Hi,
I’m currently trying to port my existing network structure to a RB5009 and would like to ask for help on how to configure it in a proper way. I have done some experiments with multiple bridges, but it looks messy and the forwarding between subnets is not working as expected.
Perhaps it is better to start from scratch. I have tried to draw a very simplified model in the attached picture. The basic components/parts:
external WAN with public IP via DHCP
internal Network (trusted) with simple untagged stuff (the basic router configuration with source NAT to WAN)
several APs with several SSIDs, each SSID has a different VLAN tag (plus management VLAN)
an untrusted internal Network part
Now I want to achieve the following things:
Separated DHCP for all internal subnets
SRC-NAT from all subnets to WAN
strict separation between the subnets
filtered routing (or bridging if faster? I just need L3-Firewall-rules) between all subnets. E.g., allow ssh from one host in one subnet to another in a different one. stateful is optional.
What would be a good approach that works well with the routerboard, especially with regards to performance? Thanks in advance!
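One way to lay this out on an RB5009 running RouterOS 7, as an added example that is not from any post in this thread: a single bridge with VLAN filtering, one /interface vlan per subnet on top of it, one DHCP server per VLAN, masquerade to the WAN list, and a forward chain that drops inter-VLAN traffic by default with explicit exceptions. Port roles, VLAN IDs, subnets and the two hosts in the SSH rule are assumptions chosen for illustration.

```routeros
# Added example, not from this thread. Assumed roles (adapt to the real topology):
#   ether1    WAN, public IP via DHCP client
#   ether2-3  trusted LAN, untagged access ports (VLAN 10)
#   ether4    untrusted LAN, untagged access port (VLAN 30)
#   ether8    trunk to the APs: SSID VLANs 20/21 and management VLAN 99, all tagged

/interface bridge
add name=bridge1 vlan-filtering=no comment="vlan-filtering is switched on last, see bottom"

/interface bridge port
# Access ports: untagged in; tagged frames from a client are dropped at ingress.
add bridge=bridge1 interface=ether2 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# Trunk to the APs: only tagged frames are admitted.
add bridge=bridge1 interface=ether8 ingress-filtering=yes frame-types=admit-only-vlan-tagged

# bridge1 itself is a tagged member of every VLAN the router has an IP in;
# that is the CPU port through which the /interface vlan interfaces below see traffic.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether8
add bridge=bridge1 vlan-ids=21 tagged=bridge1,ether8
add bridge=bridge1 vlan-ids=30 tagged=bridge1 untagged=ether4
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether8

/interface vlan
add interface=bridge1 vlan-id=10 name=vlan10-trusted
add interface=bridge1 vlan-id=20 name=vlan20-wifi-home
add interface=bridge1 vlan-id=21 name=vlan21-wifi-guest
add interface=bridge1 vlan-id=30 name=vlan30-untrusted
add interface=bridge1 vlan-id=99 name=vlan99-mgmt

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan10-trusted
add list=LAN interface=vlan20-wifi-home
add list=LAN interface=vlan21-wifi-guest
add list=LAN interface=vlan30-untrusted
add list=LAN interface=vlan99-mgmt

/ip dhcp-client
add interface=ether1 disabled=no

# One /24, one pool and one DHCP server per VLAN (two shown; repeat the pattern).
/ip address
add address=192.168.10.1/24 interface=vlan10-trusted
add address=192.168.30.1/24 interface=vlan30-untrusted
/ip pool
add name=pool10 ranges=192.168.10.100-192.168.10.199
add name=pool30 ranges=192.168.30.100-192.168.30.199
/ip dhcp-server
add name=dhcp10 interface=vlan10-trusted address-pool=pool10 disabled=no
add name=dhcp30 interface=vlan30-untrusted address-pool=pool30 disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
/ip dns
set allow-remote-requests=yes

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
# input: what may talk to the router itself
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 comment="DHCP from every VLAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS from every VLAN"
add chain=input action=accept in-interface=vlan10-trusted comment="management only from the trusted VLAN"
add chain=input action=drop
# forward: VLAN-to-WAN and inter-VLAN traffic; this is where the L3 rules live
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="every VLAN may reach the internet"
add chain=forward action=accept in-interface=vlan10-trusted out-interface=vlan30-untrusted src-address=192.168.10.10 dst-address=192.168.30.10 protocol=tcp dst-port=22 comment="assumed hosts: one allowed SSH path, new connections only in this direction"
add chain=forward action=drop comment="default: no traffic between VLANs"

# Turn on VLAN filtering only once the VLAN you manage from is reachable, or you lock yourself out.
/interface bridge set bridge1 vlan-filtering=yes
```

On packet flow: traffic between two hosts in the same VLAN stays inside the bridge (switched by the RB5009's switch chip where hardware offload applies) and never enters /ip firewall filter unless `use-ip-firewall=yes` is set on the bridge, which pushes bridged traffic through the CPU as well. Anything between two VLANs, or between a VLAN and the WAN, leaves the bridge through its tagged bridge1 membership, arrives on the matching /interface vlan, and is routed through the forward chain. So the choice between "routing" and "bridging" here is really: keep every subnet in its own VLAN, let the bridge switch within a VLAN, and write the inter-subnet rules once in the forward chain.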
Yes, this is the topic I tried to derive my first attempt from. Edit: I just saw the router example above, I believe at least one part could be solved by combining those two. I’ll try this.
What is left is the question about firewalling and routing between the subnets. Are there any links which offer a better explanation of how the packet flow works in such setups? I know https://help.mikrotik.com/docs/spaces/ROS/pages/328227/Packet+Flow+in+RouterOS, it’s just a bit difficult to see what the actual path is in these examples.