Multi-network NAT configuration

Hey guys, so I’ve already received some help from Dmitry (a Mikrotik consultant) and I am posting this as a how-to as well as getting a little more info. He has been rather busy lately and I don’t want to pester him anymore. So here is my setup:

Old Network is on the left, New on the right.

The plan is to have all the machines behind the mikrotik firewall or in my case, just NAT.
First, in my setup, my ISP is doing all the routing for me, so I’m just configuring the mikrotik with the ISP as the gateway.

(I’m a noob, so I’m using Winbox)

  1. So from a totally empty Mikrotik, I first assign my public IP addresses to the WAN port (ether1 in my case). I’ve done this and included the broadcast and network. I’m not sure how important that is when setting the IP in 0.0.0.0/24 format. I now have 4 public networks assigned with a total of 8 IP addresses.
  2. I then went into the routing table (IP/Routes in Winbox) and added all the gateways. I did this with all 4 gateways having a destination of 0.0.0.0 and set a “Routing Mark” for each (starting with silver1, silver2, gold1, gold2).
  3. I then went into mangle under firewall, and added the following information for each server sending data over the internet:

chain:prerouting
src-address: one rule per server - you will specify server’s internal address here (like 192.168.0.2, etc)
in-interface: your local interface, that the servers are connected to
action:mark-routing
new-routing-mark: respective routing mark for that server (keep in mind, which server is going to get which address; we will get to address assignment in the next step)

  4. Under NAT, I set the following for each server, assigning their respective “from” IP addresses.

source nat goes like this: (assigning which server gets which Public IP)
chain:srcnat
src-address: one rule per server, specify internal addresses here
out-interface: your external interface name
action:src-nat
to-src-address: the external address of the respective server

  5. Also under NAT I added the following settings for each port that needed to be forwarded to each respective server:

destination nat goes like this:
chain:dstnat
dst-address: one rule per server, but you specify the external (public!) server addresses
protocol: TCP
dst-port: 80
action:dst-nat
to-dst-address: internal (private!) address of the respective server
in-interface: ISP’s interface (in my case, WAN)

So a couple of questions about this setup. I have not implemented it yet, but I need to very soon. One question is: in my old setup, I had 3 servers off of the Mikrotik and that was configured using NAT under a single IP address. Each server got FTP on a different port, and RDP, etc. So under this configuration, how can I still do that? Have 3 servers share one of these addresses?

Lastly, is there anything missing or anything I should add to this configuration that would make it more secure or just any other general comments that someone with experience can speak to? It has taken me a while to write all this out, so if I’ve forgotten anything, I’ll update it later if I remember.


Update

I was told that all I have to do is create more rules based on step #5. I see how this would work for inbound traffic, but can that server still send data out? I’m heading down to the data center tomorrow and can test it at that point. Do I need to create a srcnat for each server, just using the same public IP possibly? Not sure how it will differentiate the packets though… maybe it tags them based on MAC address or something. *shrugs*
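As an added example (not from the post or from Dmitry), here are the five steps above as RouterOS v6 terminal commands, with the shared-address case from the update worked in. The interface names (ether1 = WAN, ether2 = LAN), the 203.0.113.x /30 public blocks and the 192.168.0.x server addresses are assumed placeholders.

```routeros
# Constructed example: two of the four public /30 blocks, one server on
# silver1 and two servers sharing silver2. Replace addresses and marks.
/ip address
add address=203.0.113.2/30 interface=ether1 comment="silver1 public"
add address=203.0.113.6/30 interface=ether1 comment="silver2 public"
add address=192.168.0.1/24 interface=ether2 comment="LAN"

# Step 2: one default route per public block, tagged with its routing mark
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=silver1
add dst-address=0.0.0.0/0 gateway=203.0.113.5 routing-mark=silver2
add dst-address=0.0.0.0/0 gateway=203.0.113.1 comment="unmarked fallback"

# Step 3: mangle steers each server's outbound traffic to its marked route
/ip firewall mangle
add chain=prerouting in-interface=ether2 src-address=192.168.0.2 \
    action=mark-routing new-routing-mark=silver1 passthrough=no
add chain=prerouting in-interface=ether2 src-address=192.168.0.3-192.168.0.4 \
    action=mark-routing new-routing-mark=silver2 passthrough=no

# Step 4: srcnat sets the public address each server appears from. Two
# servers can share 203.0.113.6: connection tracking separates the return
# packets by port, no MAC-based tagging is involved.
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=192.168.0.2 \
    action=src-nat to-addresses=203.0.113.2
add chain=srcnat out-interface=ether1 src-address=192.168.0.3-192.168.0.4 \
    action=src-nat to-addresses=203.0.113.6

# Step 5: dstnat, one rule per published port. The shared address is split
# by dst-port and to-ports maps back to the real service port (FTP here).
add chain=dstnat in-interface=ether1 dst-address=203.0.113.2 protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.0.2 to-ports=80
add chain=dstnat in-interface=ether1 dst-address=203.0.113.6 protocol=tcp \
    dst-port=2121 action=dst-nat to-addresses=192.168.0.3 to-ports=21
add chain=dstnat in-interface=ether1 dst-address=203.0.113.6 protocol=tcp \
    dst-port=2122 action=dst-nat to-addresses=192.168.0.4 to-ports=21

# Hardening the post asks about: the router itself only answers established
# flows on the WAN side and drops everything else (Winbox stays on the LAN).
/ip firewall filter
add chain=input in-interface=ether1 connection-state=established,related \
    action=accept
add chain=input in-interface=ether1 action=drop
```

Inbound connections that were dst-nat'ed to 192.168.0.3 return through the silver2 mark and srcnat, so they leave from the same 203.0.113.6 they arrived on.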