Divided Network

Hey everyone,

 

I want to buy a MikroTik RouterBOARD RB2011UiAS-RM, but I need to have some ports open for my servers. My dad, however, needs a secure network for business reasons. I was wondering if I could configure it, and if so how, to have two separate networks, with my server network having open ports and the house network protected. I don't want to buy another firewall and was wondering if anyone knew how to do this.

 

Thanks

-The_Auditor


What you want are subnets.

 

Subnets allow you to have discrete LAN networks that all have access to your WAN. Take that with a grain of salt though. Say for example you have 2 subnets. 1 subnet is under 10.0.0.0/24 and another is under 10.0.10.0/24. We'll call them HOME and BUSINESS. By default, both of these networks will have access to the WAN, but they will not be able to access each other. You can of course set firewall rules to allow BUSINESS to access HOME, but not vice versa. This would mean that any servers or open ports you have on HOME will not be vulnerable to attacks from computers on BUSINESS, because in the eyes of the clients on HOME, BUSINESS does not even exist. But if you had, say, a printer or something on HOME, then you would want to make sure that people running on the BUSINESS subnet have access to it, and you would need to add a firewall rule for that.

 

This is probably what you want to set up. Keep in mind that you may also have to set up VLANs and separate wireless networks for each. But that shouldn't be too difficult with the proper research.

 

Then again, I've never used MikroTik. So I don't even know for sure if the stuff I said above will even work. But it's worth a shot I suppose.

"Although there's a problem on the horizon; there's no horizon." - K-2SO


1 hour ago, dj_ripcord said:

What you want are subnets.

 

Subnets allow you to have discrete LAN networks that all have access to your WAN. Take that with a grain of salt though. Say for example you have 2 subnets. 1 subnet is under 10.0.0.0/24 and another is under 10.0.10.0/24. We'll call them HOME and BUSINESS. By default, both of these networks will have access to the WAN, but they will not be able to access each other. You can of course set firewall rules to allow BUSINESS to access HOME, but not vice versa. This would mean that any servers or open ports you have on HOME will not be vulnerable to attacks from computers on BUSINESS, because in the eyes of the clients on HOME, BUSINESS does not even exist. But if you had, say, a printer or something on HOME, then you would want to make sure that people running on the BUSINESS subnet have access to it, and you would need to add a firewall rule for that.

 

This is probably what you want to set up. Keep in mind that you may also have to set up VLANs and separate wireless networks for each. But that shouldn't be too difficult with the proper research.

 

Then again, I've never used MikroTik. So I don't even know for sure if the stuff I said above will even work. But it's worth a shot I suppose.

Thanks, but I was also wondering if I can make it so that the ports are open on the server side and not the home side.

 

Is this possible, or do I need to get another firewall?

Also, a sub-question here: if I need another firewall, can I just use a firewall, or does it need a router behind it?

 

Thanks

-The_Auditor

 


Firewalls often serve as a router as well. So you should only need one device.

 

And yes, you can absolutely set up your port forwarding such that different ports are open on each subnet. That's the reason for them. It's literally like having multiple routers plugged into the same modem.

 

To go into a bit more detail for you though, what you probably want for your server is called a DMZ. DMZ is often a simple setting you can enable inside your firewall, and it often has an accompanying port to use. The DMZ by default is denied all access to any network other than itself. So if some attacker got into your server, they would not be able to "climb up the ladder" into your other LAN networks.

 

Catch my drift?

 

 

"Although there's a problem on the horizon; there's no horizon." - K-2SO


17 hours ago, dj_ripcord said:

By default, both of these networks will have access to the WAN, but they will not be able to access each other.

Not sure what equipment you are used to, but on Cisco devices they most certainly will be able to access each other.

In order to restrict access between the two you would need either a DMZ setup or some access list.

 

I am not sure what options you have on your MikroTik router, but the proper way of setting this up would be a zone-based firewall.


3 minutes ago, LAwLz said:

Not sure what equipment you are used to, but on Cisco devices they most certainly will be able to access each other.

In order to restrict access between the two you would need either a DMZ setup or some access list.

 

I am not sure what options you have on your MikroTik router, but the proper way of setting this up would be a zone-based firewall.

VACLs (or any other ACL, depending on the setup) can stop them from talking to each other, but yes, so long as both VLANs and their L3 interfaces live on the same box, they can talk by default :)


9 hours ago, Lurick said:

so long as both VLANs and their L3 interfaces live on the same box, they can talk by default :) 

VDOMs ;). One of the actually nice things about virtual firewall instances is the segregation of local directly connected routes, if you need that.


3 hours ago, leadeater said:

VDOMs ;). One of the actually nice things about virtual firewall instances is the segregation of local directly connected routes, if you need that.

True, if you've got a firewall in the mix then you can set security levels. I did forget about that :) 


With MikroTik you can create 2 bridges and separate them with a firewall. The firewall in RouterBoards uses iptables, so no Cisco-like ACLs. The DMZ/LAN idea is definitely a good idea.
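As an added illustration of the two-bridge layout in the post above and the HOME/server split with one-way firewall rules that dj_ripcord described, here is a RouterOS console script for the RB2011 (example configuration written for this thread, not from any poster or from MikroTik's documentation). It assumes ether1 is the WAN, the server subnet is 10.0.10.0/24 with one server at 10.0.10.10 publishing TCP 8080, and the home subnet is 10.0.0.0/24; every address, port and interface name is an assumption you would adjust.

```routeros
# Assumed layout: ether1 = WAN, ether2-3 = HOME bridge, ether6-7 = SERVER bridge.
/interface bridge
add name=bridge-home
add name=bridge-server
/interface bridge port
add bridge=bridge-home interface=ether2
add bridge=bridge-home interface=ether3
add bridge=bridge-server interface=ether6
add bridge=bridge-server interface=ether7

# One subnet per bridge (dj_ripcord's 10.0.0.0/24 and 10.0.10.0/24).
/ip address
add address=10.0.0.1/24 interface=bridge-home
add address=10.0.10.1/24 interface=bridge-server

/ip firewall nat
# Both subnets share the WAN address.
add chain=srcnat out-interface=ether1 action=masquerade
# The only published port; it lands on the SERVER subnet, never on HOME.
# 10.0.10.10:8080 is an assumed server address/port.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=10.0.10.10 to-ports=8080

/ip firewall filter
# Return traffic for sessions either side opened is always allowed.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# DMZ behaviour: the server subnet may not open connections into HOME,
# so a compromised server cannot "climb the ladder" into the house network.
add chain=forward in-interface=bridge-server out-interface=bridge-home \
    action=drop comment="SERVER -> HOME denied"
# HOME may still reach the servers (one-way rule, like the printer example).
add chain=forward in-interface=bridge-home out-interface=bridge-server \
    action=accept comment="HOME -> SERVER allowed"
# From the WAN, only connections that matched a dst-nat rule get through;
# everything else from the Internet is dropped before it reaches any bridge.
add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=!dstnat action=drop comment="WAN only via dst-nat"

# Protect the router itself: no management from the Internet or from the DMZ.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 action=drop comment="no WAN access to router"
add chain=input in-interface=bridge-server protocol=tcp \
    dst-port=22,80,443,8291 action=drop comment="no router management from SERVER"
```

Rule order matters in RouterOS: the established/related accept must precede the drops, and the WAN drop relies on the dst-nat rule having tagged the connection first.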
