Community discussions

MikroTik App
 
User avatar
gyropilot
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Sep 10, 2016 10:49 pm
Location: SE Arizona USA

Best Way to Isolate Untrusted Device on My Home Network?

Thu Oct 11, 2018 11:45 pm

Greetings,

I have a super simple network setup in our RV which consists of a single hAP ac Lite (RB952Ui-5ac2nD) running RouterOS v6.43.2. WAN is ether1 or the single USB port to a cellular LTE modem. either2-either5 and wlan1-wlan2 are bridged into a single LAN. Hardware offloading is being used on the ethernet ports. The firewall filters and NAT rules are stock, except a couple of filters and one NAT rule added to cover the cellular LTE modem as WAN. In other words, there's nothing too fancy here.

I have a ham radio (a.k.a.: amateur radio) communications device that I want to connect to this network through one of the hAP ac lite's ethernet ports so it access the internet. This device requires opening various ports to work (port forwarding) which normally isn't possible upstream through a cellular network. To "pierce through" the blocked ports of the cellular provider, the device establishes a VPN connection. The VPN provider has ALL ports open with no way to turn any of them off, so it's similar to having the device in a DMZ. Because of the security risk associated with this, I don't trust having this device on my main (and currently only) network. So I'd like to isolate it so it can't interact with my network just in case it becomes compromised. The catch is I still need to access to the device from my main network to control it using SSH and via its built-in web server.

So here's my question:

What's the best way for me to isolate this device to a single ethernet port on the hAP ac lite, but still allow me to connect to it from at least one PC on my main network, but not the other way around?

I presume I need to somehow set up a second isolated LAN and create new firewall filters and NAT rules?

I've read about Port Isolation, VLAN's, Private VLAN's, trunks, creating multiple bridges, creating multiple switches... and I'm so confused!

Thanks in advance,

John
AA7US
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21918
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Best Way to Isolate Untrusted Device on My Home Network?

Thu Oct 11, 2018 11:49 pm

I will try my best at some advice.
Methinks the ham radio needs to be on a different subnet and not on the same bridge as the homeLAN.
Your firewall rules ((FORWARD)) should include a drop all rule at the end.
Your firewall rules ((FORWARD)) should include a 192.168.x.x (your pc on homelan) to 192.168.y.x (the ham local IP) accept rule.

In this regard the ham radio will only be able to access its own subnet and the internet. I think!
 
User avatar
gyropilot
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Sep 10, 2016 10:49 pm
Location: SE Arizona USA

Re: Best Way to Isolate Untrusted Device on My Home Network?

Fri Oct 12, 2018 12:07 am

I will try my best at some advice.
Methinks the ham radio needs to be on a different subnet and not on the same bridge as the homeLAN.
Your firewall rules ((FORWARD)) should include a drop all rule at the end.
Your firewall rules ((FORWARD)) should include a 192.168.x.x (your pc on homelan) to 192.168.y.x (the ham local IP) accept rule.

In this regard the ham radio will only be able to access its own subnet and the internet. I think!
Thank you anav,

So if I understand you correctly, your recommendation is to create a new subnet and assign one of the ethernet ports to it, then add a firewall rule to allow communication to pass from the current LAN to the new subnet. Check! I think I already have the catch-all drop at the end of my firewall filters, but here are my current firewall filter list for you to check please:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix="Drop invalid"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all from LTE modem" in-interface=lte1-USB-Modem log-prefix="Dropped from LTE modem"
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1-WAN log-prefix="Dropped from WAN"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop all from LTE modem not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface=lte1-USB-Modem
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface=ether1-WAN
add action=drop chain=forward comment="drop invalid" connection-state=invalid
Thank you,

John
AA7US
 
User avatar
gyropilot
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Sep 10, 2016 10:49 pm
Location: SE Arizona USA

Re: Best Way to Isolate Untrusted Device on My Home Network?

Fri Oct 12, 2018 2:47 am

OK, I gave it my best shot but but I can't figure out how to isolate one ethernet port to create a second network under the current RouterOS (with hardware offloading). I found plenty of tutorials and blog posts, but they apply to the old firmware with master/slave switch settings.

