Geekzone: technology news, blogs, forums
SumnerBoy
Topic # 204759 16-Oct-2016 09:47

I am not a networking expert but I have spent a bit of time configuring my Mikrotik and have it doing most of the things I want.

I have just upgraded to a smart switch and now have a series of VLANs for splitting up my IP cameras, IoT devices, VoIP, guest and main data devices. I run a couple of Unifi UAPs and have the Unifi Controller running on a VM. I used to use the *guest* network stuff on the Unifis for my guest WiFi network but I wanted to monitor certain guest access (to allow rules in my openHAB presence detection for when the grandparents are babysitting etc. to stop the alarm being armed etc.).

So I have set up the guest VLAN as a normal VLAN and have a rule on the Mikrotik to drop any traffic;

I have a few address lists, one for devices allowed to access the Mikrotik (<winbox-access>), and <guest-drop> which includes every VLAN address range except for vlan-guest. Finally there is <wan-access> which is an interface list including the data, voip and guest vlans.

So rule (4) only allows new connections to the router for data/voip/guest vlans. Then rule (8) drops anything from vlan-guest destined for any other vlan. The idea here being that vlan-guest can get to the internet, but not anywhere inside my LAN.

Does this look sensible? Am I missing anything? I have tested it and it seems to work well - joining vlan-guest on my laptop gives me full internet access but I can see anything on my LAN. Just wondering if this is the best way or if there are better ways to secure vlans like this?


SumnerBoy
Reply # 1651834 16-Oct-2016 10:11

FYI - there are a few extra rules after (11) which allow access to certain ports from the outside world and then a final rule which drops anything (forward) on any interface. Just so you don't think my router is missing that important piece!




SumnerBoy
Reply # 1653042 18-Oct-2016 16:11

No Mikrotik gurus in here? Surely not...


 
 
 
 


cisconz
Reply # 1653047 18-Oct-2016 16:18

I would utilise the interfaces and the not "!"

 

SumnerBoy
Reply # 1653052 18-Oct-2016 16:25

Nice one - thanks @cisconz - that is much cleaner - done, tested, and deployed!


chevrolux
Reply # 1653057 18-Oct-2016 16:31

That's how I would probably do it for just blocking a single segment.

 

One thing though, have you updated your router recently? I see you still have separate established/related rules. Since ages ago you can have this as a single rule. Won't affect security but just means less rules to process.




SumnerBoy
Reply # 1653061 18-Oct-2016 16:40

It is running firmware v3.33. I upgraded a few months back. 

 

Is this what you mean?

 


cisconz
Reply # 1653068 18-Oct-2016 16:48

Yup - that's the one.

 

Merge rules 2 and 3, 9 and 10





SumnerBoy
Reply # 1653069 18-Oct-2016 16:49

Done - thanks for the tip. 


chevrolux
Reply # 1653106 18-Oct-2016 18:31

We are up to 6.37.1 now.

6.36 (I think) did a heap of bug fixes probably worth loading. Although from memory they might have just been centered around some of the new routerboards.... so actually no big deal... don't quote me though, probably worth a quick read.



SumnerBoy
Reply # 1653189 18-Oct-2016 22:08

Thanks @chevrolux - I was looking at the RouterBoard firmware when I reported v3.33 (idiot). My router software was actually 6.36 and I have just upgraded to 6.37.1.

 

Would welcome any further tips or suggestions about how to lock down my LAN if anyone has any...I saw some posts on other forums with rules for stopping various attacks by dynamically adding bad IP addresses to lists and dropping based on that dynamic list. Does anyone go to those lengths on here?


sbiddle
Reply # 1653247 19-Oct-2016 07:18

SumnerBoy:
Thanks @chevrolux - I was looking at the RouterBoard firmware when I reported v3.33 (idiot). My router software was actually 6.36 and I have just upgraded to 6.37.1.
Would welcome any further tips or suggestions about how to lock down my LAN if anyone has any...I saw some posts on other forums with rules for stopping various attacks by dynamically adding bad IP addresses to lists and dropping based on that dynamic list. Does anyone go to those lengths on here?

I've posted my default rules quite a few times lately which add blacklists for SYN and ICMP flood.

In regards to locking down your LAN you really need to explain what your ultimate goal is.

 

 




SumnerBoy
Reply # 1653278 19-Oct-2016 08:29

sbiddle:
I've posted my default rules quite a few times lately which add blacklists for SYN and ICMP flood.
In regards to locking down your LAN you really need to explain what your ultimate goal is.

I will have a search and look at your rules - thanks for the heads up.

My ultimate goal is to ensure no one can access my internal network. I have quite a complex home automation setup and run various in-house servers/services (on OpenVZ containers), such as owncloud, openhab, gitlab, grafana, motion, icinga2 etc. A big part of the home automation stuff is MQTT based so I have an instance of mosquitto which needs to be accessible from the outside world (our phones publish location updates via MQTT). I also require access to openhab from outside. I have a number of IP cameras on their own VLAN with an instance of *motion* running on my data VLAN which connects to them and handles motion detection and storage of snapshots/videos. It also provides a simple HTTP server for viewing camera streams which I use for remote viewing via reverse proxies (apache).

I have set up port forwarding for a few things, MQTT, openhab, mail server and my web server, and these all live in my main *data* VLAN. They all have TLS (via letsencrypt) and authentication enabled with very strong passwords.

I am reasonably happy things are pretty secure but I am always looking to improve and learn.




SumnerBoy
Reply # 1656930 24-Oct-2016 14:28

Ok - here is my full config, which has a few additions after reviewing your configs @sbiddle and @madengineer. If anyone can see any holes or things which are not right feel free to comment! I have done a lot of reading and think I have a reasonable grasp but I suspect there is a better way to do a few things, for example the filters for my various dstnat pass-thrus, can these be distilled into a single rule?

 

The *wan-access* interface list doesn't contain vlan-iot (.40) which is why I have the specific rules to allow devices to access the main vlan-data (.10) servers (e.g. mqtt broker etc). 

 

I also have the new rule for dropping anything non-internet bound from vlan-guest (.50) which is where this thread started.

 


# /ip firewall filter as it would be exported. The rule numbers from the original
# `print` output are kept at the front of each comment. The "xxx" host octets are
# the poster's redactions and have to be filled in before this will load. The dynamic
# "D" rule 0 (fasttrack counters) is created by RouterOS itself and is not added here.
/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=drop connection-state=invalid comment="1: Drop invalid connections"
add chain=input action=drop protocol=tcp dst-port=8291 src-address-list=!winbox-access comment="2: Block winbox except from <winbox-access>"
add chain=input action=accept connection-state=established,related comment="3: Allow established/related connections"
add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port-scanner address-list-timeout=1w comment="4: Port scan detector, blacklist for 7 days (non-terminating)"
add chain=input action=add-src-to-address-list protocol=tcp tcp-flags=syn connection-limit=30,32 address-list=syn-flooder address-list-timeout=30m comment="5: SYN flood detector, blacklist for 30 min (a bare 30 would be 30 seconds)"
add chain=input action=accept connection-state=new in-interface-list=wan-access comment="6: Allow new connections to the router from <wan-access> (data, voip, guest)"
add chain=input action=accept connection-state=new protocol=udp dst-port=123 in-interface=!internet comment="7: Allow NTP on the router from any non-internet interface"
add chain=input action=drop comment="8: Drop everything else"
# forward chain: traffic routed through the router
add chain=forward action=drop connection-state=invalid comment="9: Drop invalid connections"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=internet comment="10: Drop new connections from the internet that were not dst-nat'd"
add chain=forward action=drop connection-state=new in-interface=eth2.50 out-interface=!internet comment="11: vlan-guest may only open connections to the internet"
add chain=forward action=fasttrack-connection connection-state=established,related comment="12: Fasttrack established/related (does not terminate, hence rule 13)"
add chain=forward action=accept connection-state=established,related comment="13: Allow established/related connections"
add chain=forward action=accept connection-state=new in-interface-list=wan-access comment="14: Allow new connections from <wan-access> (data, voip, guest) to anywhere"
# vlan-iot (eth2.40) is not in <wan-access>, so only these pinholes into vlan-data are open to it
add chain=forward action=accept connection-state=new protocol=tcp in-interface=eth2.40 dst-address=192.168.10.xxx dst-port=1883 comment="15: iot -> mqtt"
add chain=forward action=accept connection-state=new protocol=tcp in-interface=eth2.40 dst-address=192.168.10.xxx dst-port=9080 comment="16: iot -> homie-ota"
add chain=forward action=accept connection-state=new protocol=tcp in-interface=eth2.40 dst-address=192.168.10.xxx dst-port=9090 comment="17: iot -> nuki"
# published services. These rules carry no in-interface match, so they are hit by the dst-nat'd
# traffic that rule 10 lets through and also by any LAN interface that gets this far (e.g. vlan-iot)
add chain=forward action=accept protocol=udp dst-address=192.168.1.xxx dst-port=1194 comment="18: vpn"
add chain=forward action=accept protocol=tcp dst-address=192.168.10.xxx dst-port=8883 comment="19: mqtt over TLS"
add chain=forward action=accept protocol=tcp dst-address=192.168.10.xxx dst-port=8443 comment="20: openhab"
add chain=forward action=accept protocol=tcp dst-address=192.168.10.xxx dst-port=443 comment="21: https"
add chain=forward action=accept protocol=tcp dst-address=192.168.10.xxx dst-port=993 comment="22: imaps"
add chain=forward action=accept protocol=tcp dst-address=192.168.10.xxx dst-port=25 comment="23: smtp"
add chain=forward action=accept protocol=tcp dst-address=192.168.10.xxx dst-port=587 comment="24: smtp submission"
add chain=forward action=drop comment="25: Drop everything else"

And *raw* (evaluated before connection tracking, so blacklisted sources never reach the filter chains):

/ip firewall raw
add chain=prerouting action=drop src-address-list=port-scanner comment="0: Drop port-scanners"
add chain=prerouting action=drop src-address-list=syn-flooder comment="1: Drop syn-flooders"
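The two questions in this thread (the opening post's "am I missing anything?" about the guest VLAN, and the full rule set above) are both really "what does this chain do to packet X?". The following is an added example, not code from the thread and not MikroTik's own software: a small first-match evaluator that reads rules in `/ip firewall filter add` syntax and walks constructed packets through them the way RouterOS does (first terminating match wins, `fasttrack-connection` and `add-src-to-address-list` fall through, no match means accept). Everything not stated in the thread is an assumption and labelled as such in the code: the voip VLAN as eth2.30, the guest and iot subnets, 192.168.10.5 standing in for the redacted broker address, 192.168.10.2 as an admin host on <winbox-access>, and the omission of the psd/connection-limit detectors, which need connection history and cannot be evaluated statically.

```python
import ipaddress
import shlex

# Constructed assumptions (the thread states only eth2.10 = data, eth2.40 = iot,
# eth2.50 = guest and 192.168.10.x for data): voip is taken as eth2.30, 192.168.10.5
# stands in for the redacted broker address, 192.168.10.2 for an admin host on <winbox-access>.
INTERFACE_LISTS = {"wan-access": {"eth2.10", "eth2.30", "eth2.50"}}
ADDRESS_LISTS = {"winbox-access": {"192.168.10.2"}}

# Subset of the thread's rules in `add` form; the psd/connection-limit detectors are omitted.
RULES = """\
/ip firewall filter
add chain=input action=drop connection-state=invalid
add chain=input action=drop protocol=tcp dst-port=8291 src-address-list=!winbox-access
add chain=input action=accept connection-state=established,related
add chain=input action=accept connection-state=new in-interface-list=wan-access
add chain=input action=drop
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=internet
add chain=forward action=drop connection-state=new in-interface=eth2.50 out-interface=!internet
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept connection-state=new in-interface-list=wan-access
add chain=forward action=accept connection-state=new protocol=tcp in-interface=eth2.40 dst-address=192.168.10.5 dst-port=1883
add chain=forward action=accept protocol=tcp dst-address=192.168.10.5 dst-port=8883
add chain=forward action=drop
"""
TERMINATING = {"accept", "drop", "reject"}
NOT_MATCHERS = {"chain", "action", "comment", "log", "log-prefix"}

def parse_rules(text):
    """Turn each `add key=value ...` line into a dict; menu-path lines are skipped."""
    return [dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
            for line in text.splitlines() if line.startswith("add ")]

def matches(rule, pkt):
    """Every matcher on the rule must hold; a leading '!' inverts that one matcher."""
    for key, raw in rule.items():
        if key in NOT_MATCHERS:
            continue
        neg, value = raw.startswith("!"), raw.lstrip("!")
        if key == "connection-state":
            hit = pkt["state"] in value.split(",")
        elif key == "connection-nat-state":
            hit = pkt.get("nat") == value
        elif key == "in-interface":
            hit = pkt["iif"] == value
        elif key == "out-interface":
            hit = pkt.get("oif") == value
        elif key == "in-interface-list":
            hit = pkt["iif"] in INTERFACE_LISTS.get(value, ())
        elif key in ("src-address-list", "dst-address-list"):
            hit = pkt[key[:3]] in ADDRESS_LISTS.get(value, ())
        elif key in ("src-address", "dst-address"):
            hit = ipaddress.ip_address(pkt[key[:3]]) in ipaddress.ip_network(value, strict=False)
        elif key == "protocol":
            hit = pkt.get("proto") == value
        elif key == "dst-port":
            hit = str(pkt.get("dport")) in value.split(",")
        else:  # refuse to guess: an unmodelled matcher must never silently match
            raise ValueError(f"matcher not modelled: {key}")
        if hit == neg:  # plain matcher failed, or negated matcher succeeded
            return False
    return True

def evaluate(rules, pkt):
    """First terminating match wins; fasttrack-connection and add-src-to-address-list only act
    and fall through (hence the plain accept after the fasttrack rule); no match means accept."""
    effects = []
    for rule in rules:
        if rule["chain"] == pkt["chain"] and matches(rule, pkt):
            if rule["action"] in TERMINATING:
                return rule["action"], effects
            effects.append(rule["action"])
    return "accept", effects

def run_checks(rules):
    """Constructed packets for the cases the thread cares about -> {case: verdict}."""
    def fwd(**kw):
        return dict(chain="forward", state="new", proto="tcp", **kw)
    cases = {
        # guest VLAN: internet yes, anything inside no (the opening post's goal)
        "guest->internet": fwd(iif="eth2.50", oif="internet", src="192.168.50.20", dst="203.0.113.10", dport=443),
        "guest->data-mqtts": fwd(iif="eth2.50", oif="eth2.10", src="192.168.50.20", dst="192.168.10.5", dport=8883),
        # iot VLAN is not in wan-access: only the pinholes pass, default deny otherwise...
        "iot->data-mqtt": fwd(iif="eth2.40", oif="eth2.10", src="192.168.40.7", dst="192.168.10.5", dport=1883),
        "iot->data-ssh": fwd(iif="eth2.40", oif="eth2.10", src="192.168.40.7", dst="192.168.10.5", dport=22),
        # ...except that the published-service rules have no in-interface, so 8883 is open to iot too
        "iot->data-mqtts": fwd(iif="eth2.40", oif="eth2.10", src="192.168.40.7", dst="192.168.10.5", dport=8883),
        # from the WAN only dst-nat'd connections survive the second forward rule
        "wan->mqtts-dstnat": fwd(iif="internet", oif="eth2.10", src="198.51.100.9", dst="192.168.10.5", dport=8883, nat="dstnat"),
        "wan->mqtts-direct": fwd(iif="internet", oif="eth2.10", src="198.51.100.9", dst="192.168.10.5", dport=8883),
        # the router itself: winbox only from the address list, even from a wan-access VLAN
        "guest->winbox": dict(chain="input", state="new", proto="tcp", iif="eth2.50", src="192.168.50.20", dst="192.168.50.1", dport=8291),
        "admin->winbox": dict(chain="input", state="new", proto="tcp", iif="eth2.10", src="192.168.10.2", dst="192.168.10.1", dport=8291),
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, verdict in run_checks(parse_rules(RULES)).items():
        print(f"{name:20} {verdict}")
```

Running it shows the two things worth knowing about this rule set: guest to vlan-data is dropped by the `in-interface=eth2.50 out-interface=!internet` rule before the port 8883 accept is ever consulted (order matters, and cisconz's interface-based negation is what makes that rule independent of the address lists), while vlan-iot does reach port 8883 because the published-service rules match on destination only. If the intent is that only dst-nat'd internet traffic uses those rules, adding `in-interface=internet` or `connection-nat-state=dstnat` to each of them closes that gap; the evaluator is a cheap way to re-check such a change before it goes on the router.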




SumnerBoy
Reply # 1656933 24-Oct-2016 14:34

OT question - but if/when I move to UFB is it going to be a problem since I already have VLAN.10 for my main data VLAN?!


cisconz
Reply # 1657077 24-Oct-2016 20:00

SumnerBoy:
OT question - but if/when I move to UFB is it going to be a problem since I already have VLAN.10 for my main data VLAN?!

No, just have a vlan10 on your WAN interface, and a vlan10 on your LAN.

As long as they are not bridged, it will work fine.




