What firewall means in ISP context

Not just "block port 22 from the world." In ISPs, the firewall protects infrastructure (management, RADIUS, monitoring, database), segments traffic (residential customers can't reach corporate network, IoT can't reach cameras), applies per-VLAN/VRF policies, and absorbs edge attacks before they hit the core.

What RASYS does with firewall

  • Edge hardening — infrastructure ACLs (management reachable only from authorized IPs, default-deny on the control plane), strict uRPF to prevent source-address spoofing, control-plane rate limits (CoPP).
  • VLAN/VRF isolation — segmenting management network, RADIUS/database, residential customers, corporate customers, IoT, cameras. L3 firewall between segments.
  • NAT and port forwarding — for internal services needing exposure (web, email, VPN), with clear policy.
  • Edge anti-DDoS — rate-limit per flow, drop abusive protocols (NTP amplification, open DNS recursors), integrated BGP RTBH.
  • Site-to-site VPN — IPSec or WireGuard between PoPs or to corporate customers. L2TP/SSTP for remote access.
  • RADIUS, DB, management hardening — fail2ban, IP whitelist, MFA where applicable.
  • Logging and alerts — centralized Syslog, alert on blocked-traffic spike, SIEM integration if the ISP has one.
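To make the bullets above concrete, here is an added nftables ruleset for a Linux-based edge or services firewall showing how edge hardening, VLAN isolation, RADIUS protection, amplification hygiene and drop logging fit together in one policy. It is an illustration written for this page, not RASYS's configuration or a customer's; the prefixes (documentation ranges), interface names (vlan-residential, vlan-iot, vlan-corp, vlan-mgmt, vlan-radius, vlan-cameras, uplink) and rate values are assumed placeholders to be replaced per network.

```nftables
#!/usr/sbin/nft -f
# Illustrative ISP edge policy (added example, not RASYS configuration).
# All prefixes, interface names and rate limits below are assumptions.
flush ruleset

define MGMT_NETS = { 192.0.2.0/24, 198.51.100.0/24 }   # assumed: NOC / jump-host prefixes
define NAS_NETS  = { 203.0.113.0/24 }                   # assumed: BNG/OLT addresses allowed to talk RADIUS
define RESOLVERS = { 203.0.113.53 }                     # assumed: ISP recursive DNS (must not be an open recursor)
define BOGONS    = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
                     172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }

table inet infra {
    chain input {
        # Control plane: deny by default, open only what the infrastructure needs
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Strict uRPF: drop packets whose source would not be routed back out the arrival interface
        fib saddr . iif oif missing counter drop

        # Management (SSH, SNMP) only from authorized management prefixes; new SSH sessions are rate-limited
        ip saddr $MGMT_NETS tcp dport 22 ct state new limit rate 10/minute accept
        ip saddr $MGMT_NETS udp dport 161 accept
        tcp dport 22 log prefix "infra-ssh-denied: " counter drop

        # RADIUS auth/acct only from the NAS devices that should be using it
        ip saddr $NAS_NETS udp dport { 1812, 1813 } accept

        # CoPP-style policing: bound ICMP so a flood cannot starve the router CPU
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 50/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, packet-too-big, time-exceeded, parameter-problem } limit rate 50/second accept

        # Everything else: log (rate-limited so the log itself cannot be flooded) and drop
        limit rate 5/second log prefix "infra-input-drop: " counter
        counter drop
    }

    chain forward {
        # Segmentation between VLANs: deny by default, allow only the intended directions
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing at the subscriber edge: bogon sources never enter from customer-facing VLANs
        iifname { "vlan-residential", "vlan-iot", "vlan-corp" } ip saddr $BOGONS counter drop

        # Subscriber and IoT segments never reach management, RADIUS, cameras or the corporate segment
        iifname { "vlan-residential", "vlan-iot" } \
            oifname { "vlan-mgmt", "vlan-radius", "vlan-cameras", "vlan-corp" } \
            limit rate 5/second log prefix "segment-violation: " counter drop

        # Amplification hygiene: the recursor answers only subscriber segments, never the internet
        iifname "uplink" ip daddr $RESOLVERS udp dport 53 counter drop
        iifname { "vlan-residential", "vlan-iot", "vlan-corp" } ip daddr $RESOLVERS udp dport 53 accept
        iifname { "vlan-residential", "vlan-iot", "vlan-corp" } ip daddr $RESOLVERS tcp dport 53 accept

        # Management VLAN may reach every internal segment; subscribers may reach the internet
        iifname "vlan-mgmt" accept
        iifname { "vlan-residential", "vlan-iot", "vlan-corp" } oifname "uplink" accept
        # Corporate customers may also reach their own site-to-site VPN peers
        iifname "vlan-corp" oifname "vlan-corp" accept
    }
}
```

Loading this with `nft -f` replaces the whole ruleset, so it is safest applied from a console or with a scheduled rollback. The `segment-violation:` and `infra-input-drop:` log prefixes are what a central Syslog or SIEM rule would key on to raise the "blocked-traffic spike" alert described above.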

Equipment we work with

MikroTik RouterOS, FortiGate, pfSense, OPNsense, iptables/nftables on Linux, IPsec/WireGuard. On larger edges, integration with Huawei/Juniper router service modules.

When it makes sense to talk to us

You have firewall rules piled up for years with nobody reviewing; OLT management is on the public internet; suffered a recent DDoS without mitigation; want to separate corporate from residential network but don't know how; need site-to-site VPN for customers.

Talk to us. See also: BGP (RTBH anti-DDoS), Monitoring.