Hi All,
Given: two Mikrotik CCR routers. Router1 is fiber connected to internet, and has some high level
firewall rules to clean up internet crud coming in. It routes a /29 static block out to three
servers and Router2, each has one of the static addresses. Very simple, just a bridge and some
ports with bridge IP firewall.
Router2 is a totally normal SOHO config, the WAN port has one of the static addresses, and
it has a few vlan each with a dhcp server (one for wired, one for wifi, one for guest wifi). Normal
Mikrotik soho firewall rules. One bridge with the vlans. One trunk to a vlan-aware switch.
What I’d like to do is use Router2 for some lab experiments, and now that the two routers
are stable for a while, I’d like to put both configs on Router1.
My initial thought is add a Bridge2 to Router1, and basically move over the Router2 vlans
placing them in Bridge2. Then allocate spare ports on Router2 to Bridge2 just like they used
to be on physical Router2.
Still following? Simple so far, the two bridges keep stuff separate, and we have WAN interface
on Bridge2 with the same static address as always, so Router1 knows what to do.
I have two questions:
-
What do I do about firewall rules? Put in a bunch of srcinterface dstinterface stuff to try
and make the Router1 firewall rules apply to Bridge1, and the copied over rules from Router2
onto Bridge2? Seems complicated vs two routers but maybe that’s the only way? -
Is there some other way to think about this maybe with one Bridge and an additional
vlan carrying the static block, so it is separate from the LAN vlans?
Suggestions welcome, hoping I’m not the first with a static block + static servers + NAT’d clients