making mikrotik network secure

b1gshow

Member
Joined
Jul 15, 2011
Messages
14
Hi all. I need help on the following:

I set up a network in the following manner:

a linksys router doing a pppoe dial up with an adsl line, connected to a mikrotik router that is in AP bridge mode (primary link).

Primary link connects to a mikrotik router on a hill top with 2 wireless interfaces, each with nat enabled on them (secondary link).

Primary link connects to secondary link's wlan1 (station mode), and wireless clients connect to secondary link's wlan2 (AP bridge).

I have the basic wpa2 keys set up on all the routers and mac filtering on both.

My question:

If a hacker sniffs the wpa keys, will he be able to gain access to my network/routers?

also, how do I allow only selected clients access to the linksys router and others not? in other words, how do I give certain clients internet access, while giving others only local network access?

Thank you

Peon

Expert Member
Joined
Sep 28, 2006
Messages
3,666
The router that touches both the linksys and Primary LINK. You will have to set up IP filtering on the Firewall section. Only allow this IP with this MAC access. Make your subnet also small. Don't leave it /24. Really calculate how many IPs you will need. Also rather use WPA2-AES where applicable. And change the passwd every 2 weeks.

Mikrotik Firewall is your friend here. IP filtering ftw!

b1gshow

Member
Joined
Jul 15, 2011
Messages
14
thank you Peon. If I create a pptp tunnel, will this slow down network traffic? Is it worthwhile?

Peon

Expert Member
Joined
Sep 28, 2006
Messages
3,666
For what purpose would you want to use PPTP? Or what reason, should I say. L2TP has better security.

b1gshow

Member
Joined
Jul 15, 2011
Messages
14
I am not THAT clued up with mikrotik, so if I use winbox, should I go to IP, firewall, and then choose the address list tab?

portcullis

Cape Connect Internet Rep
Company Rep
Joined
Oct 7, 2008
Messages
1,199
I'll throw my hat into the ring on this one later. Just getting ready to go and spend a day up on a mountain.

b1gshow

Member
Joined
Jul 15, 2011
Messages
14
thanks portcullis. I played around with a router last night, and I guess I should do a firewall rule: with action: accept, source address: the address of the client and destination: the linksys router?

portcullis

Cape Connect Internet Rep
Company Rep
Joined
Oct 7, 2008
Messages
1,199
If a hacker sniffs the wpa keys, will he be able to gain access to my network/routers?

Set up an access list so that third parties can't even connect to the access point.

also, how do I allow only selected clients access to the linksys router and others not? in other words, how do I give certain clients internet access, while giving others only local network access?

This is slightly more interesting.

You are going to have to get rid of the NATing and do proper routing. Either via static routes like we do, or via OSPF like the WUG guys do. Both have advantages and disadvantages. I think in your case a simple set of static routes would do the trick. The problem is (and I know this from own experience) is that once the number of connected subnets gets in the region of about 1,000 the routing tables become massive. I would run OSPF, but I have a large UBNT network connected to us that can't talk OSPF - or at least I've not been able to work out how to get UBNT to talk OSPF without hacking around in linux on each radio.

Once you have your IP network sorted so that any user can trace to the linksys and the mikrotik connected to the linksys can trace to any user (i.e. no NAT), then it's very simple to set up rules where you first block all traffic leaving the mikrotik's ethernet port connected to the linksys and then only allow traffic through for the subnets that are allowed to access the internet.

b1gshow

Member
Joined
Jul 15, 2011
Messages
14
that makes sense, thank you. I installed mikrotik on two x86 systems and played around with it, found the following to work: I disabled NAT on both routers, and then only created NAT rules for each client. For example, if the client's IP is 192.168.1.x and the linksys is 10.0.0.x, then I added two NAT rules, one with source address as 10.0.0.x, dest 192.168.1.x, and the other just the opposite. This allowed the client to ping the linksys, and the linksys to ping the client, but other clients could not ping the linksys. Is this a valid way to do it? Or am I going about it the wrong way? If I set up static routes, as you explained, do I set up the routes on both routers? Or only the "primary link"? We will never have more than 100 clients, so static routes it is.

portcullis

Cape Connect Internet Rep
Company Rep
Joined
Oct 7, 2008
Messages
1,199
NAT is not a good idea unless there really is no other way. In your case that should be when you NAT the public IP on the ADSL router. Double NATing opens up a can of worms that's best left closed.

If you set up static routes, you need to set them on both routers.
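The advice given across this thread (WPA2-AES, a wireless access list on the client AP, no NAT on the mikrotiks with static routes on both, and a "block everything leaving the linksys port, then allow only the internet subnets" filter) as one added RouterOS configuration example; it was not posted by anyone in the thread. The interface names, the 192.168.0.0/30 link subnet, the client IPs and the MAC addresses are assumptions.

```routeros
# Added example, not from the thread. Assumed addressing:
#   linksys (ADSL, does the only NAT)      10.0.0.1/24
#   primary link, ether1 -> linksys        10.0.0.2/24
#   primary link, wlan1 (AP bridge)        192.168.0.1/30
#   secondary link, wlan1 (station)        192.168.0.2/30
#   secondary link, wlan2 (AP bridge)      192.168.1.1/24, clients in 192.168.1.0/24

# ---- both routers: WPA2 with AES only, no TKIP ----
/interface wireless security-profiles
set default mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="CHANGE-ME-every-two-weeks"

# ---- secondary link: only listed client MACs may associate to wlan2 ----
/interface wireless set wlan2 default-authentication=no
/interface wireless access-list
add interface=wlan2 mac-address=AA:BB:CC:DD:EE:01 authentication=yes comment="client A"
add interface=wlan2 mac-address=AA:BB:CC:DD:EE:02 authentication=yes comment="client B"

# ---- secondary link: no NAT, just a default route toward the primary link ----
/ip firewall nat remove [find chain=srcnat]
/ip route add dst-address=0.0.0.0/0 gateway=192.168.0.1

# ---- primary link: route to the client subnet, default toward the linksys ----
/ip firewall nat remove [find chain=srcnat]
/ip route add dst-address=192.168.1.0/24 gateway=192.168.0.2
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1
# The linksys needs the return routes: 192.168.1.0/24 and 192.168.0.0/30 via 10.0.0.2.

# ---- primary link: block all traffic leaving ether1, then allow only internet clients ----
# Rules are evaluated top-down, so the drop must stay last.
/ip firewall address-list
add list=internet-allowed address=192.168.1.10 comment="client A: internet"
add list=internet-allowed address=192.168.1.11 comment="client B: internet"
/ip firewall filter
add chain=forward out-interface=ether1 connection-state=established,related action=accept
add chain=forward out-interface=ether1 src-address-list=internet-allowed action=accept
add chain=forward out-interface=ether1 action=drop comment="everyone else: local network only"
```

The address-list match only means something if a client cannot pick an allowed IP for itself, so tie each listed address to its MAC (a static DHCP lease on the secondary link, or a src-mac-address match there, where the client MACs are still visible) and keep unlisted devices off wlan2 with the access list. Clients not in the list can still reach the rest of the 192.168.x networks because only traffic leaving ether1 is filtered.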