Bill
July 1, 2004, 12:37pm
1
I have a MT Router (2.8.11) with a 4-port Ethernet card. I’m using 2 ports, one (Public) connected to the T1 router, one (Private) connected to all the servers and radios. The 2.4ghz network is routed (Proxim MP.11) and the 900mhz network is bridged (Alvarion). All the clients have private IP’s and are NAT’ed through the MT firewall. All the radios and servers have private IP’s. The servers are linked to their public IP’s by 1:1 NAT. (I have a /26 with the T1).
I want to get things in order before the network gets really big. I would like to put public IPs on the servers, but still run the traffic through the MT firewall. I want to be able to give public IPs to certain customers. Since they are only for management, I want to leave private IPs on all the radios.
If I understand correctly, I can add a Bridge interface that will let me put public IPs on the servers and Alvarion clients, while keeping private IPs on the radios, and still have all traffic go through the MT firewall. Will this also work for the (routed) Proxim clients, or do I continue 1:1 NAT for them? (This is working so far, but I’ve read that NAT can cause trouble for clients needing to use a VPN, since PPTP/GRE and IPsec do not always survive address translation.)
Any comments, suggestions, and advice greatly appreciated.
Thanks,
Bill
wjw
July 2, 2004, 9:15am
2
I have a similar setup but with 3 interfaces… I used the following config:
# Three ethernet ports.  disable-running-check=yes stops the router from
# tracking link state, so a port with no carrier is still reported as running.
/ interface ethernet
set Internal name=“Internal” mtu=1500 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes long-cable=no speed=100Mbps
disabled=no
set External name=“External” mtu=1500 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes long-cable=no speed=100Mbps
disabled=no
set Management name=“Management” mtu=1500 arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes
long-cable=no speed=100Mbps disabled=no
# One bridge, STP off, forwarding ip/arp/ipv6 and every other ethertype.
# Security note: Internal, External (the upstream-facing port) and Management
# all end up in one layer-2 domain.  A frame switched between two bridge
# ports is not routed by this box, so unless bridged packets are deliberately
# handed to the IP firewall, the '/ ip firewall forward' rules do not see it.
# NOTE(review): hosts that use the frame router as their default gateway
# therefore talk to it directly; verify with rule counters whether the IP
# firewall ever matches their traffic before relying on it for filtering.
/ interface bridge
add name=“bridge1” mtu=1500 arp=enabled forward-protocols=ip,arp,ipv6,other
stp=no priority=32768 ageing-time=5m forward-delay=15s
garbage-collection-interval=4s hello-time=2s max-message-age=20s
disabled=no
/ interface bridge port
set Internal bridge=bridge1 priority=128 path-cost=10
set External bridge=bridge1 priority=128 path-cost=10
set Management bridge=bridge1 priority=128 path-cost=10
# Both the private management /24 and the public /25 are bound on the bridge;
# the public .102 is the address the NATed private clients appear as.
/ ip address
add address=10.10.10.200/24 network=10.10.10.0 broadcast=10.10.10.255
interface=bridge1 comment=“Management IP” disabled=no
add address=XXX.124.100.102/25 network=XXX.124.100.0
broadcast=XXX.124.100.127 interface=bridge1 comment=“Outside Address for Natd Clients” disabled=no
Which gives me:
A Management Network, which has my servers on it, using both public and private addresses.
An Internal Network, which allows users/routers/AP’s etc to access the internet via Public or Private IP’s.
An External Network, which is directly connected to my Frame router using a cross over cable.
The ability to firewall the Management interface for each IP range independently, i.e. VPN access on the private range but not on the public one, etc.
Traffic Monitoring and Bandwidth Throttling for all IP’s
NAT for the 10.10.10.0 network, using 10.10.10.200 (Private Bridge IP) for my NATed Default Gateway.
