Set up DMZ on MikroTik router

Hello all,

I’m new to MikroTik and RouterOS and I need a lot of help.

I just got my hands on a CCR2004-1G-12S+2XS, which I want to use to replace my Zyxel EX5601-T0. The Zyxel is also SFP+ fed, but from what I have heard the CCR2004 is much faster and more reliable, has two PSUs and has more SFP+ ports.

The equipment behind it:

pfSense on a SuperMicro as Firewall and VPN Server

DrayTek Vigor2832n as VPN Client

Cisco 3850 48P-PoE+ with 4x10GB SFP module

Ruckus ICX7150-C12P with 2x40Gbps SFP+ modules + license

Waystream ASR6260 (24 port SFP+ 1Gbps and 2x10Gbps SFP+ ports)

HP ProLiant N54L as Plex Server

Dell PowerEdge R320 as NAS

Dell PowerEdge R320 as HTTP+MySQL+Mail

Raspberry Pi 4 B+ as VoIP Server for 6 home phones

Raspberry Pi 3 B+ as CUPS Server for 3 printers

Dell PowerEdge 1950 as TFTP Server for config backups

A few Cisco and Ubiquiti APs, a few laptops, PCs and Macs, a handful of phones, TVs and small devices.

I know. A little bit too much for home use, but I like to do weird stuff in my free time.

Now to the chase: I want to replace the Zyxel with the MikroTik router and need to set up a DMZ to the pfSense. On the pfSense “everything” will be blocked, and access to all those things will be available only if you are connected to the local network or through the VPN provided by the DrayTek. Some of you will ask “Why all that hassle for a small home network with nothing important on it?”. The answer is simple: I like to do things the hard way or it’s not fun.

So, if anyone is willing to help me, step by step, to set up the DMZ from the feed (SFP+: 192.168.0.1) to the FW (SFP+: 192.168.0.2), I will be very grateful. I’m using WinBox to set it up, not the console. The part with pfSense, VPN, domain on a dynamic IP and so on is kind of easy and I’ll not bother you with it :)

It is much more efficient to use the CCR for everything: drop the pfSense and the DrayTek, do both firewall and VPNs on the CCR, and use VLANs. For me, simplifying when practical without significant loss in performance is always the smart move.

Thank you for your answer @anav, but since I have the CCR2004 for free, I will not spend so much money on a CCR to make things easy. There is another reason I want the pfSense in place, and that is to block Roblox and YouTube for my daughter on a schedule. YouTube will be made accessible only through the VPN for the adults.

So, if anyone can help me with this DMZ I will be very grateful.

Why do you even need the CCR just to do a DMZ to a single host? Just plug whatever ISP device you have directly into the SuperMicro. What can the CCR do with the internet connection that pfSense can't?

My internet comes in over fiber optic and the SuperMicro does not support SFP+.

Use something like this if you need 10Gbps internet: https://www.fs.com/sg/products/243243.html?now_cid=1038 (such converters cost less than $50 if you only need 1Gbps).

Alternatively, just use one of your switches that still has one SFP+ and one RJ45 port free. Set up a VLAN (or multiple, if your internet connection also carries IPTV and VoIP) between those two ports alone.

Why waste electricity to power a CCR2004 with fans?

Maybe I’m planning to do something in the future that I don’t want to discuss online?!
As you can’t give me the answer, I will keep digging on Google and wait for someone who can…

I already gave you an answer:

If you insist on using the CCR for this purpose, then use it like a switch. In fact, because this particular device has no switch chip, you won't even need to worry about maintaining hardware offloading (it doesn't support it). Just create an empty bridge, then add just the two ports to that bridge, and you have your overpriced two-port converter/switch. No layer 3, no IP address configuration required. If you need to transport multiple VLANs (for IPTV and VoIP), add the VLANs to that bridge.

As for the rest of the ports, you can later do whatever you want with them, isolated from the two-port bridge.
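A worked version of the two-port bridge described in the reply above (and of the earlier suggestion to carry the feed over dedicated VLANs between exactly two ports), written as RouterOS CLI that can be pasted into a WinBox terminal. This is an added example, not configuration posted by anyone in the thread; the port roles `sfp28-1` (ISP fiber feed) and `sfp-sfpplus1` (pfSense WAN), the bridge name and the VLAN IDs 100/200/300 are assumptions chosen for illustration and must be matched to the real cabling and ISP service tags.

```routeros
# Added example, not from the thread. Assumed port roles on a CCR2004-1G-12S+2XS:
#   sfp28-1       <- ISP fiber feed
#   sfp-sfpplus1  -> pfSense WAN (the SuperMicro)
# Every other port on the router stays outside this bridge.

# 1. Layer-2-only pass-through: one bridge, exactly two member ports.
#    protocol-mode=none keeps the router from sending STP BPDUs toward the ISP.
/interface bridge
add name=br-isp-passthru protocol-mode=none comment="ISP feed <-> pfSense WAN, L2 only"
/interface bridge port
add bridge=br-isp-passthru interface=sfp28-1 comment="ISP feed"
add bridge=br-isp-passthru interface=sfp-sfpplus1 comment="pfSense WAN"

# Do NOT add an IP address or a DHCP client to this bridge: the public side of
# pfSense must never terminate on the MikroTik. Manage the router over a
# different port. A plain bridge already forwards 802.1Q-tagged frames untouched,
# so a single tagged service VLAN from the ISP passes through with no extra work.

# 2. Optional hardening when the feed carries several tagged services
#    (Internet, IPTV, VoIP): allow only those VLAN IDs on the two ports.
#    Untagged and unknown-VLAN frames are dropped, and the listed VLANs never
#    reach the router's own CPU because the bridge itself is not a member.
/interface bridge port
set [find interface=sfp28-1] frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [find interface=sfp-sfpplus1] frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=br-isp-passthru vlan-ids=100,200,300 tagged=sfp28-1,sfp-sfpplus1 comment="Internet/IPTV/VoIP; IDs assumed"
/interface bridge
set br-isp-passthru vlan-filtering=yes

# 3. Checks: no IP on the bridge, both ports are members, MACs are being learned.
/ip address print where interface=br-isp-passthru
/interface bridge port print where bridge=br-isp-passthru
/interface bridge vlan print
/interface bridge host print where bridge=br-isp-passthru
```

Step 2 only applies when every service on the feed arrives tagged; if the ISP delivers the Internet service untagged, stop after step 1 (or give the two ports a matching `pvid` instead of `admit-only-vlan-tagged`). Enable `vlan-filtering` last, after the VLAN table is in place, so no frame is dropped during the change; because management is on a separate port, a mistake here cannot lock you out of WinBox.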

"Maybe I’m planning to do something in the future that I don’t want to discuss online?!"
Please do not let us know, it would be scarier than a horror film LOL