The first time I saw this device I knew it would be right for me.
I started reading to make sure that I’m 100% certain I know how to do what I want.
But I got overwhelmed by the info and came to ask for your guidance/referral.
What I’m looking for is this - a router that has these functions:
No NAT (masquerading)
Inbound firewall (meaning, firewall that is active on packets coming from WAN and leaving through LAN).
Outbound firewall (meaning, firewall that is active on packets coming from LAN and leaving through WAN).
The device is used as a secondary router, this is why I want NAT disabled.
Could you please provide the links which show how to do the above?
It’s simple. If you don’t know where to start, then start with default config, which is standard WAN-LAN router with NAT, go to IP->Firewall->NAT and remove the masquerade rule. And tadaaa, you have what you want. Then go to IP->Firewall->Filter, try to understand what’s there (it allows everything from LAN to WAN and blocks everything from WAN to LAN) and change it as you need.
@anav: Why switch? What’s so unusual about router that doesn’t have NAT?
If it looks like a duck, and quacks like a duck, it’s a witch. Burn the witch.
Sob, believe it or not that was going to be my suggestion, but in fear of being laughed out of the thread by mkx, I defaulted to the switch comment LOL.
Seriously though, how does the flow work? How does traffic get through the router without NAT to other devices, and how do firewall rules work when the subnet now includes the router itself, all the devices behind the NAT-less router and all the IPs outside the router as well… Yes, it’s outside my limited networking comfort zone!!!
The same way as traffic between different VLANs: IP addresses and ports don’t get changed. Consider a case (not possible for the last 20 years, but nevertheless), where a small business gets a /24 block of routable addresses and the network admin decides to use them directly on LAN devices (since there are only a handful of devices, mostly iPads of the owner’s kids). So when such a device makes a connection to some internet server, its IP address can pass the border router without NAT being performed and the reply will still make it back. Such a LAN should by all means be protected with a firewall (which could be running on the border router), but no NAT.
I would accept this kind of configuration, but I prefer having a different subnet for the LAN - therefore a router is preferred (instead of a switch).
Thank you!
Is this the “hEx Lite” default configuration?
How do I know what exactly the default configuration is (before purchasing the device)?
I assume that you refer to the web interface.
Before I buy, I prefer to read the docs for the command line interface in order to make sure that I will be able to do what I need.
In order to limit certain traffic from LAN to WAN, I assume it would be done with the command:
Before allowing a specific traffic from LAN to WAN, is it possible to monitor the traffic with which the devices on LAN (or WAN) are trying to communicate?
There is no ultimate guide to RouterOS, only a collection of assorted manual pages (wiki style).
What you need to know is that RouterOS is highly versatile and you can do almost anything thinkable with it.
With ROS you can use either the CLI or a GUI; with the latter you can choose between web-based (webfig) and a Windows executable (winbox). But whichever UI you use, the configuration tree is the same. And you can always move between them…
You can always construct a firewall filter, but instead of action=drop you can use action=passthrough. This way you’ll see counters for the rule. Optionally set the log property and you’ll see some details for particular packets.
Default config is not important, I just mentioned it because I thought you already had something. You can create any config you want. For what you described, just two addresses and one route are enough as a starting point. If you don’t have anything yet and you’re not sure it’s what you need, you can download CHR (the speed-limited version is free), which is a RouterOS VM, and play with that. Run it under VirtualBox, VMware Player, or anything, and you’ll be able to test the interface and everything.
From the OP quote: “What I’m looking for is this - a router that has these functions:
No NAT (masquerading)”
and quote: “I would accept this kind of configuration, but I prefer having a different subnet for the LAN - therefore a router is preferred (instead of a switch).”
Hopefully Sob you can see where I am perplexed, on how to achieve both goals. What am I missing??
Thanks for trying, the problem is me.
I just don’t get it. I don’t see how the second router doesn’t translate the second LAN out its WAN IP, which is really a LAN IP on the first router.
I have no concept or way of understanding NAT-less, I guess.
You are thinking in your terms and cannot walk a mile in my dim shoes LOL.
So if there is no NAT:
a. what is the LAN IP of the second router?
b. how does the second LAN route anywhere?
c. how does the other LAN reach the second LAN…
This is the basic, normal way, devices seeing other devices’ real addresses. In this case only within the LAN, but it’s how the whole internet once worked and will work again with IPv6. NAT is just an ugly hack. But back to Earth…
Answers:
a) It’s 192.168.89.1/24 on LAN2. The second router also has some 192.168.88.X/24 on “WAN”, which in this case is not the best name; it’s simply the interface connected to router1 (LAN1).
b) Devices in LAN2 have router2 (192.168.89.1) as their default gateway. And router2 has router1 (192.168.88.1) as its default gateway. So a device with e.g. 192.168.89.100 wanting to communicate with e.g. 8.8.8.8 knows that it needs to send the packet to router2, and router2 knows that it needs to forward it to router1.
c) Using a correct route, of course. Router1 will have a route to 192.168.89.0/24 via 192.168.88.X (router2). Devices in LAN1 can have the same route. If not, they will initially send traffic destined to 192.168.89.0/24 to router1, which will forward it to router2, and it will also send an ICMP redirect to the source device, to tell it that it can send such packets directly to router2.
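To put the addressing above, the "two addresses and one route" starting point, the removal of the masquerade rule and the passthrough/log monitoring trick from the earlier replies into one place, here is an added RouterOS configuration example (not taken from the thread, not a default config): the interface names ether1/ether2, router2’s uplink address 192.168.88.2 and the blocked port 445 are assumptions chosen for illustration; the subnets and gateway addresses are the ones used in the thread.

```routeros
# ===== Router2: the secondary, NAT-less router (run on router2) =====
# ether1 = link to router1 (LAN1), ether2 = LAN2. Interface names are assumed.

# Two addresses: one toward router1, one as the LAN2 gateway.
/ip address
add address=192.168.88.2/24 interface=ether1 comment="uplink to router1 (LAN1)"
add address=192.168.89.1/24 interface=ether2 comment="LAN2 gateway"

# One route: everything not local goes to router1.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1

# No NAT: drop any masquerade rule inherited from a default config.
/ip firewall nat
remove [find chain=srcnat action=masquerade]

# Forward chain = the inbound/outbound firewall the OP asked for.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to connections that were already allowed"
add chain=forward connection-state=invalid action=drop
# Outbound restriction example (constructed): block SMB from LAN2 to the outside and log it.
add chain=forward in-interface=ether2 out-interface=ether1 protocol=tcp dst-port=445 \
    action=drop log=yes log-prefix="lan2-smb-blocked"
# Monitoring: passthrough counts and logs new LAN2->outside connections without deciding on them,
# so you can see what LAN2 devices try to reach before tightening the rules.
add chain=forward in-interface=ether2 out-interface=ether1 connection-state=new \
    action=passthrough log=yes log-prefix="lan2-new-out"
add chain=forward in-interface=ether2 out-interface=ether1 action=accept comment="LAN2 -> LAN1/WAN"
# Inbound: anything from LAN1/WAN that is not a reply is dropped.
add chain=forward in-interface=ether1 out-interface=ether2 action=drop \
    comment="block unsolicited LAN1/WAN -> LAN2"

# ===== Router1: the main router (run on router1) =====
# Without this route, router1 has no idea where 192.168.89.0/24 lives and replies never come back.
/ip route
add dst-address=192.168.89.0/24 gateway=192.168.88.2 comment="LAN2 behind router2"
```

The passthrough rule is placed before the accept rule on purpose: packets are counted and logged, then continue down the chain to be accepted. Once you know which destinations LAN2 actually needs, replace the monitoring rule with explicit accepts and a final drop. The input chain (traffic to router2 itself) is left as whatever your starting config has; it is separate from the forward rules shown here.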
Or to illustrate the concept: when doing a traceroute to some distant host (avoid cloud-hosted servers because those will always be close to you), you’ll see plenty of intermediate routers... and none of them (apart from your own home gateway) will do NAT.
You can try to compare traceroutes in both directions (if you have possibility to run traceroute from the remote end, there are a few public traceroute services).
If you trace the hops the other way and compare IP addresses, you’ll see they are usually not the same, but sometimes they could be from the same subnet if a few routers are part of the ISP’s routing network (could be a MAN, could be global). That’s because those routers have multiple interfaces, each interface has its own address, and in traceroute the IP address of the ingress interface is shown. Some traceroute clients can reverse-resolve IP addresses to DNS names (if the ISP bothers with DNS records for their routers) and DNS names sometimes reflect the geographical area. In those cases it’s fun to trace a route and compare it from different starting places. E.g. my home ISP has one of its upstream connections through seabone while my employer’s ISP has one of its upstream connections through cogentco.
Anyway, in example by @sob, traceroute made from e.g. 192.168.89.15 to e.g. 192.168.88.42 will be like this:
In both directions the first hop will be the mysterious router2, but as different ingress interfaces will be used, traceroute will show different IP addresses.
Apart from the addressing, that’s exactly how part of my home network is configured, [router] being my LTE router that does NAT, and [router2] being my main router that does not. The only point that might be missed is that [router] needs a route to 192.168.89.0/24 with [router2] as the gateway, otherwise it won’t know where to send replies.
Some routes have to be defined in /ip route. On SOHO routers there’s usually a single entry, which is the default route. In this case router (the main one) needs an additional entry