direktor
just joined
Topic Author
Posts: 3
Joined: Tue Jul 02, 2024 11:17 am

Securing the switch from untrusted network

Tue Jul 02, 2024 11:32 am

Hello ladies and gents,

I have a MTK switch, routerOS 7.15 CRS312-4C.
The switch is part of a home/office network with a single bridge and multiple VLANs configured. Router on a stick is a pfsense box.
I would like to now connect an untrusted network (central building switch) to it, and isolate this VLAN from a security standpoint - so that the switch itself is safe, administration can not be done from this interface and so on.

I don't use any L3/4 stuff on the switch, just basic VLANs, so no FW is configured on the SW yet.
How best to do this? Do I need to isolate this port to another bridge?
 
Fogga
just joined
Posts: 6
Joined: Tue Feb 27, 2024 4:25 pm
Location: Norway

Re: Securing the switch from untrusted network

Tue Jul 02, 2024 1:41 pm

If the pfsense box is the gateway for all vlans, you can block inter-vlan access with firewall rules. It's not blocked as standard on pfsense when creating vlans on it. But it all depends on how everything else also is configured.
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing the switch from untrusted network

Tue Jul 02, 2024 1:56 pm

Concur, do you control the pfsense router?
 
direktor
just joined
Topic Author
Posts: 3
Joined: Tue Jul 02, 2024 11:17 am

Re: Securing the switch from untrusted network

Tue Jul 02, 2024 2:02 pm

Yes, I control the pfsense box. The L3/4 is not an issue; I was thinking more about MAC Winbox access, discovery protocols and such. So the switch itself is the question.
So from an attacker perspective I would go for the 'tik. So just the L2 stuff. I did all the stuff (that applies) from here. Looking for some extra stuff to look into.
 
rushlife
Member Candidate
Posts: 254
Joined: Thu Nov 05, 2015 12:30 pm

Re: Securing the switch from untrusted network  [SOLVED]

Tue Jul 02, 2024 2:09 pm

ip neighbor/discovery-settings/set discover-interface-list=!all (??)

ip service/disable (everything you don't need)

tool/mac-server/set allowed-interface-list=!all (??)

and, of course, STRONG username and password combo
 
direktor
just joined
Topic Author
Posts: 3
Joined: Tue Jul 02, 2024 11:17 am

Re: Securing the switch from untrusted network

Tue Jul 02, 2024 3:50 pm

ip neighbor/discovery-settings/set discover-interface-list=!all (??)

ip service/disable (everything you don't need)

tool/mac-server/set allowed-interface-list=!all (??)

and, of course, STRONG username and password combo

Yup, did all this (just configured service discovery for a VLAN interface on a separate mgmt LAN so the 'tiks in the net can talk). Everything else as you have suggested!
 
Apachez
Member Candidate
Posts: 145
Joined: Mon Jul 01, 2024 11:45 pm

Re: Securing the switch from untrusted network

Wed Jul 03, 2024 10:24 am

Apart from regular hardening, as in disabling services that aren't needed (there are a few) and adding firewall rules, another option to enhance the security, or rather the segmentation, is to use VRFs.

Unfortunately not all services support VRF today (as of 7.15.2 stable), such as DNS (currently broken), FTP and remote logging.

So a workaround for that is to let the main VRF be your mgmt and create a new VRF that you call, let's say, VRF-LAN, into which you put all other interfaces that aren't the mgmt interface (which normally is ether1, or whatever it is called on your box).

Also make sure that the mgmt IP is configured directly on ether1 (or whatever physical interface you will be using) and that this interface is NOT part of the bridge.

The block diagram tells me that ether1 is the interface labeled as MGMT/BOOT on your device: https://i.mt.lv/cdn/product_files/CRS31 ... 190703.png
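As an added example, not posted by anyone in this thread, here is a RouterOS 7 configuration fragment that applies rushlife's hardening commands and Apachez's mgmt-port/VRF layout together. The interface list name MGMT, the bridge name "bridge", ether1 as the MGMT/BOOT port and the 192.0.2.0/24 management subnet are assumptions.

```routeros
# Added example, not from any poster. Assumptions: ether1 is the MGMT/BOOT port,
# the data bridge is named "bridge", and the interface list MGMT and the
# 192.0.2.0/24 management subnet are constructed for illustration.

# 1. Management port out of the bridge, with the mgmt IP set directly on it
#    (Apachez): the untrusted VLAN can then never reach the mgmt IP at L2.
/interface bridge port remove [find interface=ether1]
/ip address add address=192.0.2.10/24 interface=ether1 comment="mgmt, main VRF"

# 2. Interface list used by every "allowed-interface-list" knob below.
/interface list add name=MGMT comment="only the dedicated management port"
/interface list member add list=MGMT interface=ether1

# 3. Discovery (MNDP/CDP/LLDP) and MAC-Winbox/MAC-Telnet only on MGMT
#    (rushlife); "!all" was marked uncertain in the thread, a named list is explicit.
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server ping set enabled=no

# 4. Disable IP services not needed on an L2-only switch and bind the rest
#    to the management subnet only.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=192.0.2.0/24
/ip service set winbox address=192.0.2.0/24
/ip ssh set strong-crypto=yes
/tool bandwidth-server set enabled=no

# 5. Everything that is not the mgmt port goes into its own VRF (Apachez):
#    mgmt stays in the main VRF so DNS and remote logging keep working.
/ip vrf add name=VRF-LAN interfaces=bridge
```

Check the result with `/ip neighbor discovery-settings print`, `/tool mac-server print` and `/ip service print`, which should show only MGMT-scoped or disabled entries; a MAC-Winbox scan from a port on the data bridge should then no longer list the switch.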