I am not a networking expert but I have spent a bit of time configuring my Mikrotik and have it doing most of the things I want.

I have just upgraded to a smart switch and now have a series of VLANs for splitting up my IP cameras, IoT devices, VoIP, guest and main data devices. I run a couple of Unifi UAPs and have the Unifi Controller running on a VM. I used to use the *guest* network stuff on the Unifis for my guest Wi-Fi network, but I wanted to monitor certain guest access (to allow rules in my openHAB presence detection for when the grandparents are babysitting etc. to stop the alarm being armed etc.).

So I have set up the guest VLAN as a normal VLAN and have a rule on the Mikrotik to drop any traffic.

I have a few address lists, one for devices allowed to access the Mikrotik (<winbox-access>), and <guest-drop> which includes every VLAN address range except for vlan-guest. Finally there is <wan-access>, which is an interface list including the data, voip and guest VLANs. So rule (4) only allows new connections to the router for data/voip/guest VLANs. Then rule (8) drops anything from vlan-guest destined for any other VLAN. The idea here being that vlan-guest can get to the internet, but not anywhere inside my LAN.

Does this look sensible? Am I missing anything? I have tested it and it seems to work well - joining vlan-guest on my laptop gives me full internet access but I can see anything on my LAN. Just wondering if this is the best way or if there are better ways to secure VLANs like this?
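The rule set described in the post, reconstructed as RouterOS CLI commands so the ordering and list membership can be read in one place. This is an added example, not the poster's actual export: the list names (winbox-access, guest-drop, wan-access) and the vlan-guest interface come from the post; the other VLAN interface names (vlan-data, vlan-voip, vlan-cameras, vlan-iot), the WAN interface name ether1-wan and all subnets are assumed placeholders. The post's rule (4) and rule (8) are marked in comments; the explicit management-port drop ahead of rule (4) is an addition worth considering, because a rule that accepts any new connection to the router from the guest VLAN also accepts connections to Winbox, SSH and the web interface unless something earlier restricts them to the winbox-access list.

```routeros
# Reconstructed from the post's description; NOT the poster's own export.
# ASSUMED names: vlan-data, vlan-voip, vlan-cameras, vlan-iot, ether1-wan.
# All addresses below are CONSTRUCTED placeholders.

# --- address lists ---
/ip firewall address-list
# winbox-access: hosts allowed to reach router management services
add list=winbox-access address=192.168.10.10 comment="admin workstation (placeholder)"
# guest-drop: every internal subnet EXCEPT the guest one
add list=guest-drop address=192.168.10.0/24 comment="vlan-data (placeholder)"
add list=guest-drop address=192.168.20.0/24 comment="vlan-voip (placeholder)"
add list=guest-drop address=192.168.30.0/24 comment="vlan-cameras (placeholder)"
add list=guest-drop address=192.168.40.0/24 comment="vlan-iot (placeholder)"

# --- interface list: VLANs that are allowed out to the internet ---
/interface list
add name=wan-access
/interface list member
add list=wan-access interface=vlan-data
add list=wan-access interface=vlan-voip
add list=wan-access interface=vlan-guest

# --- input chain: traffic TO the router itself ---
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# Management ports only from winbox-access; placed BEFORE rule (4) so the
# broad accept below cannot expose Winbox/SSH/WebFig to the guest VLAN.
add chain=input protocol=tcp dst-port=8291,22,80,443 \
    src-address-list=!winbox-access action=drop comment="mgmt only from winbox-access"
# Post's rule (4): new connections to the router from data/voip/guest VLANs
# (guests still need the router for DHCP and DNS).
add chain=input in-interface-list=wan-access connection-state=new action=accept
add chain=input action=drop comment="default deny to router"

# --- forward chain: traffic THROUGH the router ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Post's rule (8): guest VLAN may not reach any other internal subnet.
# Must sit ABOVE the rule that accepts guest traffic toward the WAN.
add chain=forward in-interface=vlan-guest dst-address-list=guest-drop action=drop
add chain=forward in-interface-list=wan-access out-interface=ether1-wan \
    action=accept comment="LAN to internet"
add chain=forward action=drop comment="default deny"

# Check rule order and watch the counters while probing a LAN host from vlan-guest:
/ip firewall filter print stats
```

The established,related accept at the top of each chain is what keeps return traffic for guest internet sessions flowing even though everything else from vlan-guest toward the LAN is dropped; if the guest-drop rule were placed below the LAN-to-internet accept it would never match, so `print stats` after a test from vlan-guest is the quickest way to confirm that rule (8) is actually the one incrementing.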