Community discussions

MikroTik App
 
pwac092
just joined
Topic Author
Posts: 21
Joined: Tue Oct 04, 2022 9:44 pm

Firewall in two router network

Tue Oct 04, 2022 11:16 pm

Good afternoon people!

I am sorry, this will be something basic, I am sure. I have some experience with nftables (via iptables, but still), and almost none with mikrotik. Fantastic machines!

Anyhow, I have a weird setup that has worked so far.

I have a hAP ac3 which connects to the internet through a bridged GPON device (i.e. the hAP gets the fixed, public IP address). hAP handles all the configuration in the network, VLANs etc.
A second router, a hEX (RB750Gr3) connects through ether1 into ether3 of the hAP. The hEX is configured as a Bridge, where all interfaces can access the internet. DHCP servers are disabled on the hEX, and ether1 on the hEX gets a fixed IP from the hAP (.88.2). Clients connected to hEX get all connection information from hAP. There are only 4 devices connect to it hEX (1 PC (.88.33), a server (.88.5), a NAS (.88.6) and a network printer (.88.7).

The role of the hEX used to be filled by a gigabit switch, I created a bridge in the hEX by disabling the DHCP server,assigning an address to the default bridge and added ether1 to the bridge. The rest, is the default configuration that came with the router, including firewall rules.

The network "looks" like this

internet <--> (184..) hAP (.88.1)
  • (.88.2) hEX
    • * |--> PC (.88.33)
      * |--> NAS (.88.6)
      * |--> server (.88.5)
      * |--> printer (.88.7)

I want to take advantage of the additional capabilities provided by the hEX. In particular, I want to isolate the NAS from the internet, while still allowing all devices in the local network to access it. I think the best way to do it would be through firewall rules.

So, I added a rule to the forward chain, dropping all packages destined for outside LAN from the IP of the NAS (i.e. .88.6 to !LAN). I have sshd into the NAS to ping google, but nothing gets dropped, nothing gets logged. I have tried several variations of this rule, to no avail. This works from from the hAP, just not from the hEX.

So far, the only thing I have not yet tried is to disable hardware offloading, but I am hesitant to do this as it makes no sense. Am I missing something?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14494
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Firewall in two router network

Wed Oct 05, 2022 2:26 am

I do something similar with my hex, but my main router all runs on vlans.
The trusted vlan gives the hex its IP address and is the only van needed to be identifed to the bridge.
The other vlans are solely identified on the /interface bridge ports and /bridge vlans, works great,

here is a link - viewtopic.php?t=182276

The nice touch on this is that the firewall rules for the vlans on the main router do the work, no need for any firewall rules on the hex.
 
Sob
Forum Guru
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: Firewall in two router network

Wed Oct 05, 2022 2:48 am

IP firewall by default doesn't apply to bridged traffic. It can be changed, but then everything will go through it, which won't be good for performance. Unless your NAS is completely untrusted (meaning that something running on it could e.g. spoof packets), the right place for doing what you want is first router (hAP).
 
pwac092
just joined
Topic Author
Posts: 21
Joined: Tue Oct 04, 2022 9:44 pm

Re: Firewall in two router network

Wed Oct 05, 2022 3:49 am

Cheers sob! This was my guess, but I just could not find a way to do it. Could you point me in the right direction?

Also, performance is not really an issue. It is really only me using the network. I work in a somewhat large research lab, and this is my own personal copy of my working data, it is not much, just a few terabytes. The server mentioned in my post is a syncthing instance, it keeps my data repository at work and at home synced. The NAS is just there to keep a local, redundant, versioned copy of the synced data. This makes it easier for quick data recovery when something goes wrong with my working data. Syncing the server and NAS is done at night, so load is not really an issue. There is an external backup as well, but again, done nightly, after verification of the copy on the NAS server.

The NAS is really not untrusted, quite the contrary, it's only me using it and the data is copied onto it without human interference. I want to isolate it from the internet because I don't trust the manufacturers. It's an ASUSTOR, and they were hit with a ransomware attack a few months ago, distributed through the update network. I just want to make sure it does not go online, since it really should not go online.

