Hello,
I bought a CCR1009-8G-1S-1S+ and I need to use it as a firewall on the company network. We have a subnet of /24 public IP addresses (e.g. 123.123.123.0/24). I want to use this MikroTik only as a firewall (DHCP, DNS, etc. are dedicated) and hide three servers with public IP addresses (e.g. 123.123.123.40-42) behind this firewall, allowing only port 80/TCP from all addresses and port 27/TCP only from one address. I use eth1 as the uplink, and the servers I want to hide behind the firewall are connected to eth2, eth3 and eth4.
How to do that?
Port eth1 has the IP 123.123.123.30 assigned from DHCP (IP - DHCP Client) for time synchronization and update/upgrade of packages and firmware, and the firewall is configured to drop all incoming connections:
0 chain=input action=drop dst-address=123.123.123.30 log=no log-prefix=""
Port eth8 is for local management with static IP from local subnet 192.168.1.0/24 connected directly to the management PC.
When I want to have an internet connection on ports 2, 3 and 4, I tried using a bridge (works fine) or port eth1 as a master port (also works fine), but the firewall rules are not applied:
1 chain=forward action=accept protocol=tcp dst-address=123.123.123.40 dst-port=80 log=no log-prefix=""
2 chain=forward action=accept protocol=tcp src-address=123.123.123.23 dst-address=123.123.123.40 dst-port=27 log=no log-prefix=""
3 chain=forward action=drop dst-address=123.123.123.40 log=no log-prefix=""
Or is it better to do that with DNAT/SNAT? Or how to do that?
Thank you.
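The reason the forward rules above never match bridged traffic is that frames forwarded between bridge ports stay at layer 2 and bypass /ip firewall filter unless the bridge is told to hand them to the IP firewall; with a master port the switching happens in hardware and never reaches the firewall at all. The following is an added example configuration, not the poster's own, that keeps the original uplink/server layout, enables use-ip-firewall on the bridge, and extends the rules to all three servers with the stateful accept the original rules are missing. The bridge name "bridge1", the address-list names and the log prefix are assumptions; the addresses are the placeholders from the post.

```routeros
# Added example (not the poster's configuration). Assumes bridge "bridge1"
# and the placeholder addresses 123.123.123.x from the post.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4

# Without this, L2-forwarded frames never enter /ip firewall filter.
/interface bridge settings
set use-ip-firewall=yes

# Address lists instead of one rule per server; a range covers .40-.42.
/ip firewall address-list
add list=protected-servers address=123.123.123.40-123.123.123.42
add list=port27-admin address=123.123.123.23

/ip firewall filter
# Replies to connections the servers open themselves (updates, NTP) carry
# dst=server, so a plain "drop dst-address" would kill them; accept
# established/related first, then drop invalid.
add chain=forward action=accept connection-state=established,related \
    comment="stateful replies"
add chain=forward action=drop connection-state=invalid
# Port 80/TCP from anywhere to the three servers.
add chain=forward action=accept protocol=tcp \
    dst-address-list=protected-servers dst-port=80
# Port 27/TCP only from the single admin address.
add chain=forward action=accept protocol=tcp \
    src-address-list=port27-admin dst-address-list=protected-servers dst-port=27
# Everything else to the servers is dropped and logged for detection.
add chain=forward action=drop dst-address-list=protected-servers \
    log=yes log-prefix="fw-drop"

# The router's own uplink address needs the same stateful treatment, or the
# DHCP-client-driven NTP and package updates get no replies back.
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=ether8 src-address=192.168.1.0/24 \
    comment="management"
add chain=input action=drop dst-address=123.123.123.30
```

Once use-ip-firewall is enabled, match physical ports in forward rules with in-bridge-port / out-bridge-port rather than in-interface, since the packet's in-interface is then the bridge itself; DNAT/SNAT is not needed here because the servers keep their public addresses.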