Hi, I'm new to networking. I need to isolate network A from network B. Network B needs only internet access.
Silvio,
Thank you for the network diagram and the question. I know you'll come to enjoy the things MikroTik can do for you. While not perfect, and we need more features, they are really fun to work with.
Answer:
On a purely technical level, there are several ways to do this. There are ways (port isolation), better ways (VLAN, PVLAN), and then better-performing ways (wire-speed VLAN) if you have the hardware. Without going into all the ins and outs of what's best, let's just start with some good duct tape. Others can chime in to make it more clear or say I'm wrong. :-P
Conceptual Design 1:
- Router B's port 1 is plugged into Router A's port 10.
- Router A's port 10 will be set isolated (removed from a switch group or bridge).
- Router A will set a unique IP address and DHCP server on its port 10 interface.
- Firewall rules will block port 10 from accessing other ports, except to flow out the wan interface.
- Router B is turned into a simple switch.
There are quite a few commands to enter to make all this actually work in practice. Let's get Router B setup first. Turn it into a simple switch.
# Option 1: bridge every port (RouterOS 6.41 and later, where master-port no longer exists
# and the switch chip is used through the bridge where the hardware supports it)
/interface bridge
add name=bridge-LAN protocol-mode=none
/interface bridge port
add bridge=bridge-LAN interface=ether1
add bridge=bridge-LAN interface=ether2
etc ...
# Option 2: older RouterOS with master-port. Make ether1 the master and add ONLY ether1 to
# the bridge; a port with master-port set becomes a slave and cannot also be a bridge port,
# so do not combine the two options for the same port.
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
etc ..
/ip address
add address=192.168.1.2/24 interface=bridge-LAN
# route out Router A's port 10
/ip route
add distance=1 gateway=192.168.1.1
Now, let's set up Router A to serve this switch and thus anything connected to it.
# take ether10 out of the switch group and, if it was a bridge port, out of the bridge
/interface ethernet
set [ find default-name=ether10 ] master-port=none
/interface bridge port
remove [ find interface=ether10 ]
# will be the default gateway for Router B
/ip address
add address=192.168.1.1/24 interface=ether10
/ip pool
add name=dhcp_pool10 ranges=192.168.1.10-192.168.1.254
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool10 always-broadcast=yes authoritative=yes disabled=no interface=ether10 name=dhcp10
Now that we have the routing set up, we'll have to set up firewall rules to allow things to work. So, edit Router A's settings. Change bridge-LAN to match your interface name. Note the way we introduce ether10, thus enabling it to work.
/interface bridge settings
set use-ip-firewall=yes
/ip settings
set rp-filter=strict secure-redirects=no send-redirects=no tcp-syncookies=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related comment="Accept established related"
add action=accept chain=input in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
# since ether10 does not exist in bridge or switch, we set an allow on it
add action=accept chain=input in-interface=ether10 comment="Allow RouterB access to router and Internet"
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward connection-state=established,related comment="Accept established related"
add action=accept chain=forward connection-state=new in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
# Anything trying to access Router A's network, if not coming from A we drop.
add action=drop chain=forward in-interface=!bridge-LAN out-interface=bridge-LAN comment="Isolate RouterA"
# since ether10 does not exist in bridge or switch, we set an allow on it
add action=accept chain=forward connection-state=new in-interface=ether10 comment="Allow RouterB access to router and Internet"
add action=drop chain=forward comment="Drop all other forward"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masq" out-interface=ether-WAN
# Optionally if you have the package installed
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
A note about the way I've created the rules. I allow access to Router A itself from Router B, thus you'll be able to ping 192.168.x.1 from the B x.x.1.1 network. Why? To allow services like DNS, DHCP, etc. running on Router A to serve the B network.
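Before trusting a set of filter rules, it helps to trace a few flows through them by hand. The following is an added example, not code from the post above or from MikroTik: it models RouterOS first-match evaluation of the forward chain exactly as posted (rules are tried in order, the first match decides, and a chain with no match falls through to accept) and runs constructed flows between the post's interface names (bridge-LAN, ether10, ether-WAN) through it. It shows that Router B's network cannot open connections to Router A's network or be reached from the WAN, while Router A's network can still reach Router B's, which is what the rules as written do.

```python
"""Trace constructed flows through the forward chain from the post above.

Added example (not the forum author's code). The rules below transcribe the
posted /ip firewall filter forward chain; interface names come from the post,
the packets are constructed here for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Rule:
    action: str                        # "accept" or "drop"
    conn_state: Optional[Set[str]] = None  # states matched; None = any state
    in_iface: Optional[str] = None     # "name", "!name" (negated) or None = any
    out_iface: Optional[str] = None
    comment: str = ""


def _iface_match(pattern: Optional[str], value: str) -> bool:
    """RouterOS interface matcher, including the '!' negation prefix."""
    if pattern is None:
        return True
    if pattern.startswith("!"):
        return value != pattern[1:]
    return value == pattern


def evaluate(chain, pkt):
    """Return (action, comment) of the first rule matching pkt.

    RouterOS filter chains are first-match; a packet that matches no rule
    reaches the end of the chain and is accepted.
    """
    for r in chain:
        if r.conn_state is not None and pkt["state"] not in r.conn_state:
            continue
        if not _iface_match(r.in_iface, pkt["in"]):
            continue
        if not _iface_match(r.out_iface, pkt["out"]):
            continue
        return r.action, r.comment
    return "accept", "implicit end-of-chain accept"


# The forward chain exactly as posted for Router A.
FORWARD = [
    Rule("accept", {"established", "related"}, comment="Accept established related"),
    Rule("accept", {"new"}, in_iface="bridge-LAN",
         comment="Allow LAN access to router and Internet"),
    Rule("drop", in_iface="!bridge-LAN", out_iface="bridge-LAN", comment="Isolate RouterA"),
    Rule("accept", {"new"}, in_iface="ether10",
         comment="Allow RouterB access to router and Internet"),
    Rule("drop", comment="Drop all other forward"),
]


def flow(in_iface: str, out_iface: str, state: str = "new"):
    """A constructed packet as seen by the forward chain after routing."""
    return {"in": in_iface, "out": out_iface, "state": state}


def isolation_report(chain=FORWARD):
    """Map a label for each constructed flow to the chain's verdict."""
    cases = {
        "B->A new": flow("ether10", "bridge-LAN"),
        "B->WAN new": flow("ether10", "ether-WAN"),
        "A->B new": flow("bridge-LAN", "ether10"),
        "A->WAN new": flow("bridge-LAN", "ether-WAN"),
        "WAN->A new": flow("ether-WAN", "bridge-LAN"),
        "WAN->B new": flow("ether-WAN", "ether10"),
        "WAN->B reply": flow("ether-WAN", "ether10", "established"),
        "B->A reply": flow("ether10", "bridge-LAN", "established"),
    }
    return {name: evaluate(chain, pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, action in isolation_report().items():
        print(f"{name:14s} {action}")
```

Running it prints a verdict per flow; the "Isolate RouterA" rule is the only thing standing between ether10 and bridge-LAN for new connections, which you can confirm by evaluating the same flows against the chain with that one rule removed.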