I purchased a routerboard because I had read how excellent they were (and RouterOS). What I didn’t realize was how much I didn’t know about networking! That’s why I need help.
I’m trying to do something that I think is pretty simple with the Routerboard. My requirements are:
1) Router for my system install - this is all machine to machine - no users. The system will look like this:
External:
a)ISP 1 (external ip = ip1)
b)ISP 2 (backup ISP, external ip = ip2)
Border:
My 433UAH Routerboard
My network:
My devices (any number of them, let’s say up to 200 for now) These devices should be able to see each other and my servers in the cloud.
More routerboard switches (to grow the number of devices if necessary)
2) Firewall for my devices. I’d like to open up only specific ports into my device network, like port 4692 plus others.
3) Failover from ISP #1 to ISP #2 whenever ISP #1 is down (so it goes back whenever ISP #1 is up)
I’ve been reading the wiki and forum postings for some time now and I’m having trouble translating this information to my setup. Does anyone have any tips on where to begin? This is a pretty simple setup, isn’t it? (It was with my Linksys - except for the failover.)
Are you looking for just failover, or would you like to do some load balancing? If you want load balancing look up PCC, it works very well, also policy based routing would work depending on your needs and would give you failover as well.
As for forwarding certain ports, you are thinking of some NAT rules, they are very easy to set up. Just be sure to set up good firewall filter rules to protect the LAN(s) and your router. There are several use examples of firewalls in the Wiki.
Once again you can get fancier with what and how you want to forward things, but this will get you started down the right path. I like to specify an address list for the dst-address in case you have multiple ISPs, this way you only need one rule to cover all of them.
As for your LAN size, you can specify any subnet size to fit your needs. A /24 will get you 256 addresses, a /23 will get you 512 addresses. Just scale the subnet, DHCP server, and IP pools to your needs.
The most important thing though is to read the Wiki and examples and play around with the options that are there. This forum is good for answering most questions you could come up with, but be ready to play around with what is suggested and what advice is given and modify it to fit your needs.
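The pieces mentioned in the reply above (a dst-nat port forward keyed on an address list of public IPs, masquerade per WAN, a /23 LAN, and a backup default route with failover plus the policy routing needed so replies leave by the WAN they arrived on) put together as one RouterOS configuration. This is an added example, not a configuration posted in the thread. It assumes ether1 is ISP 1, ether3 is ISP 2 (a 3G modem would instead appear as a ppp interface such as ppp-out1), ether2 is the LAN, the RFC 5737 documentation addresses 203.0.113.10 and 198.51.100.10 stand in for ip1 and ip2, and 192.168.88.10 is the device that should receive port 4692; the list name wan-ips and the marks from-isp2 and via-isp2 are arbitrary.

```routeros
# Added example (not from the thread). Assumptions: ether1 = ISP1, ether3 = ISP2,
# ether2 = LAN; 203.0.113.10 / 198.51.100.10 are documentation addresses
# standing in for ip1 / ip2; 192.168.88.10 is the device behind port 4692.
# Syntax is the RouterOS v6 CLI.

/ip address
add address=192.168.88.1/23 interface=ether2 comment="LAN, /23 = 512 addresses"
add address=203.0.113.10/24 interface=ether1 comment="ISP1 (ip1)"
add address=198.51.100.10/24 interface=ether3 comment="ISP2 (ip2)"

# One address list holding every public address, so a single dst-nat rule
# covers both ISPs (the tip from the reply above).
/ip firewall address-list
add list=wan-ips address=203.0.113.10 comment="ip1"
add list=wan-ips address=198.51.100.10 comment="ip2"

/ip firewall nat
# Port forward: anything arriving on either public address on TCP/4692 is
# rewritten to the LAN host. Add one rule per additional port.
add chain=dstnat dst-address-list=wan-ips protocol=tcp dst-port=4692 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=4692 comment="forward 4692"
# Outbound NAT, one rule per WAN, so the source becomes whichever ISP is in use.
add chain=srcnat out-interface=ether1 action=masquerade comment="NAT via ISP1"
add chain=srcnat out-interface=ether3 action=masquerade comment="NAT via ISP2"

# Failover: two default routes. The primary has the lower distance and
# check-gateway=ping; when the ISP1 gateway stops answering the route goes
# inactive, traffic falls through to the distance-2 route, and it moves back
# automatically once the pings succeed again.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping \
    comment="ISP1 primary"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 comment="ISP2 backup"
# Separate routing table so replies to connections that arrived on ISP2 leave
# via ISP2 instead of following the main default route out ISP1.
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-isp2 \
    comment="reply path for connections that came in on ISP2"

# Mangle: remember which WAN a connection came in on, then route its replies
# (from the LAN host, or from the router itself) out the same WAN.
/ip firewall mangle
add chain=prerouting in-interface=ether3 connection-state=new \
    action=mark-connection new-connection-mark=from-isp2 passthrough=yes
add chain=prerouting in-interface=ether2 connection-mark=from-isp2 \
    action=mark-routing new-routing-mark=via-isp2 passthrough=no
add chain=output connection-mark=from-isp2 \
    action=mark-routing new-routing-mark=via-isp2 passthrough=no
```

Two caveats a practitioner would want. check-gateway=ping only tests the next hop: if the ISP 1 link stays up but the provider's upstream is broken, the primary route never goes inactive and no failover happens (recursive next-hop routes or a netwatch script that disables the route are the usual answers). And these NAT rules only translate; nothing here blocks traffic, so the filter rules described later in the thread are still required to keep the router and the LAN closed to everything but the forwarded ports.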
I’m actually getting more comfortable with RouterOS today. I just got really worried when I had so much trouble so early. I’m not going to be load balancing. We just want the 3g connection as a backup connection.
Thanks for your suggestion on firewalling and port forwarding. I did find a different example in the wiki. I’m guessing I could just follow the “Consumer Protection” in the manual for firewalling:
Yes. There are 3 basic parts to the firewall, and each does something different. Once you start to play around with things and see how things are set up, it makes more sense, starting out however, there is definitely a bit of information overload.
Filter is where you basically filter out your traffic, allow things, deny things etc. Most of your “Firewall” settings will take place here.
NAT is where dst-nat, src-nat, etc. happen. These basic functions allow you to NAT a connection out of a specific IP to allow it online, do port forwards, redirect people to different IP addresses, etc.
Mangle is where you usually mark connections, routing, and packets for use later on in the router.
In Winbox, everything before the action tab is just a firewall matcher. It inspects the packet that is currently being processed to see if it matches that rule, and if it does, it performs that action. So not only is the order of rules very important, but also how specific or general you make the rules.
One handy document is this: http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram
This details the life of a packet in the MikroTik. It is very useful for figuring out what order you need to do things in, and often why a rule that you have isn’t working like you expected it to.
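A filter rule set illustrating the two points made in the reply above: rule order within a chain (first match wins, so the catch-all drop is last) and why the packet-flow diagram matters for a port forward (dst-nat runs in prerouting, before the forward chain, so the forward rule must match the LAN address, not the public one). This is an added example, not something posted in the thread; it assumes ether1 and ether3 are the two WAN interfaces, ether2 is the LAN, and TCP/4692 has already been dst-natted to 192.168.88.10.

```routeros
# Added example (not from the thread). Assumptions: ether1/ether3 = WANs,
# ether2 = LAN, and a dstnat rule already rewrites TCP/4692 to 192.168.88.10.
# Rules are evaluated top to bottom within each chain; the first match decides.
/ip firewall filter

# input chain: packets addressed to the router itself
add chain=input connection-state=established,related action=accept \
    comment="replies to what the router started; first because it matches most packets"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether2 action=accept \
    comment="Winbox/SSH/DHCP from the LAN only; nothing on the router is reachable from the WANs"
add chain=input protocol=icmp action=accept \
    comment="ping, so troubleshooting and check-gateway replies work"
add chain=input action=drop comment="everything else; keep this rule last in the chain"

# forward chain: packets passing through the router
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2 action=accept \
    comment="devices may reach the cloud servers and each other"
# Per the packet-flow diagram, dst-nat ran in prerouting before this chain.
# By now the destination is already 192.168.88.10, so a rule written against
# the public ip1 would never match and the forward would silently fail.
add chain=forward in-interface=!ether2 protocol=tcp dst-address=192.168.88.10 dst-port=4692 \
    action=accept comment="the forwarded service; add one rule per opened port"
add chain=forward action=drop comment="catch-all; anything not listed above is blocked"
```

To see which rule a packet actually hit, use `/ip firewall filter print stats`; a rule whose counters stay at zero is almost always either ordered after a more general rule that already matched, or written against the pre-NAT address as described in the comment.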