With this topology:
ISP - rb4011 - rb4011 (with wifi) - other devices
I’d like to confirm that I’m on the right track. If I want to dst-nat a public address to some internal device, I believe this is the flow, but would appreciate a sanity check.
I’ll need a dst-nat nat chain rule + a forward chain rule on the edge router, and then a forward chain rule on the next router? Am I on the right track?
It’s one possibility. The other one (with much simpler config on the “internal” RB4011) depends on whether you need to separate the “other devices” network from the network between the two RB4011s. In other words, what is the use case for the right side RB4011 … would an ethernet switch and a simple AP do the job instead, or do you actually need a router with a firewall because there are other things in the space between the RB4011s that you didn’t mention?
Well…the short of it is that I tend to fully embrace over-engineering. I’ve got an rb4011 at the edge, terminating the ethernet handoff from my ISP. Then I have an rb4011 wifi model connected to the edge router. That’s the extent of the family network, with a 2nd rb4011 wap waiting for me to have time to install, but otherwise that’s it.
Then I have a crs326 behind the edge router also, for the port density I need for my lab (cisco collab engineer by trade). Realistically, this is what I’ll want to dst-nat to, but for now I threw a raspberry pi on one of the wap ports just to get the dst-nat configs working.
Had a chance to work on this today, and have it working, but not sure if this is the best way (most secure, cleanest, etc) to accomplish it. Any thoughts/ideas/comments are appreciated.
First though, looking to confirm what I believe to be the case – using dst-nat seems to bypass the other fw chains. This seems to align with https://wiki.mikrotik.com/wiki/Manual:Packet_Flow, but I’m not 100%.
No, dstnat doesn’t bypass any chains; it may only redirect packets that would otherwise go to the input chain into the forward chain, or the other way around (with usual port forwarding it’s the former). If you don’t need to add any extra rules in the forward chain, it’s because you either already have a rule allowing dstnatted connections or an open firewall.
I’m accepting established, related, and untracked connections. When the dst-nat is hit, the firewall tracks subsequent packets under that conversation right?
Is it considered best practice to create explicit forward rules though?
Draw a network diagram to assist in your explanations of the requirements.
You can daisy chain port forwardings 20 times if you need to, to get to the next device.
These are all DST NAT rules; the only firewall rule needed on each device, assuming they are all MT devices, is
add chain=forward action=accept connection-nat-state=dstnat
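As an added example (my construction, not configuration posted by anyone in this thread), this is what the daisy-chained port forward through both RB4011s looks like in RouterOS CLI form. Every address, interface name and the TCP port are assumptions: the edge router's WAN is ether1 at 203.0.113.10, its LAN toward the internal router is 10.0.0.1/24, the internal RB4011 is 10.0.0.2 with its own LAN 192.168.88.1/24, and the target device is 192.168.88.10 serving TCP 8080. The forward-chain accept is narrower than the one-line rule above (it also matches interface, protocol and port), and each router ends with a drop for new connections from its uplink so that the accept actually has something to do; without such a drop the forward chain is effectively open, which is the case the earlier reply describes where no extra rule appears to be needed.

```routeros
# ---- Edge RB4011 (ISP on ether1, internal RB4011 behind ether2) ----
# Hop 1: public 203.0.113.10:8080 -> internal router 10.0.0.2:8080 (assumed addresses)
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=10.0.0.2 to-ports=8080 \
    comment="hop 1: public -> internal RB4011"

/ip firewall filter
# Replies and related packets of already-tracked connections pass first
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
# Explicit accept for the forwarded service only: dst-natted, new, from WAN, this port
add chain=forward connection-nat-state=dstnat connection-state=new \
    in-interface=ether1 protocol=tcp dst-port=8080 action=accept \
    comment="allow the forwarded service"
# Everything else that the ISP side tries to open through us is dropped
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="default drop for WAN-originated forwards"

# ---- Internal RB4011 (uplink to edge on ether1, LAN/Wi-Fi on bridge) ----
# Hop 2: 10.0.0.2:8080 -> target device 192.168.88.10:8080 (assumed addresses)
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=8080 \
    comment="hop 2: edge -> target device"

/ip firewall filter
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward connection-nat-state=dstnat connection-state=new \
    in-interface=ether1 protocol=tcp dst-port=8080 action=accept \
    comment="allow the forwarded service"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="default drop for uplink-originated forwards"
```

Because the internal router's default route points at 10.0.0.1, the reply from 192.168.88.10 is un-NATted by each router's connection tracking on the way back, so no src-nat is required for the forward itself. To confirm which rule a test connection actually hit, watch the counters with `/ip firewall filter print stats` on each router and inspect the tracked entry with `/ip firewall connection print`; if the explicit accept rule's counter never moves but the service still answers, an earlier accept or the absence of a drop is letting the traffic through, which is exactly the situation the reply above warns about.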
My opinion here is you are making your life more complicated than needed. Two simple options:
Eliminate the left side (in your original drawing) 4011 and use the right side 4011 as the only router.
Eliminate the right side 4011 and use the left side 4011 as your only router, and add an access point where it works for coverage.
Either saves you a couple hundred bucks (or since you already have the second 4011, gives you a spare).
You gain essentially nothing by having the second router.
> Draw a network diagram to assist in your explanations of the requirements.
> You can daisy chain port forwardings 20 times if you need to, to get to the next device.
> These are all DST NAT rules, the only firewall rule needed on each device assuming they are all MT devices is
> add chain=forward action=accept connection-nat-state=dstnat
Noted on the drawing. Interesting about that forward rule being required. I don’t have that rule on either router, and it’s working fine. Something for me to look into later.
> My opinion here is you are making your life more complicated than needed. Two simple options:
> …
I glossed over my home/work setup a bit for brevity. I work from home, and have a fairly complex home lab and work-from-home setup, which I’d rather physically segregate than just vlan off. New house, and my 2nd ISP service isn’t delivered yet, but when it is, I’m completely segregating my home and work networks by adding additional components. Overkill? Absolutely. Do I care? Not in the least. I understand completely that I could collapse the edge and wap. Like I said…I over-engineer, and I’m not ashamed of it. I also do 10gig between the edge and wap. Is it needed? Likely not, but the theoretical throughput on the wap is higher than 1gbps.