If anyone can point me to a tutorial I be extremely grateful.

Thank you,

John
AA7US
 
schrotn
just joined
Posts: 14
Joined: Sat Sep 13, 2014 8:23 am

Re: Best Way to Isolate Untrusted Device on My Home Network?

Fri Oct 12, 2018 5:06 am

Hey fellow ham, KW4KF here.
First off, what device are you trying to connect? Might help me determine the ports needed.

The easier way to handle this is first get it working on the new network, then worry about security.

Create a new bridge on the main bridge tab.
On the ports tab, find the port the device is plugged into, and change it to the new bridge.

In IP->Addresses: Assign the new bridge an ip of 192.168.89.1/24 (Doesn't really matter what you use, I'm assuming you haven't changed the default 192.168.88.0/24 network)
If you need DHCP: Open IP->DHCP Server, click the DHCP Setup button on the main tab and just click through the boxes that pop up.

Reboot or power on the device. It should pick up an IP in the new network.
Double check your local connectivity. Internet might not be available on the new network yet.

Let me know if you get that far. Then we'll deal with security.
If you'd like, depending on the time, I might be available by echolink
 
User avatar
gyropilot
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Sep 10, 2016 10:49 pm
Location: SE Arizona USA

Re: Best Way to Isolate Untrusted Device on My Home Network?

Fri Oct 12, 2018 5:43 am

First off, what device are you trying to connect? Might help me determine the ports needed.

Hi Jim,

Thanks for the help.

This is a Nano-Node from Micro-Node Intl (http://micro-node.com/nano-m1.shtml) for IRLP communication.

For it to work correctly the following ports need to be open:

Ports 15425 through 15427, TCP
Ports 2074 through 2093, UDP
Ports 5198 and 5199, UDP

Since forwarding these ports isn't possible through a normal cellular carrier's network, I have to enable a VPN on the Nano-Node, which as I mentioned in a previous post, opens ALL ports to the Nano-Node.

The easier way to handle this is first get it working on the new network, then worry about security.

I do have it successfully working on my network... my wife just used it to participate in the Denver Pet Net on IRLP reflector 9618... but I'm getting increasingly nervous about the security risk it posses to my network. I generally only power it on to use it then power it back down. However, an IRLP device is really designed to be left on and connected 24/7, so the way I'm doing it isn't ideal. And of course other hams can't call me when it's turned off!

Create a new bridge on the main bridge tab.
On the ports tab, find the port the device is plugged into, and change it to the new bridge.

In IP->Addresses: Assign the new bridge an ip of 192.168.89.1/24 (Doesn't really matter what you use, I'm assuming you haven't changed the default 192.168.88.0/24 network)
If you need DHCP: Open IP->DHCP Server, click the DHCP Setup button on the main tab and just click through the boxes that pop up.

Reboot or power on the device. It should pick up an IP in the new network.
Double check your local connectivity. Internet might not be available on the new network yet.

Let me know if you get that far. Then we'll deal with security.

I did get that far, but I must have missed some settings because I couldn't ping the device from my main LAN (192.168.88.0/24), nor could the device reach the internet.

For example, what about setting up an entry in IP -> Routes? I tried that but really didn't know what I was doing.

Also, the Nano-Node needs to have the network's gateway IP programmed in. Assuming the new isolated network is using 192.168.89.1/24, would the gateway be 192.168.89.1 or 192.168.88.1 (from the existing LAN)?

Probably what I should try to do first is create the new isolated network and plug a laptop into that ethernet port to test and troubleshoot connectivity before worrying about the Nano-Node. Once I get this isolated network setup, long term I plan to examine the Nano-Node OS (Raspbian Wheezy) to verify it has good secure firewall settings (presumably it's using iptables). But first I really want it off my main LAN.

Thanks again and 73,

John
AA7US
 
schrotn
just joined
Posts: 14
Joined: Sat Sep 13, 2014 8:23 am

Re: Best Way to Isolate Untrusted Device on My Home Network?