Direct access to my frame router (with the router as my default gateway) for all public-IP-based systems. (Note: because those hosts share the bridge with the External port, their traffic to and from the frame router is switched at layer 2 rather than routed, so unless bridged traffic is deliberately passed to the IP firewall it is not filtered by the forward chain.)
If it sounds like what you’re after, I can email you the full config file…
Bill
July 2, 2004, 12:12pm
3
Thanks for the response. That looks real close to what I am after. I would like to look at the full config, if you don’t mind sending it.
baustin at nvinet dot net
Thanks,
Bill
Bill
July 4, 2004, 11:49pm
5
WJW,
For some reason it didn’t show up. Could you send again when you get a chance?
Thanks,
Bill
wjw
July 5, 2004, 12:10am
6
Hmm, it bounced; okay, the config is below, with my public IPs edited:
# NOTE(review): these two header lines are presumably '#'-prefixed comment
# lines in the original export; the forum rendering dropped the marker.
jul/02/2004 21:04:49 by RouterOS 2.8.11
software id = B05M-NTT
# Three ethernet ports.  disable-running-check=yes stops the router from
# tracking link state, so a port with no carrier is still reported as running.
/ interface ethernet
set Internal name=“Internal” mtu=1500 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes long-cable=no speed=100Mbps
disabled=no
set External name=“External” mtu=1500 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes long-cable=no speed=100Mbps
disabled=no
set Management name=“Management” mtu=1500 arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes
