Multi Level Router Rules

By thepeachfarmer
First Post!

I've been growing my network on my farm. It's been a crazy journey from a simple dumb switch with a few office clients and a couple of servers to NOW... 20 wireless backhauls, pump stations, automation, PLC, remote cameras, the list goes on.

I made some big changes this summer. We basically created a "backhaul" or "backbone" network 10.0.0.0 that connects all of my sites and locations. "Router 0" 10.0.0.1 is my main firewall and gateway to the WWW. Along this network are wireless links that connect my various locations. I have roughly 20 routers sitting on this network that serve a variety of locations. When I deployed these routers I was careful to create subnets behind them that would be reflective of each location:

10.0.0.20 - Main Office Router
10.20.1.0 - Main Office Management Subnet
10.20.2.0 - MO Data
10.20.3.0 - MO Phone
10.20.4.0 - MO Camera
10.20.5.0 - MO PLC

I replicated this structure across all of my locations. For example, the Grain Elevator location has this structure:

10.0.0.30 - Grain Elevator Router
10.30.1.0 - GE Management
10.30.2.0 - GE Data
.... and so on

There are network resources such as file servers, DNS servers, domain controllers, camera NVRs, MQTT brokers, and others that sit behind specific routers. Currently I have everything wide open (as this is basically the security I had prior), with my Router 0 having the main security rules for the WWW.

Moving forward I would like to add additional users to my network that need limited to zero access to my server resources. Specifically it may be a particular subnet behind a router. For example:

WWW
Router 0 - 10.0.0.1
--
MO Router - 10.0.0.20
GE Router - 10.0.0.30
--
MO Server Subnet - 10.20.10.0
GE DATA - 10.30.2.0
GE GUEST - 10.30.7.0
--
I want the GE DATA subnet to access the MO Server Subnet but I do not want the GE Guest subnet to access the MO Server Subnet.

One solution that I was thinking of could be to move my global resources (MO Server subnet) to a subnet of the backhaul (10.0.100.0). Then grant access to this subnet based on the subnet from which they originated before entering the 10.0.0.0 network.

Is this possible? What solutions would you recommend?

My current hardware is as follows:
Ubiquiti Security Gateway - Router 0 and MO Router
Ubiquiti Edge Router - GE Router and various endpoints

I run the UniFi and UNMS platforms and hardware because I am a one-man IT show. I am open to small hardware changes if needed.

THANKS FOR LISTENING!

All Answers

by abartkiewicz In reply to Multi Level Router Rules

Well just remember that the internal networks that don't go through your firewall will not be blocked by your firewall. I recommend directly connecting (or via a switch) any resources that are needed across the network to your firewall. After that it should be a simple matter of controlling access. Hope that helps.

by abartkiewicz In reply to Multi Level Router Rules

Also, I would recommend denying access from your guest network to everything except outside access. This can be done on the router that your guest devices are connected to with some sort of access list, depending on the type of routers you have.
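An added illustration of the point made in both replies, not code from anyone in the thread: a filter rule only takes effect on a router the traffic actually crosses, so a GE Guest block belongs on the GE router (or on Router 0 if the servers move to a backhaul subnet behind it). The topology is modelled from the subnets in the question; the /16 site summaries and attaching the proposed 10.0.100.0/24 to Router 0 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology from the thread. Site /16 summaries and hanging the proposed
# 10.0.100.0/24 server subnet off Router 0 are assumptions, not stated in the post.
SITE_OF = {
    "Router 0":  ip_network("10.0.100.0/24"),   # proposed relocated server subnet
    "MO Router": ip_network("10.20.0.0/16"),
    "GE Router": ip_network("10.30.0.0/16"),
}
INTERNAL = ip_network("10.0.0.0/8")

# Per-router access lists as (action, source, destination); first match wins.
RULES = {
    "GE Router": [
        ("deny",  "10.30.7.0/24", "10.0.0.0/8"),   # GE Guest -> any internal subnet
        ("allow", "10.30.7.0/24", "0.0.0.0/0"),    # GE Guest -> internet only
    ],
}
ROUTER0_ONLY = {
    "Router 0": [("deny", "10.30.7.0/24", "10.20.10.0/24")],  # Router 0 is not on this path
}

def router_for(ip):
    """Site router fronting an address, or None for a host directly on the backhaul."""
    addr = ip_address(ip)
    return next((name for name, net in SITE_OF.items() if addr in net), None)

def path(src, dst):
    """Routers whose rules a packet from src to dst actually passes through.
    Anything outside 10.0.0.0/8 leaves via Router 0's default route."""
    exit_router = router_for(dst) if ip_address(dst) in INTERNAL else "Router 0"
    hops = [router_for(src), exit_router]
    return [h for h in dict.fromkeys(hops) if h]   # ordered, de-duplicated, no None

def decide(src, dst, rules=RULES):
    """First matching rule on any traversed router decides; no match means allow,
    mirroring the wide-open default described in the question."""
    s, d = ip_address(src), ip_address(dst)
    for router in path(src, dst):
        for action, src_net, dst_net in rules.get(router, []):
            if s in ip_network(src_net) and d in ip_network(dst_net):
                return action
    return "allow"

if __name__ == "__main__":
    print(decide("10.30.2.5", "10.20.10.5"))                 # GE Data -> MO servers: allow
    print(decide("10.30.7.5", "10.20.10.5"))                 # GE Guest -> MO servers: deny
    print(decide("10.30.7.5", "203.0.113.9"))                # GE Guest -> internet: allow
    print(decide("10.30.7.5", "10.20.10.5", ROUTER0_ONLY))   # rule on the wrong router: allow
```

The last case is the trap the first reply warns about: GE Guest to MO server traffic never touches Router 0, so a rule there is silently ineffective.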
