I'm new to using MikroTik RouterOS.
I own a RouterBoard 750 and now I want to separate the DMZ from the LAN.
Ether1 is the WAN Port using PPPoE to get an Internet connection. The provided IP-Address is dynamic.
Ether2 should be the Port for the DMZ, using the IP-Network 10.0.1.0/24.
Ether3 should be LAN1, using IP-Network 10.0.2.0/24.
Ether4 should be LAN2, using IP-Network 10.0.3.0/24.
Ether5 is not connected.
I want to get access from all LAN-Ports to the Internet and to the DMZ.
Traffic from the Internet should be routed to the DMZ.
The DMZ-Clients shouldn’t have access to the LANs.
I've been trying to solve this problem for weeks, but either I can't connect from LAN to DMZ and from DMZ to LAN, or I can connect from LAN to DMZ and from DMZ to LAN.
Build your firewall rules as per the requirement:
/ip firewall filter
add action=drop chain=forward connection-state=invalid comment="Drop invalid connections"
add chain=forward connection-state=established comment="Allow established traffic"
add chain=forward connection-state=related comment="Allow related traffic"
add chain=forward in-interface=ether3 comment="Allow traffic from LAN1"
add chain=forward in-interface=ether4 comment="Allow traffic from LAN2"
add chain=forward in-interface=ether2 out-interface=pppoe-client comment="Allow traffic from DMZ to internet"
add chain=forward in-interface=pppoe-client out-interface=ether2 comment="Allow traffic from internet to DMZ"
add action=drop chain=forward comment="Block all other traffic"

I assume you have a NAT rule on your outgoing interface (I called it pppoe-client) and therefore you have to create dst-nat rules in order to let connections go to your DMZ.
If you e.g. have a web server in your DMZ, you need a rule like:
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=pppoe-client protocol=tcp dst-port=80 to-addresses=10.0.1.x to-ports=80

PS. I have written these rules without testing them on a device, so there can be typos.
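The following is an added example and not code from the thread or from MikroTik: a small Python model of the forward chain proposed in the answer, evaluated with RouterOS first-match semantics (the first matching rule decides; a packet matching no rule is accepted). It uses the interface names from the thread (ether2 = DMZ, ether3/ether4 = LANs, pppoe-client = WAN). The `STATELESS_FORWARD` list is a constructed contrast, not the questioner's actual configuration: it is the same chain with the connection-state rules removed, and it reproduces the "LAN cannot reach DMZ" symptom because the replies from the DMZ back to the LAN hit the final drop. The stateful chain accepts those replies while still dropping connections that the DMZ itself initiates towards a LAN.

```python
"""Added example: first-match evaluation of a RouterOS-style forward chain.

Not from the forum thread; it only models the rule ordering discussed there so
the LAN/DMZ policy can be checked offline before committing it to a router.
"""
from typing import List, NamedTuple, Optional

# Interface names as used in the thread
WAN, DMZ, LAN1, LAN2 = "pppoe-client", "ether2", "ether3", "ether4"


class Packet(NamedTuple):
    in_iface: str
    out_iface: str
    state: str  # "new", "established", "related" or "invalid"


class Rule(NamedTuple):
    action: str = "accept"  # RouterOS filter rules default to accept
    connection_state: Optional[str] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        # An omitted matcher (None) matches anything, like an omitted parameter in RouterOS
        return (
            (self.connection_state is None or self.connection_state == pkt.state)
            and (self.in_interface is None or self.in_interface == pkt.in_iface)
            and (self.out_interface is None or self.out_interface == pkt.out_iface)
        )


# The forward chain from the answer above, in the same order
STATEFUL_FORWARD: List[Rule] = [
    Rule("drop", connection_state="invalid", comment="Drop invalid connections"),
    Rule(connection_state="established", comment="Allow established traffic"),
    Rule(connection_state="related", comment="Allow related traffic"),
    Rule(in_interface=LAN1, comment="Allow traffic from LAN1"),
    Rule(in_interface=LAN2, comment="Allow traffic from LAN2"),
    Rule(in_interface=DMZ, out_interface=WAN, comment="Allow traffic from DMZ to internet"),
    Rule(in_interface=WAN, out_interface=DMZ, comment="Allow traffic from internet to DMZ"),
    Rule("drop", comment="Block all other traffic"),
]

# Constructed contrast (hypothetical, not the questioner's config): the same
# interface rules without the connection-state rules.
STATELESS_FORWARD: List[Rule] = [r for r in STATEFUL_FORWARD if r.connection_state is None]


def evaluate(chain: List[Rule], pkt: Packet) -> str:
    """Verdict of the first matching rule; RouterOS accepts when nothing matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return "accept"


def flow_verdict(chain: List[Rule], src: str, dst: str) -> str:
    """Verdict for a flow opened from src to dst.

    The opening packet is 'new' src->dst; if it is accepted, the reply travels
    dst->src in state 'established'. Only a flow that passes in both directions
    actually works, so anything else is reported as 'drop'.
    """
    if evaluate(chain, Packet(src, dst, "new")) != "accept":
        return "drop"
    return evaluate(chain, Packet(dst, src, "established"))


def policy_matrix(chain: List[Rule]) -> dict:
    """Flow verdicts for the interface pairs the thread cares about."""
    pairs = [(LAN1, DMZ), (LAN2, DMZ), (LAN1, WAN), (LAN1, LAN2),
             (DMZ, WAN), (DMZ, LAN1), (WAN, DMZ), (WAN, LAN1)]
    return {(src, dst): flow_verdict(chain, src, dst) for src, dst in pairs}


if __name__ == "__main__":
    for name, chain in (("stateful", STATEFUL_FORWARD), ("stateless", STATELESS_FORWARD)):
        print(f"--- {name} chain ---")
        for (src, dst), verdict in policy_matrix(chain).items():
            print(f"{src:>13} -> {dst:<13} {verdict}")
```

Running the script prints both matrices side by side; the stateful chain is the only one in which LAN to DMZ, LAN to internet and internet to DMZ all work while DMZ to LAN and internet to LAN are dropped, which is exactly the requirement list from the question.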