DMZ on RouterBOARD 1100AHx2 possible?

Hello!
I put my hands on subj just 8 hours ago. This router is controlled remotely and I do not have any other info than what is written on the front panel.
I want to ask those in charge of the router to organize a 0\50\100 scheme for my company: a 100-secure LAN, a 50-secure DMZ and a 0-secure internet subnet. I have a very simple scheme for this plan. So here is the question: can a RouterBOARD 1100AHx2 be used for such a solution (DMZ setup), or is another MikroTik device needed here?

In case it is possible any point to online resource where I can find a simple scheme\example of configuration would be very much appreciated here!
Thank you!

Yes.
You can accomplish this goal several ways and you have 100x more flexibility than any Sonicwall or other product that promotes “DMZ”.

To get started you need to decide what your DMZ will be: publicly routed with the devices getting public IPs, 1-to-1 NAT with a separate private address space, or mixed in with the other private address space.

Hello!
Thank you for your reply.
I plan the DMZ as a separate subnet 192.168.1.0/24 that is going to be NATed to my 212.34.43.x/28 real subnet.
212.34.43.17 => 192.168.1.17
212.34.43.30 => 192.168.1.30
Then I would like to close all ports except the ones I need for each host.
Let’s say
17 for FTP must have only port 21 open
30 for email must have only ports 25 and 110 open

I guess flexibility suggests it can be done easily. Is there any online resource I can get an example from?
Thank you!

Hello!
Here is something else that bugs me:
I use WinBox, open the NAT table (see screenshot)

redirect dsnat 10.210.51.0/24 17(udp) 53

I don’t understand what it means.

accept srcnat 10.210.51.0/24 10.10.0.0/16

This means that all packets going from my internal subnet to the 10.10.0.0/16 subnet are sent there as is (no translation). No further processing is needed for these packets. Right?

masquerade srcnat 10.210.51.0/24

This means that all packets going from my internal subnet to anywhere, and those that were not processed by the rule above, get the outside IP address (get masqueraded) of the MikroTik. Right?

If so, then how does the MikroTik figure out which IP address must be used for masquerading?

Thank you!

I found this:
10.210.51.1/24 10.210.51.0/24 ether2
212.34.43.30/30 212.34.43.28 ether1

Now, it seems reasonable that "masquerade srcnat 10.210.51.0/24" tells the MikroTik to masquerade 10.210.51.0/24 with 212.34.43.30 on ether1, but what if I had another interface, let's say ether3 with 212.34.43.45/29? How do I masquerade an internal subnet on a specific interface?

Thank you!

Before you do anything else you should determine if your IPs are shipped to you on a broadcast network or if you have a separate WAN route and IP assignment. A /28 is not a full class C network, only 16 addresses, so what is the usable range?

For example: If my ISP assigned me 192.168.100.0/24 but gave me a WAN IP of 192.168.55.64/30 with a gateway of 192.168.55.66 I would infer that my usable WAN IP is 192.168.55.65 and I would have full 254 addresses that I could route any way I wanted in my network.

But if they gave me 192.168.100.32/28 with a gateway of 192.168.100.33, I would have to bridge, switch, tunnel or NAT any IPs I wanted to use from 192.168.100.34 to 192.168.100.47.

Next you can get rid of that redirect.
You should src-nat masquerade the entire internal address space.
You should create a dst-nat and src-nat for each internal IP you want to map to an external IP
– Specifying an Out Interface of your wan if you are being routed the IP’s
– or if you are on a broadcast network, you will need to add the public IPs onto the router on the WAN side so that the router is listening for that traffic.

If you determine how your IPs are being sent to you, I can help with some more details.
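As an added example that is not part of the thread (and not a configuration any poster supplied), here is a RouterOS CLI configuration that puts the advice of the last post together with the 1:1 mappings and port restrictions from the earlier reply, and answers the "which address is used for masquerade" question by pinning each masquerade rule to an out-interface. It assumes a topology the thread only partly states: ether1 is the WAN with 212.34.43.30/30 and ISP gateway 212.34.43.29 (as in the posted interface list), ether2 is the LAN 10.210.51.0/24, ether3 is the DMZ 192.168.1.0/24, and the ISP routes 212.34.43.16/28 to the WAN address (the "routed" case). Because 212.34.43.30 is both the requested mail address and the router's own WAN address, the example substitutes 212.34.43.18 for the mail host; that substitution is an assumption. The DNS redirect rule from the screenshot is left out, as the last post recommends.

```routeros
# Added example, not from the thread. Assumed topology:
#   ether1 = WAN  212.34.43.30/30, ISP gateway 212.34.43.29 (the "0" zone)
#   ether2 = LAN  10.210.51.0/24                              (the "100" zone)
#   ether3 = DMZ  192.168.1.0/24                              (the "50" zone)
# Assumed the ISP routes 212.34.43.16/28 to 212.34.43.30 (the routed case).
# 212.34.43.18 stands in for the mail host's public address (assumption; .30 is the WAN IP).

/ip address
add address=212.34.43.30/30 interface=ether1 comment="WAN"
add address=10.210.51.1/24  interface=ether2 comment="LAN"
add address=192.168.1.1/24  interface=ether3 comment="DMZ"

/ip route
add dst-address=0.0.0.0/0 gateway=212.34.43.29
# Public addresses that are not dst-natted must not be bounced back to the ISP
# (the /30 connected route is more specific, so the router's own WAN IP is unaffected).
add dst-address=212.34.43.16/28 type=blackhole comment="unmapped public addresses"

# NAT rules are matched top down: the 1:1 src-nat rules must sit above the
# catch-all masquerade, or the DMZ hosts would leave as 212.34.43.30 instead.
/ip firewall nat
# FTP host: 212.34.43.17 <-> 192.168.1.17, only port 21 is forwarded inbound
add chain=dstnat in-interface=ether1 dst-address=212.34.43.17 protocol=tcp dst-port=21 \
    action=dst-nat to-addresses=192.168.1.17 comment="1:1 ftp in"
add chain=srcnat out-interface=ether1 src-address=192.168.1.17 \
    action=src-nat to-addresses=212.34.43.17 comment="1:1 ftp out"
# mail host: 212.34.43.18 <-> 192.168.1.30, only ports 25 and 110 are forwarded inbound
add chain=dstnat in-interface=ether1 dst-address=212.34.43.18 protocol=tcp dst-port=25,110 \
    action=dst-nat to-addresses=192.168.1.30 comment="1:1 mail in"
add chain=srcnat out-interface=ether1 src-address=192.168.1.30 \
    action=src-nat to-addresses=212.34.43.18 comment="1:1 mail out"
# Masquerade uses the address of the interface the packet leaves on; naming the
# out-interface makes that explicit, and a second WAN port gets its own rule.
add chain=srcnat out-interface=ether1 src-address=10.210.51.0/24 action=masquerade comment="LAN"
add chain=srcnat out-interface=ether1 src-address=192.168.1.0/24 action=masquerade comment="DMZ"

# NAT only rewrites addresses; the port restriction is enforced in the forward chain.
# Filter rules see the post-dst-nat (private) destination address.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# 100 -> 50 and 100 -> 0: the LAN may open anything
add chain=forward in-interface=ether2 action=accept comment="LAN out"
# 0 -> 50: only the published services
add chain=forward in-interface=ether1 out-interface=ether3 dst-address=192.168.1.17 \
    protocol=tcp dst-port=21 action=accept comment="public ftp"
add chain=forward in-interface=ether1 out-interface=ether3 dst-address=192.168.1.30 \
    protocol=tcp dst-port=25,110 action=accept comment="public mail"
# 50 -> 100 is never allowed; 50 -> 0 is
add chain=forward in-interface=ether3 out-interface=ether2 action=drop comment="DMZ must not reach LAN"
add chain=forward in-interface=ether3 out-interface=ether1 action=accept comment="DMZ out"
# everything else, including 0 -> 100 and unpublished DMZ ports, is dropped
add chain=forward action=drop comment="default deny"

# Broadcast-network variant from the last post: if the /28 is on the WAN segment rather
# than routed, the router must own the public addresses so it answers ARP for them:
# /ip address add address=212.34.43.17/28 interface=ether1
# /ip address add address=212.34.43.18/28 interface=ether1
```

Two points worth checking after applying something like this. Passive FTP opens a second connection on a negotiated port; RouterOS ships a connection-tracking FTP helper under /ip firewall service-port (enabled by default) that tracks the PASV exchange, so the data connection is admitted by the established,related rule without opening extra ports. And the rule order in /ip firewall nat matters: verify with `/ip firewall nat print` that the two 1:1 src-nat rules are listed above the masquerade rules, because WinBox inserts new rules at the bottom.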