Hello Mikrotik world! I would like to replace my draytek routers with mikrotik but I cannot replicate the scenario that draytek calls “physical DMZ in routing mode” shown in the figure below. Is there a way with Mikrotik to be able to achieve the same result?
Thank you

The scenario can be done in the way similar to the following:
1. create a new bridge (e.g. named WAN-bridge), add physical ports used for both ISP connection and DMZ
2. configure router’s WAN IP settings (address, gateway) on WAN-bridge interface
3. manually disable HW offload on ports of this bridge:
/interface bridge port set [ find bridge=WAN-bridge ] hw=no
Without doing it, traffic between ports of WAN-bridge would bypass general CPU code and the following steps would not be effective.
4. enable usage of IP firewall for bridge traffic
/interface bridge settings set use-ip-firewall=yes
Beware that this setting is common for all bridges including LAN bridge. Make sure that either LAN ports are all HW offloaded (not possible for non-ethernet ports such as wlan interfaces) or that IP firewall rules don’t trigger on intra-LAN traffic.
5. construct IP firewall rules (e.g. filter rules) which appropriately protect DMZ servers from internet.
DMZ and LAN are still separated by “normal” firewall and firewall rules act on DMZ<->LAN traffic just as they did before on traffic internet<->LAN.
If you don’t need firewall on Mikrotik to act on traffic between WAN and DMZ, then simply skip steps starting from #3 forward.
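Added example (my own, not from mkx’s post or any MikroTik documentation): the five steps above written out as RouterOS CLI. All names and addresses are assumptions: ether1 is the ISP port, ether2 the DMZ port, bridge-lan the existing LAN bridge, and 203.0.113.32/29 is a constructed public block (.33 ISP gateway, .34 router WAN address, .35-.38 DMZ hosts). The filter rules only show the shape of step 5; adapt them to the services actually hosted in the DMZ.

```routeros
# Added example, not from the thread. Assumed layout (placeholders):
#   ether1          = ISP uplink port
#   ether2          = DMZ port
#   bridge-lan      = existing LAN bridge (192.168.1.0/24 behind it)
#   203.0.113.32/29 = constructed public block: .33 ISP gateway,
#                     .34 router WAN address, .35-.38 DMZ hosts

# Steps 1-2: bridge the ISP and DMZ ports, put the WAN address on the bridge
/interface bridge add name=bridge-wan comment="ISP + DMZ ports"
/interface bridge port add bridge=bridge-wan interface=ether1
/interface bridge port add bridge=bridge-wan interface=ether2
/ip address add address=203.0.113.34/29 interface=bridge-wan
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.33

# Step 3: force bridged DMZ traffic through the CPU so the firewall can see it
/interface bridge port set [ find bridge=bridge-wan ] hw=no

# Step 4: send bridged traffic through the IP firewall (affects every bridge)
/interface bridge settings set use-ip-firewall=yes

# Step 5: forward-chain policy. in-bridge-port/out-bridge-port tell apart
# traffic that stays inside bridge-wan (internet <-> DMZ) from routed LAN traffic.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies to already accepted flows"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-bridge-port=ether1 out-bridge-port=ether2 dst-address=203.0.113.35 protocol=tcp dst-port=80,443 comment="internet -> DMZ web host: HTTP/HTTPS only"
add chain=forward action=drop in-bridge-port=ether1 out-bridge-port=ether2 comment="internet -> DMZ: everything else"
add chain=forward action=drop in-bridge-port=ether2 out-interface=bridge-lan comment="DMZ -> LAN: a compromised DMZ host must not reach the LAN"
```

LAN to DMZ traffic is routed (in on bridge-lan, out on bridge-wan towards ether2) and is left to whatever your existing forward rules do; the last rule only closes the reverse direction, which is the one that matters if a DMZ host is compromised.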
Hi Mkx,
What is the other way…
To me this is a block of IPs provided by the ISP where one uses one IP for the router itself and then distributes other IPs 1:1 (public to private IP).
One to one NAT or perhaps netmap?
First IP as dhcp client.
Rest netmapped ?
per IP
/ip firewall nat add chain=dstnat dst-address=<public IP> action=netmap to-addresses=<private IP>
/ip firewall nat add chain=srcnat src-address=<private IP> action=netmap to-addresses=<public IP>
Hi Mkx,
However you must configure Nat for Lan traffic (behind 210.243.230.33), but instead the traffic that starts from addresses 210.243.230.34-36 must not be natted:
how do you get it?
In your opinion, is it better to use proxy arp instead of bridge in some way?
Thx
Hi anav,
unfortunately the client wants some hosts to have public IPs on their interface, only those on LAN need to be under Nat.
Ahh okay so this is transparently transporting the available WANIPs through to the other routers.
More interesting indeed.
Maybe I think a selective nat is needed in the firewall options based on the source IP address:
• source ip: 192.168.1.0/24 nat masc. active
• source ip: 201.243.230.32/29 nat NOT active
Is it possible to do this with RouterOS?
Thx
All firewall rules in ROS can be as selective as you wish (almost). E.g. if you have a look at NAT properties, most of properties are “selectors” meaning they are used to select packets on which the rule to act. Only a few are “actions” meaning they define what NAT rule will actually do to packets.
For example:
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=201.243.230.33 src-address=192.168.1.0/24 out-interface=<WAN interface>
So the first property is NAT chain (src-nat, dst-nat, …) Then come two action properties: the second one is what action it should perform (SRC NAT), third one is what in particular action should do (SRC NAT can change SRC address and in this case SRC address of packet will be replaced by to-addresses value). The rest of properties are selectors: fourth property says rule will only act on packets with SRC address in the defined subnet and fifth property says rule will only act on packets leaving router via WAN interface. All selectors are used in AND fashion so all have to be true in order for rule to act.
Default config in SOHO devices has SRC NAT rule which lacks selector of src-address and thus acts on all packets leaving router via WAN interface. In your case that rule is a tad too general. And in your case selector property in-bridge-port=!DMZ (note the exclamation sign meaning NOT) might be usable.
Note that if none of NAT rules match, packet is passed through NAT chains unaltered, so your “NAT not active” rule is actually default behaviour and you should concentrate on “NAT active” rules.
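Added example (my own, not from mkx’s post): the “NAT active / NAT not active” split from the question, written as RouterOS NAT rules with selectors. Names and addresses are assumptions: bridge-wan carries the ISP port ether1 and the DMZ port ether2, 203.0.113.34 is the router’s WAN address, 203.0.113.32/29 is a constructed public block and 192.168.1.0/24 is the LAN.

```routeros
# Added example, not from the thread. Assumed: bridge-wan = ISP port ether1
# + DMZ port ether2, 203.0.113.34 = router WAN address (constructed block
# 203.0.113.32/29), 192.168.1.0/24 = LAN behind NAT.
/ip firewall nat

# "NAT active": only LAN sources, and only when the packet really leaves
# through the ISP port. Without out-bridge-port, LAN -> DMZ packets (which
# also exit via bridge-wan) would be translated to the WAN address too.
add chain=srcnat action=src-nat to-addresses=203.0.113.34 src-address=192.168.1.0/24 out-interface=bridge-wan out-bridge-port=ether1 comment="LAN -> internet: hide behind router WAN IP"

# "NAT NOT active" needs no rule of its own: DMZ hosts (.35-.38) match the
# src-address selector above, so they leave untranslated. If later, more
# general rules (e.g. a default masquerade) are ever added, an explicit
# accept placed first keeps the DMZ exempt regardless of rule order.
add chain=srcnat action=accept src-address=203.0.113.32/29 comment="DMZ: never translate" place-before=0

# Check: LAN connections show reply-dst-address=203.0.113.34 (translated),
# connections from DMZ hosts keep their own address in that column.
/ip firewall connection print detail where src-address~"192.168.1."
```

The accept rule is optional with the rules as shown, but it documents the intent in the rule list itself, which is where the next admin will look when a “why is the DMZ suddenly natted” ticket arrives.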