banjopicker
just joined
Topic Author
Posts: 6
Joined: Mon Sep 29, 2014 8:50 pm

Very Basic Firewall Question

Sat Jul 01, 2017 10:12 pm

Thoroughly frustrated and would appreciate some help.

Have a vanilla sb750 setup with basically the default configuration and an added wireless accesspoint:
[attachment: Mikrotik Network Diagram.PNG]
I would like to lock the network down so that IoT devices can only talk to the Raspberry Pi server, and untrusted laptops are locked out of the LAN. To do this, I have organized most of the devices on the network into different static IP ranges in the 192.168.88.x subnet (I had originally tried to place devices with different levels of trust into their own 192.168.x.x subnets, but was unsuccessful, so I went back to this simpler configuration and am still failing).
[attachment: Banjopicker desired connections.PNG]
My plan is to have the firewall manage internal traffic based on a device's IP. I have an untrusted laptop on the network which is given an IP of 192.168.88.252 by DHCP. To test the firewall out at the most basic level, I attempt to block ALL traffic (I can refine it later once I get this most basic task working) from this IP:
add action=drop chain=forward src-address=192.168.88.252
But even if this is the ONLY entry in the firewall, laptop 192.168.88.252 can still access the picostation setup page (192.168.88.2), and the RPi server (192.168.88.3:1880 and 192.168.88.3:9000).

Here is my router setup:
[swallace@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; defconf
     address=192.168.88.1/24 network=192.168.88.0 interface=ether2-master actual-interface=ether2-master

 1 D address=199.180.167.216/32 network=173.209.108.15 interface=pppoe-out1 actual-interface=pppoe-out1

[swallace@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 0 ADS  dst-address=0.0.0.0/0 gateway=173.209.108.15 gateway-status=173.209.108.15 reachable via  pppoe-out1 distance=1 scope=30 target-scope=10

 1 ADC  dst-address=173.209.108.15/32 pref-src=199.180.167.216 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=0 scope=10

 2 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether2-master gateway-status=ether2-master reachable distance=0 scope=10
[swallace@MikroTik] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
 0  R  name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1600 max-l2mtu=4076 mac-address=D4:CA:6D:DB:7B:64 fast-path=yes
       last-link-up-time=jun/30/2017 15:06:11 link-downs=0

 1  R  name="ether2-master" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:DB:7B:65 fast-path=yes
       last-link-up-time=jun/30/2017 15:06:11 link-downs=0

 2  RS name="ether3" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:DB:7B:66 fast-path=yes
       last-link-up-time=jun/30/2017 15:06:11 link-downs=0

 3  RS name="ether4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:DB:7B:67 fast-path=yes
       last-link-up-time=jun/30/2017 15:06:12 link-downs=0

 4   S name="ether5" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:DB:7B:68 fast-path=yes link-downs=0

 5  R  name="pppoe-out1" type="pppoe-out" mtu=1492 actual-mtu=1492 fast-path=yes last-link-down-time=jun/30/2017 15:06:15 last-link-up-time=jun/30/2017 15:06:17 link-downs=1
[swallace@MikroTik] > /ip firewall export
# jul/01/2017 14:23:08 by RouterOS 6.39.2
# software id = SR21-JTTV
#
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward src-address=192.168.88.252
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out1
[swallace@MikroTik] >
And here is some information on my wireless:
Device Model:PicoStation M2
Device Name:PicoStation M2
Network Mode:Bridge
Wireless Mode:Access Point
...
Version:v6.0.4 (XM)
This is obviously the most basic possible function of the firewall, yet I can't get it to block my laptop. What am I doing wrong?

Many thanks
 
stshaw
newbie
Posts: 40
Joined: Wed May 10, 2017 11:11 pm

Re: Very Basic Firewall Question

Sun Jul 02, 2017 1:09 am

You said, "But even if this is the ONLY entry in the firewall, laptop 192.168.88.252 can still access the picostation setup page (192.168.88.2), and the RPi server (192.168.88.3:1880 and 192.168.88.3:9000)."

Your laptop is on the same subnet as the pico station and the RPi server, therefore the laptop communicates directly to these devices without going through the router. So, there is no way the router can block the traffic.

To filter the traffic you can put the devices on separate interfaces with different subnets, or on different VLANs, then set up appropriate firewall rules.
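A quick way to confirm this on the router from the OP's export before re-architecting anything. This is an added check, not configuration posted in the thread; the addresses are the thread's own, while the log prefix and the comment text are chosen here.

```routeros
# Added check (not from the thread): see which of the laptop's traffic the
# router's forward chain actually processes. Addresses are the thread's;
# the log prefix and comment are chosen for this example.
/ip firewall filter
add chain=forward src-address=192.168.88.252 action=log \
    log-prefix="lan-test" place-before=0 \
    comment="test: log forwarded packets from the laptop"

# Now, from the laptop, open http://192.168.88.3:1880 and then any Internet site.
# Packet/byte counters of the test rule:
/ip firewall filter print stats where comment~"test:"
# Matching log entries, each showing in/out interface and src/dst address:
/log print where message~"lan-test"

# Remove the test rule afterwards; action=log is noisy on a busy LAN.
/ip firewall filter remove [find comment~"test:"]
```

With the configuration in the export, the counters and log entries should only ever show flows whose destination lies outside 192.168.88.0/24 (at least the first packets of each new connection; once a connection is fasttracked its later packets skip the filter chain entirely). The sessions to 192.168.88.3 never appear: the laptop resolves that address with ARP and the frames are forwarded at layer 2 by the AP or the RouterBOARD's switch chip, so the router's IP layer and its forward chain are never involved. The same thing is visible from the laptop, where a traceroute to 192.168.88.3 completes in a single hop while a traceroute to an Internet host shows 192.168.88.1 as the first hop.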
 
banjopicker
just joined
Topic Author
Posts: 6
Joined: Mon Sep 29, 2014 8:50 pm

Re: Very Basic Firewall Question

Sun Jul 02, 2017 4:11 am

Thanks for the explanation.

What I understand you to be saying is that since both trusted and untrusted IPs will be coming in through the same interface on the wireless (unless I set up a second physical AP dedicated to each subnet), that even if they are assigned IPs from different subnets, I still will not be able to filter them. Is this correct?

I haven't looked into VLANs yet. Can multiple VLANs use the same interface? Looks like I have to do some more research.

Thanks for your help.

Update: It does look like VLANs are the solution to my problem. Thanks for pointing me in the right direction.
 
stshaw
newbie
Posts: 40
Joined: Wed May 10, 2017 11:11 pm

Re: Very Basic Firewall Question

Sun Jul 02, 2017 6:19 am

> Thanks for the explanation.
>
> What I understand you to be saying is that since both trusted and untrusted IPs will be coming in through the same interface on the wireless (unless I set up a second physical AP dedicated to each subnet), that even if they are assigned IPs from different subnets, I still will not be able to filter them. Is this correct?
>
> I haven't looked into VLANs yet. Can multiple VLANs use the same interface? Looks like I have to do some more research.
>
> Thanks for your help.
>
> Update: It does look like VLANs are the solution to my problem. Thanks for pointing me in the right direction.
If you want to isolate an untrusted host, the normal approach is to either 1) put it on a separate physical interface, or 2) put it on a separate VLAN. Then you can control access using firewall rules. You don't necessarily need to use VLANs here--you could associate the untrusted host with a second WAP that was plugged into a different interface on the Mikrotik.

You could assign the untrusted host an IP on a separate subnet and attach everything to the same interface on the router, and filter using a firewall. The problem with that is the untrusted host could easily defeat the filtering by assigning itself an IP address on the trusted subnet and communicating directly, thereby bypassing the router.
 
banjopicker
just joined
Topic Author
Posts: 6
Joined: Mon Sep 29, 2014 8:50 pm

Re: Very Basic Firewall Question

Sun Jul 02, 2017 7:07 pm

Since this is a home system, my biggest concern is really not guest users, but all the IoT devices "phoning home" if they shouldn't (cheap webcams have very poor security, and there is no telling what vulnerabilities are built into the code). But it would be nice to prevent curious guests from poking around the network, or spreading malware if they have practised poor security hygiene on their own systems.

I had tried separate subnets on the same interface, but apparently my skills are not yet up to snuff. I never got the gateways for each subnet working properly so that the subnets could communicate with each other. But if VLANs are more robust (and better documented), I will certainly try that.

I am learning a lot (at the expense of some sleep). I love the flexibility, power, and price of these Routerboards, but with great power comes great responsibility....
 
stshaw
newbie
Posts: 40
Joined: Wed May 10, 2017 11:11 pm

Re: Very Basic Firewall Question

Sun Jul 02, 2017 8:08 pm

> Since this is a home system, my biggest concern is really not guest users, but all the IoT devices "phoning home" if they shouldn't (cheap webcams have very poor security, and there is no telling what vulnerabilities are built into the code). But it would be nice to prevent curious guests from poking around the network, or spreading malware if they have practised poor security hygiene on their own systems.
>
> I had tried separate subnets on the same interface, but apparently my skills are not yet up to snuff. I never got the gateways for each subnet working properly so that the subnets could communicate with each other. But if VLANs are more robust (and better documented), I will certainly try that.
>
> I am learning a lot (at the expense of some sleep). I love the flexibility, power, and price of these Routerboards, but with great power comes great responsibility....
I'm not exactly sure what model router you have. I have a RB750Gr3. With this model, the default setup is for eth2-5 to be grouped into a switch. You could simply remove say eth5 from the switch group, assign a new subnet and DHCP server to eth5, and run all your IoT devices off that interface. You could use firewall rules to isolate traffic as desired.
 
banjopicker
just joined
Topic Author
Posts: 6
Joined: Mon Sep 29, 2014 8:50 pm

Re: Very Basic Firewall Question

Sun Jul 02, 2017 9:36 pm

> I'm not exactly sure what model router you have. I have a RB750Gr3. With this model, the default setup is for eth2-5 to be grouped into a switch. You could simply remove say eth5 from the switch group, assign a new subnet and DHCP server to eth5, and run all your IoT devices off that interface. You could use firewall rules to isolate traffic as desired.
I guess I still don't understand very well. Most connections to the Routerboard--IoT or not--come in through one wireless AP, which I have connected to ether2-master. Unless I add an additional physical wireless AP dedicated to IoT on ether5, how would peeling off ether5 help? I am on a farm property, so I have set up WiFi to reach where I need it, and have sensors and cameras sprinkled over several acres. I want phones and laptops to get wifi in the same areas that the IoT devices do. I don't want to install duplicate physical wireless networks, one for humans and one for IoT.

I recognize that I am making assumptions in setting up this network that a security professional responsible for an institutional network should not. In this environment, however, it should be sufficient, and will be significantly more secure than the setup I had running on the same router for several years until this week.
1. Any device that is on the network is invited by me, either because I have given it a WiFi passcode or have let it physically plug in to one of my switches, and thus has some level of trust to stay with the IP that I have assigned it.
2. Serving up files and media easily to a variety of devices within the LAN is convenient, but guests to the network have no reason for access to these files, and only need access to the internet.
3. No webcam, IoT switch or sensor should have unmediated access to the Internet.
4. Guests have no reason to access these IoT devices directly either, nor should they (or malware running unintentionally on their system) be able to reach the setup pages for the router, AP, etc.

#3 is trivial to implement because it crosses interfaces, and fortunately this is probably the most important requirement of my system. With the help of your original post I now understand that restricting access within the wider LAN is the tricky part.

While it is true that someone could hack into my AP and request a privileged IP/subnet, this is an unlikely scenario. I know there are better, stronger ways of protecting the network, but like home security, I am balancing cost/convenience with vulnerability. Ultimately, the goal is to make this system a less attractive target, just like we do at our houses without making them fortresses. The much bigger danger than a semi-sophisticated hacker targeting me is rogue malware running within the network leaking information to the world or compromising computers within the LAN.

Thanks for your suggestions, and if you have any more thoughts about the design of this system, please keep them coming.
 
stshaw
newbie
Posts: 40
Joined: Wed May 10, 2017 11:11 pm

Re: Very Basic Firewall Question

Mon Jul 03, 2017 2:11 am

Think about this: To control access between network hosts, you need a device between the hosts to segregate the hosts and manage access. If everything is on one flat network, the hosts can all directly communicate. The segregating device can be either a router, a VLAN-capable managed switch, or an access point that supports VLAN tagging.

To answer the question you asked... Splitting off eth5 helps because when you do that you are putting the router between subnets, segregating hosts on each subnet, and forcing traffic to flow through the router, thereby allowing the router to control access.

If you want to control access for your wireless clients, you either need two APs on different interfaces, or a single AP that can provide multiple SSIDs and VLAN tagging.
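One concrete RouterOS layout that follows stshaw's two suggestions, the dedicated ether5 for wired IoT devices from the earlier reply and a tagged VLAN on ether2-master for a guest SSID on an AP that supports VLAN tagging. This is an added example, not configuration from the thread or from MikroTik; it starts from the defconf export in the first post and applies the OP's requirements 2 to 4 as forward and input rules. The VLAN ID 30, the 192.168.20.0/24 and 192.168.30.0/24 subnets, the interface, pool and DHCP server names, and the rule comments are all assumptions made here.

```routeros
# Added example: two segregated segments on an RB750-class board running
# RouterOS 6.39 (master-port switching, as in the OP's export).
# Assumed values: VLAN 30, 192.168.20.0/24 (wired IoT on ether5),
# 192.168.30.0/24 (guest SSID tagged VLAN 30 by the AP), all names and comments.

# 1. Take ether5 out of the ether2-master switch group, so the router rather
#    than the switch chip sits between ether5 and the rest of the LAN.
#    (RouterOS 6.41 and later use a bridge instead of master-port for this.)
/interface ethernet set ether5 master-port=none

# 2. A VLAN interface on ether2-master for frames the AP tags with VLAN 30.
#    The AP's management address and the trusted SSID stay untagged on 192.168.88.0/24.
/interface vlan add name=vlan30-guest vlan-id=30 interface=ether2-master

# 3. One subnet, address pool and DHCP server per segment.
/ip address add address=192.168.20.1/24 interface=ether5 comment="iot (wired)"
/ip address add address=192.168.30.1/24 interface=vlan30-guest comment="guest"
/ip pool add name=pool-iot ranges=192.168.20.10-192.168.20.200
/ip pool add name=pool-guest ranges=192.168.30.10-192.168.30.200
/ip dhcp-server add name=dhcp-iot interface=ether5 address-pool=pool-iot disabled=no
/ip dhcp-server add name=dhcp-guest interface=vlan30-guest address-pool=pool-guest disabled=no
# IoT devices get no DNS server: they only ever talk to the RPi by address.
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1
# Guests resolve through the router (the defconf DNS setting allows remote requests).
/ip dhcp-server network add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1

# 4. Forward chain. These are appended after the defconf rules, so replies on
#    established/related connections and invalid packets are already handled;
#    only the first packet of a new connection reaches these rules.
/ip firewall filter
add chain=forward in-interface=ether5 dst-address=192.168.88.3 protocol=tcp \
    dst-port=1880,9000 action=accept comment="iot: RPi services only"
add chain=forward in-interface=ether5 action=drop \
    comment="iot: no Internet, no other LAN hosts (requirement 3)"
add chain=forward in-interface=vlan30-guest out-interface=pppoe-out1 action=accept \
    comment="guest: Internet only (requirement 2)"
add chain=forward in-interface=vlan30-guest action=drop \
    comment="guest: no LAN, no IoT (requirement 4)"

# 5. Input chain. Keep DHCP (and DNS for guests), then drop everything else from
#    the two segments so neither can reach the router's own services (requirement 4).
#    ICMP is already accepted by the defconf rule at the top of the chain.
add chain=input in-interface=ether5 protocol=udp dst-port=67 action=accept comment="iot: dhcp"
add chain=input in-interface=ether5 action=drop comment="iot: no router management"
add chain=input in-interface=vlan30-guest protocol=udp dst-port=67 action=accept comment="guest: dhcp"
add chain=input in-interface=vlan30-guest protocol=udp dst-port=53 action=accept comment="guest: dns"
add chain=input in-interface=vlan30-guest action=drop comment="guest: no router management"
```

The forward-chain drops work here for the reason stshaw gives: a packet from 192.168.20.x or 192.168.30.x to 192.168.88.3 has to be routed, so it passes through the forward chain, whereas the OP's original rule matched traffic that never left layer 2. Connections opened from the trusted LAN towards the IoT segment (for example the RPi polling a camera) are still allowed, since nothing drops traffic entering from ether2-master. On the AP side, the guest SSID must be tagged with VLAN 30 while the AP's own management stays untagged; the thread notes that the Picostation M2 may not support multiple SSIDs, in which case only the ether5 part applies and the guest VLAN needs an AP that does, or a second AP on its own router port. After applying, `/ip firewall filter print stats` shows the per-rule counters; from a guest client, http://192.168.88.3:1880 should time out while Internet access works, and from an IoT device only the two RPi ports should be reachable.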
 
macsrwe
Forum Guru
Posts: 1011
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Very Basic Firewall Question

Tue Jul 04, 2017 4:10 am

Let me suggest a totally different approach, one that obviates the firewall entirely.

Number one, you don't need a second physical AP – you can create a second virtual AP and get the same behavior. Virtual APs share the hardware characteristics of the master AP (frequency, protocol), but can have a different SSID, different security parameters, different WPA key, and so on.

Number two, you can use the feature in the wireless section that allows a wireless AP to accept or reject connections by MAC address range.

If you use these both together, you can assign one AP to accept only MAC addresses from the range assigned to the manufacturer of your security cameras, and task the other AP to do whatever you like. You can devote different address ranges and DHCP servers to each interface, and you could route between them as you best see fit.


Sent from my iPhone using Tapatalk
 
stshaw
newbie
Posts: 40
Joined: Wed May 10, 2017 11:11 pm

Re: Very Basic Firewall Question

Tue Jul 04, 2017 6:36 am

> Let me suggest a totally different approach, one that obviates the firewall entirely.
>
> Number one, you don't need a second physical AP – you can create a second virtual AP and get the same behavior. Virtual APs share the hardware characteristics of the master AP (frequency, protocol), but can have a different SSID, different security parameters, different WPA key, and so on.
>
> Number two, you can use the feature in the wireless section that allows a wireless AP to accept or reject connections by MAC address range.
>
> If you use these both together, you can assign one AP to accept only MAC addresses from the range assigned to the manufacturer of your security cameras, and task the other AP to do whatever you like. You can devote different address ranges and DHCP servers to each interface, and you could route between them as you best see fit.
>
> Sent from my iPhone using Tapatalk
How would the OP set this up using his Picostation M2 AP, if the AP has no support for multiple SSIDs?
 
macsrwe
Forum Guru
Posts: 1011
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: Very Basic Firewall Question

Tue Jul 04, 2017 6:43 am

> How would the OP set this up using his Picostation M2 AP, if the AP has no support for multiple SSIDs?
To be honest, I'm not sure I understood the OP's existing architecture. He said he had an SB 750, which I assumed was a typo for an RB 750 because otherwise I don't know what that is. If he does indeed have an RB 750, and added a Picostation just to get an additional SSID, he could use a virtual AP and discard the Picostation. If he's using the Picostation to get extra coverage area, then that's another question entirely.



Sent from my iPhone using Tapatalk
 
stshaw
newbie
Posts: 40
Joined: Wed May 10, 2017 11:11 pm

Re: Very Basic Firewall Question

Tue Jul 04, 2017 6:55 am

I also assumed the OP has an RB750, which is a router I also have. The RB750 has no built-in wireless, so how would one set up a virtual AP on the RB750?
 
macsrwe
Forum Guru
Posts: 1011
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: Very Basic Firewall Question

Tue Jul 04, 2017 8:55 pm

I guess my mind is not working well this week. My eyes saw SB 750 and my mind thought RB 711, a radio board. So it looks like none of my advice was applicable at all. Apologies.


Sent from my iPhone using Tapatalk
 
rllavona13
just joined
Posts: 7
Joined: Mon Nov 28, 2016 12:41 am

Re: Very Basic Firewall Question

Wed Jul 05, 2017 3:31 pm

You should use VLANs, then firewall those subnets.