Dear Mikrotik community,
Here is my situation: RouterBOARD CCR1009 (v6.20)
I have several public IPs behind a bond (bond1);
eth1wan and eth2wan are members, eth1wan is primary.
I first defined my addresses (1.1.1.0/27) on bond1.
I defined a DHCP server with a small pool (10.94.106.50-60) for my laptop when maintenance is required.
The gateway is 10.94.106.17 and is defined on ‘eth3gateway’.

I defined some src-nat rules to force each server to go out behind a dedicated WAN IP:
chain=srcnat action=src-nat to-addresses=1.1.1.2
src-address=10.94.106.10 out-interface=bond1 log=no log-prefix=""
The DHCP pool uses a dedicated IP.
I defined some dst-nat rules to forward flows to the correct services:
chain=dstnat action=dst-nat to-addresses=10.94.106.10 to-ports=25
protocol=tcp dst-address=1.1.1.2 dst-port=25 log=no log-prefix=""
Everything up to here is working fine…
Problem #1
When I ping my gateway (10.94.106.17) from my laptop (10.94.106.60/255.255.255.192) over a cable, I get bad response times (between 10 and 200 ms).
I solved this like this:
I removed all the public IPs from ‘bond1’ and created a bridge called ‘bridge’ [no interface, no filters, no NAT, no host],
then created all my public IPs on ‘bridge’.
→ Problem solved; ping is now stable at <1 ms.
But was it the right way to sort this out?
Problem #2
With my previous gateway (Netgear SRX5308), I was able to block all external flow except what I clearly defined for each LAN IP.
I tried this:
a. creating an address list for (for example) servers allowed to send mail
b. creating a rule:
chain=forward action=accept protocol=tcp src-address-list=smtp-allow
dst-port=25 log=no log-prefix=""
→ The Winbox ‘Firewall’ window, NAT tab, is not showing any activity for this rule.
Is this the right way to do it?
Problem #3
One of the servers (WAN 1.1.1.2, LAN 10.94.106.13) is filtering mail flow for several domains (most external, some internal).
If I check the incoming flow from internal servers using this filtering service, they appear as 10.94.106.17 (which is my gateway) and not with their external IP.
If I try to send to an external domain (I mean one not using this filtering service), the flow appears from the correct dedicated WAN IP.
I fixed this for the moment using this rule:
chain=srcnat action=netmap to-addresses=1.1.1.2 to-ports=25
protocol=tcp src-address=10.94.106.0/26 dst-address=10.94.106.13
out-interface=eth3gateway dst-port=25 log=no log-prefix=""
→ I’m sure it’s not the way to fix this, but for now it allows me to avoid dropped connections due to the internal IP being used to send mail.
Problem #4
This is the same as #3 but related to a web server which was not reachable from inside;
I fixed it for the moment as:
chain=srcnat action=netmap to-addresses=1.1.1.3 protocol=tcp
src-address=10.94.106.0/26 dst-address=10.94.106.12
out-interface=eth3gateway dst-port=80 log=no log-prefix=""
Thanks for reading about my problem;
Hope to get feedback soon.
F.
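The following is an added example and not part of the post above or the poster's configuration. It shows, in RouterOS CLI form, the three pieces Problems #2, #3 and #4 revolve around: a forward-chain filter rule driven by an address list with a default-deny rule behind it, the dst-nat/src-nat pair for one server, and a single hairpin NAT rule that replaces the per-server netmap rules for LAN clients connecting to a public IP. Addresses and interface names come from the post; using bond1 as the WAN out-interface is an assumption (the post uses both bond1 and eth3gateway), and 10.94.106.13 is taken from Problem #3 as the SMTP server. One point worth knowing for Problem #2: a chain=forward rule lives under /ip firewall filter, so its packet and byte counters appear in Winbox under Firewall > Filter Rules, not in the NAT tab.

```routeros
# Added example, not the poster's config. Addresses and interface names are
# taken from the post; out-interface=bond1 for WAN egress is an assumption.

# Problem #2: hosts allowed to send mail, referenced by a forward FILTER rule.
/ip firewall address-list
add list=smtp-allow address=10.94.106.13 comment="mail filter server"

/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to flows already permitted below"
add chain=forward connection-state=invalid action=drop
add chain=forward src-address-list=smtp-allow protocol=tcp dst-port=25 \
    dst-address=!10.94.106.0/26 action=accept \
    comment="only listed hosts may open SMTP to the outside"
add chain=forward src-address=10.94.106.0/26 dst-address=!10.94.106.0/26 \
    action=drop log=yes log-prefix="lan-egress-drop" \
    comment="default deny: everything else from LAN to outside, logged"

/ip firewall nat
# Problem #3 setup: inbound SMTP on the public IP reaches the LAN server and
# the server's own outbound traffic leaves behind its dedicated public IP.
add chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=10.94.106.13 to-ports=25
add chain=srcnat src-address=10.94.106.13 out-interface=bond1 \
    action=src-nat to-addresses=1.1.1.2

# Problems #3 and #4: hairpin NAT. When a LAN host connects to 1.1.1.2:25,
# the dst-nat rule rewrites the destination to 10.94.106.13. The server would
# then answer the LAN client directly, bypassing the router, and the client
# drops the reply because it expects it from 1.1.1.2. Rewriting the source
# for LAN-to-LAN flows that went through dst-nat forces the reply back
# through the router. connection-nat-state=dstnat limits the rule to exactly
# those flows, so ordinary LAN-to-LAN traffic keeps its real source address.
# One rule covers every dst-natted server in the LAN (the SMTP server of #3
# and the web server of #4 alike), so no per-server netmap rule is needed.
add chain=srcnat src-address=10.94.106.0/26 dst-address=10.94.106.0/26 \
    connection-nat-state=dstnat action=masquerade \
    comment="hairpin NAT for LAN clients reaching servers via public IPs"
```

Two caveats for whoever adopts this. First, the hairpin rule deliberately hides the client: for those flows the server sees the router's LAN address as the source, so its logs and any per-client rate limits on it will not see the real LAN host; if that matters, the cleaner alternative is split DNS so LAN clients resolve the server's name to 10.94.106.13 and never hit the public IP at all. Second, the default-deny rule is placed last on purpose; check its counter and the `lan-egress-drop` log entries after deployment, because any LAN host that starts appearing there is either missing a legitimate allow rule or doing something it should not.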