Hi,
I have 3 interfaces: Public, Local, DMZ-zone.
The Public interface connects to the ISP.
The provider has also given me an extra /28 subnet with static public IPs.
I want to use the extra public IPs in the DMZ zone (not 1:1 NAT, but the real public IPs on the servers in the DMZ).
I also want to block some ports of these IPs with the firewall.
How can I do this? All the tutorials use 1:1 NAT in the DMZ.
Thanks
If the /28 is routed to an address on your WAN interface then you just route the addresses into the DMZ and apply the required filters for functionality and security.
Can you show a sample?
I am seeking a similar answer for this.
The Dlink615 we are using right now provides this bridging feature (using IP unnumbered) between the WAN and LAN interfaces (PPPOE). I wonder if this is supported in RouterOS too?
See pic attached below.

You can achieve something similar. How do you use the existing service? Network layout?
It’s quite a simple layout. Once all LAN ports are bridged to WAN, all the devices on the LAN ports use public IPs (such as my firewall). There is risk in doing it this way, but I just do not want another device adding routing/NAT overhead that slows things down.
If you simply want to bridge then you can do that and either use the bridge firewall features or force the traffic through the IP firewall.
Can you elaborate? I don’t see a bridge function under firewall. How do I force traffic through the IP firewall?
I have a PPPOE client (dialing via VLAN500) configured and the link comes up. I have a /29 public IP assigned through PPPOE (static IP). Everything from PPPOE seems alright and I know I can’t bridge this PPPOE interface to the LAN. Since the PPPOE interface (VLAN500) is assigned this public IP, is static ARP my only solution?
ether1-gateway (Ethernet)
VLAN500 (PPPOE dial interface) with 212.12.12.193/29
ether2-master-local (Ethernet) - noip with static arp 00:11:22:33:44:55 map to 212.12.12.194
ether3-slave-local (Ethernet) - noip with static arp 00:11:22:33:44:66 map to 212.12.12.195
Would this work?
You can tell the bridge to use the IP Firewall under Bridge / Settings, or Interface / Bridge / Settings in the CLI. Note, however, that if you do so the system will then be looking above layer 2, so the overall efficiency will probably be somewhere between pure bridging and pure routing.
There is a simpler filtering system available under Filters within the bridge itself.
If you wanted to try a routed solution then from the D-Link config I suspect that you could just use the PPPoE interface as the default gateway, allocate the .129 address to the router and use the rest of the /29 range on a LAN interface. I suspect that the performance would be fine with a routed solution on something like the RB2011 series.
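
The routed layout suggested in the replies, as an added example that is not part of any post in this thread: the public subnet is placed on the DMZ interface without NAT and filtered in the IP firewall forward chain. The subnet 203.0.113.0/28, the LAN range 192.168.88.0/24, the interface names and the permitted ports are all constructed placeholders, and the ISP is assumed to route the /28 to the router's WAN address.

```routeros
# Added example. All addresses, interface names and ports are constructed:
#   ether1-public = ISP uplink, ether2-local = LAN, ether3-dmz = DMZ
#   203.0.113.0/28 stands in for the routed public subnet

# The router takes the first usable address of the /28 as the DMZ gateway.
# DMZ servers are configured with 203.0.113.2-14 and gateway 203.0.113.1.
/ip address
add address=203.0.113.1/28 interface=ether3-dmz comment="DMZ gateway"

# No NAT for the DMZ: masquerade only the private LAN range, so DMZ hosts
# are reached and seen on their real public addresses.
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1-public \
    action=masquerade comment="NAT for LAN only"

/ip firewall filter
# Return traffic for connections that were already permitted.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop

# Per-server allow list for new connections arriving from the Internet.
add chain=forward in-interface=ether1-public dst-address=203.0.113.2 \
    protocol=tcp dst-port=80,443 action=accept comment="web server"
add chain=forward in-interface=ether1-public dst-address=203.0.113.3 \
    protocol=tcp dst-port=25 action=accept comment="mail server"

# Every other port on the public DMZ addresses is blocked.
add chain=forward in-interface=ether1-public out-interface=ether3-dmz \
    action=drop comment="drop all other inbound to DMZ"

# A compromised DMZ host must not be able to open connections into the LAN.
add chain=forward in-interface=ether3-dmz out-interface=ether2-local \
    action=drop comment="DMZ to LAN blocked"

# Bridged alternative mentioned in the thread: pass bridged traffic through
# the same IP firewall rules instead of routing.
# /interface bridge settings set use-ip-firewall=yes
```

Rule order matters: the per-server accept rules must sit above the drop rule for inbound DMZ traffic, since the forward chain is evaluated top to bottom.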