mikrotik to replace a fortigate 60b unit

Hey guys,

So…first of all, don’t be too harsh on me as this is my first MikroTik experience ever.
I have known about MikroTik for some years now, but haven’t paid attention to it until now.

Right…so…here some history about my issue…

Up until now I had a Fortigate 60B in place as a gateway/firewall/security device, basically a one stop shop for routing and security.
I don’t know how many of you have had any chance of working with Fortigate appliances, but they are great (until the nvram goes haywire and you have to pay way more than it’s worth to get the nvram replaced outside of warranty).

So, on my FGT unit, I have 2 WAN ports, a DMZ port and 8 LAN 100mbit ports. The LAN ports are all in the same root VLAN.
At this point, thanks to someone who recommended MikroTik routers to me in order to replace the FGT unit, I’ve got my hands on a RB951Ui-2HnD for testing purposes only.

In order for it to be viable as a replacement, I need to set it up to act as the FGT unit did, meaning:

I need to set it up as follows:

  1. dual PPPoE connections on the same physical port?
  2. the FGT unit had an IP pool for every DNAT I had set up (via firewall policies) according to my needs at the time.

Firewall policy example:

==================================================
{firewall policy}

config firewall policy
set srcintf "wan2"
set dstintf "internal"
set srcaddr "ANY"
set dstaddr "wan2_storage"
set action accept
set schedule "always"
set service "ANY"
set logtraffic enable
set nat enable
set ippool enable
set poolname "wan2-storage"
next
end

{details of ip pool specified in the policy}

config firewall ippool
edit "wan2-storage"
set endip 10.0.5.255
set startip 10.0.4.0
next
end

{details of vip group specified in the policy}

config firewall vipgrp
edit "wan2_storage"
set interface "wan2"
set member "wan2storage_https"
next
end

{details of virtual ip specified in the vip group}

config firewall vip
edit "wan2storage_https"
set extintf "wan2"
set portforward enable
set mappedip 10.0.0.2
set extport 443
set mappedport 65001
next
end

Meaning, for every connection coming to "wan2-storage" port 44004 the traffic is port forwarded to 10.0.0.2 port 65001.
The server at 10.0.0.2 wouldn’t see 10.0.0.254 (the FGT internal IP) in this situation, but it would "see" the connection coming from one of the IPs in the 10.0.4.0/23 subnet. Unable to set the FGT to forward the public IP to the servers behind it, this was the "solution" I had settled on. If MikroTik can forward the public IP address to the servers behind it, that’ll be great!

  3. port forwarding: in conjunction with the above requirement (if you want to call it that), one other thing is port forwarding. I’ve read that many people somehow complain about this as not being too straightforward.

  4. VIP groups of port forwardings for firewall policy simplification possible?

  5. RADIUS authentication for specific services: VPN groups, public WiFi groups?

  6. Speaking of WiFi…is it possible to set up a 5GHz WiFi WISP network?

  7. DHCP pools for DMZ, LAN, VPNs (L2TP and IPsec) with IP reservations based on MAC addresses?

  8. syslog for a specific LAN address?

  9. SNMP to Nagios possible?

  10. MikroTik external "ping" services, just to check if the device is connected to the WAN?

  11. if question 1 is possible, setting up DDNS on specific virtual ports (I’m assuming that something like a virtual port would be used) for both WAN connections possible?

  12. VPN setup (L2TP) with one of the DHCP IP pools from question 7 and auth from question 5 possible?

  13. conf management - backup/restore from this RB to a new device, maybe other than the same series, possible?

I’ve read the wiki for the things I was interested in, but I’m not really sure that I can set it up…

So…

The main question is: is anyone out there willing to help me out in setting up the RB according to the above information? Willingness to learn is no problem.
I just need a few pointers on what and how to get started with this.

I repeat. This device is a testing device to get me started, to see if I can handle "the power", as a friend of mine once said :slight_smile:


So…any help would be greatly appreciated.

Seriously?

No one willing to give out some steps I need to do to set this thing up? :frowning:

Hi there,

Are you able to post a complete export of your current Fortigate device and a network diagram of what the current device is doing? Please make sure when you export your config that you remove any sensitive passwords or IP addresses.

Thanks
Rob

Hi Rob,

Sorry for the late reply, but I was kinda losing hope that anyone would answer.

Attached you can find the config file for the Fortigate 60B unit. It’s an old config file but the general information is the same…

Will update with network diagram as soon as possible…

Xam

UPDATE: Basic Network Diagram attached
Cerberus_20141123 - Copy - Copy.jpg
Cerberus_20141123 - Copy - Copy.txt (154 KB)

Thanks for that. With the Fortigate, are you able to SSH into the unit, perform a show full-configuration and copy the output to a txt file?

Thanks

Hi Rob,

The configuration file is attached above.
Unfortunately, the Fortigate is busted, meaning it is no longer in production.
The nvram is fried and I need to send it to Fortinet support in France for a replacement…

Hi,

I’m not sure if you can run 2 PPPoE connections on the same interface (happy to be corrected if this is not the case).

I will build a config on a test router and post the output. Pretty busy at work at the moment, but I hope to have it done in the next day or so.

Thanks

That’s a long list of requests. It does not fit entirely on my 22" screen :slight_smile:

  1. I remember, a long time ago, having tested whether two PPPoE connections can be established on the same interface, and if I recall it worked. But why would you need both of them on the same interface? It is always better to have them separated.
  2. You can set up a DHCP server on any interface of the router, but only one per interface, and obviously you need to assign an IP address to the interface first:
     /ip address
     add address=10.0.1.0/24 interface=ether3
     add address=10.0.0.0/24 interface=ether4
  3. Port forwarding is pretty straightforward, I don’t know why people would complain, unless they don’t know it:
     /ip firewall nat
     add chain=dstnat in-interface=wan2 protocol=tcp dst-port=44004 action=dst-nat to-addresses=10.0.0.2 to-ports=65001
  4. I don’t understand what you mean with VIP groups port forwarding.
  5. RADIUS is possible, but how do you want to implement it?
  6. Of course you can start a WISP in 5GHz, as long as local legislation allows it.
  7. DHCP based on MAC address is possible. Once a MAC address gets an IP from the pool, you can make that entry static, so that the same MAC address always gets the same IP.
  8. syslog is possible; it depends on how you plan to collect or store the log.
  9. SNMP is possible, although I don’t know Nagios, but I guess you can.
  10. You can ping the MikroTik from outside, as long as it has a public IP.
  11. DDNS is possible by scripts, to changeip.org for example; you can search the wiki for the scripts. Now MikroTik has a service of its own for that purpose. You can find it in the /ip cloud menu, but it will show only one of the two public IPs.
  12. The L2TP needs to be set up, and then you see in detail how you would want it. You need to set it up and then see how it works.
  13. Backup/restore is easy and complicated at the same time :slight_smile:. You can use the backup of your router to transfer it to another router of the same model. But if wireless is involved in the configuration it will not transfer to the other router because of the different MAC addresses of the wireless cards. This can be done from the file menu.
     Another option is to export the config, and then import it on the other router:
     /export file=whatever

     then copy the file to the other router, and on the other one do:

     /import file=whatever.rsc

Anyway, you need to start somewhere. Do things step by step and post here how things are going and where you found difficulties. It is easier for forumers to help you that way, rather than with the whole configuration.
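As an added example (not code from the thread, from Fortinet or from MikroTik), here is a small converter that parses the FortiGate "config firewall vip" block quoted earlier in the thread and emits the equivalent RouterOS dst-nat rule, plus a forward-chain filter that admits only the forwarded port to the mapped host. It assumes the VIP is TCP (the block does not state a protocol) and uses the extport value 443 as written in that block; with dst-nat alone the server sees the real client source address, which is the behaviour the original poster wanted instead of the FortiGate ippool masking.

```python
# Constructed input: the "config firewall vip" block quoted earlier in the thread.
FGT_VIP = """\
config firewall vip
edit "wan2storage_https"
set extintf "wan2"
set portforward enable
set mappedip 10.0.0.2
set extport 443
set mappedport 65001
next
end
"""


def parse_fgt_table(text):
    """Parse FortiOS 'edit/set/next' entries into {name: {key: value}} (quotes stripped)."""
    entries, current, name = {}, None, None
    for raw in text.splitlines():
        tok = raw.strip().split(None, 2)
        if not tok:
            continue
        if tok[0] == "edit":
            name, current = tok[1].strip('"'), {}
        elif tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2].strip('"') if len(tok) > 2 else ""
        elif tok[0] == "next" and current is not None:
            entries[name], current = current, None
    return entries


def vip_to_routeros(vip, protocol="tcp"):
    """Return the RouterOS rules equivalent to one FortiGate port-forward VIP:
    a dstnat rule (client source IP is preserved, unlike the FortiGate ippool) and
    a forward-chain filter that accepts only the dst-natted port to the mapped host.
    protocol is an assumption: the FortiGate block does not state one."""
    if vip.get("portforward") != "enable":
        raise ValueError("only port-forward VIPs are handled")
    nat = ("/ip firewall nat add chain=dstnat in-interface={extintf} protocol={p} "
           "dst-port={extport} action=dst-nat to-addresses={mappedip} "
           "to-ports={mappedport}").format(p=protocol, **vip)
    fwd = ("/ip firewall filter add chain=forward in-interface={extintf} protocol={p} "
           "dst-address={mappedip} dst-port={mappedport} connection-nat-state=dstnat "
           "action=accept").format(p=protocol, **vip)
    return [nat, fwd]


if __name__ == "__main__":
    for vip_name, vip in parse_fgt_table(FGT_VIP).items():
        print("# from FortiGate VIP", vip_name)
        print("\n".join(vip_to_routeros(vip)))
```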