mikrotik ccr and fortigate firewall policy

blackmetal · November 22, 2017, 4:10pm

Hello,
i have a mikrotik CCR1036 2s±em and it works as router and i connected a cisco 3750 to this router. now we want add a new firewall in this network and connect a port from firewall to switch or router and pass some /32 or less throu firewall device, how can i do it?
i know i can do static route a prefix to firewall and create vlan there then in switch access vlan to that VLANID to that port, but we have some VLANs that created in mikrotik CCR and we can not move all ips traffic thro firewall. we want move traffic for some ips in that vlan thro that firewall
any idea?
thanks

kujo · November 22, 2017, 9:57pm

Hi! Can you attach a scheme of your net and your plan?

Yours respectfully!

blackmetal · November 23, 2017, 7:34am

hi,
please check attachment , this is my net diagram.
and i know i can connect fortinet to my core switch then static route my prefix to foritnet and create vlan on it then in my switch access to that vlan for that port,
but i need to all of my vlans created in mikrotik,
thanks

kujo · November 23, 2017, 11:35am

You can move traffic by mangle in any needed gateway. Can you?

Yours respectfully!

blackmetal · November 23, 2017, 11:40am

with mangale i can manage receive packets what about sent packets? those packets generate by my devices will go throu router directly, because they have my router as gateway

kujo · November 23, 2017, 1:32pm

You can mangle new gateway IP

Yours respectfully!

blackmetal · November 23, 2017, 2:34pm

Hi
In mu 3750 i should add mangle for that right?
Can you give me some example for in and out ?

blackmetal · November 23, 2017, 3:16pm

and is there any other way except mangle?

kujo · November 23, 2017, 7:36pm

Maybe you need create a bridge on ccr, then add a wan port of provider and wan port of fortigate uplink, then you only assign needed external addr to fortigate? But, if you create a bridge, then all ip config need be at bridge interface, not at physical port.

Yours respectfully!

blackmetal · November 24, 2017, 7:35am

there is an idea that create a mangle for incoming traffic that set fortinet as gateway and in ccr create another mangle for that src ips orginate from my network for set next hop to fortinet ,
in this way the only issue is for outgoing traffic first they travel to mikrotik then i set next hop to fortinet and then fortinet again set enxt hop to mikrotik and goes out of my router, is this way correct and logical?

kujo · November 24, 2017, 10:52am

If you need put a fortigate to WAN side-create a wan bridge. Its may works. Can you put scheme with traffic directions?

Yours respectfully!

kujo · November 24, 2017, 10:53am

If you need put a fortigate to WAN side-create a wan bridge. Its may works. Can you put scheme with traffic directions?

Yours respectfully!