Fri Oct 12, 2018 7:01 am

Edit @ 10/12/18 - 12:40am EDT
This might be getting outside the area of Mikrotik's forum, but after looking at the product I think the security worries might be on the paranoid-ish side.

Since the device is probably behind Mikrotik's default firewall and uses a VPN, the only ports truly open to the internet are are only open to the VPN endpoint and that device.
While using the VPN, the security of the device rests on the VPN provider.

While it's connected to the VPN provider, you cannot modify the ports available to the public internet using your Mikrotik router.
Hopefully the manufacturer has restricted the usage to only the ports needed to function. It being a semi-closed source device, we might not truly know.
But you can control what access it has to your local network.

In this case, I believe it's ok to leave it connected to your default network.
But to lock it down hard, do the following:

Assign it a static DHCP address under IP->DHCP Server->Leases

Under IP->Firewall->Filter
(The position of these rules depends on your current setup. I can't be 100% sure of the position unless I can see your current setup. Should probably be near the end before the deny all rule.)
Add Rules (In this order, order is important):
src-address: **nanonode ip** dst-address=**network subnet/24** protocol=tcp dst-port-80 action=accept **WEB Interface**
src-address: **nanonode ip** dst-address=**network subnet/24** protocol=tcp dst-port-22 action=accept **SSH interface**
src-address: **nanonode ip** dst-address=**network subnet/24** action=reject

Those 3 rules will only allow other devices on your network to talk to it through HTTP and SSH, but not allow it to talk to anything it tries to establish.

I'd like to say that would protect you from 100% of attacks, but with all things connected to the internet that is impossible to truly accomplish due to bugs and security holes.
As a corporate network administrator myself, I would feel confident in those rules to generally protect my network from intrusion with this device.
 
User avatar
gyropilot
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Sep 10, 2016 10:49 pm
Location: SE Arizona USA

Re: Best Way to Isolate Untrusted Device on My Home Network?

Fri Oct 12, 2018 4:48 pm


This might be getting outside the area of Mikrotik's forum, but after looking at the product I think the security worries might be on the paranoid-ish side.

I thought you couldn't be too paranoid with network security? :D Just kidding.

Thank you for the suggestions. I appreciate your time. I'll give this a try.

I'd still feel even better if the Nano-Node were on a separate, mostly-isolated subnet, but as you suggested maybe that's really not necessary.

Best regards,

John
AA7US
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Best Way to Isolate Untrusted Device on My Home Network?

Fri Oct 12, 2018 5:05 pm

It's easy. Remove one port from bridge. Assign another subnet to it and set up dhcp server (unless static config is enough). Fix the firewall. Done.
I think I already have the catch-all drop at the end of my firewall filters, ...
You don't. Such rule would be unconditional "add action=drop chain=forward". That's one way to do it, but you'd have to add accept rules for everything you want to allow (LAN to internet, LAN to DMZ, perhaps DMZ to internet). I think it's best way, but others are possible too. You can add one rule to block access from DMZ to LAN and it could be enough.
 
User avatar
gyropilot
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Sep 10, 2016 10:49 pm
Location: SE Arizona USA

Re: Best Way to Isolate Untrusted Device on My Home Network?

Mon Oct 15, 2018 4:21 am


Under IP->Firewall->Filter
(The position of these rules depends on your current setup. I can't be 100% sure of the position unless I can see your current setup. Should probably be near the end before the deny all rule.)
Add Rules (In this order, order is important):
src-address: **nanonode ip** dst-address=**network subnet/24** protocol=tcp dst-port-80 action=accept **WEB Interface**
src-address: **nanonode ip** dst-address=**network subnet/24** protocol=tcp dst-port-22 action=accept **SSH interface**
src-address: **nanonode ip** dst-address=**network subnet/24** action=reject

Hi schrotn,

Can you please tell me why did you suggest to use a "reject" action in the last firewall filter rule instead of the usual "drop" action?

I ask because I'm trying to understand when it's appropriate (or necessary?) to issue a reject response instead of just silently dropping traffic?

Thank you,

John
AA7US

Who is online

Users browsing this forum: No registered users and 17 guests