3 LANs, each with its own router device. Each router has an uplink port (WAN),
and the other ports are bridged.
All these LAN routers are connected to a WAN router that provides Internet access,
and its other ports are bridged alike.
The WAN router does the usual NAT translation and by default does not allow any connections from the WAN.
Now, to simplify administration, can NAT and firewall be removed on all the internal LAN routers?
Because the threat is coming from outside (WAN), not the LANs.
But then, will the WAN router be able to do the NAT for all the attached LANs?
Because, since there is no NAT translation on the LAN routers, the packets of the LAN clients
have the original source IP when they arrive at the WAN router.
Can this work? Anybody tried this out?
Does this setup make sense, or is there a better alternative?
This can work without NAT on LRs.
Instead you have to configure routing on WR. Either by adding a number of static routes or by running a routing protocol (e.g. BGP or OSPF) on the interconnection segment … In either case you have to make sure all those LAN segments (off LR routers) have unique address spaces or else WR will get confused. I don’t think this makes administration any simpler …
Sure this is possible. Nothing out of the ordinary, but somewhat strange.
If the WAN router is some decent gear, it can do NAT for whatever is coming in from the LAN, be it through different physical interfaces, VLANs, ranges, whatever.
The typical “consumer” Internet router provided by an ISP will most likely not be able to do this. Remember, because you are NOT doing any NAT on the LAN routers, the original packets from behind each LAN router will hit the WAN router unchanged, so coming from 192.168.1.x, 192.168.2.x and 192.168.3.x.
Your setup sure makes sense if you want it to make sense
You probably have a reason for these 3 “LANs”.
One can create such 3 LANs also on just 1 LAN router.
Theoretically it should be possible to do that also on the WAN router, but such ISP WAN routers are mostly castrated “dumb” routers which usually don’t allow to create more than 1 LAN,
so doing it on a LAN router, after removing the bridge (switch), is a better design choice, IMO.
If the WAN router can manage the 4 LANs (DHCP per subnet, NAT to WAN, inter-LAN FW rules, etc.),
then the 3 LRs would just bridge the network, actually acting as a switch.
Bridged connections bypass FW (NAT and filter) by default in MT.
The ISP Internet router is often very limited, or you get limited config possibilities. Making workarounds with 192.168.0.1/22, or splitting the only 192.168.0.1/24, can be difficult.
Can I design something better? Of course, but nobody would design for free on a forum.
Just tell us the main components of your design, ie. the general concept.
I hope it doesn’t include such overkills like VLAN, BGP, OSPF etc., or does it?
I need a bare-bones, standards-conformant IPv4 segmentation for such 3 LANs.
As said in prev posting, I think doing it behind a single LAN router is the best & most cost effective solution, IMO.
I suggest you reach out to any certified MikroTik consultant for a proper design.
That’s overkill for such a mini 3-LAN network, and I also can’t afford to pay such a certified consultant.
I am a CCNA myself (10+ yrs ago) and have even some more such (now outdated) certifications, though not much done in that field; rather done and doing programming instead.
Your IPv4 standard for sure should include “east-west” security these days.
By default each of the 3 LANs can just chit-chat with each other and that is not really a good plan…
Next-generation networks (SDx) would be intent-driven with micro-isolation already at the switchport/host.
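The two points above, the return routes and single NAT point on WR that the earlier reply calls for, and an explicit east-west policy in the forward chain, put together as an added RouterOS example (not configuration from anyone in this thread). It assumes WR’s uplink is ether1, its bridge "bridge-lan" sits on an interconnection segment 10.0.0.0/24, the three LRs have WAN addresses 10.0.0.2/.3/.4, default-route to 10.0.0.1, NAT disabled, and serve 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24; all of these values are assumptions, and the LAN1-to-LAN3 rule is a placeholder for whatever inter-LAN traffic is actually wanted.

```routeros
# Added example, not from the thread. Assumed topology:
#   WR ether1  = ISP uplink (WAN)
#   WR bridge-lan = 10.0.0.1/24, the segment the three LR WAN ports sit on
#   LR1 10.0.0.2 -> 192.168.1.0/24, LR2 10.0.0.3 -> 192.168.2.0/24,
#   LR3 10.0.0.4 -> 192.168.3.0/24; LRs route only, no srcnat, default route 10.0.0.1
/ip address
add address=10.0.0.1/24 interface=bridge-lan comment="interconnect to LRs"

# Return routes. Without them WR would send replies for 192.168.x.0/24 to its
# own default gateway (the ISP), and the LAN clients would never see them.
/ip route
add dst-address=192.168.1.0/24 gateway=10.0.0.2 comment="LAN1 via LR1"
add dst-address=192.168.2.0/24 gateway=10.0.0.3 comment="LAN2 via LR2"
add dst-address=192.168.3.0/24 gateway=10.0.0.4 comment="LAN3 via LR3"

# One address list makes the "unique address space per LAN" requirement
# explicit and keeps the NAT and filter rules short.
/ip firewall address-list
add list=internal address=192.168.1.0/24 comment=LAN1
add list=internal address=192.168.2.0/24 comment=LAN2
add list=internal address=192.168.3.0/24 comment=LAN3
add list=internal address=10.0.0.0/24 comment=interconnect

# Single NAT point: the unchanged 192.168.x.y sources are masqueraded here,
# on the way out of ether1, and nowhere else.
/ip firewall nat
add chain=srcnat src-address-list=internal out-interface=ether1 action=masquerade

# Forward chain, evaluated top to bottom, first match wins: stateful,
# no unsolicited connections from the WAN, and an east-west policy that is
# written down rather than left to "the LRs don't filter".
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-state=new action=drop comment="no inbound from WAN"
# East-west: placeholder allow for LAN1 -> LAN3; everything else between the
# internal subnets (including clients reaching the LR management addresses)
# is logged and dropped. Replace with an accept if full inter-LAN traffic is wanted.
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.3.0/24 action=accept
add chain=forward src-address-list=internal dst-address-list=internal action=drop log=yes log-prefix="east-west"
add chain=forward src-address-list=internal out-interface=ether1 action=accept comment="LANs to Internet"
add chain=forward action=drop comment="default deny"
```

The logged "east-west" drops are the quickest way to see which inter-LAN flows actually exist before deciding what to allow.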
By default each of the 3 LANs can just chit-chat with each other and that is not really a good plan…
That’s intended as all 3 LANs are just subsections of the same company, all in the same multi-storey building.
And the whole case is just a hypothetical/theoretical study case
Next-generation networks (SDx) would be intent-driven with micro-isolation already at the switchport/host.
I guess such new age stuff will see the same fate like this stupid IPv6 design by the crack-pipe smoking braindamaged so called ape-engineers…
Imagine they create a totally new crap that is incompatible to existing IPv4, instead of creating a backwards-compatible next version of IPv4.
It very well was (and still is) possible to extend IPv4 by using the “Options” field in the IPv4 header:
East-west security simply means “horizontally”. Can be within a datacenter, but also between different VLANs, e.g. on a smaller scale. It is a generic wording.
Depending on the environment, often the security hazards are not coming “from the outside world” alone anymore but often internally or through partner connections etc., to give an example.