Mikrotik VLAN - IOT Isolation
17 Dec 2020 #Network #Linux

This is a summary of setting up VLANs in order to isolate my smart devices. The instructions here can be used for any other similar purpose to organize a home network. The goal is to allow these devices internet connectivity, but deny them access to my personal devices.

In order to achieve this network isolation, the plan is to create a dedicated virtual LAN for each type of device, then use a firewall to prevent traffic between the two.
- Trusted VLAN ID 100 - Trusted wireless devices on 5GHz and those connected via ethernet. In addition, any devices on the default VLAN ID 1 are able to communicate with this VLAN.
- Untrusted VLAN ID 200 - All devices connected over 2.4GHz. Luckily most IOT devices only support 2.4GHz, which makes this straightforward. Another benefit is that these devices don’t slow down the network for others.
Hardware
- Mikrotik hAP ac2 - Home router. Tiny device with enterprise level capabilities. These devices are so capable that many run entire community ISPs on Mikrotik hardware. Also, all Mikrotik devices run RouterOS, so the same techniques used by an ISP on enterprise grade hardware will work on this home device.
- Netgear GS108PE - PoE switch for wireless access points and security cameras. It’s important to use a “smart” switch, one that is VLAN aware, or else much of the following may not work. In addition, this switch provides 4 powered ports and 3 unpowered gigabit ethernet ports.
- TP-Link EAP 225 - Business grade wireless access points. Allows for multiple SSIDs and VLAN configuration. Much better than any consumer grade wireless router and by using a wired backhaul the performance/capabilities are much better than any consumer grade “mesh” system.
Defining VLANs
First, we need to actually define the VLANs and set up DHCP for them. Without this step, clients will be unable to even connect to our router or the internet.

- Define VLANs - On the `Interfaces > VLAN` menu, using either the web configuration or Winbox, define the VLANs. Ensure you select the interface that is physically connected to the switch; this is `ether5` in my case. Finally, set the desired VLAN ID for each VLAN. Later, on the switch, we’ll set the VLAN ID for specific ports or specific wireless networks. This places a VLAN tag on every associated packet, which the router uses to deliver the traffic to the appropriate VLAN interface.
  - VLAN 100 - Trusted wireless network
  - VLAN 200 - Untrusted wireless network (IOT devices)
- Add IP address gateway - On the `IP > Addresses` menu we next define the gateway address for each VLAN interface. Use the plus button and add a gateway address for each.
  - VLAN 100 - use `192.168.100.1/24` on interface `vlan100` from the previous step
  - VLAN 200 - use `192.168.200.1/24` on interface `vlan200` from the previous step
  By default we already have the `192.168.88.1/24` network for everything else.
- IP Pool - Now we define a “pool” of addresses for each VLAN, which the DHCP server will hand out. This is basically the set of addresses that can be assigned to clients on each VLAN. Go to the `IP > Pool` menu and define a pool for each.
  - VLAN 100 - Pool of `192.168.100.20-192.168.100.254`
  - VLAN 200 - Pool of `192.168.200.20-192.168.200.254`
  I usually leave a few IPs outside the pool for static leases, so they will never be assigned dynamically by DHCP.
- DHCP Network - Now on the `IP > DHCP Server > Networks` menu we define the DHCP network for each VLAN. This is also where we define the DNS servers for the network.
  - VLAN 100 - Address `192.168.100.0/24` and gateway of `192.168.100.1`, the same as defined above
  - VLAN 200 - Address `192.168.200.0/24` and gateway of `192.168.200.1`, the same as defined above
  I use both Cloudflare and Google DNS servers for extra redundancy and speed.
  - Cloudflare - `1.1.1.1` and `1.0.0.1`
  - Google - `8.8.8.8` and `8.8.4.4`
- DHCP server - Now define the DHCP servers on the `IP > DHCP Server > DHCP` menu to distribute addresses to clients on each VLAN. The servers use the IP pools we defined previously.
Now we have two VLANs and a DHCP server for each. Any packet tagged with a VLAN ID of 100 or 200 will be routed to the respective interface, then be assigned an IP from the respective DHCP server. Next, we need to configure the switch and wireless access points to set the VLAN ID on specific clients.
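The same five steps, as an added example expressed in RouterOS CLI commands rather than the web/Winbox menus; this is not configuration from the original post. `ether5`, the subnets, pool ranges and DNS servers are the ones given above; the names `vlan100`/`vlan200`, `pool100`/`pool200` and `dhcp100`/`dhcp200` are my own choices.

```routeros
# Added example (not from the original post): the "Defining VLANs" steps
# as RouterOS CLI commands. ether5 and the subnets are the post's; the
# names vlan100/vlan200, pool100/pool200, dhcp100/dhcp200 are assumed.

# 1. VLAN interfaces on the port that faces the switch
/interface vlan
add name=vlan100 vlan-id=100 interface=ether5 comment="trusted wifi"
add name=vlan200 vlan-id=200 interface=ether5 comment="untrusted IOT"

# 2. Gateway address for each VLAN (the default 192.168.88.1/24 stays)
/ip address
add address=192.168.100.1/24 interface=vlan100
add address=192.168.200.1/24 interface=vlan200

# 3. Address pools; .2-.19 stay free for static leases
/ip pool
add name=pool100 ranges=192.168.100.20-192.168.100.254
add name=pool200 ranges=192.168.200.20-192.168.200.254

# 4. DHCP networks with their gateway and DNS servers
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 \
    dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4
add address=192.168.200.0/24 gateway=192.168.200.1 \
    dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4

# 5. One DHCP server per VLAN interface, handing out its own pool
/ip dhcp-server
add name=dhcp100 interface=vlan100 address-pool=pool100 disabled=no
add name=dhcp200 interface=vlan200 address-pool=pool200 disabled=no

# Quick check once the switch and access points tag traffic: clients
# tagged 200 should appear as leases on dhcp200, never on dhcp100
/ip dhcp-server lease print where server=dhcp200
```

Binding the DHCP server to the VLAN interface (not to `ether5`) is what keeps the two pools separate: a lease is only offered on the interface whose tag the request arrived on, so a mis-tagged port on the switch shows up immediately as a client landing on the wrong server in the lease list.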
Switch and EAP 225 configuration
Configuring the switch was one of the more confusing aspects of this whole process for me. On the router we defined network settings to handle packets tagged with a specific VLAN ID. However, we still haven’t defined how these tags actually get applied. This is where the switch comes into play. Since this is a “smart” switch we can set a specific VLAN ID for each port, or we can allow a port to pass data that is already tagged, such as from our wireless access points.

- Define VLANs - Navigate to the `VLAN > 802.1Q > Advanced > VLAN Configuration` menu on the switch. This web configuration tool is not well documented, but you can create new VLANs by entering the desired ID and then clicking `ADD` at the top right. Add two VLANs for our desired setup.
- VLAN membership - Now go to `VLAN > 802.1Q > Advanced > VLAN Membership` and assign each physical port of the switch to a VLAN. Ports can be either “Tagged” (also known as trunk) or “Untagged” (also known as access) ports.
  - Tagged - Allows traffic for multiple VLANs
  - Untagged - Allows traffic for only a single VLAN
  In my case, I set the following:
  - Ports 1 and 2 are connected to my wireless access points. These will be passing both VLAN 100 and VLAN 200 traffic, so they are “Tagged” ports and members of both VLANs.
  - Ports 3 and 4 are connected to PoE security cameras. They are set as “Untagged” ports since they will pass traffic for only a single VLAN.
  - Port 6 - Connected to a home server. I added it as a member of both VLANs, but this is not strictly necessary, especially since our firewall later will not allow the traffic.
  - Port 8 - This port connects back to the router on `ether5` and is also a “Tagged” port since it’s passing traffic for multiple VLANs.
- VLAN PVID - Finally we set the actual VLAN ID for ports. Go to `VLAN > 802.1Q > Advanced > Port PVID` and set the PVID for the desired ports. Ports 3 and 4 will now always be passing only VLAN 200 traffic and nothing else. If desired, you can set the PVID for other wired clients. In my case, I let the wireless access point define the VLAN ID and just let the switch pass the data. All the other ports will have VLAN ID 1 by default, and so will use the default `192.168.88.0/24` DHCP network on the router.
Wireless access points
The EAP 225 are very powerful wireless access points and offer a large variety of features which are far beyond any consumer combination router/wireless access point. In addition, one can also run the Omada software to easily manage the access points.
For each wireless SSID, we simply define the desired VLAN ID.
- VLAN 100 - Wireless 5GHz network for “trusted” devices such as smart phones and laptops
- VLAN 200 - Wireless 2.4GHz network for all the IOT/smart devices. This includes TVs, Google Home, Alexa, light bulbs, thermostats, sensors, etc.
- VLAN 200 - Wireless guest network gets dumped into this untrusted network as well. I also rate limit the guest network. Staying with me is like staying at the Marriott. If you want fast internet, you need to pay extra.
Firewall for VLAN isolation
All of this has created 2 dedicated VLANs. Clients connecting to a VLAN will be assigned a specific IP address by the respective DHCP server. The router will happily route traffic between the VLANs by default, and here is where we put a stop to that. In general, I still want to be able to access the “Untrusted” network: we would like to control the smart devices, access the security cameras, or let my Home Assistant instance gather their data. However, we do not allow any traffic from the “Untrusted” network back to the “Trusted” side. We’ll use a type of “zone based” firewall to enable this kind of network isolation.

- Address list - We define two address lists for ease of configuration. This is under the `IP > Firewall > Address Lists` menu. You can use this menu to define groups of addresses for later use by the firewall. This eases the configuration by letting us group related addresses into a single “zone”.
  - Trusted - Includes all clients within the `192.168.100.0/24` and `192.168.88.0/24` networks
  - Untrusted - All VLAN 200 devices, with addresses in `192.168.200.0/24`
- Firewall rule - Now on the `IP > Firewall > Filter Rule` menu we finally set the rules to isolate our “Untrusted” VLAN. Add two rules with the following (and extend to your use case):
  - Accept traffic on the forward chain from “Trusted” to “Untrusted”.
  - Deny traffic on the forward chain from “Untrusted” to “Trusted”.

With these two simple rules, clients on the VLAN 200 network are completely unable to communicate with the “Trusted” network. This is easily tested by using `nmap` or a simple `ping`.
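The address lists and the two filter rules above, as an added example in RouterOS CLI form together with a router-side way of checking that the drop rule is actually hit; this is not configuration from the original post. The list names `trusted`/`untrusted`, the rule comments and the `iot-block` log prefix are my own; the subnets are the post’s. I also spell out the established/related accept that the forward chain needs ahead of the drop rule, since rule order is what decides whether replies to trusted-initiated connections survive.

```routeros
# Added example (not from the original post): the zone-based isolation
# as RouterOS CLI commands. List names, comments and the log prefix are
# assumed; the subnets are the ones defined in the post.

# Address lists: one "zone" per side of the isolation boundary
/ip firewall address-list
add list=trusted address=192.168.88.0/24 comment="default LAN"
add list=trusted address=192.168.100.0/24 comment="VLAN 100 trusted wifi"
add list=untrusted address=192.168.200.0/24 comment="VLAN 200 IOT and guest"

# Filter rules. The forward chain is evaluated top to bottom, so:
#  1. Accept replies to connections the trusted side opened; without
#     this, the drop below would also kill return traffic from the
#     cameras and smart devices to Home Assistant. The hAP ac2 default
#     configuration already carries an equivalent "defconf" rule; the
#     point is that it must sit above the drop.
#  2. Accept trusted -> untrusted (control devices, view cameras).
#  3. Drop untrusted -> trusted: nothing on VLAN 200 may open a
#     connection into VLAN 100 or the default LAN. Logging the drops
#     gives a record of which IOT device tried to reach what.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="allow return traffic for trusted-initiated connections"
add chain=forward action=accept src-address-list=trusted \
    dst-address-list=untrusted comment="trusted -> untrusted"
add chain=forward action=drop src-address-list=untrusted \
    dst-address-list=trusted log=yes log-prefix="iot-block" \
    comment="untrusted -> trusted isolation"

# Verification from the router: while a VLAN 200 host pings a trusted
# address, the packet/byte counters of the drop rule should climb and
# each blocked attempt appears in the log under the "iot-block" prefix
/ip firewall filter print stats where comment~"isolation"
/log print where message~"iot-block"
```

Two things worth keeping in mind when extending this. The drop is the rule that provides the isolation; the trusted-to-untrusted accept only matters if a later rule in the chain would otherwise drop that traffic. And these rules live in the forward chain, which governs traffic passing between networks; traffic from VLAN 200 addressed to the router itself (DNS, Winbox, the web interface) is handled by the input chain and is not affected by them.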