long-cable=no speed=100Mbps disabled=no
# One bridge, STP off, forwarding ip/arp/ipv6 and every other ethertype
# between all three ports.
# Security note: Internal, External (upstream, per the post above) and
# Management share one layer-2 domain.  A frame switched between bridge ports
# is not routed by this box, so unless bridged packets are deliberately
# handed to the IP firewall, the '/ ip firewall forward' rules further down
# never see it.  The public-IP hosts use the frame router as default gateway
# (post above), so their traffic reaches it directly.
# NOTE(review): check whether this RouterOS version can pass bridged traffic
# through the IP firewall, or move External to its own routed interface, if
# those hosts are meant to be filtered.  stp=no also means a second path
# between the segments would create an unprotected loop.
/ interface bridge
add name=“bridge1” mtu=1500 arp=enabled forward-protocols=ip,arp,ipv6,other
stp=no priority=32768 ageing-time=5m forward-delay=15s
garbage-collection-interval=4s hello-time=2s max-message-age=20s
disabled=no
/ interface bridge port
set Internal bridge=bridge1 priority=128 path-cost=10
set External bridge=bridge1 priority=128 path-cost=10
set Management bridge=bridge1 priority=128 path-cost=10
# IP accounting on; the web view is limited to sources in 10.10.10.0/24.
/ ip accounting
set enabled=yes threshold=256
/ ip accounting web-access
set accessible-via-web=yes address=10.10.10.0/24
# Both the private /24 and the public /25 live on bridge1; XXX.XXX.XXX.102 is
# the address the src-nat rule below masquerades behind.
/ ip address
add address=10.10.10.200/24 network=10.10.10.0 broadcast=10.10.10.255
interface=bridge1 comment=“added by setup” disabled=no
add address=XXX.XXX.XXX.102/25 network=XXX.XXX.XXX.0
broadcast=XXX.XXX.XXX.127 interface=bridge1 comment=“” disabled=no
/ ip arp
# allow-remote-requests=yes makes the router answer recursive DNS queries
# from any source that can reach it.  The 'input' chain below has
# policy=accept and no rules, and the public /25 is bound on bridge1, so this
# is an open resolver reachable from the Internet (the classic open-resolver
# problem: usable by third parties for cache-poisoning attempts and as an
# amplifier).  Fix: set allow-remote-requests=no, or add input rules that
# accept dst-port 53 only from 10.10.10.0/24 and XXX.XXX.XXX.0/25 and drop
# other port-53 traffic to the router.
/ ip dns
set primary-dns=202.124.98.98 secondary-dns=202.124.98.99
allow-remote-requests=yes cache-size=“2048 kB” cache-max-ttl=7d
# Built-in chains all default to accept, and the export contains NO input
# rules.  Every packet addressed to the router itself - including to its
# public address XXX.XXX.XXX.102 - is accepted, so the management services in
# '/ ip service' (telnet, ftp, www, ssh bound to 0.0.0.0/0), DNS and the
# bandwidth-server are reachable from the Internet.  Add an input chain:
# accept established/related, accept management from 10.10.10.0/24, drop
# the rest.
/ ip firewall
set input name=“input” policy=accept comment=“”
set forward name=“forward” policy=accept comment=“”
set output name=“output” policy=accept comment=“”
# User chains.  Public_Man is declared but has no rules, so a jump to it
# simply returns.
add name=“Management” policy=none comment=“”
add name=“Private” policy=none comment=“”
add name=“Public_Man” policy=none comment=“”
# Filter for traffic towards the Management segment (the server is reachable
# as 10.10.10.10 and XXX.XXX.XXX.101).  Rules are tried top to bottom; the
# last one rejects and logs whatever did not match above it.
/ ip firewall rule Management
add protocol=tcp tcp-options=non-syn-only connection-state=established
action=accept comment=“Allow established TCP connections” disabled=no
# Accepts ALL UDP to every Management host from any source, so the final
# reject never applies to UDP and every UDP service on the servers is
# exposed.  Tighten to connection-state=established plus explicit
# dst-address/port rules (e.g. 10.10.10.10/32:53 and
# XXX.XXX.XXX.101/32:53 for DNS).
add protocol=udp action=accept comment=“Allow UDP connections” disabled=no
add protocol=icmp action=accept comment=“Allow ICMP messages” disabled=no
add dst-address=10.10.10.10/32:53 protocol=tcp action=accept comment=“Allow
DNS” disabled=no
add dst-address=XXX.XXX.XXX.101/32:53 protocol=tcp tcp-options=syn-only
action=accept comment=“” disabled=no
add dst-address=10.10.10.10/32:80 protocol=tcp tcp-options=syn-only
action=accept comment=“Allow http connections to the server” disabled=no
add dst-address=XXX.XXX.XXX.101/32:80 protocol=tcp tcp-options=syn-only
action=accept comment=“” disabled=no
add dst-address=10.10.10.10/32:443 protocol=tcp tcp-options=syn-only
action=accept comment=“” disabled=no
add dst-address=XXX.XXX.XXX.101/32:443 protocol=tcp tcp-options=syn-only
action=accept comment=“” disabled=no
# PPTP control (1723) plus GRE to the server, via both addresses; the pptp
# and gre helpers in service-port track these.
add dst-address=XXX.XXX.XXX.101/32:1723 protocol=tcp tcp-options=syn-only
action=accept comment=“Allow VPN connections to the server” disabled=no
add dst-address=XXX.XXX.XXX.101/32 protocol=gre action=accept comment=“”
disabled=no
add dst-address=10.10.10.10/32:1723 protocol=tcp tcp-options=syn-only
action=accept comment=“Allow VPN connections to the server” disabled=no
add dst-address=10.10.10.10/32 protocol=gre action=accept comment=“”
