Creating WAN-separated VLAN

Posted: Sun Nov 12, 2023 4:22 pm
by Opifex
Hi all,

Long time user, but still big time newbie of MikroTik routers here.

I have a Home Assistant server set up and have bought a couple of Tuya devices. These work great, but are notorious for sending network data to China. Obviously I want to prevent that.
What I was hoping to do is the following:

1) Create a separate VLAN for the IoT devices (but not with the HA server)
2) Create a DHCP rule so that all devices in a certain MAC-range get assigned an IP on that VLAN
3) block all outgoing WAN traffic on that VLAN
4) allow traffic from the IoT VLAN to the HA assistant on the default VLAN and vice versa. (Or maybe 1 direction is enough? Not sure)

I tried reading the manuals, but I drown in the overload of information unfortunately.
Anyone who can guide me through this?
I am using a hAp ax2 with RouterOS v7.7

This is the export of my configuration:
# nov/12/2023 15:14:57 by RouterOS 7.7
# software id = REDACTED
#
# model = C52iG-5HaxD2HaxD
# serial number = REDACTED
/interface bridge
add admin-mac=REDACTED auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge-guestVLAN
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.mode=ap .ssid=REDACTED disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.mode=ap .ssid=REDACTED disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 security
add authentication-types=wpa2-psk group-key-update=5m management-protection=\
    allowed name=sec-guest
/interface wifiwave2
add configuration.mode=ap .ssid="REDACTED" disabled=no \
    mac-address=REDACTED master-interface=wifi1 name=wifi-guest1 \
    security=sec-guest security.wps=disable
add configuration.mode=ap .ssid="REDACTED" disabled=no \
    mac-address=REDACTED master-interface=wifi2 name=wifi-guest2 \
    security=sec-guest
/interface vlan
add interface=wifi-guest1 name=vlan-guest vlan-id=10
add interface=wifi-guest2 name=vlan-guest2 vlan-id=10
/ip pool
add name=dhcp ranges=192.168.99.10-192.168.99.254
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=bridge-guestVLAN name=dhcp1-guest
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*9
# no interface
add action=drop chain=forward out-interface=*9
# no interface
add action=drop chain=forward in-interface=*A
# no interface
add action=drop chain=forward out-interface=*A
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=*9
add bridge=bridge interface=*A
add bridge=bridge-guestVLAN interface=wifi-guest1
add bridge=bridge-guestVLAN interface=wifi-guest2
add bridge=bridge-guestVLAN interface=vlan-guest
add bridge=bridge-guestVLAN interface=vlan-guest2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.99.1/24 comment=defconf interface=bridge network=\
    192.168.99.0
add address=10.10.10.1/24 interface=bridge-guestVLAN network=10.10.10.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.99.227 client-id=1:dc:a6:32:f3:2e:f mac-address=\
    REDACTED server=defconf
add address=192.168.99.236 client-id=1:0:f1:40:42:0:3d mac-address=\
    REDACTED server=defconf
add address=192.168.99.204 mac-address=8C:CE:4E:18:A2:D5 server=defconf
/ip dhcp-server network
add address=10.10.10.0/24 comment="Guest network" dns-server=\
    10.10.10.1,8.8.8.8,1.1.1.1 gateway=10.10.10.1
add address=192.168.98.0/24 comment="IOT (no WAN)" gateway=192.168.99.1
add address=192.168.99.0/24 comment=defconf dns-server=192.168.99.1 gateway=\
    192.168.99.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.99.1 comment=defconf name=router.lan
add address=192.168.99.227 comment=3dprinter name=octopi.lan
add address=192.168.99.227 comment=3dprinter name=3dprinter.lan
add address=192.168.99.227 comment=3dprinter name=octopi
add address=192.168.99.227 comment=3dprinter name=3dprinter
add address=192.168.99.236 name=ha.lan
add address=192.168.99.236 name=ha.local
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAn" \
    in-interface-list=!LAN
add action=drop chain=forward in-interface=bridge-guestVLAN out-interface=\
    bridge
add action=drop chain=forward dst-address=192.168.88.0/24 in-interface=\
    bridge-guestVLAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Brussels
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thanks for your help!

Re: Creating WAN-separated VLAN

Posted: Sun Nov 12, 2023 4:29 pm
by anav
Draw a network diagram so that it's clearer for all...
Not sure about mac address finessing, but the rest is very doable.

Re: Creating WAN-separated VLAN

Posted: Sun Nov 12, 2023 4:40 pm
by jvanhambelgium
You don't need a separate vlan for that.
Just make sure your IoT devices get fixed IPs based on their MAC.
Then block these IPs on their way out.

Re: Creating WAN-separated VLAN

Posted: Sun Nov 12, 2023 5:13 pm
by Opifex
Thanks for the suggestion @janvanhambelgium! That indeed worked!
Wasn't really what I was looking for, but the simplicity of this solution... It makes me give up the search for a more automated one :)

Unfortunately though... I just found out that these newer Tuya devices apparently don't work if they can't connect to their own servers... So blocking WAN traffic won't work anymore... Doh!

Re: Creating WAN-separated VLAN

Posted: Sun Nov 12, 2023 5:22 pm
by jvanhambelgium
Do you have a "Tuya" bridge or something? (like a HUE box)
Can't you "pair" the Tuya devices natively with Zigbee to Home Assistant? Of course you need a Zigbee "radio" for that in your HA.

Re: Creating WAN-separated VLAN

Posted: Sun Nov 12, 2023 5:31 pm
by Opifex
The Tuya devices are WiFi sockets. Not Zigbee.
But it wouldn't solve it. It can't connect to "the cloud", so it doesn't allow it to work =/

Re: Creating WAN-separated VLAN

Posted: Sun Nov 12, 2023 5:38 pm
by Opifex
I just read this
NOTE 2: If you plan to integrate these devices on a network that has internet and blocking their internet access, you must also block DNS requests (to the local DNS server, e.g. 192.168.1.1). If you only block outbound internet, then the device will sit in a zombie state; it will refuse / not respond to any connections with the localkey. Therefore, you must first connect the devices with an active internet connection, grab each device localkey, and implement the block.
@jvanhambelgium: any idea how I can do this in MikroTik? (The blocking of DNS that is)

Re: Creating WAN-separated VLAN

Posted: Sun Nov 12, 2023 11:21 pm
by jvanhambelgium
The DNS blocking is going to be a bit harder if everything remains in the same "LAN".
If you were using an IoT VLAN it would be easy to also restrict "internal" traffic flowing between VLANs anyway.

An alternative could be to provide SPECIFIC DNS servers through DHCP options (e.g. public DNS servers 8.8.8.8 or 1.1.1.1) and then simply "block" them because it's Internet-facing traffic, in case these Tuya devices have hardcoded DNS servers (like some Android devices that call 8.8.8.8 as some fallback mechanism).

You could use something like this construction:

viewtopic.php?t=165253

Re: Creating WAN-separated VLAN

Posted: Mon Nov 13, 2023 12:12 am
by Opifex
I used the packet sniffer to see where it connects to immediately after plugging in.

First it connects to 192.168.99.1 on port 53. So that's the main DNS request we need to block.
Then it connects to 18.185.182.159 on port 443. WHOIS tells me it's an Amazon server.
After this another Amazon server: 52.58.249.45 on port 8886. JetStream protocol maybe?

Aside from that I only see it pinging around on the network, and broadcasting some stuff.

I tried to block all DNS traffic to the router with this command:
ip/firewall/filter/add action=drop comment="Drop DNS for IoT" src-address=192.168.99.204 dst-address=192.168.99.1 dst-port=53 protocol=udp chain=forward
Which means I now have the following rules for this device in play:
16    ;;; IoT WAN block
      chain=forward action=drop src-address=192.168.99.204 out-interface=ether1 
17    ;;; Drop DNS for IoT
      chain=forward action=drop protocol=udp src-address=192.168.99.204 dst-port=53 
18    ;;; Drop DNS for IoT
      chain=forward action=drop protocol=udp src-address=192.168.99.204 dst-address=192.168.99.1 dst-port=53 
Unfortunately, no luck. Maybe I did something wrong with the above rules?

Any ideas?

EDIT: I enabled logging on these rules. It appears they are not getting triggered? I must be doing something wrong?

Re: Creating WAN-separated VLAN

Posted: Mon Nov 13, 2023 7:20 am
by jvanhambelgium
It depends on how the devices are wired on your local LAN.
These Tuyas are *wireless*, right, so their traffic is hitting your router through the port on which some AP is connected?
And your DNS is the MikroTik itself at 192.168.99.1, looking at your config.

If so, change the "chain" to INPUT and see what happens.
The INPUT chain is for traffic hitting the MikroTik specifically, and in case it provides DNS services that's probably what you want.
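The approach the thread converges on (fixed IP per MAC, DNS dropped in the input chain, WAN dropped in the forward chain), written out as an added RouterOS example that is not the original poster's export or any reply in the thread. The IP and MAC are the ones from the export above; the list name iot-no-wan, the comments and the log prefixes are assumed, and the rules are placed ahead of the default accept/fasttrack rules so they are actually evaluated.

```routeros
# Added example (assumed names: iot-no-wan, "tuya-socket-1", log prefixes).
# Device IP/MAC taken from the export posted above.

# 1) Static lease: the socket always gets the same address
/ip dhcp-server lease
add address=192.168.99.204 mac-address=8C:CE:4E:18:A2:D5 server=defconf \
    comment="tuya-socket-1"

# 2) Address list: one entry per IoT device instead of one rule per IP
/ip firewall address-list
add list=iot-no-wan address=192.168.99.204 comment="tuya-socket-1"

# 3) INPUT chain = traffic to the router itself. The device sends its DNS
#    queries to 192.168.99.1:53, i.e. to the router, so a forward-chain rule
#    never sees them. The rule must sit above the defconf
#    "accept established,related,untracked" rule, otherwise the second and
#    later queries in a conntrack entry are accepted before it is reached.
/ip firewall filter
add chain=input action=drop protocol=udp dst-port=53 \
    src-address-list=iot-no-wan log=yes log-prefix="iot-dns-drop" \
    comment="IoT: drop DNS to router (udp)" \
    place-before=[find chain=input comment="defconf: accept established,related,untracked"]
add chain=input action=drop protocol=tcp dst-port=53 \
    src-address-list=iot-no-wan log=yes log-prefix="iot-dns-drop" \
    comment="IoT: drop DNS to router (tcp)" \
    place-before=[find chain=input comment="defconf: accept established,related,untracked"]

# 4) FORWARD chain = traffic routed through the router, i.e. towards the WAN.
#    Placed before "defconf: fasttrack", because a fasttracked/established
#    connection would otherwise be accepted before this rule is evaluated.
#    Traffic between the socket and the HA server stays on the bridge (same
#    subnet) and never enters this chain, so nothing extra is needed for it.
add chain=forward action=drop src-address-list=iot-no-wan \
    out-interface-list=WAN log=yes log-prefix="iot-wan-drop" \
    comment="IoT: drop all traffic to WAN" \
    place-before=[find chain=forward comment="defconf: fasttrack"]

# 5) Checks: the two counters below should increase when the socket is
#    power-cycled, and the log shows which flows were dropped.
/ip firewall filter print stats where comment~"^IoT"
/log print where message~"iot-"

# 6) For the one-time pairing that needs cloud access (the "grab the localkey
#    first" step quoted earlier), disable the list entry, pair, re-enable.
/ip firewall address-list set [find comment="tuya-socket-1"] disabled=yes
# ... pair the device ...
/ip firewall address-list set [find comment="tuya-socket-1"] disabled=no
```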

Re: Creating WAN-separated VLAN

Posted: Tue Nov 14, 2023 1:38 am
by Opifex
Thanks a lot! That worked! The firewall rules are now being triggered. Also thanks for explaining the "why". I'm not that familiar with network-related technology, but am always happy to learn!

It still didn't work after this, but apparently pressing the toggle button on the device twice fixed it. I have to do this after every unplug and replug action of the device. Fair enough. At least it works now.

Again, thanks a lot! Big thanks!