WBS210 and all pharos product : add some protection rules on layer 2

2018-08-27 19:39:46 - last edited 2018-08-27 19:40:07

Hi,

 

Pharos products are pretty good, but I can't use them because some security functionality is needed.

Actually we work with UBIQUITI Rocket M2 or Bullet M2 (the Rocket M2 is pretty much the same as the WBS210).

 

Actually we need the possibility, in AP bridge mode, to allow wifi client traffic to 2 MAC addresses only (clients must speak only with the router).

We achieve that with these EBTABLES rules on the Ubiquiti AP (in AP WDS mode):

 

eth0 is the LAN port connected to the router; ath0 is the wifi interface.

 

# $ROOTER_MAC holds the MAC address of the router. Each -I inserts at the
# head of the chain, so the ACCEPT rules entered last end up above the DROPs.
ebtables -I FORWARD -i ath0 -o eth0 -j DROP
ebtables -I FORWARD -i eth0 -o ath0 -j DROP
ebtables -I FORWARD -i ath0 -o eth0 -d FF:FF:FF:FF:FF:FF -j ACCEPT  # allow broadcast like DHCP requests from clients to the entire network
ebtables -I FORWARD -i ath0 -o eth0 -d $ROOTER_MAC -j ACCEPT
ebtables -I FORWARD -i eth0 -o ath0 -s $ROOTER_MAC -j ACCEPT
ebtables -I INPUT -i ath0 -j DROP  # block traffic from clients to the AP itself

 

Is it possible to do that on the WBS210?

 

And we need to add DHCP server protection on the wifi interface to block rogue DHCP.

 

Of course we add a static MAC table entry with the router IP, but this functionality already exists on the WBS210.

 

Thanks in advance.

#1
2 Replies
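To see exactly which frames the ruleset in the post lets through, here is a small model of the ebtables FORWARD chain in Python; it is an added example, not code from the post, from Ubiquiti or from TP-Link. It assumes a constructed router MAC in place of $ROOTER_MAC and models only the matches the post uses plus the ebtables IP match (-p IPv4 --ip-proto udp --ip-sport 67) that the requested rogue-DHCP protection would need; the broadcast ACCEPT rule also lets a DHCP server reply (UDP source port 67) broadcast from a wifi client through to the LAN, which the extra guard rule closes.

```python
from dataclasses import dataclass
from typing import List, Optional
BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER_MAC = "00:11:22:33:44:55"  # constructed stand-in for $ROOTER_MAC
@dataclass
class Frame:
    in_if: str    # interface the frame arrived on (-i)
    out_if: str   # interface it would leave on (-o)
    src: str      # source MAC (-s)
    dst: str      # destination MAC (-d)
    udp_sport: Optional[int] = None  # UDP source port, IPv4/UDP frames only

@dataclass
class Rule:
    target: str   # ACCEPT or DROP
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    udp_sport: Optional[int] = None  # models -p IPv4 --ip-proto udp --ip-sport

    def matches(self, f: Frame) -> bool:
        # every field the rule sets must equal the frame's field
        return all(want is None or want == got for want, got in (
            (self.in_if, f.in_if), (self.out_if, f.out_if),
            (self.src, f.src.lower()), (self.dst, f.dst.lower()),
            (self.udp_sport, f.udp_sport)))

def forward(chain: List[Rule], frame: Frame, policy: str = "ACCEPT") -> str:
    """First matching rule decides, as in a real chain; else the chain policy."""
    for rule in chain:
        if rule.matches(frame):
            return rule.target
    return policy

def post_ruleset(wifi: str = "ath0", lan: str = "eth0") -> List[Rule]:
    """The five FORWARD rules from the post, entered in the same order.
    ebtables -I inserts at the head, so the last rule entered is checked first."""
    chain: List[Rule] = []
    chain.insert(0, Rule("DROP", in_if=wifi, out_if=lan))
    chain.insert(0, Rule("DROP", in_if=lan, out_if=wifi))
    chain.insert(0, Rule("ACCEPT", in_if=wifi, out_if=lan, dst=BROADCAST))
    chain.insert(0, Rule("ACCEPT", in_if=wifi, out_if=lan, dst=ROUTER_MAC))
    chain.insert(0, Rule("ACCEPT", in_if=lan, out_if=wifi, src=ROUTER_MAC))
    return chain

def with_dhcp_guard(chain: List[Rule], wifi: str = "ath0") -> List[Rule]:
    """Rogue-DHCP guard: drop DHCP server replies (UDP sport 67) seen on wifi."""
    chain.insert(0, Rule("DROP", in_if=wifi, udp_sport=67))
    return chain
```

The real ebtables form of the guard rule is `ebtables -I FORWARD -i ath0 -p IPv4 --ip-proto udp --ip-sport 67 -j DROP`, entered after the rules from the post so it sits at the head of the chain.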
Re: WBS210 and all pharos product : add some protection rules on layer 2
2018-08-27 20:49:00 - last edited 2018-08-27 20:54:32

krok wrote

Is it possible to do that on the WBS210?

 

AFAIK, the WBS210 does not support ebtables. I would recommend using ACLs on the L2 switch the WBS and the router are connected to rather than configuring each WBS. Enabling AP isolation will effectively prevent access between wireless clients.

 

As for denying access to the WBS itself, I would use a mgmt VLAN or restrict access to certain MAC addresses, which disables access for all other MACs. All other services (ssh, CDP) can be disabled on the WBS, so that there is no attack vector left.

 

As for the DHCP server you could set up dnsmasq in force/authoritative mode.

#2
Re: WBS210 and all pharos product : add some protection rules on layer 2
2018-08-28 06:28:15

"Actually we need the possibility, in AP bridge mode, to allow wifi client traffic to 2 MAC addresses only (clients must speak only with the router)."

 

No other way to do that: there is no switch on the network.

 

The real question is: TP-LINK, can you add this functionality? ARP/IP binding is already available.

 

 

#3