this post was submitted on 23 Dec 2023
8 points (100.0% liked)

Mikrotik

A community-contributed sublemmy for all things Mikrotik. General ISP and network discussion also permitted. Please ensure if you're asking a question you have checked the Wiki First: https://help.mikrotik.com

My home network is firewalled and reasonably secure (all permanent devices and IoT devices have MAC addresses tracked and registered) but I’d like to improve it even more:

  • Home devices (servers, printers, laptops, etc.) with registered MAC addresses which can’t be accessed from my registered IoT devices or from unregistered guest devices.

  • QoS rules for all guest devices.

Using a hEX to run the network with UniFi AP hardware.

top 4 comments
[email protected] 6 points 1 year ago

I’d split your network into 3 vlans. One for home, one for IoT and one for guest access (probably over WiFi). That way your firewall can handle the access rules.
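The three-VLAN layout suggested above, as an added RouterOS configuration example that is not from the thread or from MikroTik. It assumes RouterOS 7.x on a hEX with ether1 as WAN, ether2 as the trunk to the UniFi AP (SSIDs tagged, AP management untagged on the home VLAN) and ether3 for wired home devices; the VLAN IDs 10/20/30, the 10.0.x.0/24 subnets and the interface list names are assumptions. The firewall rules let IoT and guest clients reach only the Internet, while home devices can reach everything (including IoT, for management), so the isolation no longer depends on tracking MAC addresses.

```routeros
# Added example, not the poster's config. Assumptions: RouterOS 7.x on a hEX,
# ether1 = WAN, ether2 = trunk to the UniFi AP, ether3 = wired home devices,
# VLAN 10 = home, 20 = IoT, 30 = guest, subnets 10.0.<vlan>.0/24.

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=10

# VLAN table: the AP trunk (ether2) and the router itself (bridge1) carry all
# three VLANs tagged; ether3 only ever sees untagged home traffic.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 untagged=ether3 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=30

# Layer 3 interfaces the router uses to route and firewall between VLANs
/interface vlan
add interface=bridge1 name=vlan10-home vlan-id=10
add interface=bridge1 name=vlan20-iot vlan-id=20
add interface=bridge1 name=vlan30-guest vlan-id=30

/ip address
add address=10.0.10.1/24 interface=vlan10-home
add address=10.0.20.1/24 interface=vlan20-iot
add address=10.0.30.1/24 interface=vlan30-guest

# Interface lists keep the firewall readable: LAN = everything internal,
# UNTRUSTED = the VLANs that must not initiate traffic to anything else.
/interface list
add name=WAN
add name=LAN
add name=UNTRUSTED
/interface list member
add interface=ether1 list=WAN
add interface=vlan10-home list=LAN
add interface=vlan20-iot list=LAN
add interface=vlan30-guest list=LAN
add interface=vlan20-iot list=UNTRUSTED
add interface=vlan30-guest list=UNTRUSTED

/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="replies to connections the home VLAN opened"
add chain=forward action=drop connection-state=invalid
# IoT and guest may reach the Internet and nothing internal
add chain=forward action=accept in-interface-list=UNTRUSTED out-interface-list=WAN
add chain=forward action=drop in-interface-list=UNTRUSTED out-interface-list=LAN \
    comment="IoT/guest cannot initiate to home (or to each other's VLAN)"
# Home devices may open connections anywhere, including to IoT for management
add chain=forward action=accept in-interface=vlan10-home
add chain=forward action=drop comment="default deny"

# Turn filtering on last: enabling it before the VLAN table is complete is
# the classic way to lock yourself out of the router.
/interface bridge set bridge1 vlan-filtering=yes
```

Two things the block leaves out: a DHCP server and pool per VLAN, and input-chain rules. With the stock RouterOS default firewall, the input chain accepts from anything in the LAN list, so IoT and guest clients can still get DHCP and DNS from the router; if you tighten input, allow UDP 67 and 53 from the UNTRUSTED list explicitly. Clients on the same VLAN still see each other at layer 2 (the forward chain never sees that traffic), so separating guest from IoT into distinct VLANs, as the comment suggests, is what gives the isolation rather than firewall rules alone.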

Nogami 1 points 11 months ago

That sounds like a good starting point. I’ll need to read up on setting up VLANs.

Synthead 3 points 1 year ago (last edited 1 year ago)

What do you mean by "tracked and registered?" What is your goal for "securing even more?"

MAC addresses are visible to anyone sniffing traffic for a wireless LAN, even if they haven't joined your network. If you are having anonymous folks join your network and you're granting them access based on MAC addresses, then you could consider this a security risk. They can sniff a MAC, spoof it, and join your network.

Two devices with the same MAC address may cause some routing issues, but it will likely work well enough to have privileged access and be a bad actor. Plus, there are tools that can spoof a network disconnect request as your access point to temporarily kick off the legitimate client.

The easiest way to handle this would be to host two access points. You can typically serve both with one physical piece of hardware. One would be for your private stuff, and you can pretty much give it a full-trust model. Join the network, get the privileges. The other would be for guests. Join that, and you just get Internet access. You can separate these networks with VLANs to achieve this.

Nogami 1 points 11 months ago

It’s just my home network so only people who have the Wi-Fi password are getting on. This is more a learning project than rock-solid production security.

Ideally I’d like to keep IoT things on a separate VLAN so if one has an exploit it doesn’t have access to my regular home LAN with servers and printers and such.

And I’d like to QoS the devices from family who visit over the holidays so they don’t crush my network with downloading and such.
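Rate-limiting the holiday visitors without tracking each device, as an added RouterOS example that is not from the thread or from MikroTik. It assumes a guest VLAN addressed as 10.0.30.0/24 on an interface named vlan30-guest, and the 5M up / 30M down figures are placeholders to adjust for your uplink. Because the whole guest subnet is the queue target, a new phone that joins the guest SSID is limited automatically; PCQ then splits the guest allocation fairly per client IP, so one person downloading cannot starve the others on the same SSID.

```routeros
# Added example, not the poster's config. Assumptions: guest VLAN is
# 10.0.30.0/24 on vlan30-guest; the guest cap of 5M up / 30M down is a
# placeholder for a fraction of the real WAN speed.

# PCQ sub-queues are keyed per client address: downloads (dst-address is the
# guest) and uploads (src-address is the guest) each get an equal share.
/queue type
add name=guest-pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=0
add name=guest-pcq-up kind=pcq pcq-classifier=src-address pcq-rate=0

# One simple queue for the whole guest subnet. max-limit is upload/download,
# matched by queue=upload-type/download-type.
/queue simple
add name=guest-vlan target=10.0.30.0/24 max-limit=5M/30M \
    queue=guest-pcq-up/guest-pcq-down \
    comment="all guest devices share this cap, split fairly per client"

# The stock RouterOS firewall fasttracks established connections, and
# fasttracked packets bypass simple queues entirely. Replace the default
# fasttrack rule with one that excludes the guest subnet in both directions
# so guest traffic still passes through the queue.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    src-address=!10.0.30.0/24 dst-address=!10.0.30.0/24 \
    comment="fasttrack everything except guest traffic" \
    place-before=0
```

Verify the queue is actually seeing traffic with /queue simple print stats while a guest device downloads; if the byte counters stay at zero, the fasttrack rule is still matching guest connections and the queue is being bypassed. The same pattern, a per-subnet simple queue, can be applied to the IoT VLAN if a camera or TV ever starts saturating the uplink.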