Management Network for router access?
Posted: Wed Nov 07, 2018 2:14 pm
by RackKing
This is a SOHO/SMB focused question for the most part. I typically create a management network for devices like managed switches, APs, Power Devices, and other various widgets that are directly related to core network operations. I let them pull DHCP and then set a reservation out of the DHCP scope. I wish more devices were DHCP out of the box.... IoT devices do not go on this network. I also typically use this network for router management and allow it in via an input rule. Do you think this is a bad idea? If I am an idiot for doing it this way, please feel free to let me know - I am OK with a good public shaming.
Would it make more sense to create a separate "router access" network, no DHCP and apply it to a physical port on the router for direct management? It would limit the "physical" security risk to the router itself VS other devices (thinking APs) scattered through the premises.
I suppose I could leave it open to the management network and limit one IP address that I could use for router management.
The "available from" in the IP service list could also be used, but I am not sure how this layers in with a firewall rule. I would think the firewall rules would supersede anything but maybe not. If they were in conflict that would be bad me thinks.
Thoughts?
Re: Management Network for router access?
Posted: Thu Nov 08, 2018 4:07 am
by RackKing
I would really appreciate any feedback.
Re: Management Network for router access?
Posted: Thu Nov 08, 2018 4:26 am
by hammer185
Questions like this are very difficult to answer because not only of security and best network practices outside of potential laws and regulations many don't consider but because of laws that often come into play with a lot of Mikrotik stuff that may be using, say for example, one or more of the ISM frequency bands. The technical and best practices issues I would let others address. However, I am quite certain it's outside of the intent of the ISM band and likely illegal to use the ISM band to create a private network for a network operator to use. That's why it specifically forbids those types of telecommunication usages of the ISM band that are things done by many utility companies these days. That's why large companies that use the ISM band to manage their network such as many power companies, etc. are likely to end up in court against WISPs like mine that have not illegally used the ISM band to create a private management network over ISM resources ever and have not created private networks using those bands but have used only Internet services over those bands. In many cases these companies arguably illegally using ISM bands have in fact harmed or even disabled Internet services otherwise able to be delivered or more reliably delivered before the illegal interference stemming from international standards of using ISM bands. If you need to set up a management network using ISM bands, consider the legal risks of that and be clear to your customers in any agreements that you can only do so with their consent, as otherwise it is very likely easy to argue as trespassing in court if you push it as a necessary component of your service, depending on your jurisdiction.
Re: Management Network for router access?
Posted: Thu Nov 08, 2018 4:30 am
by mistry7
We use a management network too; it is not reachable from the customers' side and not directly from the Internet, no port forward!
External use only via L2TP/IPsec.
Re: Management Network for router access?
Posted: Thu Nov 08, 2018 4:42 am
by RackKing
Thank you both for your replies.
Re: Management Network for router access?
Posted: Fri Nov 09, 2018 11:01 am
by Steveocee
It's a great idea to have a management network if your end devices can be separated like that. Once you are in a SOHO/SMB environment then this becomes almost standard to have multiple LANs (/vlans). The trick is ensuring nobody simply plugs in to your MGMT network to access the devices.
Ensuring you have a strong username and password on all of these devices is key and try to make sure your access is limited, if on site then a specific IP is an OK idea.
IP>Services "available from" comes after the firewall, ideally your firewall should be stopping traffic before it gets to this point.
Re: Management Network for router access?
Posted: Fri Nov 09, 2018 3:47 pm
by RackKing
It's a great idea to have a management network if your end devices can be separated like that. Once you are in a SOHO/SMB environment then this becomes almost standard to have multiple LANs (/vlans). The trick is ensuring nobody simply plugs in to your MGMT network to access the devices.
Ensuring you have a strong username and password on all of these devices is key and try to make sure your access is limited, if on site then a specific IP is an OK idea.
IP>Services "available from" comes after the firewall, ideally your firewall should be stopping traffic before it gets to this point.
Thanks Steve for the information!
Re: Management Network for router access?
Posted: Fri Nov 09, 2018 4:06 pm
by R1CH
On one of my bigger networks I have a dedicated management VLAN. RouterOS is firewalled on every interface except this VLAN, so it only performs routing. I have a Linux box on the management network running wireguard that allows me to remote in, I trust wireguard far more than any of the RouterOS VPN services. All switches, access points, etc all have their main IP on the management network. One other benefit of a dedicated management network is that I can block all WAN access, this helps prevent devices phoning home when they shouldn't be and any potential exploits from being downloaded or propagated. When I need to update a device, it's only a few clicks to re-allow WAN access for updates etc.
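As an added worked example (not configuration posted by anyone in this thread), here is how Steveocee's ordering point (the firewall input chain runs before IP > Services "available from") and R1CH's design (a dedicated management VLAN, the router firewalled on every other interface, no WAN access for management devices, re-opened only for updates) fit together in RouterOS. All names and addresses are assumptions to be replaced: WAN on ether1, the management VLAN as vlan99-mgmt (VLAN id 99 on bridge1, subnet 10.99.0.0/24, router at 10.99.0.1), and a WireGuard jump host at 10.99.0.5 on WireGuard's default UDP port 51820.

```routeros
# Added example for this thread; not any poster's configuration. Assumed names and
# addresses (change them): WAN interface ether1, LAN bridge bridge1, management
# VLAN id 99 as vlan99-mgmt with subnet 10.99.0.0/24 (router at 10.99.0.1),
# WireGuard jump host 10.99.0.5 listening on UDP 51820 (WireGuard's default port).

/interface vlan
add name=vlan99-mgmt vlan-id=99 interface=bridge1
/ip address
add address=10.99.0.1/24 interface=vlan99-mgmt

# Interface lists keep the rules readable and easy to extend later
/interface list
add name=WAN
add name=MGMT
/interface list member
add list=WAN interface=ether1
add list=MGMT interface=vlan99-mgmt

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related comment="replies"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping"
add chain=input action=accept in-interface-list=MGMT src-address=10.99.0.0/24 \
    comment="router management only from the management VLAN"
add chain=input action=drop comment="router is firewalled on every other interface"

# --- forward chain: management devices get no Internet ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat \
    protocol=udp dst-port=51820 comment="inbound WireGuard to the jump host"
add chain=forward action=accept in-interface-list=MGMT out-interface-list=WAN \
    disabled=yes comment="update-window"
add chain=forward action=drop in-interface-list=MGMT out-interface-list=WAN \
    comment="no phoning home from the management VLAN"

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
add chain=dstnat in-interface-list=WAN protocol=udp dst-port=51820 \
    action=dst-nat to-addresses=10.99.0.5 comment="inbound WireGuard to the jump host"

# Second layer behind the firewall: IP > Services "available from".
# The input chain above is evaluated first, so this can only narrow what the
# firewall already let through; it never widens it. Unused services are off.
/ip service
disable telnet,ftp,www,api,api-ssl
set ssh address=10.99.0.0/24
set winbox address=10.99.0.0/24

# Opening and closing the update window when a management device needs firmware:
# /ip firewall filter enable [find comment="update-window"]
# /ip firewall filter disable [find comment="update-window"]
```

Two caveats before pasting something like this in: apply it from a console session in Safe Mode so a mistake in the input chain cannot lock you out, and remember that the final input drop also stops DNS and DHCP requests from your other VLANs reaching the router, so if it serves those, add input accepts for UDP 53 and 67 from the corresponding interface list ahead of the drop.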
Re: Management Network for router access?
Posted: Fri Nov 09, 2018 4:18 pm
by RackKing
On one of my bigger networks I have a dedicated management VLAN. RouterOS is firewalled on every interface except this VLAN, so it only performs routing. I have a Linux box on the management network running wireguard that allows me to remote in, I trust wireguard far more than any of the RouterOS VPN services. All switches, access points, etc all have their main IP on the management network. One other benefit of a dedicated management network is that I can block all WAN access, this helps prevent devices phoning home when they shouldn't be and any potential exploits from being downloaded or propagated. When I need to update a device, it's only a few clicks to re-allow WAN access for updates etc.
Thanks @R1CH. I too have had frustrations with the built in VPN servers. I will check out wireguard. I wish there was proper OVPN support -
I appreciate the response.
Re: Management Network for router access?
Posted: Fri Nov 09, 2018 4:22 pm
by RackKing
@R1CH - do you leave Neighbors Discover on for your management VLAN?
Re: Management Network for router access?
Posted: Fri Nov 09, 2018 8:49 pm
by hammer185
It appears you have a need to manage devices beyond the demarcation point but are also providing traditional Internet services. I would suggest you work with your customers to create a way where a box you can still manage, if they want hands off, hands all the management traffic off to a patch panel, be it copper or fiber (but I would suggest not wireless), where you then can pick it back up and send it on to you, or they can send it somewhere else or have the ability to investigate, while unplugging the patch panel on their end isolates the management at the lower 2 ISO layers from your other communication services. In this way, if they choose to or are even forced to unplug the management traffic hand-off and you lose your ability to manage that box I talked about when they do so, your Internet services would still function.