disabled=no
add dst-address=XXX.XXX.XXX.101/32:25 protocol=tcp tcp-options=syn-only
action=accept comment=“Allow SMTP connections to the server " disabled=no
add dst-address=XXX.XXX.XXX.101/32:110 protocol=tcp tcp-options=syn-only
action=accept comment=“Allow POP3 connections to the server” disabled=no
# RDP (3389) is accepted from any source, including via the public address.
# Restrict with src-address to the management range, or reach it over the
# VPN instead.
add dst-address=10.10.10.10/32:3389 protocol=tcp action=accept comment=“Allow
TS connections to the server” disabled=no
add dst-address=XXX.XXX.XXX.101/32:3389 protocol=tcp action=accept comment=”"
disabled=no
add dst-address=10.10.10.10/32:21 protocol=tcp tcp-options=syn-only
action=accept comment=“Allow FTP connections to the server " disabled=no
add dst-address=XXX.XXX.XXX.101/32:21 protocol=tcp tcp-options=syn-only
action=accept comment=”" disabled=no
add dst-address=XXX.XXX.XXX.101/32:20 protocol=tcp
connection-state=established action=accept comment=“” disabled=no
# Active-FTP data: accepts a SYN to ANY port of .101 as long as the source
# port is 20.  A client that binds to source port 20 can reach every TCP
# port on the server, bypassing the rest of this chain.  With the ftp helper
# enabled in service-port and the connection-state=related rules just below,
# this rule is likely redundant - verify with its counter, then remove it.
add src-address=:20 dst-address=XXX.XXX.XXX.101/32 protocol=tcp
tcp-options=syn-only action=accept comment=“” disabled=no
# related: data connections opened by a tracked FTP (or other helper) session.
add dst-address=10.10.10.10/32 protocol=tcp tcp-options=syn-only
connection-state=related action=accept comment=“” disabled=no
add dst-address=XXX.XXX.XXX.101/32 protocol=tcp tcp-options=syn-only
connection-state=related action=accept comment=“” disabled=no
# Purpose of port 22518 is not stated anywhere in this config.
add dst-address=XXX.XXX.XXX.101/32:22518 protocol=tcp action=accept
comment=“DC Connection” disabled=no
# Catch-all: no matchers, so every packet still in this chain is rejected
# and logged (Firewall-Log facility, see '/ system logging').
add action=reject log=yes comment=“Reject and log everything else”
disabled=no
# Private chain: only blocks 10.100.100.0/24 as a source.
/ ip firewall rule Private
add src-address=10.100.100.0/24 action=reject comment=“” disabled=no
# forward chain: only jumps, keyed on out-interface=Management.
# NOTE(review): Management is a bridge port; routed packets leave through
# bridge1, so out-interface=Management may never match and these jumps may
# be inert.  Check the rule counters; if they stay at zero the Management
# chain is not protecting anything and the match should be on bridge1 plus
# dst-address.  Also, because the Management chain ends in an unconditional
# accept-or-reject decision, a packet that enters it never comes back, so
# the jumps to Private and Public_Man never see traffic.
/ ip firewall rule forward
add out-interface=Management action=jump jump-target=Management comment=“”
disabled=no
add out-interface=Management action=jump jump-target=Private comment=“”
disabled=no
add out-interface=Management action=jump jump-target=Public_Man comment=“”
