No NAT but firewall?

Hi,

I’m brand new to Mikrotik and detailed router/firewall configuration.

We’re on a large campus network, all of our devices are assigned IPs by DHCP from the campus.

Looks like this:

Campus → Cisco router (fiber in) → rj-45 ethernet to all of our devices

I would like to use a RouterOS device to act as a firewall only, between the campus network and all of our machines.

Question is: what is the best way to do this? I assume without using NAT masquerade or 1:1 NAT. Put a RouterOS device in front of the Cisco router?

Thank you for any guidance,

-Jeff

Firewall function without NAT is perfectly possible. Have you considered the relative performance of the Cisco router and the proposed Mikrotik router and the connection speeds involved? Which Mikrotik model are you considering?

OK, instead of starting a new thread and clogging this one up any more than it already is, I’m hoping this thread is close enough to have a simple few questions answered about MikroTik RouterOS.

I’m currently a WISP with a fiber backbone with four class C static public IP blocks. I’m currently using a Cisco to be my router “gateway”, with a couple of other machines to manage and shape bandwidth to my customers, all of which (at this time) have static “public” IP addresses. From what I can see, 99.9999% of the people using MikroTik routers are using the full router option, with firewall, inside private IP blocks, NAT, and many other features I don’t yet understand.

I’m currently going through a company restructure and upgrade. I was seriously looking into a “NetEqualizer”, which seems to do exactly what I’m looking for, but their prices are far beyond ridiculous, and after some reading about some other company policies of theirs, I see they are equally ridiculous. I’m looking for other options. In doing so, I’ve come across MikroTik, RouterOS and one of their hardware router units like the CCR1036 (perhaps not that big). I’ve downloaded RouterOS and tried to install it on a PC to get a feel for what I was getting into. It became clear very quickly that that was going to become a full-time job. I am more interested in buying one of their pre-made, pull-out-of-the-box units: plug it in, do some configuring, and it’s up and running.

So some of my basic questions are:

1) Are these routers designed for public-to-private with NAT only, OR can they be simple gateway routers (or bridges) and still have all of the functionality of bandwidth management and shaping?
2) In many places on this forum I see people talking about additional cards that need to be added for most of the equipment, and I was wondering if this is just optional stuff for high-end, well-educated Mikrotik gurus, or are these additional components that will be needed (and researched) in order to make these routers work?
3) Since I’ve been unable to successfully install (or rather access and configure) the RouterOS software on a PC to see what it really does, and what I am really going to be getting into when it comes to configuring rules on this router, I am confused about some things. Currently my rules in my current systems are primarily based on IP. This includes upload and download limits per customer, and port blocking by IP to and from WAN to LAN, even when both sides are public IPs?
4) Has anyone dealt enough with the different platforms on the market like “NetEqualizer” to honestly give some comparisons or “pros and cons” between the two?
5) If this is feasible, what would be the recommended router to purchase for a (300 customer) base, a 20-50 megabytes fiber pipe, and a router configurable enough so I can set rules to control some of these “hogs” and be able to go away for a day and not have to worry that something is choking my network!?

There is no need to use NAT/PAT on RouterOS - it is as optional as it is on Cisco. I’m not sure which cards you were referring to - the wireless-capable routerboards generally have slots for optional wireless cards, so maybe that is what you were noticing.

The ISP pipe size is well within the capabilities of several routerboard products or various third-party x86 products running RouterOS. The “best” solution is probably going to depend on some additional topology details and the finer details of your goals.
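To make the "NAT is optional" point concrete, here is an added configuration sketch (not from either poster or from MikroTik) of a RouterOS box sitting inline as a transparent bridge that filters and shapes per public IP with no address translation; the interface names, the 203.0.113.0/24 block, the customer addresses and the blocked port range are all assumed placeholders.

```routeros
# Added example (not from the thread): transparent firewall + per-IP shaping, no NAT.
# Assumptions: ether1 faces the upstream feed, ether2 faces the customer switches;
# 203.0.113.0/24 stands in for one of the public blocks (constructed placeholder).
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
# Without this, bridged frames bypass /ip firewall and the queues entirely.
/interface bridge settings set use-ip-firewall=yes
# Management address for the router itself; nothing is translated.
/ip address add address=203.0.113.2/24 interface=bridge1

# Group the IPs a rule should apply to instead of writing one rule per customer.
/ip firewall address-list add list=blocked-ports address=203.0.113.50
/ip firewall address-list add list=blocked-ports address=203.0.113.51

/ip firewall filter
# Let return traffic of tracked connections through and drop the untrackable rest.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Block an assumed port range for the listed customers in both directions;
# in-bridge-port tells which side of the bridge the packet arrived on.
add chain=forward src-address-list=blocked-ports protocol=tcp dst-port=6881-6889 action=drop comment="customer -> upstream"
add chain=forward dst-address-list=blocked-ports in-bridge-port=ether1 protocol=tcp dst-port=6881-6889 action=drop comment="upstream -> customer"

# Per-customer cap: max-limit is upload/download as seen from the target address.
/queue simple add name=cust-50 target=203.0.113.50/32 max-limit=2M/10M
/queue simple add name=cust-51 target=203.0.113.51/32 max-limit=2M/10M

# Live view of tracked connections, the rough equivalent of pftop.
/ip firewall connection print
```

Because the traffic is bridged, customers keep their static public IPs exactly as they do behind the Cisco today; the firewall and queues see the packets only because use-ip-firewall is enabled.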

Well, to be honest, I’m not sure how to answer that or where to begin. As stated before, I’m currently being fed by a fiber feed, which is then broadcast wirelessly to a 250-foot tower we own 10 miles away in an area with no broadband at all. From there I have it going through a Cisco whose current job is nothing more than to be a router gateway. It translates from my provider’s IP to my 4 class C public IP blocks. From there it goes through my current bandwidth shaper, and then from there through an OpenBSD PF box to monitor and control state limits. At that point it goes to a series of gigabit switches and out multiple broadcasters to feed customers and/or 16 other towers, all of which are in simple bridge mode and pass traffic to the individual customers on each tower (each customer radio has a static public IP). My hope is that I can use RouterOS much like a NetEqualizer: nothing more than two NICs that are bridged, with RouterOS having the ability to control bandwidth to each individual IP based on a set of rules. These rules would include maximum download and upload per IP individually, port blocking by groups of IPs and/or individual IPs, and an added plus would be something similar to pftop on OpenBSD, in which I could monitor every state connection to see who is doing what on what port (primarily to find who is file sharing, and/or doing whatever on what ports at what rate).

As you may or may not know, when it comes to wireless Internet service providers, filesharing is kryptonite to a wireless network. The number of packets that are normally uploaded with very little data could just the network and overload the APs to where the entire network can slow to a crawl if not managed/blocked.

My current shaper has the ability to limit bandwidth on many different levels. It can give them a maximum download until they download a certain amount per day, at which time it begins to throttle them back a bit, and/or I can make rules where at certain times late at night or on weekends they have twice as much bandwidth. I see for the most part that this NetEqualizer does similar things, but again their prices are ludicrous for the scale of my operation.

As I stated before, I tried downloading RouterOS directly and installing it on a PC, but I have found challenges with configuring it or even accessing it. I downloaded the additional software where I could connect to RouterOS via MAC address, and according to that software NO IPs were issued to the NICs. The instructions state that by default at least one of the internal NICs would be given an IP address of 192.168.88.x. This didn’t seem to be the case. And though I was able to access the OS via the secondary program by MAC address, I found no place to change the IP addresses so I can actually use the web GUI, which I’m assuming gives you greater access to all the features. On top of this, there appears to be a 24-hour trial period, which I can already tell may be just enough time for me to realize I have no idea what I’m doing! Certainly not enough to figure out if this can do what I need/want.

So again, I’m open to buying an out-of-the-box unit that I believe they call a Cloud Core Router, but I need to know if it is capable of doing everything I’ve specified. That said, I realize since the cost is significantly cheaper, I expect a certain amount of a learning curve, large amounts of “homework”, and a great deal of testing by trial and error. But if there is someone in here that is familiar enough with this equipment to tell me if it’s even capable of doing what I’m trying to do with it, it would be much appreciated. I started wireless 12 years ago and have run a computer store for the last 20 years, so I’m not afraid of the hardware/software learning curve. But I have to admit, with age learning is getting a bit harder and much slower. LOL