Need help replacing a Fortigate with MikroTik

I’m trying to replace our head end Fortinets with MikroTiks and we’ve got most of that worked out; however, I need help with one final piece. The box needs to do the following:

- Terminate the main IP from our provider and provide NAT/masquerade on the main IP. We know how to do that.
- Terminate a /27 as a secondary IP on the main interface. We know how to do that as well.
- Replicate the functionality of a Fortigate ‘VIP’ on each address in the /27; we don’t know how to do that. A Fortigate VIP (Virtual IP address) is nothing more than a public IP in the /27 secondary IP block that is routed to an internal private IP address. NAT and masquerading are provided.

This should look pretty similar to the main filter and NAT rules, but I’m not sure what the syntax would look like for all the discrete IP addresses within the /27.


Please help me get this working so I can dump my slow Fortigate 60C units! :wink:

JT

So far you have an x.x.x.x/27 on your wan interface. Just add a /32 within that /27 onto the same wan interface, then program your src/dst nat rules accordingly, using that /32 as the src or dst address.

Then you can map everything to a single host or break up the ports to multiple hosts just as you normally would.

Right, got it. Just like the manual says (whoda thunkit?). Works like socks on a rooster, thanks! Now, next question. Given the NAT rules:

2 chain=dstnat action=dst-nat to-addresses=192.168.80.1 dst-address=xx.xxx.182.114

3 chain=srcnat action=src-nat to-addresses=xx.xxx.182.114 src-address=192.168.80.1

How can I restrict access to xx.xxx.182.114 to just selected external addresses? Can I do this from inside the NAT rules or do I need to go to the main firewall?

JT

That would be under your /ip firewall filter, and you’d want to deal with it on the forward chain. Bear in mind that filter forward happens after nat, so IP addressing will be the translated address.

So I want to allow $IP1, $IP2 and $IP3 to 192.168.80.1 and disallow all others; what does that look like? Sorry for all the dumb questions, I am an IPFW guy and still trying to wrap my mind around chains…

JT

Something along the lines of:

Create a list of good addresses:
/ip firewall address-list
add address=24.12.4.2 list=goodguys
add address=24.12.4.4 list=goodguys
add address=24.12.4.6 list=goodguys

Then, allow those hosts, but block everything else.
/ip firewall filter
add action=accept chain=forward dst-address=192.168.80.1 src-address-list=goodguys
add action=drop chain=forward dst-address=192.168.80.1
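Putting the three pieces of the thread together (the /32 on the WAN interface, the dst-nat/src-nat pair, and the address-list filter) as one RouterOS fragment for a single VIP. This is an added example, not configuration posted in the thread; the interface name ether1-wan and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders from the documentation ranges. It also adds in-interface matches so the drop rule only affects traffic arriving from the provider, not forwarded traffic between internal interfaces.

```routeros
# Added example (not from the thread). ether1-wan and all 203.0.113.x /
# 198.51.100.x addresses are constructed placeholders.

# 1. The public VIP: a /32 inside the provider's /27, on the same WAN interface.
/ip address
add address=203.0.113.114/32 interface=ether1-wan comment="VIP -> 192.168.80.1"

# 2. Fortigate-VIP equivalent: inbound dst-nat plus matching outbound src-nat,
#    so the internal host is reached on, and seen as, the public /32.
/ip firewall nat
add chain=dstnat in-interface=ether1-wan dst-address=203.0.113.114 \
    action=dst-nat to-addresses=192.168.80.1 comment="VIP inbound"
add chain=srcnat out-interface=ether1-wan src-address=192.168.80.1 \
    action=src-nat to-addresses=203.0.113.114 comment="VIP outbound"

# 3. Permitted external sources, kept in an address-list so the filter rules
#    never change when a peer is added or removed.
/ip firewall address-list
add list=goodguys address=198.51.100.10 comment="partner A"
add list=goodguys address=198.51.100.20 comment="partner B"

# 4. Forward-chain filter. Forward runs after dstnat, so the VIP traffic is
#    matched on the translated address 192.168.80.1, not on 203.0.113.114.
#    Rules are evaluated top-down: these must sit above any general accept
#    already in the forward chain (check with: /ip firewall filter print).
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to already-permitted sessions"
add chain=forward in-interface=ether1-wan dst-address=192.168.80.1 \
    src-address-list=goodguys connection-state=new action=accept \
    comment="VIP: allow listed sources only"
add chain=forward in-interface=ether1-wan dst-address=192.168.80.1 \
    action=drop log=yes log-prefix="vip-denied" \
    comment="VIP: drop everyone else from the WAN"
```

The logged drops make denied attempts visible in /log print, which is the quickest way to confirm the rule order is right before repeating the pattern for the other addresses in the /27.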