disabled=no
# Mangle: tags flows for the queue tree below.  Classification only - no
# security effect.  Every rule is passthrough, so evaluation continues after
# a match.
# NOTE(review): a packet from 10.10.10.0/24 to 10.10.10.0/24 matches both the
# _Local rule and the _Public_Out rule; confirm which mark the queue tree
# actually sees for such traffic.
/ ip firewall mangle
add src-address=10.10.10.0/24 dst-address=10.10.10.0/24 action=passthrough
mark-flow=10.10.10.0_Local comment=“” disabled=no
add src-address=XXX.XXX.XXX.0/25 dst-address=XXX.XXX.XXX.0/25
action=passthrough mark-flow=XXX.XXX.XXX.0_Local comment=“” disabled=no
# Per-host in/out marks for the public servers .100 and .101.
add src-address=XXX.XXX.XXX.100/32 action=passthrough
mark-flow=XXX.XXX.XXX.100_Out comment=“” disabled=no
add dst-address=XXX.XXX.XXX.100/32 action=passthrough
mark-flow=XXX.XXX.XXX.100_In comment=“” disabled=no
add src-address=XXX.XXX.XXX.101/32 action=passthrough
mark-flow=XXX.XXX.XXX.101_Out comment=“” disabled=no
add dst-address=XXX.XXX.XXX.101/32 action=passthrough
mark-flow=XXX.XXX.XXX.101_In comment=“” disabled=no
# NATed private clients: outbound by source range, inbound by the NAT
# address .102 that replies come back to.
add src-address=10.10.10.0/24 action=passthrough
mark-flow=10.10.10.0_Public_Out comment=“” disabled=no
add dst-address=XXX.XXX.XXX.102/32 action=passthrough
mark-flow=10.10.10.0_Public_In comment=“” disabled=no
# Per-host in/out marks for the public customers .4 and .6.
add dst-address=XXX.XXX.XXX.4/32 action=passthrough
mark-flow=XXX.XXX.XXX.4_In comment=“” disabled=no
add src-address=XXX.XXX.XXX.4/32 action=passthrough
mark-flow=XXX.XXX.XXX.4_Out comment=“” disabled=no
add dst-address=XXX.XXX.XXX.6/32 action=passthrough
mark-flow=XXX.XXX.XXX.6_In comment=“” disabled=no
add src-address=XXX.XXX.XXX.6/32 action=passthrough
mark-flow=XXX.XXX.XXX.6_Out comment=“” disabled=no
# Connection-tracking helpers (ALGs).  Each enabled helper parses application
# payload to open related connections; keep only the ones actually needed
# (ftp, and pptp/gre for the VPN rules above).  mms, irc, quake3 and tftp
# are enabled here and are extra parsing surface if nothing uses them.
/ ip firewall service-port
set ftp ports=21 disabled=no
set pptp disabled=no
set gre disabled=no
set h323 disabled=yes
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
# Masquerade every routed packet sourced from 10.10.10.0/24, whatever its
# destination - there is no out-interface or dst-address restriction.
# NOTE(review): private clients that reach the public /25 hosts via the router
# are also translated to .102; confirm that is intended, otherwise exclude
# that destination range (an accept rule above this one, or a negated
# dst-address if this version supports it).
/ ip firewall src-nat
add src-address=10.10.10.0/24 action=masquerade comment=“” disabled=no
# tcp-established-timeout=5d keeps idle TCP entries for five days; fine for
# a small site, but it grows the tracking table if clients are many.
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m
tcp-established-timeout=5d tcp-fin-wait-timeout=2m
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
# Neighbor discovery (MNDP) is on for External as well, so the router
# announces itself to whatever sits on the upstream segment.  Set External
# discover=no; nothing there needs to find this box.
/ ip neighbor discovery
