may have a few filter rules.

If you have no filter rules in the forward chain add a rule with no criteria selected (e.g. src address etc.) and action=drop. At that point you have told the router not to forward any traffic.

Now add the following basic rules above the "drop all" filter rule:

Allow (action=accept) traffic from your office PCs with connection state = NEW to the ISP connection
Allow (action=accept) traffic from your repair PCs with connection state = NEW to the ISP connection
Allow (action=accept) traffic from the ISP connection with connection state = ESTABLISHED
Allow (action=accept) traffic from the ISP connection with connection state = RELATED
Deny (action = drop) any traffic with connection state = INVALID

At that point you have a basic firewall which allows the office and repair networks both to access the ISP but neither LAN can access the other.

Whether you use IP ranges or in=interfaces when creating these rules depends on the specifics of what you are trying to achieve - sometimes either will work.

Also remember to masquerade the outbound traffic on the ISP connection.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
BHollowell
just joined
Topic Author
Posts: 12
Joined: Thu Apr 18, 2013 8:26 pm

Re: Isolating Network Traffic

Tue May 28, 2013 10:59 pm

Hello again CelticComms! Hopefully I'm approaching this project the proper way this time!

Here is an output of my current firewall setup:

ros code

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0

I'm not honestly sure what the first three lines are supposed to filter.

The next two lines I believe are meant to drop any traffic that comes IN to the router from the SFP1 or Ether1 gateways unless it's been requested by an internal device. This makes sense, since we don't want random packets from the outside world being allowed into the network as they could be potentially malicious.

The two lines under NAT appear to already masquerade outgoing traffic, so there shouldn't be anything else to setup for that, even after my changes, correct?

If I'm understanding you properly, I need to add the following filters to achieve my goals here.

ros code

add action=accept chain=forward connection-state=new in-interface=ether2 out-interface=ether1-gateway
add action=accept chain=forward connection-state=new in-interface=ether3 out-interface=ether1-gateway
add action=accept chain=forward connection-state=established in-interface=ether1-gateway
add action=accept chain=forward connection-state=related in-interface=ether1-gateway
add action=drop chain=forward connection-state=invalid
add action=drop chain="forward"

I would need to reconfigure ether3 with the desired 192.168.4.0 network settings and configure a DHCP server within that network as well, since this will prevent Ether2's DHCP server from assigning IP addresses to devices connected to Ether3, correct?
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Isolating Network Traffic

Tue May 28, 2013 11:52 pm

Those proposed forward rules look correct. Try them out and in particular try disabling the drop all and check yourself that with it disabled the two LANs can access each other but not when it is enabled.

As regards the existing input chain rules the first line allows ICMP to the router and the next two rules allow return traffic to the router for connections that the router created.

 
payday
Member Candidate
Posts: 233
Joined: Thu Aug 16, 2012 11:05 pm

Re: Isolating Network Traffic

Wed May 29, 2013 12:22 am

You have it on separate physical interfaces so it is really easy:

1. Disconnect port 3 from the internal switch to make it a standalone port:

ros code

/interface ethernet set ether3 master-port=none

...and remove port 3 from the bridge (if you have bridged ports):

ros code

/interface bridge port remove numbers=[find where interface=ether3]

2. Assign an IP number to this new standalone port:

ros code

/ip address add address=192.168.4.1/24 interface=ether3

3. Now you have two separate networks. Both can access the internet and can connect to each other, so you should block traffic between them:

ros code

/ip firewall filter add chain=forward src-address=192.168.4.0/24 dst-address=192.168.3.0/24 action=drop

4. Create a DHCP server for the 192.168.4.0 network:

ros code

/ip dhcp-server setup

This will ask you some questions:

Select interface to run DHCP server on
dhcp server interface: ether3

Select network for DHCP addresses
dhcp address space: 192.168.4.0/24

Select gateway for given network
gateway for dhcp network: 192.168.4.1

Select pool of ip addresses given out by DHCP server
addresses to give out: 192.168.4.2-192.168.4.254

Select DNS servers
dns servers: <your-dns-server1>,<your-dns-server2>

Select lease time
lease time: 3d

Please test that both networks have access to the internet and that traffic is blocked between them.

I think there is a bug in /ip dhcp-server setup command (it does not assign dns address). After you execute it please paste output of command:

ros code

/ip dhcp-server network print
 
BHollowell
just joined
Topic Author
Posts: 12
Joined: Thu Apr 18, 2013 8:26 pm

Re: Isolating Network Traffic

Wed May 29, 2013 1:49 am

Payday, that did the trick! I appreciate your help with that and definitely appreciate how easy you made it. I made the changes through the webfig instead of the CLI, but everything appears to be working fantastically.

Celtic, I'll be trying out your suggestion tomorrow morning before our office opens, but I wanted to give Payday's suggestion a shot real quick before I left for the evening as it seemed pretty simple and easy. I think that Payday's suggestion might work better for me long term, though, because I also have a plan in the works to get a UniFi access point setup in our office to reduce the number of wireless routers we have here. This way I can setup the UniFi with three different SSIDs and just separate the traffic from there.

Eventually I plan to have 3 completely separate networks, one for internal, one for lab, and one for public access wifi.

I appreciate both of your help, and I'm glad to finally have the first piece of the puzzle in place! Cookies all around!
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Isolating Network Traffic

Wed May 29, 2013 6:18 am

The suggestions are not mutually exclusive. One word of warning - on a device behaving as a firewall do not fall into the trap of blocking specific traffic that you don't want - instead, as I suggested earlier, ensure that you have a drop all rule at the bottom and then explicitly allow the forwarding that you want. There are some cases where explicit blocks are warranted, but on a firewall device it is safer to start with a default drop of all routed traffic and work back from there.
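To make the difference between the two approaches in this thread concrete, here is an added example (my own, not code from the thread or from MikroTik): a toy first-match evaluator for a RouterOS-style forward chain, fed a few constructed packets. It compares BHollowell's default-drop rule set (accept NEW from each LAN toward the gateway, accept replies from the gateway, drop everything else) against payday's single explicit lab-to-office drop with no drop-all. The interface names and subnets are the thread's own (ether1-gateway, ether2, ether3, 192.168.3.0/24 office, 192.168.4.0/24 lab); the packets, the 203.0.113.5 internet host and the rule representation are constructed for the example.

```python
"""Added example (not from the forum thread): a toy first-match evaluator
for a RouterOS-style forward chain, used to compare the two rule sets
proposed in the thread on a few constructed packets.

Interface names and subnets are the ones the thread uses; the packets
below are constructed test input, not captured traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    conn_state: str  # "new", "established", "related" or "invalid"


@dataclass
class Rule:
    action: str  # "accept" or "drop"
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    conn_state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # Every criterion left at None is a wildcard, like an unset
        # matcher in a RouterOS filter rule.
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        if self.out_iface and p.out_iface != self.out_iface:
            return False
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.conn_state and p.conn_state != self.conn_state:
            return False
        return True


def forward_verdict(rules, p: Packet) -> str:
    """First matching rule wins; with no match the chain falls through,
    which in a RouterOS filter chain means the packet is accepted."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "accept"


# Rule set A: the default-drop forward chain BHollowell posted.
DEFAULT_DROP = [
    Rule("accept", in_iface="ether2", out_iface="ether1-gateway", conn_state="new"),
    Rule("accept", in_iface="ether3", out_iface="ether1-gateway", conn_state="new"),
    Rule("accept", in_iface="ether1-gateway", conn_state="established"),
    Rule("accept", in_iface="ether1-gateway", conn_state="related"),
    Rule("drop", conn_state="invalid"),
    Rule("drop"),
]

# Rule set B: payday's single explicit block, lab -> office, with no drop-all.
EXPLICIT_BLOCK = [
    Rule("drop", src_net="192.168.4.0/24", dst_net="192.168.3.0/24"),
]

# Constructed packets: a new connection for each direction of interest,
# plus the lab-side reply packet of an office-initiated connection.
FLOWS = {
    "office->internet": Packet("ether2", "ether1-gateway", "192.168.3.10", "203.0.113.5", "new"),
    "lab->internet":    Packet("ether3", "ether1-gateway", "192.168.4.20", "203.0.113.5", "new"),
    "lab->office":      Packet("ether3", "ether2", "192.168.4.20", "192.168.3.10", "new"),
    "office->lab":      Packet("ether2", "ether3", "192.168.3.10", "192.168.4.20", "new"),
    "lab->office reply": Packet("ether3", "ether2", "192.168.4.20", "192.168.3.10", "established"),
}


def compare(flows=FLOWS):
    """Return {flow: (verdict under default-drop, verdict under explicit-block)}."""
    return {name: (forward_verdict(DEFAULT_DROP, p), forward_verdict(EXPLICIT_BLOCK, p))
            for name, p in flows.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:18s} default-drop={a:6s} explicit-block={b}")
```

Both rule sets let each LAN reach the gateway and both drop a new lab-to-office connection. They differ on office-to-lab: the default-drop chain has no accept for that direction, so it is dropped, while the explicit block matches only packets sourced from 192.168.4.0/24 and lets the office side through. Because that one rule is stateless, it also drops the lab side's reply packets, so the office-to-lab connection is half-open rather than cleanly permitted or denied. That is the behaviour CelticComms is warning about: with default drop, anything you forgot to think of is denied and shows up as a missing accept; with explicit blocks, anything you forgot is forwarded.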

 
BHollowell
just joined
Topic Author
Posts: 12
Joined: Thu Apr 18, 2013 8:26 pm

Re: Isolating Network Traffic

Wed May 29, 2013 6:22 am

Celtic,

Would adding a drop all filter to my current setup accomplish what you're suggesting here?
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Isolating Network Traffic

Wed May 29, 2013 6:33 am

> Celtic,
>
> Would adding a drop all filter to my current setup accomplish what you're suggesting here?

You had one in the rules that you listed earlier - if you go with that approach as regards forward chain filters you will not need item 3 on payday's list.
