Researching Potential Office Firewall/Router Solutions

I have been using MikroTik RouterOS/RouterBOARD at home for around 6 months now and have also deployed it into a retail location for the business I work for.

Recently at the Corporate Office we have been having issues with our WatchGuard XTM Firewall/Router. I’m looking into replacing it, and using MikroTik since I have just loved everything about it since I started using it.

Here are my questions on its capabilities.

Currently we have a /28 here with 50Mbit up and down; we use those to NAT to our internal LAN IPs, 192.168.2.0/24. We don’t assign the public IPs to our actual servers etc.

WatchGuard provides a nice SSL VPN connection that allows my boss to VPN from home and be able to access network shares and our servers here at the office as if he’s connected.

The issue with this is, both the office and his home subnet are the same 192.168.2.0/24. Would this be a problem in MikroTik?

I tried to talk him into MikroTik before, but this VPN part was in question. I saw the new HomeVPN setup that’s pretty easy, I tested it, and it did seem to work. But I wasn’t sure if it would 100% work with the same subnets.

Also, which device do you recommend? We need wireless, and I wasn’t sure whether to buy an all-in-one or buy a wireless system and router separately. I was looking at the RB2011UiAS-2HnD-IN.

It is not a huge office building. I’m sure the RB2011UiAS-2HnD-IN would be plenty for wireless. I just want to make sure we have a stable device to support our 50Mbit up and down and potentially increase that in the future. I don’t want another scenario like our current WatchGuard, which is just terrible.

We also have about 20-30 NAT rules.

Thank you for your time reading this, and I hope I was clear enough in what I’m looking for and my questions. I do apologize, I am somewhat new to networking, but I am a bit above a beginner; I know all about the basics, etc. Just not bigger things such as BGP routes, and most routing protocols in general.

Change one or both of the subnets and save a lot of grief. Having them the same will cause issues for all sorts of VPN gateways - not just RouterOS. The issues can sometimes be worked around - but best to simply avoid them.

I really dislike running the same subnet at multiple sites. I cannot say if that will cause you any trouble. I dislike it enough that every site I manage uses some randomly chosen subnet in RFC1918 space. So, I don’t have recent experience with your situation.

The CPU in the RB2011-UAS should be sufficient for the bandwidth and number of rules you specify. It just depends on the individual rules. Deep packet inspection rules could cause it to overwork the CPU. Watch how you write your rules to limit the impact on the CPU.

You don’t say how many wired devices you have. Just remember that the RB2011s have 5 GigE ports and 5 10/100Mbps ports. The CRS125 has 24 GigE ports and the same CPU. I think the wireless is the same also, but I have not specifically looked at those specs. You may already have a separate switch and not care how many ports you get on the router.

I use the 2011 series devices as the base of tower routers for up to around 100Mbps of traffic. I do not run VPNs on those routers but do queue tree bandwidth limiting for around 100 clients served from the tower and passthrough traffic to other towers. The queue tree is typically handling 50Mbps or less of traffic.

Unfortunately the subnets won’t be something to change; if either of us were to VPN in from a store location, it would be on this subnet also. Over 87 locations… Nah, can’t change that, not worth it. It would be nice if you could push routes to the VPN client, such as in OpenVPN. Maybe someday it will happen; I saw someone mention it as a feature request.

I have a separate 24-port Gigabit switch for all the office machines, somewhere around 20 of them. So I would only utilize one port on the router itself. There are no deep rules, no filters really at all, just simple NATs: IP X on port 80 goes to IP Y on port 80 kind of scenario.

Just want to make sure it can handle what I throw at it. If the only concern is the VPN, I think I can work around that.

I would advise you to consider either the http://routerboard.com/CRS109-8G-1S-2HnD-IN, the http://routerboard.com/RB951G-2HnD or the http://routerboard.com/RB922UAGS-5HPacD (the last one with an extra 2.4GHz wifi card, enclosure and antennas) as your central router and for your branch office locations (and your boss’ home). Then I would create PPTP tunnels on a totally different subnet and place bridged EoIP connections over the VPN tunnels.

Sent from my GT-I9100 using Tapatalk

You all obviously discarded the most important request for Taylor’s network: his boss has to be able to browse the network from home. That requires all machines to be on the same network so that Windows can resolve machine names via SMB broadcasts.
Browsing will not work on MT anyway, because their PtP implementations lack broadcast forwarding, and bridging is not available for Windows clients.

The OP mentioned access to network server shares. Broadcast traffic over the VPN is not necessary to provide access to network server shares. They can be accessed using the IP address or name if name lookup is available.

Taylor mentioned “as if he was connected”, which usually doesn’t imply access using IP addresses. From my own experience I can tell you, bosses want browsing, visible names in My Network and so on.

I would suggest also replacing the router at the boss’ home with a MikroTik (say the http://routerboard.com/RB951G-2HnD), and setting it up the way I described, i.e. with an EoIP connection over a PPTP link. The EoIP interfaces (one on each side) would be added to the LAN bridge of each of the routers and thus support broadcast and all.

The irony is that in networks small enough for such browsing to be useful it is fairly trivial to make the necessary shortcuts to render browsing unnecessary. Even in a small business network, creating unfiltered layer 2 connectivity just to support broadcasts for network browsing is pretty ugly from the security perspective. Explaining to the “boss” how to provide the business connectivity necessary for the business while reducing the vulnerability profile can indeed be an art form, but once the boss buys in everybody else will fall in line, so it can be well worth the effort. :wink:

Simply one EoIP between the boss’s home and the office?

On the office router the EoIP is on a bridge with the local LAN;
at the boss’s house the EoIP end is on a bridge with one Ethernet port or one VirtualAP.

When the boss connects via that Ethernet port or wireless, he obtains an IP from the office, and everything works as if the PC were directly connected to the office.

That would certainly be preferable - even better if we can lock that port to permitted client MAC addresses.

If however the “office” has two servers then I would personally still advocate shortcuts & WINS and save the extra risk not to mention the overhead!

I ended up buying an RB2011UiAS-2HnD-IN. My boss isn’t like most bosses; we are pretty much partners, just “technically” he is the boss. He can just use IPs and I think he does that already. He’s not your typical boss lol.

I talked to him about it and he’s fine with switching to it, and he said he could even change his subnet at home, and I said hey great, that’ll make less hassle. I ordered it Friday before I left work, and this weekend I’ve been preparing my rules heh.

I have the NAT rules set up, and I’m just going through all the filter rules I’ll want. I typically go for only allowing inbound what I should and blocking everything else, and the same for outbound, but that’s for personal servers. For the office I might not block all the outbound except what’s required; it could be more hassle than it’s worth!

So far these are the filter rules I’ve prepared. If any of you have suggestions or comments, I appreciate all. :slight_smile:

/ ip firewall filter
add chain=input connection-state=established action=accept comment="Accept established connections"
add chain=input connection-state=related action=accept comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=icmp limit=20/5s,2 action=accept comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox"
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
add chain=forward protocol=tcp dst-port=25 action=log log-prefix=email comment="Log outbound SMTP"
add chain=forward protocol=tcp dst-port=25 action=drop comment="Drop outbound SMTP"

If any of you are in the United States, where do you buy your MikroTik from? I have had to shop at randomly good places depending on which one I needed. I bought this one from Newegg via a 3rd party, and from SolidSignal for the one for home and the store location I got. But neither place seems to have a good supply.

If you want the device to be a firewall then your forward chain should start with a drop command and then only place accept rules for the traffic that you want to permit above that.

Good to hear that the “boss” isn’t wed to 1999 style network browsing. Now if you can just persuade him that the remote networks’ IP ranges should be changed as and when opportunity arises… :wink:

You’ve lost me on the forward chain putting it first… If you could go into more detail it would make it more clear for me.

Yeah, I’m fine with putting in MikroTik everywhere; it was even discussed for PCI compliance for credit card processing at our retail locations. The problem is, we have 87 locations… at least 3-5 computers per location, and the only IT in the company is him and I… lol. It would be utter chaos just to maintain these systems! The minute someone dumb enough resets our equipment and I have to drive 4 hours to fix it lol…

But yeah. I of course want it to be a firewall, and locked down as tight as I can while still not being so tight that other employees can’t do anything, and I don’t want it to impact the performance of the network.

Edit: woops, just reread and saw you mentioned the subnets heh. The same still applies; it’s a bit of a pain to maintain and do all that lol. I already gave him a schema for what store gets what subnet, I called it our “5 year” plan.

When you look at the forward chain rule you would expect to see a drop rule at the end (lowest on the list). That rule is not qualified with any selection criteria - it just says action=drop. Thus only traffic which has been specifically identified to be accepted in earlier (higher) rules will be permitted.

Oh yes, I understand now. That is if I want to lock down everyone on my LAN, and I don’t know if I am going to do that yet. I would have to figure out any odd ports anyone is using for whatever reasons, and right now I’ll just leave that alone lol. Obviously I blocked SMTP port 25; had a rogue virus give me problems with that in the past. (Forgot to add our mail server as an exception on that rule, woops, will do that now.)

I think you are misunderstanding. At the moment the forward chain rules that you have in place means that the device is not behaving like a firewall - it is behaving pretty much like a router in that it will forward packets among ports with only one restriction regarding SMTP.

A typical firewall config starts with:

Allowing NEW connection traffic from the inside / LAN to the outside / WAN.
Allowing ESTABLISHED connection traffic.
Allowing RELATED connection traffic.
If you have multiple LAN ports perhaps allowing inter-LAN port traffic.
Denying all remaining forwarded traffic by default.

Then add other rules as necessary.

You currently have a “drop all” at the end of the input chain but that only affects traffic to the router itself.
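As an added example (not the OP’s rule set, nor something from the replies), here is how that default-deny forward chain could look in RouterOS, keeping the OP’s SMTP block but with the mail-server exception he mentioned. It assumes the WAN interface is `ether1`, the LAN is the bridge `bridge-local`, and the mail server and a port-forwarded web server sit at constructed addresses 192.168.2.25 and 192.168.2.10.

```routeros
/ip firewall address-list
add list=allowed-smtp address=192.168.2.25 comment="office mail server (constructed address)"

/ip firewall filter
# Forward chain: traffic passing THROUGH the router (LAN<->WAN), not traffic to it.
# Stateful accepts first, then per-service rules, then an unqualified drop last.
add chain=forward connection-state=established action=accept comment="Accept established"
add chain=forward connection-state=related action=accept comment="Accept related"
add chain=forward connection-state=invalid action=drop comment="Drop invalid"
# Outbound SMTP: only the mail server may open port 25 to the outside.
add chain=forward protocol=tcp dst-port=25 src-address-list=allowed-smtp action=accept comment="Mail server may send SMTP"
add chain=forward protocol=tcp dst-port=25 action=log log-prefix=email comment="Log other outbound SMTP"
add chain=forward protocol=tcp dst-port=25 action=drop comment="Drop other outbound SMTP"
# New connections from the LAN to the WAN are allowed (this rule must come AFTER the SMTP drop).
add chain=forward connection-state=new in-interface=bridge-local out-interface=ether1 action=accept comment="LAN may open connections to WAN"
# Inbound: dst-nat has already rewritten the destination by the time the forward chain runs,
# so a port-forward is accepted by matching the INTERNAL address, not the public one.
add chain=forward connection-state=new in-interface=ether1 protocol=tcp dst-address=192.168.2.10 dst-port=80 action=accept comment="Port-forwarded web server (constructed address)"
# Everything else that is forwarded, in either direction, is logged and dropped.
add chain=forward action=log log-prefix="DROP FORWARD" comment="Log everything else"
add chain=forward action=drop comment="Drop everything else"
```

Each additional NAT rule needs a matching `chain=forward ... action=accept` placed above the final drop, otherwise the forwarded packets are silently discarded once the default-deny is in place.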

We must not be thinking the same thing for sure. My definition of a firewall involves outside traffic coming INTO my network (through the firewall..)

So yes, I am blocking everything from coming in, but I’m not blocking everything going out (as stated before a few times, I may or may not do this).

You are saying I’m blocking everything coming in, but not everything going out, therefore it’s not a full firewall in your definition. Am I understanding what you are saying now?

If you want to paste a set of rules you would do or that you are speaking of, that would make more sense to me. (If I didn’t already say what you meant.)

Not with the filter rules you showed above! The input chain only covers traffic to the router itself. At the moment the forward chain is pretty much open so for instance inbound WAN>LAN traffic is not being restricted.