set Internal discover=yes
set External discover=yes
set Management discover=yes
set bridge1 discover=yes
# Two default routes at the same distance: one via 10.10.10.250 ("added by
# setup") and one via the upstream XXX.XXX.XXX.120.
# NOTE(review): only one can be the real exit; the private one looks like a
# leftover from initial setup - confirm and remove it, otherwise which
# gateway is chosen is left to the routing implementation.
/ ip route
add dst-address=0.0.0.0/0 preferred-source=0.0.0.0 gateway=10.10.10.250
distance=1 comment=“added by setup” disabled=no
add dst-address=0.0.0.0/0 preferred-source=0.0.0.0 gateway=XXX.XXX.XXX.120
distance=1 comment=“” disabled=no
# All four management services listen on every address (0.0.0.0/0).  With
# the empty input chain this exposes telnet, ftp and www - all cleartext,
# credentials included - and ssh to the Internet via XXX.XXX.XXX.102.
# Fix: address=10.10.10.0/24 on each service, disable telnet and ftp, keep
# ssh (and www only if it is really needed).
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=no
set www port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
# SOCKS proxy off - keep it that way unless needed; an enabled SOCKS proxy
# reachable from outside is an open relay.
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
# Policy routing: a single catch-all rule using table main, which mirrors the
# two default routes above (same duplicate-gateway caveat).
/ ip policy-routing
/ ip policy-routing rule
add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 flow=“” interface=all
action=lookup table=main comment=“” disabled=no
/ ip policy-routing table main
add dst-address=0.0.0.0/0 gateway=10.10.10.250 preferred-source=0.0.0.0
comment=“added by setup” disabled=no
add dst-address=0.0.0.0/0 gateway=XXX.XXX.XXX.120 preferred-source=0.0.0.0
comment=“” disabled=no
# UPnP off - good; it would let LAN hosts open ports on the NAT by themselves.
/ ip upnp
set enabled=no
# IPsec proposal: 3DES / SHA1 with PFS group modp1024.  Standard for 2004, but
# 3DES and a 1024-bit DH group are considered weak today; move to a stronger
# cipher and group where the peer supports them.
/ ip ipsec proposal
add name=“default” auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
lifebytes=0 pfs-group=modp1024 disabled=no
# Web proxy currently disabled.  If it is turned on (the follow-up post plans
# to), keep the source restrictions below so it does not become an open
# proxy, and confirm the default for sources that match no access rule is
# deny.  transparent-proxy=yes still needs a redirect rule for port 80,
# which this export does not contain.
/ ip web-proxy
set enabled=no src-address=0.0.0.0 port=8080 hostname=“proxy”
transparent-proxy=yes parent-proxy=0.0.0.0:0
cache-administrator=“webmaster” max-object-size=“9999 kB”
cache-drive=system max-cache-size=2048
# Access list: CONNECT only to 443/563 (blocks tunnelling arbitrary TCP
# through the proxy), then allow only the two local ranges.
/ ip web-proxy access
add dst-port=!443,563 method=connect action=deny comment=“allow CONNECT only
to SSL ports 443 [https] and 563 [snews]” disabled=no
add src-address=XXX.XXX.XXX.0/25 action=allow comment=“” disabled=no
add src-address=10.10.10.0/24 action=allow comment=“” disabled=no
/ ip web-proxy cache
add url=“cgi-bin \?” action=deny comment=“don’t cache dynamic http pages”
disabled=no
/ system identity
set name=“WNK_BB4_BR”
