Multi Level Router Rules
I’ve been growing my network on my farm. It’s been a crazy journey from a simple dumb switch with a few office clients and a couple of servers to NOW… 20 wireless backhauls, pump stations, automation, PLC, remote cameras, the list goes on.
I made some big changes this summer. We basically created a “backhaul” or “backbone” network 10.0.0.0 that connects all of my sites and locations. “Router 0” 10.0.0.1 is my main firewall and gateway to the WWW. Along this network are wireless links that connect my various locations. I have roughly 20 routers sitting on this network that serve a variety of locations. When I deployed these routers I was careful to create subnets behind them that would be reflective of each location:
10.0.0.20 – Main Office Router
10.20.1.0 – Main Office Management Subnet
10.20.2.0 – MO Data
10.20.3.0 – MO Phone
10.20.4.0 – MO Camera
10.20.5.0 – MO PLC
I replicated this structure across all of my locations. For example, the Grain Elevator location has this structure:
10.0.0.30 – Grain Elevator Router
10.30.1.0 – GE Management
10.30.2.0 – GE Data
… and so on
There are network resources such as file servers, DNS servers, domain controllers, camera NVRs, MQTT brokers, and others that sit behind specific routers. Currently I have everything wide open (as this is basically the security I had prior), with my Router 0 having the main security rules for the WWW.
Moving forward I would like to add additional users to my network that need limited to zero access to my server resources. Specifically, it may be a particular subnet behind a router. For example:
Router 0 – 10.0.0.1
MO Router – 10.0.0.20
GE Router – 10.0.0.30
MO Server Subnet – 10.20.10.0
GE DATA – 10.30.2.0
GE GUEST – 10.30.7.0
I want the GE DATA subnet to access the MO Server Subnet but I do not want the GE Guest subnet to access the MO Server Subnet.
One solution that I was thinking of could be to move my global resources (MO Server subnet) to a subnet of the backhaul (10.0.100.0). Then grant access to this subnet based on the subnet from which they originated before entering the 10.0.0.0 network.
Is this possible? What solutions would you recommend?
My current hardware is as follows:
Ubiquiti Security Gateway – Router 0 and MO Router
Ubiquiti Edge Router – GE Router and various endpoints
I run the UniFi and UNMS platforms and hardware because I am a one-man IT show. I am open to small hardware changes if needed.
THANKS FOR LISTENING!
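Added example, not part of the post above: a small model of the two places a per-subnet policy for this question can be enforced, written as first-match, default-drop rulesets the way EdgeOS and USG firewall rule lists behave. It uses the subnets from the post (GE DATA 10.30.2.0, GE GUEST 10.30.7.0, MO Server 10.20.10.0) and assumes /24 masks, the ruleset names GE_GUEST_IN and MO_SERVER_IN, and, going slightly beyond the post, a guest policy that denies all RFC 1918 space rather than only the server subnet. The sample flows at the bottom are constructed.

```python
"""Two-hop subnet access policy check (added example, not from the post).

Models first-match, default-drop firewall rulesets with the post's subnets.
Ruleset names, /24 masks and the "guests get no private space at all" rule
are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    action: str  # "accept" or "drop"


ANY = ip_network("0.0.0.0/0")
MO_SERVERS = ip_network("10.20.10.0/24")  # MO Server Subnet (mask assumed)
GE_DATA = ip_network("10.30.2.0/24")      # GE DATA (mask assumed)
GE_GUEST = ip_network("10.30.7.0/24")     # GE GUEST (mask assumed)
RFC1918 = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)

# Ruleset bound inbound on the GE router's guest interface (source side).
# Guests may reach the internet but nothing in private address space.
GE_GUEST_IN = [
    Rule(f"guest-no-private-{n}", GE_GUEST, net, "drop")
    for n, net in enumerate(RFC1918, 1)
]
GE_GUEST_IN.append(Rule("guest-to-internet", GE_GUEST, ANY, "accept"))

# Ruleset bound inbound on the MO router's backhaul interface, protecting the
# server subnet (destination side). Only explicitly listed sources get through;
# anything else, including hosts on the backhaul itself, hits the default drop.
MO_SERVER_IN = [Rule("data-to-servers", GE_DATA, MO_SERVERS, "accept")]


def evaluate(rules, src, dst, default="drop"):
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action, rule.name
    return default, "default"


def allowed(src_ip: str, dst_ip: str):
    """Apply each hop's ruleset in path order; a drop at any hop ends the flow.

    Returns (permitted, trace) where trace lists the decision at each hop that
    had a ruleset to apply. An empty trace means no ruleset touched the flow.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    hops = []
    if src in GE_GUEST:
        hops.append(("GE router guest-in", GE_GUEST_IN))
    if dst in MO_SERVERS:
        hops.append(("MO router server-in", MO_SERVER_IN))
    trace = []
    for hop, rules in hops:
        action, name = evaluate(rules, src, dst)
        trace.append(f"{hop}: {action} ({name})")
        if action == "drop":
            return False, trace
    return True, trace


if __name__ == "__main__":
    # Constructed sample flows, one per case worth checking.
    for s, d in [
        ("10.30.2.15", "10.20.10.5"),   # GE DATA -> MO servers: wanted
        ("10.30.7.15", "10.20.10.5"),   # GE GUEST -> MO servers: not wanted
        ("10.30.7.15", "8.8.8.8"),      # GE GUEST -> internet
        ("10.0.0.77", "10.20.10.5"),    # unknown backhaul host -> MO servers
        ("10.30.2.15", "10.20.2.9"),    # GE DATA -> MO Data: untouched, stays open
    ]:
        ok, why = allowed(s, d)
        print(f"{s} -> {d}: {'ALLOW' if ok else 'DENY'} {why}")
```

The destination-side ruleset (MO_SERVER_IN) is what makes the "grant access by originating subnet" idea from the post work, and it relies on one condition: the site routers must route, not NAT, traffic onto the 10.0.0.0 backhaul. If the GE router masqueraded, every GE host would arrive at the MO router as 10.0.0.30 and the server-side rule could no longer tell GE DATA from GE GUEST. Moving the servers to a backhaul subnet such as 10.0.100.0 only changes the destination prefix in that rule; the mechanism is the same. Keeping the source-side guest ruleset as well means guest traffic is discarded one hop from where it starts and the server-side rule becomes a second line rather than the only one.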