Connect from a DMZ to LAN

Dear all,

I've built a home network and need help, because I'm fighting very hard against a Mikrotik router in my home. I have a little experience of networking, but for routing I am a beginner. My setup is as follows:

Internet
|
Modem/Router with integrated switch provided by ISP, located in living room
IP (valid for LAN, Gateway, DNS-Server): 10.0.0.138
|
|-- PC1 (Win10, living room, streaming, Internet surfing etc.), IP: 10.0.0.10
|-- PC2 (Win10, another room, same use as PC1), IP: 10.0.0.20
|
WAN on Ethport 1 of Router Mikrotik RB3011, located in work room, IP: 10.0.0.1
Bridge to private LAN, IP: 192.168.88.1
|
|-- NAS (work room, Supermicro with Xeon-CPU, OpenMediavault), IP: 192.168.88.10
|-- PC3 (working with documents, CAD, photoeditor), IP: 192.168.88.20

The reason for this wiring is to connect PC1 and PC2 in the "DMZ" as directly as possible to the Internet; there should be no bottleneck in between.
Devices in the private LAN have access to the Internet, are not visible in the DMZ and are administered from the private LAN; this works without problems. Now I want to have ONLY LOCAL access from my devices in the DMZ to the shares of the NAS or PC3 in the LAN. Internet is not needed. How can I solve it?

With NAT and SMB I am restricted to port 445 on the router and can only access one device in the LAN; FTP needs a client like FileZilla on my PCs in the DMZ, and both ways are also insecure.
Concerning IPv6, I can find out the local IPs of all NICs, but how to connect them is alchemy to me.

Now I'm trying VPN with WireGuard and have many questions:

  1. Is it possible to set up a VPN tunnel from the DMZ to the LAN? To my understanding, it's the same as access via the Internet.
  2. My router supports WireGuard. Can I use WireGuard without an Internet connection?
  3. Is it possible to set up my router as a WireGuard server and build a tunnel from a PC to the router?
  4. Do I need to install the WireGuard client only on the PCs in the DMZ, or also on the devices in the LAN?
  5. And if all of the above is possible, could somebody give me a small example of how to set up the router, e.g. to connect PC1 to the NAS?

I've seen many tutorials and more or less good videos on the Internet, but nothing that matches my needs.

Any help would be very appreciated!

Okay, so you made a setup for the two PCs, under the control of the ISP router (which I wouldn't do), to have only Internet access, and now you've changed the plan.

Good! Bring all devices behind the router. You have two options; the one I prefer is to have two subnets, two VLANs, home and DMZ.

Or, you could have a second subnet, separate from the bridge, supplying ports X and Y going to PC1 and PC2.
In both cases you will need proper firewall rules to ensure that PC1 and PC2 only have access to the home subnet, and the more specific the better: from specific PCs to specific server IPs, etc., as required.

Hello anav,

thank you for your fast reply and comments.
You're right, my first idea was also to put each device behind the Mikrotik, because I could have full control via the Mikrotik firewall. But I did the network cabling in my home a long time ago; the idea to connect to the NAS came later. In your proposal I would have to lead the signal from the ISP router, which is located directly beneath PC1 on the ground floor, to the Mikrotik, located in my working room on the 1st floor, and then back again. The ISP router is a simple thing; it has 4 LAN ports, and when connecting multiple clients to the Internet I think it assigns each port to the client which is connected to it. So by passing it to a router cascade, all Internet traffic to multiple clients would pass through one port of the ISP router. I fear a decrease in Internet speed, but I could test it.
Anyhow, about my intention of a VPN: could it work?

One way to achieve it (assuming RB3011 has a firewall setup close to the defconf setup).

  1. Add two additional IP addresses to the WAN interface of RB3011, which is ether1 as you wrote:

    /ip address
    add interface=ether1 address=10.0.0.110 network=10.0.0.110
    add interface=ether1 address=10.0.0.120 network=10.0.0.120
    
  2. Add two DSTNAT rules that map 10.0.0.110 to 192.168.88.10 and 10.0.0.120 to 192.168.88.20:

    /ip firewall nat
    add action=dst-nat chain=dstnat comment="To NAS" \
        in-interface=ether1 dst-address=10.0.0.110 to-addresses=192.168.88.10
    add action=dst-nat chain=dstnat comment="To PC3" \
        in-interface=ether1 dst-address=10.0.0.120 to-addresses=192.168.88.20
    
  3. Use the addresses 10.0.0.110 and 10.0.0.120 on PC1 and PC2 to access the resources. Please note that on PC3 and the NAS the firewall must allow access from 10.0.0.0/24, which is not the case by default under Windows (it only allows file sharing and ping from the same subnet; you can change the scope in Windows Defender Firewall with Advanced Security).

This brings back decade old memory for me :slight_smile:. Are you located in Austria, per chance?

Cannot be Austria (jealous), as anyone there would be on the ski slopes, hiking the hills, biking (either trails or roads), playing tennis or drinking beer, and nowhere near stalking MT forums :wink:

Nice work there CGG, avoids routing issues in both directions, so the only caveat, besides normal firewall rules etc., is ensuring that no other .110 and .120 exist on the ISP router network?

@Woody, understand the physical limitations; you could put a small managed switch next to the ISP router and attach the cable coming from afar (from the MT router) into the managed switch, and from there to the ISP router, and from the switch also to the two PCs. All controlled by the magic of VLANs. In this way you get all PCs behind the firewall of the MT. I use old hEXes for this function, or any cheap managed Netgear or D-Link, etc.

Exactly, but OP said that the ISP router only has 4 ports and he only connects single devices plus the RB3011 to it, so probably no other devices use those two addresses.

And because his LAN still uses the 192.168.88.0/24 address range, I hope that the firewall configuration is still based on the defconf one, where forwarding for DSTNAT connections is allowed.

If for some reason you are unable to make this change on the NAS and PC3 firewall, then as a workaround you can write an additional SRCNAT masquerade rule:

/ip firewall nat
add action=masquerade chain=srcnat src-address-list=PC1-PC2 dst-address-list=PC3-NAS

With the two address lists PC1-PC2 and PC3-NAS populated with the proper IP addresses.
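A tightening of the forward chain for the DSTNAT approach above, as an added example that is not from any post in this thread: it limits the mapped access to SMB (and ping) from PC1 and PC2 only and drops any other DSTNATed traffic arriving on ether1. It assumes the defconf firewall (established/related accepted first; the last forward rule drops only WAN traffic that was not DSTNATed) and the addresses given in the thread; the address-list names are chosen here.

```routeros
# Added example (not from the thread): restrict the DSTNATed access so that only
# PC1/PC2 reach the NAS and PC3, and only on SMB plus ping.
# Assumes the defconf forward chain, whose last rule drops only WAN traffic that
# was NOT dst-nat'ed, so the rules below decide what dst-nat'ed traffic from ether1 may pass.
# The list names DMZ-PCs and LAN-shares are chosen for this example.
/ip firewall address-list
add list=DMZ-PCs address=10.0.0.10 comment="PC1"
add list=DMZ-PCs address=10.0.0.20 comment="PC2"
add list=LAN-shares address=192.168.88.10 comment="NAS"
add list=LAN-shares address=192.168.88.20 comment="PC3"

/ip firewall filter
# Allow only SMB (tcp/445) from the two DMZ PCs to the NAS and PC3 through the DSTNAT mapping
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether1 \
    src-address-list=DMZ-PCs dst-address-list=LAN-shares protocol=tcp dst-port=445 \
    comment="DMZ PCs -> NAS/PC3, SMB only"
# ICMP echo request only, for checking the mapping from PC1/PC2
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether1 \
    src-address-list=DMZ-PCs dst-address-list=LAN-shares protocol=icmp icmp-options=8:0 \
    comment="DMZ PCs -> NAS/PC3, ping"
# Anything else that was dst-nat'ed from ether1 (other ports, other DMZ hosts) is dropped
add chain=forward action=drop connection-nat-state=dstnat in-interface=ether1 \
    comment="drop other DSTNATed traffic from the DMZ side"
```

Because the defconf "drop all from WAN not DSTNATed" rule does not match DSTNATed connections, these rules work when simply appended to the forward chain; check with /ip firewall filter print that the final drop sits after the two accepts.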

@ CGGXANNX:
And yes, I am located in Austria. You seem to know the addresses of A1 routers.

@ anav:
For me, it's drinking beer and hiking the hills. And if there's once been one Mikrotik RB3011 sold to Austria, it's probably mine.

Thank you for your advice! At the moment I'm busy, but in the next days I will make a setup like your suggestions. If I could solve my problem simply by firewall settings, I would be happy. Otherwise, I've checked the physical wiring; a connection of the LAN ports of the MB to the PCs in other rooms, to bring all devices behind the MB, should be possible. A solution with different VLANs looks attractive.
I am aware of IP conflicts; I assigned proper addresses to the devices and disabled DHCP everywhere.

Yes, it would appear that just by firewalls it is not possible; one has to make the additional config modifications as per CGGX's advice. I personally would go the VLAN route and stick a small managed switch by the ISP router, which would also service PC1 and PC2. Here is an example setup with a router and a hEX as switch.

/interface bridge
add name=bridge protocol-mode=none vlan-filtering=no
# as last change to make, set vlan-filtering to yes and add frame types equal to only vlan tagged
/interface ethernet
set [ find default-name=ether10 ] name=OffBridge10
/interface vlan
add interface=bridge name=homeVLAN  vlan-id=88
add interface=bridge name=dmzVLAN vlan-id=10
add interface=bridge name=ISPVLAN  vlan-id=33
/interface list
add name=WAN
add name=LAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=home_POOL ranges=192.168.88.2-192.168.88.100
add name=dmz_POOL ranges=10.10.10.2-10.10.10.100
/ip dhcp-server
add address-pool=home_POOL interface=homeVLAN name=home_DHCP
add address-pool=dmz_POOL interface=dmzVLAN name=dmz_DHCP
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 comment="to man switch"
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=88 \
    comment="NAS server"
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=88 \
    comment="PC3"
# could be PC, or printer for example
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=88 \
    comment="home device1"
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether2,ether3,ether4 vlan-ids=88
add bridge=bridge tagged=bridge,ether1 vlan-ids=10
add bridge=bridge tagged=bridge,ether1 vlan-ids=33
/interface list member
add interface=ISPVLAN list=WAN
add interface=homeVLAN list=LAN
add interface=dmzVLAN list=LAN
add interface=OffBridge10 list=LAN
add interface=homeVLAN list=BASE
add interface=OffBridge10 list=BASE
/ip address
add address=192.168.88.1/24 interface=homeVLAN network=192.168.88.0
add address=10.10.10.1/24 interface=dmzVLAN network=10.10.10.0
add address=192.168.100.1/30 interface=OffBridge10 network=192.168.100.0
/ip dhcp-client
add comment=WAN interface=ISPVLAN add-default-route=yes
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1 comment="allow loopback"
add action=accept chain=input comment="Admin access" in-interface-list=BASE
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
# put the drop rule in this location, but it must be the last of all input rules
add action=drop chain=input comment="Drop all else"
# ---------- forward chain ----------
add action=fasttrack-connection chain=forward connection-state=established,related 
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward comment=internet in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access" in-interface-list=BASE \
    out-interface-list=LAN
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip service
set api disabled=yes
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set www-ssl disabled=yes
/system clock
set time-zone-name=?????
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.ch.pool.ntp.org
add address=1.ch.pool.ntp.org
add address=2.ch.pool.ntp.org
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE

NOW for the HEX.

/interface bridge
add name=bridge-sw protocol-mode=none vlan-filtering=no
# as last change to make, set vlan-filtering to yes and add frame types equal to only vlan tagged
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/interface vlan
add interface=bridge-sw name=baseVLAN vlan-id=88
/interface list
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-sw frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=33 \
    comment="to ISP"
add bridge=bridge-sw frame-types=admit-only-vlan-tagged interface=ether2 comment="to MT"
add bridge=bridge-sw frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10 \
    comment="PC1"
add bridge=bridge-sw frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10 \
    comment="PC2"
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge-sw tagged=bridge-sw,ether2 vlan-ids=88
add bridge=bridge-sw tagged=ether2 untagged=ether3,ether4 vlan-ids=10
add bridge=bridge-sw tagged=ether2 untagged=ether1 vlan-ids=33
/interface list member
add interface=baseVLAN list=BASE
add interface=OffBridge5 list=BASE
/ip address
add address=192.168.88.2/24 interface=baseVLAN network=192.168.88.0
# .2 on the hEX side; the router's OffBridge10 end of this /30 link is 192.168.100.1
add address=192.168.100.2/30 interface=OffBridge5 network=192.168.100.0
/ip dns
set servers=192.168.88.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-table=main
/ip service
set api disabled=yes
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set www-ssl disabled=yes
/system clock
set time-zone-name=?????
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Hello all, now I had time to update my setting.

@CGGXANNX: You saved my day! It's so simple when you know how to do it. I didn't know how to add addresses to Ethernet port 1 of my RB. Following you, I added some firewall rules, extended them to allow only traffic between the devices where needed (PC1-PC3, PC1-NAS, etc.), and it works. It's exactly what I wanted. Now I'm beginning to like my RB...

@anav: Your level is much higher than mine. I know that I don't have perfect security. To improve this, I will keep your suggestions for the future, to bring all devices behind the router.


All is good, CGGX recommendation is solid and logical.