bajzaadmin
newbie
Topic Author
Posts: 48
Joined: Wed Dec 14, 2016 2:39 pm

Config help req.: configuring permeable LAN, and remote management access between two local subnets

Mon Jan 22, 2018 1:12 pm

Hey there you lovely peeps!

I was given the task to allow remote management and utility for our security contractor from the internet, whilst providing access from our machines, to the CCTV subnet.

We have two independent LANs:
1) One is used by the CCTV/alarm/fire alarm system. This LAN resides on 192.168.3.0/24
2) The other LAN is used for everything else in the workplace. This LAN resides on 192.168.248.0/22

I could place their point of access on a different ethernet connector (as I have 6 free eth slots left, so no need for trunking).

I'd like to provide remote management and NTP access for these guys, meanwhile segregating their network from ours, as much as possible.
They'd still use the same broadband connection that we do.

Can you guys help me out with the config?

Thanks in advance!


Kind regards,
IBR


Here is the current (very basic) config I have on my device; it's an RB2011:

# jan/04/2018 15:49:58 by RouterOS 6.41
# software id = 5IAZ-WMI5
#
# model = 2011UiAS
# serial number = 724F066F9C98
/interface ethernet
set [ find default-name=ether1 ] comment=WAN mac-address=*************
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface ethernet switch port
set 6 !egress-rate !ingress-rate
set 7 !egress-rate !ingress-rate
set 8 !egress-rate !ingress-rate
set 9 !egress-rate !ingress-rate
set 10 !egress-rate !ingress-rate
set 12 !egress-rate !ingress-rate
/ip pool
add name=dhcp_pool_1 ranges=192.168.249.1-192.168.251.254
/ip dhcp-server
add address-pool=dhcp_pool_1 disabled=no interface=ether5 lease-time=2d10m \
name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.248.1/22 interface=ether5 network=192.168.248.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.248.0/22 dns-server=193.110.57.4,8.8.8.8 gateway=\
192.168.248.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
192.168.248.0/22
/ip service
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.248.0/22
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=MF-M-GW
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org,3.hu.pool.ntp.org
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Config help req.: configuring permeable LAN, and remote management access between two local subnets

Mon Jan 22, 2018 8:41 pm

Hi

The sec contractor needs to access the "3" net, right, and you all too?

Then:
* define new "3" net on the router
* set up vpn for sec contractor, a separate net, say "5"
* deny access from "3" to anything else in forward, except ntp on firewall
* grant access from "5" to "3" (+established / related) in forward
* grant access from "248" to "3" (+established / related) in forward
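The five steps above written out as RouterOS commands for the RB2011 export in the first post. This is an added example, not sebastia's or bajzaadmin's config: it assumes the CCTV LAN is moved onto ether2 (any free port does) and that the contractor's VPN hands out 192.168.5.0/24; the VPN server itself is not shown.

```routeros
# Added example (not from the thread). Assumes: CCTV on ether2, VPN pool 192.168.5.0/24,
# ether1 is WAN and ether5 is the office LAN exactly as in the export above.
/interface ethernet
set [ find default-name=ether2 ] comment=CCTV disabled=no
/ip address
add address=192.168.3.1/24 interface=ether2 network=192.168.3.0
/ip firewall address-list
add address=192.168.3.0/24 list=cctv
add address=192.168.248.0/22 list=office
add address=192.168.5.0/24 list=contractor-vpn
/ip firewall nat
# the existing masquerade only covers 248/22; the CCTV net needs its own so NTP can leave
add chain=srcnat action=masquerade out-interface=ether1 src-address=192.168.3.0/24
/ip firewall filter
# order matters: RouterOS evaluates the chain top to bottom, first match wins
add chain=forward action=accept connection-state=established,related comment="replies to allowed sessions"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=new src-address-list=office dst-address-list=cctv comment="248 -> 3"
add chain=forward action=accept connection-state=new src-address-list=contractor-vpn dst-address-list=cctv comment="5 -> 3"
add chain=forward action=accept connection-state=new src-address-list=cctv out-interface=ether1 protocol=udp dst-port=123 comment="3 -> NTP only"
add chain=forward action=drop src-address-list=cctv comment="3 -> anything else"
add chain=forward action=drop dst-address-list=cctv comment="nothing else reaches 3"
add chain=forward action=accept connection-state=new src-address-list=office out-interface=ether1 comment="office -> internet"
add chain=forward action=drop comment="default deny"
```

Because the two drop rules sit above the office-to-internet accept, a CCTV device can neither reach the office LAN nor the internet except for NTP, while office and VPN clients can open sessions into the CCTV net and get their replies back via the established/related rule.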
 
bajzaadmin
newbie
Topic Author
Posts: 48
Joined: Wed Dec 14, 2016 2:39 pm

Re: Config help req.: configuring permeable LAN, and remote management access between two local subnets

Tue Jan 23, 2018 6:08 pm

sebastia wrote:
> Hi
>
> The sec contractor needs to access the "3" net, right, and you all too?
>
> Then:
> * define new "3" net on the router
> * set up vpn for sec contractor, a separate net, say "5"
> * deny access from "3" to anything else in forward, except ntp on firewall
> * grant access from "5" to "3" (+established / related) in forward
> * grant access from "248" to "3" (+established / related) in forward

Thanks mate, I'll head to try this config tomorrow!
 
bajzaadmin
newbie
Topic Author
Posts: 48
Joined: Wed Dec 14, 2016 2:39 pm

Re: Config help req.: configuring permeable LAN, and remote management access between two local subnets

Fri Jan 26, 2018 12:45 pm

sebastia wrote:
> Hi
>
> The sec contractor needs to access the "3" net, right, and you all too?
>
> Then:
> * define new "3" net on the router
> * set up vpn for sec contractor, a separate net, say "5"
> * deny access from "3" to anything else in forward, except ntp on firewall
> * grant access from "5" to "3" (+established / related) in forward
> * grant access from "248" to "3" (+established / related) in forward

Hey there!

Turns out, they won't use a VPN.

Instead, we are thinking about some sort of destination NAT and DDNS for my router's outside IP (as unfortunately, we do not have a static address yet).
I was told that I should try to use RAW firewall instead of filter rules (to conserve CPU/RAM).

Could you help me on what the altered config should look like?

Thanks in advance!


Best regards,
– IBR
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Config help req.: configuring permeable LAN, and remote management access between two local subnets  [SOLVED]

Fri Jan 26, 2018 11:46 pm

That dnat will be wide-open to anyone on internet. So depending on what will be dnat-ed, it might be an issue. Does the contractor use a fixed ip? If so that dnat rule could be quite selective => safe.
/ip firewall nat
add action=dst-nat chain=dstnat comment="Dnat" dst-address-type=local dst-port=<some> \
    in-interface-list=EXT protocol=tcp src-address=<a.b.c.d> to-addresses=<internal ip>
If no fixed ip, but if you have authentication available on the target device and you feel comfortable with it sitting in the internet (what it effectively is), then why not.

RAW firewall: -> plain forwarding with NO connection tracking / NO stateful firewall
(RAW only allows configuration in output & prerouting chains)
which means:
* no selective forwarding between subnets: like 3 & 248 -> every ip from 3 will have access to every ip from 248

Are you planning on running more than say 50k concurrent connections through that router? If not I wouldn't worry about conntrack. Also remember you can FastTrack connections selectively reducing the impact on routing.
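The selective dst-nat from the post above, completed with the forward-chain accept it needs and the DDNS piece bajzaadmin asked about. This is an added example, not sebastia's rule as posted: the contractor's fixed address 203.0.113.10, the recorder 192.168.3.10 and TCP port 8000 are placeholders, and the EXT interface list is created here because the export in the first post has none.

```routeros
# Added example (not from the thread). Placeholders: contractor IP 203.0.113.10,
# recorder 192.168.3.10 on TCP 8000. ether1 is the WAN as in the export above.
/interface list
add name=EXT
/interface list member
add interface=ether1 list=EXT
/ip firewall address-list
add address=203.0.113.10 list=contractor comment="fixed public IP of the security contractor"
add address=192.168.3.0/24 list=cctv
/ip firewall nat
# only packets from the contractor's address arriving on the WAN are translated;
# for everyone else no dst-nat rule matches, so the recorder is never exposed
add chain=dstnat action=dst-nat in-interface-list=EXT src-address-list=contractor \
    dst-address-type=local protocol=tcp dst-port=8000 \
    to-addresses=192.168.3.10 to-ports=8000 comment="contractor -> NVR"
/ip firewall filter
# dst-nat'ed packets still traverse the forward chain, so they need an explicit accept
# placed ABOVE any rule that drops traffic into the CCTV net (move it there after adding)
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=EXT src-address-list=contractor dst-address-list=cctv \
    comment="dst-nat'ed contractor sessions"
# without a fixed contractor IP the src-address-list matcher has to go, and the port is then
# open to the whole internet: the recorder's own login is the only control left, as noted above
/ip cloud
# DDNS for the changing WAN address: the router registers <serial>.sn.mynetname.net
set ddns-enabled=yes
```

This stays in the filter table, not RAW: the dst-nat accept relies on connection tracking (connection-nat-state), which is exactly what RAW gives up.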