# Remote syslog to 10.10.10.10:514 - UDP and cleartext, acceptable on the
# management LAN, not across anything untrusted.  Local buffers are only
# 100 lines, so anything not sent remote is lost on reboot.
/ system logging
set default-remote-address=10.10.10.10 default-remote-port=514
disk-buffer-lines=100 memory-buffer-lines=100
# Facilities: Firewall-Log, System-Info and System-Warning go to the remote
# host; System-Error, IPsec/IKE and Web-Proxy-Access stay in memory only.
# remote-address=0.0.0.0 / remote-port=0 presumably means "use the defaults
# set above" - confirm.  Consider remote=syslog for System-Error as well so
# errors survive a reboot.
/ system logging facility
set Firewall-Log local=memory remote=syslog remote-address=0.0.0.0
remote-port=0 prefix=“” echo=no
set System-Info local=memory remote=syslog remote-address=0.0.0.0
remote-port=0 prefix=“” echo=no
set System-Error local=memory remote=none remote-address=0.0.0.0
remote-port=0 prefix=“” echo=no
set System-Warning local=memory remote=syslog remote-address=0.0.0.0
remote-port=0 prefix=“” echo=no
set Web-Proxy-Access local=memory remote=none remote-address=0.0.0.0
remote-port=0 prefix=“” echo=no
set IPsec-Event local=memory remote=none remote-address=0.0.0.0 remote-port=0
prefix=“” echo=no
set IKE-Event local=memory remote=none remote-address=0.0.0.0 remote-port=0
prefix=“” echo=no
set IPsec-Warning local=memory remote=none remote-address=0.0.0.0
remote-port=0 prefix=“” echo=no
set System-Echo local=memory remote=none remote-address=0.0.0.0 remote-port=0
prefix=“” echo=yes
# Serial console enabled: anyone with physical access to serial0 gets a
# login prompt.  Fine if the box is in a locked rack.
/ system serial-console
set enabled=yes port=serial0
# Package source uses the 'admin' account.  NOTE(review): 10.10.10.200 looks
# like this router's own bridge address (see '/ ip address'); confirm it is
# the intended package host, and prefer a dedicated low-privilege account
# over admin for package pulls.
/ system upgrade upgrade-package-source
add address=10.10.10.200 user=“admin”
/ system upgrade mirror
set enabled=no primary-server=10.10.10.72 secondary-server=0.0.0.0
check-interval=1d user=“”
# Watchdog disabled.
/ system watchdog
set reboot-on-failure=no watch-address=none watchdog-timer=no
ping-start-after-boot=5m
/ port
set serial0 name=“serial0” baud-rate=9600 data-bits=8 parity=none stop-bits=1
flow-control=hardware
# Queue types: stock defaults (pfifo for ethernet, sfq for wireless, red for
# synchronous).  No security relevance.
/ queue type
set default name=“default” kind=pfifo bfifo-limit=15000 pfifo-limit=50
red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20
sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 pcq-classifier=“”
set ethernet-default name=“ethernet-default” kind=pfifo bfifo-limit=15000
pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50
red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50
pcq-classifier=“”
set wireless-default name=“wireless-default” kind=sfq bfifo-limit=15000
pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50
red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50
pcq-classifier=“”
set synchronous-default name=“synchronous-default” kind=red bfifo-limit=15000
pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50
red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50
pcq-classifier=“”
# Queue tree: "In Queue" (global-in) and "Out Queue" (global-out) cap total
# throughput at 1 Mbit/s each; per-host children are keyed on the mangle
# flow marks.  Limits are in bits per second.
# NOTE(review): several children reference a parent that is defined later in
# this listing ("Out Queue" is near the end); if re-entering by hand, create
# the parents first.
/ queue tree
add name=“In Queue” parent=global-in flow=“” limit-at=524288 queue=default
priority=5 max-limit=1048576 burst-limit=0 burst-threshold=0 burst-time=0
disabled=no
add name=“XXX.XXX.XXX.100_Out” parent=“Out Queue” flow=XXX.XXX.XXX.100_Out
limit-at=262144 queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0 disabled=no
# Local (bridge-side) traffic gets its own 5 Mbit/s parent on Internal, so
# LAN-to-LAN flows are not charged against the WAN caps.
add name=“Internal Queue” parent=Internal flow=“” limit-at=5242880
queue=default priority=1 max-limit=5242880 burst-limit=0
burst-threshold=0 burst-time=0 disabled=no
add name=“XXX.XXX.XXX.100_In” parent=“In Queue” flow=XXX.XXX.XXX.100_In
limit-at=262144 queue=default priority=8 max-limit=786432 burst-limit=0
burst-threshold=0 burst-time=0 disabled=no
add name=“XXX.XXX.XXX.101_Out” parent=“Out Queue” flow=XXX.XXX.XXX.101_Out
limit-at=131072 queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0 disabled=no
