
    Multi Level Router Rules

    by thepeachfarmer ·

    First Post!

    I’ve been growing my network on my farm. It’s been a crazy journey from a simple dumb switch with a few office clients and a couple servers to NOW… 20 wireless backhauls, pump stations, automation, PLC, remote cameras, the list goes on.

    I made some big changes this summer. We basically created a “backhaul” or “backbone” network 10.0.0.0 that connects all of my sites and locations. “Router 0” 10.0.0.1 is my main firewall and gateway to the WWW. Along this network are wireless links that connect my various locations. I have roughly 20 routers sitting on this network that serve a variety of locations. When I deployed these routers I was careful to create subnets behind them that would be reflective of each location:

    10.0.0.20 – Main Office Router
    10.20.1.0 – Main Office Management Subnet
    10.20.2.0 – MO Data
    10.20.3.0 – MO Phone
    10.20.4.0 – MO Camera
    10.20.5.0 – MO PLC

    I replicated this structure across all of my locations. For example the Grain Elevator location has this structure:

    10.0.0.30 – Grain Elevator Router
    10.30.1.0 – GE Management
    10.30.2.0 – GE Data
    … and so on

    There are network resources such as file servers, DNS servers, domain controllers, camera NVRs, MQTT brokers, and others that sit behind specific routers. Currently I have everything wide open (as this is basically the security I had prior), with my Router 0 having the main security rules for the WWW.

    Moving forward I would like to add additional users to my network that need limited to zero access to my server resources. Specifically it may be a particular subnet behind a router. For example:

    WWW
    Router 0 – 10.0.0.1

    MO Router – 10.0.0.20
    GE Router – 10.0.0.30

    MO Server Subnet – 10.20.10.0
    GE DATA – 10.30.2.0
    GE GUEST – 10.30.7.0

    I want the GE DATA subnet to access the MO Server Subnet but I do not want the GE Guest subnet to access the MO Server Subnet.

    One solution that I was thinking of could be to move my global resources (MO Server subnet) to a subnet of the backhaul (10.0.100.0). Then grant access to this subnet based on the subnet from which they originated before entering the 10.0.0.0 network.

    Is this possible? What solutions would you recommend?

    My current hardware is as follows:
    Ubiquiti Security Gateway – Router 0 and MO Router
    Ubiquiti Edge Router – GE Router and various endpoints

    I run the UniFi and UNMS platforms and hardware because I am a one man IT show. I am open to small hardware changes if needed.

    THANKS FOR LISTENING!

All Answers

      Reply

      by abartkiewicz ·

      In reply to Multi Level Router Rules

      Well just remember that the internal networks that don’t go through your firewall will not be blocked by your firewall. I recommend directly connecting (or via a switch) any resources that are needed across the network to your firewall. After that it should be a simple matter of controlling access. Hope that helps.


      Reply again

      by abartkiewicz ·

      In reply to Multi Level Router Rules

      Also I would recommend denying access from your guest network to everything except outside access. This can be done on the router that your guest devices are connected to with some sort of access list depending on the type of routers you have.
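As an added illustration of the access-list approach described in the reply above (example configuration written for this page, not the poster's or Ubiquiti's own), here is an EdgeOS ruleset for the GE EdgeRouter that lets the GE GUEST subnet (10.30.7.0 in the question) reach only the internet. The sub-interface `eth1 vif 7` for the guest VLAN, the ruleset names and the rule numbers are assumptions; the address ranges are the thread's own 10.0.0.0/8 plus the other two RFC 1918 blocks, so the guest VLAN is cut off from every site subnet and the backhaul at once rather than from the MO server subnet alone.

```edgeos
configure

# Everything that guests must never reach. 10.0.0.0/8 covers the backhaul and
# all site subnets in the thread; the other two blocks are the remaining RFC 1918 space.
set firewall group address-group PRIVATE_NETS description 'All internal address space'
set firewall group address-group PRIVATE_NETS address 10.0.0.0/8
set firewall group address-group PRIVATE_NETS address 172.16.0.0/12
set firewall group address-group PRIVATE_NETS address 192.168.0.0/16

# Traffic entering the router FROM the guest VLAN and forwarded elsewhere.
# Default accept so the internet still works; one drop rule for internal space.
set firewall name GUEST_IN description 'GE Guest: internet only'
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 description 'Return traffic for sessions the router already tracks'
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 description 'Drop anything bound for internal address space'
set firewall name GUEST_IN rule 20 destination group address-group PRIVATE_NETS
set firewall name GUEST_IN rule 20 log enable

# Traffic from the guest VLAN addressed TO the router itself: DHCP and DNS only,
# so guests can get a lease and resolve names but cannot reach the router's admin ports.
set firewall name GUEST_LOCAL description 'GE Guest: router services only'
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 state established enable
set firewall name GUEST_LOCAL rule 10 state related enable
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 description 'DNS to the router forwarder'
set firewall name GUEST_LOCAL rule 20 protocol tcp_udp
set firewall name GUEST_LOCAL rule 20 destination port 53
set firewall name GUEST_LOCAL rule 30 action accept
set firewall name GUEST_LOCAL rule 30 description 'DHCP'
set firewall name GUEST_LOCAL rule 30 protocol udp
set firewall name GUEST_LOCAL rule 30 destination port 67

# Attach both rulesets to the guest VLAN sub-interface (interface name is an assumption).
set interfaces ethernet eth1 vif 7 firewall in name GUEST_IN
set interfaces ethernet eth1 vif 7 firewall local name GUEST_LOCAL

commit
save
exit
```

The drop rule sits on the guest VLAN's inbound direction of the GE router, so it is enforced before a packet ever reaches the 10.0.0.0 backhaul; that is what makes it independent of Router 0, which, as the first reply notes, never sees site-to-site traffic. The `log enable` on rule 20 gives a record of guest devices probing internal addresses, which is worth watching once the network is opened to additional users. Check the result with `show firewall name GUEST_IN statistics` after a guest tries to reach an internal host, and confirm from the GE DATA VLAN (which carries no such ruleset) that the MO server subnet is still reachable.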
