Hello, I have a problem and I need to solve it with a MikroTik RouterBOARD. I have a hardware antivirus (Panda GateDefender) that filters HTTP, FTP and many P2P protocols, but it sometimes works incorrectly, blocking things that I don't need blocked. Of course this is not a MikroTik problem, and I am already waiting for a solution from Panda support, but the Spanish people are very fast …
So I am hoping for your help:
*Panda GateDefender has only two RJ45 ports, IN and OUT, and it scans all traffic.
Now I have Internet → Panda GateDefender → RouterBOARD 1200 → LAN (the scheme that Panda prefers for connecting its device),
but I want a solution where I can send through the GateDefender only the traffic that I want. For example, the ideal solution would be if I could plug the GateDefender into two free ports on the RouterBOARD and configure it so that all traffic with dst port 80 and 21 and P2P goes out one of those ether ports and then back.
I hope somebody understands what I mean and can help me with a solution…
Sorry for my bad English…
Hello
My English is bad too… don't worry, my friend.
I think you want to send your selected traffic to your GateDefender and other traffic NOT!
You can use mangle and mark routing to send selected traffic to your GateDefender. That means you can set the default gateway for your selected traffic to your GateDefender and set another default gateway for other traffic. If you want this, tell me and I will send an example configuration for you.
Hassibi is right. Something like this should work:
Connect your ISP to ether1 of your RB1200 then connect your LAN to ether2 of your RB1200, and set up your firewall rules and NAT as you require. Make sure that your whole network is working properly at this stage BEFORE inserting the Panda.
Then connect the inside interface of your PANDA to Ether10 of your RB1200, using some new subnet that you create.
Then connect the outside interface of your PANDA to Ether9 of your RB1200, using some new subnet that you create. Make sure these two subnets are completely different from the one for your main LAN. (This step may not be necessary if the PANDA is flexible enough to allow working without the external interface.)
Then configure IP>FIREWALL>MANGLE to mark routing for traffic that you want PANDA to filter. E.g. mark routing for http traffic, and give it a routing mark something like http_traf. Then create a route in IP>ROUTES for traffic with that routing mark, sending the traffic to the gateway address which is the new IP of the inside interface of the PANDA. Remember to make sure that the Mangle rule does NOT mangle traffic that is originating from the EXTERNAL interface of the panda.
You can create a bunch of the mangle rules for traffic you want to scan, e.g. SMTP, HTTP, FTP and so on. Also consider some Layer7 rules so that you are not restricted to port based traffic.
That basic framework should get you started with some ideas, but you will have to do some work to understand your network.
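The mangle and route setup described in the post above, as an added example that is not part of the original thread. It assumes RouterOS v6 syntax, a Panda that can work as a routed hop, ether2 as the LAN port, and constructed /30 subnets on ether10 and ether9.

```routeros
# Added example, RouterOS v6 syntax. All addresses are constructed placeholders.
# ether2  = LAN
# ether10 = link to the Panda inside interface  (Panda side assumed 10.10.10.2)
# ether9  = link to the Panda outside interface (Panda side assumed 10.10.9.2)

/ip address
add address=10.10.10.1/30 interface=ether10 comment="to Panda inside"
add address=10.10.9.1/30 interface=ether9 comment="to Panda outside"

# Mark only traffic that enters from the LAN. Matching on in-interface=ether2
# keeps the rule from re-marking packets the Panda sends back in on ether9,
# which would otherwise loop them to the Panda again.
# dst-address-type=!local leaves traffic addressed to the router itself alone.
/ip firewall mangle
add chain=prerouting in-interface=ether2 protocol=tcp dst-port=80 \
    dst-address-type=!local action=mark-routing \
    new-routing-mark=http_traf passthrough=no comment="HTTP from LAN to Panda"
add chain=prerouting in-interface=ether2 protocol=tcp dst-port=21 \
    dst-address-type=!local action=mark-routing \
    new-routing-mark=http_traf passthrough=no comment="FTP control from LAN to Panda"

# One default route for marked traffic, pointing at the Panda inside address.
# Unmarked traffic keeps using the existing default route in the main table.
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.2 routing-mark=http_traf \
    comment="scanned traffic via Panda"

# Checks: the route is active, and the mangle counters rise when a LAN
# client opens a web page.
/ip route print where routing-mark=http_traf
/ip firewall mangle print stats
```

Only the LAN-to-internet direction is steered here; replies arriving on ether1 use the main routing table unless they get their own mangle rule and route.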
No, I have the GateDefender Performa model, and the example you gave is for the Integra model. On my model the only working mode that can be set is transparent bridge!
1: Connect ISP to ether1 of RB1200
2: Connect LAN1 (Unfiltered Internet users LAN) to ether2 of RB1200, and connect this to an UNTAGGED port of the managed switch that has VLAN1 membership
3: Connect LAN2 (Filtered Internet users LAN) to ether3 of RB1200, and connect this to an UNTAGGED port of the managed switch that has VLAN2 membership
4: Add IP addressing for LAN1, for example 192.168.0.0/24, and apply this to ether2
5: Add IP addressing for LAN2, for example 192.168.1.0/24, and apply this to ether3
Make the users' computers that you WANT to filter members of VLAN2
Make the users' computers that you DO NOT WANT to filter members of VLAN1
I can see some other problems with this setup (e.g. if this is an office environment, you may have problems with VLAN2 users struggling to reach servers and systems on VLAN1). This could be solved with another router.
I am trying to get my head around achieving this with a METARouter instance…
Forgive my drawing, I don't have any diagram software handy right now.