I have the following setup with Linux (3 Ethernet cards: wan, lan, dmz) and iptables.
(isp) ==netA== wan(linux R1)lan ==netB== (lan)
(linux-R1)(dmz) === netC === (computers with ip from pub-ip-range-sub1)
My company owns a public IP range (a public C-class) and our ISP routes the entire pub-ip-range we own to R1. That is, our ISP broadcasts routes to our pub-ip-range on the internet (R1 doesn't broadcast a route to pub-ip-range).
NetA is a 10.1.x.x network
NetB is a 10.2.x.x network
NetC is a subnet of pub-ip-range (DMZ)
R1 masquerades outbound connections from NetB with an arbitrary IP from pub-ip-range.
R1 does port forwarding (incoming connections) from pub-ip-range to specific IPs on NetB.
I am thinking of retiring the Linux box and using a RouterBoard/MikroTik.
Can I achieve such a setup with a RouterBoard/MikroTik router?
The answer is most likely yes, RouterOS can do the job. If the ISP actually routes the public block to you via a distinct IP address outside of that block (it can even be an RFC1918 address) then there are no real complications.
R1 would just be doing classic WAN firewall/NAT activities between the WAN and Net B, then overlay some rules/exceptions for the public IP subnet on Net C.
Yes,
Actually pub-ip-range is split into two subnets/parts:
netC/dmz - here the computers get a public IP assigned to their NICs; eth-dmz gets a public IP from that subnet. So the public IPs are actually assigned to NICs here.
netB - hosts get private IPs and access the internet through NAT (and port forwarding) on R1. Here the public IPs are not assigned to any interface; they are just used in masquerade and port forwarding rules on R1.
I have done setups on MikroTik/RB where there is a single public IP or multiple public IPs on the WAN interface, but not where the WAN is the routing target for an entire IP range.
You would allocate an address/mask from the DMZ subnet to the DMZ interface in RouterOS.
You can then select one or more addresses from the remaining subnet and use those addresses in src-nat rules for traffic from the RFC 1918 hosts. You can apply those addresses to a bridge or the WAN interface depending on the exact circumstances/desired effect.
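The setup the answers describe (the DMZ interface gets an address from one half of the public block, the other half is never put on an interface and only appears in src-nat/dst-nat rules), written out as an added RouterOS v6 example. This is not configuration from the thread or from MikroTik; the addresses (RFC 5737 documentation space), interface names, the /25 split, the 80/443 port list and the example LAN web server are all constructed assumptions, so replace them with your own values.

```routeros
# Added example, RouterOS v6 syntax. Constructed addressing:
#   netA (ISP link)        : 10.1.0.0/30, R1 WAN side 10.1.0.2, ISP gateway 10.1.0.1
#   owned public block     : 198.51.100.0/24, routed by the ISP to 10.1.0.2
#     netC / DMZ half      : 198.51.100.0/25   -> on DMZ hosts and on ether3-dmz
#     NAT-only half        : 198.51.100.128/25 -> never on an interface, NAT rules only
#   netB (LAN)             : 10.2.0.0/16
# Interface names are assumptions.

/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan
set [ find default-name=ether3 ] name=ether3-dmz

/ip address
add address=10.1.0.2/30 interface=ether1-wan comment="ISP link address, outside the public block"
add address=10.2.0.1/16 interface=ether2-lan comment="LAN gateway"
add address=198.51.100.1/25 interface=ether3-dmz comment="R1's own address in the DMZ half"

/ip route
add dst-address=0.0.0.0/0 gateway=10.1.0.1
# The NAT-only half has no connected route. Packets for an address in it that no
# dst-nat rule claims would otherwise follow the default route back to the ISP and
# loop until TTL expires. Blackhole the half; dst-nat runs before routing, so the
# forwarded addresses and src-nat return traffic are unaffected.
add dst-address=198.51.100.128/25 type=blackhole

/ip firewall nat
# Outbound from the LAN: a fixed address from the NAT-only half. action=masquerade
# would instead use the interface address 10.1.0.2, which is not routable.
add chain=srcnat src-address=10.2.0.0/16 out-interface=ether1-wan \
    action=src-nat to-addresses=198.51.100.130 comment="LAN -> internet"
# Port forward 198.51.100.131:443 to an assumed LAN web server 10.2.0.10:443
add chain=dstnat in-interface=ether1-wan dst-address=198.51.100.131 \
    protocol=tcp dst-port=443 action=dst-nat to-addresses=10.2.0.10 to-ports=443 \
    comment="inbound HTTPS -> LAN web server"
# DMZ hosts carry their own public addresses: plain routing, no NAT rule needed.

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2-lan action=accept comment="LAN may go anywhere"
add chain=forward in-interface=ether1-wan connection-nat-state=dstnat action=accept \
    comment="only dst-nat'ed inbound reaches the LAN"
add chain=forward in-interface=ether1-wan out-interface=ether3-dmz protocol=tcp \
    dst-port=80,443 action=accept comment="internet -> DMZ, published services only"
add chain=forward in-interface=ether3-dmz out-interface=ether2-lan action=drop \
    comment="a compromised DMZ host must not reach the LAN"
add chain=forward in-interface=ether3-dmz action=accept comment="DMZ -> internet"
add chain=forward action=drop comment="default deny"
```

The rule order matters: the DMZ-to-LAN drop sits before the DMZ-to-anywhere accept, and the final drop makes the forward chain default-deny, so a new public service on either side has to be added explicitly. The input chain (protecting R1 itself) is not shown and needs its own rules. Verify with `/ip firewall connection print` that LAN traffic leaves with the src-nat address and with `/tool torch` or a packet sniff on ether1-wan that a packet to an unused address in 198.51.100.128/25 is dropped rather than sent back to the ISP.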