Internet on mikrotik router

For connecting a MikroTik router to the internet, there are 2 ways:

  1. PPPoE client on the router, connecting it to the bridge modem
  2. PPPoE on the modem

Questions:

  1. Which one is the best and why?
  2. Which one is more secure?
  3. When PPPoE is on MikroTik, does it have an effect on performance?

1. Which one is the best and why? - PPPoE on MikroTik, because you just remove 1 NAT in your modem!
2. Which one is more secure? - PPPoE on modem and MikroTik with DHCP client on connection port with modem, acting as DMZ router and “WAN” dynamic IP
3. When PPPoE is on MikroTik, does it have an effect on performance? - No, it does not!

So PPPoE on modem is more secure.
Suppose that we have a static IP for the connection port with the modem and no DMZ config. The MikroTik's other port is connected to a PC and the DHCP server was set for that port. In this situation, which one will be the best for security:
PPPoE on router or modem?
Thanks

I would go with PPPoE on router. Why? One could be marginally better than the other; however, the MikroTik is fully secure and in your control. The same cannot be said for the modem. So as quickly as you can, offload the work from the modem to the MikroTik.

If You trust the ISP provided hardware. Even if Your (his) ISP is honest, it doesn’t mean its routers are secure. Time and again we see problems left unsolved on modem/router firmware provided by the ISPs.

Mikrotik, at least, we know that makes the effort to keep everything secure.

That said, IF your ISP is security conscious, and the router receives the necessary patches, THEN I agree that using it as router, and MikroTik as a second line of defense, is better. But only if.

When PPPoE is on the modem, there is double NAT. In this situation I know that double NAT can have an effect on speed and performance, but I want to know whether having double NAT is good or bad for security. Does it improve security or not?

Dear All
I am facing an issue
ISP has provided me one wan ip and vlan
Wan is 10.214.98.3/24 with gateway 10.214.98.1 and vlan 115
I have done configuration like
10.214.98.3 /24 to ether 1
Ip route 0.0.0.0/0 with gateway 10.214.98.1
For vlan I have created bridge port with STP none
Also vlan 115 with user tag
Autonegotiation enabled for ether1
VLAN 115 mapped with IP 10.214.98.3
But I am not able to ping the gateway
Also, when I directly use a laptop with VLAN setup 115 and IP as 10.214.98.3 /24 with gateway 10.214.98.1, I am able to ping the gateway.
Can anyone pls help

Double NAT in principle means double firewall (I know, firewall and NAT don’t necessarily go together, but on SOHO devices they do) … so you get two layers of security and you start to approach the onion-like layered security.

But this only works if you carefully configure both firewalls. If you have enough control over ISP’s modem/firewall, then it is doable. You have to consider whether it is worth the trouble … keeping in mind how attractive your LAN is for hackers … and difficulty in troubleshooting.
Remember: a poorly configured/maintained firewall is worth nothing, it just gives a false impression of security. Not to mention that the ISP can change settings at any time without you knowing it (my ISP regularly resets config to defaults and next time my router reboots I lose internet because by default the ISP router wants to terminate PPPoE and I can only have one active PPPoE session at a time).

IMHO it’s better to have single firewall with tight (if not paranoid) rules than to have two loosely-configured firewalls. And I didn’t think of performance (yet).

Thank you all