Edit: quoted text removed.
Last edited by pwac092 on Wed Oct 05, 2022 5:37 am, edited 1 time in total.
 
pwac092
just joined
Topic Author
Posts: 21
Joined: Tue Oct 04, 2022 9:44 pm

Re: Firewall in two router network

Wed Oct 05, 2022 3:50 am

I do something similar with my hex, but my main router all runs on vlans.
The trusted vlan gives the hex its IP address and is the only van needed to be identifed to the bridge.
The other vlans are solely identified on the /interface bridge ports and /bridge vlans, works great,

here is a link - viewtopic.php?t=182276

The nice touch on this is that the firewall rules for the vlans on the main router do the work, no need for any firewall rules on the hex.
Cheers anav! Thank you for your time, i'll have a look and get back to you.
 
pwac092
just joined
Topic Author
Posts: 21
Joined: Tue Oct 04, 2022 9:44 pm

Re: Firewall in two router network

Wed Oct 05, 2022 5:50 am

Cheers sob! This was my guess, but I just could not find a way to do it. Could you point me in the right direction?

Also, performance is not really an issue. It is really only me using the network. I work in a somewhat large research lab, and this is my own personal copy of my working data, it is not much, just a few terabytes. The server mentioned in my post is a syncthing instance, it keeps my data repository at work and at home synced. The NAS is just there to keep a local, redundant, versioned copy of the synced data. This makes it easier for quick data recovery when something goes wrong with my working data. Syncing the server and NAS is done at night, so load is not really an issue. There is an external backup as well, but again, done nightly, after verification of the copy on the NAS server.

The NAS is really not untrusted, quite the contrary, it's only me using it and the data is copied onto it without human interference. I want to isolate it from the internet because I don't trust the manufacturers. It's an ASUSTOR, and they were hit with a ransomware attack a few months ago, distributed through the update network. I just want to make sure it does not go online, since it really should not go online.

Edit: quoted text removed.

Really stupid of me. I simply enabled ip filtering in the bridge and that was that. I will report back on CPU usage for my usecase. Thank you!
 
Sob
Forum Guru
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: Firewall in two router network  [SOLVED]

Wed Oct 05, 2022 2:17 pm

That's it. Or you can try bridge filters (/interface/bridge/filter). Something like:
/interface bridge filter
add chain=forward in-bridge=<bridge> in-interface=<NAS interface> mac-protocol=ip dst-address=!192.168.88.0/24 action=drop
Main difference is that IP firewall is stateful, while bridge filters are stateless. So e.g. port forwarded to NAS from outside wouldn't work, because you couldn't tell whether the remote address is part of such connection, or if NAS is trying to connect to it. But since you'd skip connection tracking, it could be faster (I'm not sure how much).
 
pwac092
just joined
Topic Author
Posts: 21
Joined: Tue Oct 04, 2022 9:44 pm

Re: Firewall in two router network

Wed Oct 05, 2022 7:59 pm

Thank you very much!! I have marked the answer as accepted.

Now, You know what is odd?

This idea that IP firewall by default doesn't apply to bridged traffic. (which makes total sense by the way, is not quite so.

That is, some of the traffic is "dectected" by the IP filter in that packages and bytes are counted. So, what gives?

For instance, for established, related and untracked packages, the forward chain is completely able to count packages and bytes. The total count has got to be WAY off, as I did my usual backup yesterday and it is only tracking a few megabytes (attached image). Maybe DNS?
You do not have the required permissions to view the files attached to this post.
 
Sob
Forum Guru
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: Firewall in two router network

Wed Oct 05, 2022 8:46 pm

It depends. If you have bridged ports with connected devices using same IP subnet, and you don't enable "Use IP Firewall" on bridge, communication between those devices won't be seen by IP firewall. If you enable this option, then it will. Another way how IP firewall (forward chain) could see something, is if some device would use this bridge device as its gateway (gateway=<IP address on bridge>). It shouldn't, if this is just bridge, gateway should be main router. And of course firewall will see bridge's own traffic (input and output chains). If you're not sure what packets is some rule seeing and counting, you can enable logging for any rule (log=yes or Log checkbox on Action tab in WinBox).
 
pwac092
just joined
Topic Author
Posts: 21
Joined: Tue Oct 04, 2022 9:44 pm

Re: Firewall in two router network

Tue Oct 25, 2022 2:43 am

Sob, thank you very much for your help.

I took some time to answer as I wanted to make sure I got things right.

As you might have guessed, this is indeed the case.

I have solved this now, things are working fine.

Thank your very much!

Who is online

Users browsing this forum: Ahrefs [Bot], anav and 32 guests