add name=“XXX.XXX.XXX.101_In” parent=“In Queue” flow=XXX.XXX.XXX.101_In
limit-at=131072 queue=default priority=8 max-limit=524288 burst-limit=0
burst-threshold=0 burst-time=0 disabled=no
add name=“Local Traffic - Private” parent=“Internal Queue”
flow=10.10.10.0_Local limit-at=0 queue=default priority=2 max-limit=0
burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name=“Local Traffic - Public” parent=“Internal Queue”
flow=XXX.XXX.XXX.0_Local limit-at=0 queue=default priority=2 max-limit=0
burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name=“Out Queue” parent=global-out flow=“” limit-at=524288 queue=default
priority=5 max-limit=1048576 burst-limit=0 burst-threshold=0 burst-time=0
disabled=no
add name=“10.10.10.0_Public_Out” parent=“Out Queue”
flow=10.10.10.0_Public_Out limit-at=262144 queue=default priority=8
max-limit=262144 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name=“10.10.10.0_Public_In” parent=“In Queue” flow=10.10.10.0_Public_In
limit-at=262144 queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0 disabled=no
add name=“XXX.XXX.XXX.4_Out” parent=“Out Queue” flow=XXX.XXX.XXX.4_Out
limit-at=131072 queue=default priority=8 max-limit=524288 burst-limit=0
burst-threshold=0 burst-time=0 disabled=no
add name=“XXX.XXX.XXX.4_In” parent=“In Queue” flow=XXX.XXX.XXX.4_In
limit-at=131072 queue=default priority=8 max-limit=524288 burst-limit=0
burst-threshold=0 burst-time=0 disabled=no
add name=“XXX.XXX.XXX.6_Out” parent=“Out Queue” flow=XXX.XXX.XXX.6_Out
limit-at=131072 queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0 disabled=no
add name=“XXX.XXX.XXX.6_In” parent=“In Queue” flow=XXX.XXX.XXX.6_In
limit-at=131072 queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0 disabled=no
# Single full-rights 'admin' account allowed from any source address
# (0.0.0.0/0).  Pair with the service fix: address=10.10.10.0/24 here too, so
# even a service left open is only usable from the management LAN.  The
# export does not show the password - make sure it is not empty.
/ user
add name=“admin” group=full address=0.0.0.0/0 comment=“system default user”
disabled=no
# Groups.  NOTE(review): 'read' includes the reboot policy, so a read-only
# login can still reboot the router; drop reboot from read unless intended.
# The 'w' / 'eb' split is the forum wrapping 'web' mid-token (compare the
# 'full' line); rejoin before re-importing.
/ user group
add name=“read” policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,w
eb
add name=“write” policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,w
eb
add name=“full” policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web
# Local authentication only; accounting on; new users default to 'read'.
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ driver
# SNMP on.  Community-string SNMP is unauthenticated beyond the string itself
# and travels in cleartext.  The contact field held an e-mail address
# (redacted here); keep it out of anything reachable from outside.
/ snmp
set enabled=yes contact=“> xxx@xxx.net.nz > " location=“xxx xxx,
xxxxxx”
# 'public' is read-only and limited to 10.10.10.10/32 - good.  Renaming the
# default community costs nothing and removes the obvious first guess.
/ snmp community
set public name=“public” address=10.10.10.10/32 read-access=yes
# Bandwidth test server enabled.  authenticate=yes requires a login, but with
# the empty input chain it still listens on every address; disable it when
# not actively testing.
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
# Answers MAC-level pings (no per-interface restriction shown, so presumably
# on every interface including External).
/ tool mac-server ping
set enabled=yes
# Packet sniffer pre-configured for Internal, capturing full frames to memory
# (file-name is empty).  Not running in this export; note it will capture
# cleartext credentials from telnet/ftp/http if started on a busy segment.
/ tool sniffer
set interface=Internal only-headers=no memory-limit=10 file-name=”"
file-limit=10 streaming-enabled=no streaming-server=0.0.0.0
filter-stream=yes filter-protocol=all-frames
filter-address1=0.0.0.0/0:0-65535 filter-address2=0.0.0.0/0:0-65535
All this on a P100 with 64 MB RAM and two Intel server NICs… it sits at an average of 11% CPU and 19 MB memory usage.
Bill
July 5, 2004, 12:28am
7
Thanks, much. I really appreciate it. I’ll have to print this out and look it over.
I’ve been using a P166 with 48 MB RAM and a 2-port Intel card. It worked quite well. It’s now the backup router. I found a 1 GHz PIII with 512 MB RAM and added a Routerboard 44. I plan to add a 40 GB hard drive and enable the transparent web proxy. The hard part is finding some down time to do it.
wjw
July 5, 2004, 3:29am
8
You can probably ignore most of it; a lot of it is my queues and firewall rules.