Hello,
For some time now I have been struggling with my router to find the correct settings to isolate my home, guest, IoT and public networks from each other. I have been trying for a year now to fix it, but my ESET Internet Security Network Inspector still seems to find the isolated devices in the IoT, Public and Guest networks.
For example, when I use port scanners, ping and other software to directly scan some device on the network, I get no answer. So I would say that my firewall settings are correct. But for some reason ESET still gets through somehow.
I have tried disabling IPv6 on my computer's network adapter, but that didn't really fix the issue. ESET still finds other devices.
The point of isolating those networks is that if someone connects an infected device, for example, to my network, it doesn't move across the network to my other devices.
The router code is as below. I have removed some things not really important to this issue. Thank you!
Code:
/interface bridge
add fast-forward=no name=bridge_guest
add fast-forward=no name=bridge_home
add admin-mac=B8:69:F4:26:5B:F4 auto-mac=no fast-forward=no name=bridge_iot
add fast-forward=no name=bridge_iptv protocol-mode=none
add admin-mac=B8:69:F4:26:5B:F5 auto-mac=no fast-forward=no name=bridge_public
/interface ethernet
set [ find default-name=ether1 ] comment=WAN loop-protect=on mtu=1518
set [ find default-name=ether2 ] comment="TV" loop-protect=on mtu=1518
set [ find default-name=ether3 ] comment=AP loop-protect=on mtu=1518
set [ find default-name=ether4 ] comment="TV Box" loop-protect=on mtu=1518
set [ find default-name=ether5 ] comment="Unmanaged Switch" loop-protect=on mtu=1518
/interface vlan
add interface=ether3 mtu=1518 name=vlan10_guest vlan-id=10
add interface=ether3 mtu=1518 name=vlan20_iot vlan-id=20
add interface=ether3 mtu=1518 name=vlan30_public vlan-id=30
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=pool_home ranges=192.168.1.150-192.168.1.200
add name=pool_guest ranges=192.168.2.150-192.168.2.200
add name=pool_iot ranges=192.168.3.150-192.168.3.200
add name=pool_public ranges=172.16.71.50-172.16.71.250
/ip dhcp-server
add add-arp=yes address-pool=pool_home bootp-support=dynamic interface=bridge_home lease-script=":local recipient \"email removed\"\r\n/ip dhcp-server lease\r\n:if (\$leaseBound = 1) do={\r\n :if ([:len [/ip dhcp-server lease get [find address=\$leaseActIP] comment]] = 0) do={\r\n :do {\r\n :tool e-mail send to=\$recipient subject=\"DHCP Address Alert [MAC: \$leaseActMAC]\" body=\"The following MAC address [\$leaseActMAC] received an IP address [\$leaseActIP] from the DHCP Server [\$leaseServerName].\"\r\n :log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r\n } on-error={\r\n :log error \"Failed to send alert email to \$recipient\"\r\n }\r\n } else={\r\n :log info \"Ignoring MAC \$leaseActMAC with IP \$leaseActIP due to an existing comment.\"\r\n }\r\n}" lease-time=1w3d name=dhcp_home
add address-pool=pool_guest interface=bridge_guest lease-script=":local recipient \"email removed\"\r\n/ip dhcp-server lease\r\n:if (\$leaseBound = 1) do={\r\n :if ([:len [/ip dhcp-server lease get [find address=\$leaseActIP] comment]] = 0) do={\r\n :do {\r\n :tool e-mail send to=\$recipient subject=\"DHCP Address Alert [MAC: \$leaseActMAC]\" body=\"The following MAC address [\$leaseActMAC] received an IP address [\$leaseActIP] from the DHCP Server [\$leaseServerName].\"\r\n :log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r\n } on-error={\r\n :log error \"Failed to send alert email to \$recipient\"\r\n }\r\n } else={\r\n :log info \"Ignoring MAC \$leaseActMAC with IP \$leaseActIP due to an existing comment.\"\r\n }\r\n}" lease-time=1w3d name=dhcp_guest
add address-pool=pool_iot interface=bridge_iot lease-script=":local recipient \"email removed\"\r\n/ip dhcp-server lease\r\n:if (\$leaseBound = 1) do={\r\n :if ([:len [/ip dhcp-server lease get [find address=\$leaseActIP] comment]] = 0) do={\r\n :do {\r\n :tool e-mail send to=\$recipient subject=\"DHCP Address Alert [MAC: \$leaseActMAC]\" body=\"The following MAC address [\$leaseActMAC] received an IP address [\$leaseActIP] from the DHCP Server [\$leaseServerName].\"\r\n :log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r\n } on-error={\r\n :log error \"Failed to send alert email to \$recipient\"\r\n }\r\n } else={\r\n :log info \"Ignoring MAC \$leaseActMAC with IP \$leaseActIP due to an existing comment.\"\r\n }\r\n}" lease-time=1w3d name=dhcp_iot
add address-pool=pool_public interface=bridge_public lease-script=":local recipient \"email removed\"\r\n/ip dhcp-server lease\r\n:if (\$leaseBound = 1) do={\r\n :if ([:len [/ip dhcp-server lease get [find address=\$leaseActIP] comment]] = 0) do={\r\n :do {\r\n :tool e-mail send to=\$recipient subject=\"DHCP Address Alert [MAC: \$leaseActMAC]\" body=\"The following MAC address [\$leaseActMAC] received an IP address [\$leaseActIP] from the DHCP Server [\$leaseServerName].\"\r\n :log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r\n } on-error={\r\n :log error \"Failed to send alert email to \$recipient\"\r\n }\r\n } else={\r\n :log info \"Ignoring MAC \$leaseActMAC with IP \$leaseActIP due to an existing comment.\"\r\n }\r\n}" lease-time=2d name=dhcp_public
/routing bgp template
set default disabled=no output.network=bgp-networks
/interface bridge port
add bridge=bridge_home ingress-filtering=no interface=ether3
add bridge=bridge_home ingress-filtering=no interface=ether2
add bridge=bridge_home ingress-filtering=no interface=ether5
add auto-isolate=yes bridge=bridge_guest ingress-filtering=no interface=vlan10_guest restricted-role=yes restricted-tcn=yes
add auto-isolate=yes bridge=bridge_iot ingress-filtering=no interface=vlan20_iot restricted-role=yes restricted-tcn=yes
add auto-isolate=yes bridge=bridge_public ingress-filtering=no interface=vlan30_public restricted-role=yes restricted-tcn=yes
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=strict tcp-syncookies=yes
/ip address
add address=192.168.1.1/24 interface=bridge_home network=192.168.1.0
add address=192.168.2.1/24 interface=bridge_guest network=192.168.2.0
add address=192.168.3.1/24 interface=bridge_iot network=192.168.3.0
add address=172.16.71.1/24 interface=bridge_public network=172.16.71.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server config
set store-leases-disk=never
/ip dns
set allow-remote-requests=yes cache-max-ttl=10m cache-size=512KiB
/ip firewall filter
add action=drop chain=forward comment="Drop public network to home network" dst-address=192.168.1.0/24 src-address=172.16.71.0/24
add action=drop chain=forward comment="Drop public network to IoT network" dst-address=192.168.3.0/24 src-address=172.16.71.0/24
add action=drop chain=forward comment="Drop public network to guest network" dst-address=192.168.2.0/24 src-address=172.16.71.0/24
add action=drop chain=forward comment="Drop home network to public network" dst-address=172.16.71.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop home network to guest network" dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop home network to IoT network" dst-address=192.168.3.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop guest network to home network" dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=drop chain=forward comment="Drop guest network to public network" dst-address=172.16.71.0/24 src-address=192.168.2.0/24
add action=drop chain=forward comment="Drop guest network to IoT network" dst-address=192.168.3.0/24 src-address=192.168.2.0/24
add action=drop chain=forward comment="Drop IoT network to home network" dst-address=192.168.1.0/24 src-address=192.168.3.0/24
add action=drop chain=forward comment="Drop IoT network to guest network" dst-address=192.168.2.0/24 src-address=192.168.3.0/24
add action=drop chain=forward comment="Drop IoT network to public network" dst-address=172.16.71.0/24 src-address=192.168.3.0/24
add action=accept chain=input comment="Allow established, related" connection-state=established,related
add action=accept chain=input comment="Allow LAN connection to router - DO NOT DISABLE" src-address=192.168.1.0/24
add action=accept chain=input comment="Accept ping" disabled=yes protocol=icmp
add action=drop chain=input comment="Drop everything else to router - DO NOT DISABLE"
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge_home log=yes log-prefix=!public_from_LAN out-interface=!bridge_home
add action=drop chain=forward dst-address-list=not_in_internet in-interface=bridge_guest log=yes log-prefix=!public_from_LAN out-interface=!bridge_guest
add action=drop chain=forward dst-address-list=not_in_internet in-interface=bridge_iot log=yes log-prefix=!public_from_LAN out-interface=!bridge_iot
add action=drop chain=forward dst-address-list=not_in_internet in-interface=bridge_public log=yes log-prefix=!public_from_LAN out-interface=!bridge_public
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.1.0/24 port=port
set www-ssl certificate=*1E
set api disabled=yes
set winbox address=192.168.1.0/24 port=port
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote host-key-size=4096 strong-crypto=yes
/ip upnp
set show-dummy-rule=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Statistics: Posted by martin3444 — Sun Jan 14, 2024 5:11 pm
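As an added check, not part of the post above, here is a Python script that parses the `/ip address` and `/ip firewall filter` lines of a RouterOS export like the one posted and lists every directed pair of LAN subnets that has no forward-chain drop rule. Over the twelve drops as posted it reports no gap, so at the IP layer the four subnets are fully covered by these rules; it says nothing about what a scanner can see at layer 2, which is outside what IP filter rules express.

```python
import shlex
from itertools import permutations

# Constructed excerpt of the export in the post: the four LAN subnets and the
# twelve forward-chain isolation drops, one RouterOS command per line.
EXPORT = """\
/ip address
add address=192.168.1.1/24 interface=bridge_home network=192.168.1.0
add address=192.168.2.1/24 interface=bridge_guest network=192.168.2.0
add address=192.168.3.1/24 interface=bridge_iot network=192.168.3.0
add address=172.16.71.1/24 interface=bridge_public network=172.16.71.0
/ip firewall filter
add action=drop chain=forward comment="Drop public network to home network" dst-address=192.168.1.0/24 src-address=172.16.71.0/24
add action=drop chain=forward comment="Drop public network to IoT network" dst-address=192.168.3.0/24 src-address=172.16.71.0/24
add action=drop chain=forward comment="Drop public network to guest network" dst-address=192.168.2.0/24 src-address=172.16.71.0/24
add action=drop chain=forward comment="Drop home network to public network" dst-address=172.16.71.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop home network to guest network" dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop home network to IoT network" dst-address=192.168.3.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop guest network to home network" dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=drop chain=forward comment="Drop guest network to public network" dst-address=172.16.71.0/24 src-address=192.168.2.0/24
add action=drop chain=forward comment="Drop guest network to IoT network" dst-address=192.168.3.0/24 src-address=192.168.2.0/24
add action=drop chain=forward comment="Drop IoT network to home network" dst-address=192.168.1.0/24 src-address=192.168.3.0/24
add action=drop chain=forward comment="Drop IoT network to guest network" dst-address=192.168.2.0/24 src-address=192.168.3.0/24
add action=drop chain=forward comment="Drop IoT network to public network" dst-address=172.16.71.0/24 src-address=192.168.3.0/24
"""


def parse(export):
    """Group 'add'/'set' commands by their '/path' section as key=value dicts."""
    sections, current = {}, None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith(("add ", "set ")) and current is not None:
            # shlex keeps quoted values such as comment="..." as one token
            current.append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return sections


def isolation_gaps(export):
    """Return (src_bridge, dst_bridge) pairs of LAN subnets with no forward drop rule."""
    sections = parse(export)
    nets = {}  # subnet -> bridge interface, taken from /ip address
    for e in sections.get("/ip address", []):
        nets[e["network"] + "/" + e["address"].split("/")[1]] = e["interface"]
    drops = {(r.get("src-address"), r.get("dst-address"))
             for r in sections.get("/ip firewall filter", [])
             if r.get("chain") == "forward" and r.get("action") == "drop"}
    return [(nets[s], nets[d]) for s, d in permutations(nets, 2) if (s, d) not in drops]
```

Paste the full export into `EXPORT` (or read it from a file) and call `isolation_gaps`; an empty list means every subnet-to-subnet direction has a drop rule.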