Hi everyone,
I’m new to RouterOS and I’m still struggling to make sense of its many features.
Today, I was trying to set up a “DMZ” for one of my PCs. Setting it in a "normal" router device is kind of a simple and straightforward process:
you set a machine’s IP in DMZ, save, and boom, done!
With Mikrotik devices you need to delve deeper into computer network learning. It’s ok. I bought it for this reason.
I know that I can get the job done by trying two ways:
1) by removing the port from the bridge, which will separate the interface from the bridge;
2) by setting firewall rules and allowing any in- and outbound traffic for that device’s IP.
For the sake of learning I’d like to try both.
Could you please help me understand what to do?
Thanks
I don’t think anyone here is going to recommend a DMZ approach, as it’s usually not necessary and often can be a security risk.
For what reason do you require opening up every port to a PC… for incoming WAN exploitation?
You first need to define DMZ and what you expect from it.
A real DMZ would be separated from LAN and other networks, except for some specifically allowed stuff. You can do that with a dedicated interface (to block L2 connectivity) and firewall rules (to block routing on L3).
The usual “normal” router’s “DMZ” is just dstnat/netmap to a selected address and there’s no separation at all.
Because on that PC there is a pfsense firewall.
I know that it’s not the best solution, but I’m messing around with the settings just for the sake of learning.
My previous LAN setting was something like this:
ISP Router (public IP) → DD-WRT (WAN IP 192.168.1.11, gateway 192.168.1.1 = ISP router LAN IP, DD-WRT LAN IP 192.168.3.1) → pfSense (WAN IP 192.168.3.80).
I just want to replicate this one on my new Mikrotik device in the place of the DD-wrt router.
I know that it is kind of weird, but I have my reasons. In a few words, the ISP router is not mine.
So, what should I do to let the traffic from and to pfsense not be affected by my Mikrotik?
On my DD-wrt I simply set the pfsense’s IP address in DMZ.
Thank you
I am just practising and I don’t expect anything in particular from it now. I have an idea about what my final LAN setup will be, but I am now messing around in order to learn how a MikroTik device works. I will probably use it just as a switch to create VLANs for my pfSense firewall.
A real DMZ would be separated from LAN and other networks, except for some specifically allowed stuff. You can do that with a dedicated interface (to block L2 connectivity) and firewall rules (to block routing on L3).
The usual “normal” router’s “DMZ” is just dstnat/netmap to a selected address and there’s no separation at all.
Ok, could we please delve deeper into it?
Thank you very much
If it should be the same config with 192.168.1.11 on WAN and 192.168.3.1 on LAN (I guess you were able to configure these parts?), then you can forward everything from 192.168.1.11 to 192.168.3.80 with:
And whether it will be isolated from the rest of the LAN or not depends on where you put 192.168.3.1/24: on some common interface or bridge, or on a separate one. For the latter you’ll want some “/ip firewall filter” rules to either block access from the pfSense interface to the others (that could be used if you otherwise keep the default firewall), or, my preferred way, allow some things and block everything else, e.g.:
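The rule text from this post did not survive on the page, so here is a complete worked configuration for the setup it describes (and the “real DMZ” definition given earlier in the thread): a dedicated interface off the bridge, dstnat/netmap of the WAN address to pfSense, and a forward chain that allows selected traffic and drops the rest. This is an added example, not the poster’s own commands. It assumes the uplink port is already named WAN, the bridge port facing the rest of the LAN is named LAN, that pfSense is plugged into ether5 (an assumption; it gets renamed to DMZ), that the bridge is named “bridge”, and that outbound srcnat/masquerade already exists. Addresses 192.168.1.11, 192.168.3.1/24 and 192.168.3.80 are the ones from the thread.

```routeros
# Added example, not from the original post. Assumption: pfSense is on ether5.

# 1) Take the pfSense port out of the bridge (no more L2 path to the LAN)
#    and rename it so the firewall rules can refer to it as "DMZ".
/interface bridge port remove [find interface=ether5]
/interface ethernet set [find default-name=ether5] name=DMZ

# 2) Separate subnet on that port; 192.168.3.1 is the gateway pfSense points at.
/ip address add address=192.168.3.1/24 interface=DMZ comment="DMZ gateway for pfSense"

# 3) The "consumer router DMZ" part: everything arriving on the WAN address is
#    handed to pfSense (netmap is a 1:1 dst-nat of the whole address).
/ip firewall nat add chain=dstnat in-interface=WAN dst-address=192.168.1.11 action=netmap to-addresses=192.168.3.80 comment="forward everything from WAN to pfSense"

# 4) Forward chain: allow what is wanted, drop the rest. Rules are matched top to bottom.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="existing connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
add chain=forward in-interface=LAN out-interface=WAN action=accept comment="LAN -> internet"
add chain=forward in-interface=DMZ out-interface=WAN action=accept comment="DMZ -> internet"
add chain=forward connection-nat-state=dstnat action=accept comment="allow dst-natted (forwarded) connections"
add chain=forward action=drop comment="drop everything else, incl. DMZ <-> LAN in both directions"
```

The final drop rule is what makes this a DMZ rather than just a port forward: with no accept rule between DMZ and LAN, the only L3 path between them would be an explicit rule you add later. Check the resulting order with `/ip firewall filter print`, because an accept rule placed below the final drop never matches.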
Yes, I was able to configure those parts, but I’m still a beginner and I need to become familiar with the network stuff and the MikroTik “world”.
Ok, I need now to make sure that I get it right.
Is the code above sufficient to get the job done without any other hassle? With this solution I don’t need to remove the port (which my pfSense is connected to) from the bridge, do I?
And whether it will be isolated from the rest of the LAN or not depends on where you put 192.168.3.1/24: on some common interface or bridge, or on a separate one. For the latter you’ll want some “/ip firewall filter” rules to either block access from the pfSense interface to the others (that could be used if you otherwise keep the default firewall), or, my preferred way, allow some things and block everything else, e.g.:
If you only want to send incoming traffic to this internal device and you don’t care about isolating that device from anything else that might be in 192.168.3.0/24, the dstnat rule is enough (if you have an otherwise configured router).
Those other firewall rules show the general approach which I think is best, i.e. select what you want to allow and block the rest. That’s in contrast to blocking selected stuff and allowing everything else. If you make a mistake with the former and forget to allow something, you’ll immediately notice, because something won’t work. If you make a mistake with the latter and forget to block something, you may never notice, because it didn’t occur to you to test that specific thing.
And yes, in-interface=DMZ is just the name of an interface, same as WAN and LAN. It’s meant as an easy to understand example.
Yes... and no. As I said, I’d like to have my pfSense as if it were directly exposed to the internet traffic and not be affected by any MikroTik firewall rules, but other devices connected to the same MikroTik must be able to access the internet anyway.
And yes, in-interface=DMZ is just the name of an interface, same as WAN and LAN. It’s meant as an easy to understand example.
So, just to recap: I remove a port from the bridge, give it a different subnet and name it “DMZ”, and set the pfSense WAN IP, which must be in the same subnet as the isolated port. As a final step I set these rules:
I would say so. The port with the DMZ is no longer on the bridge and is in a different subnet, so that should stop layer 2 crosstalk to the LAN.
The firewall rules look good to prevent any L3 routing by the MT between the DMZ and the LAN.
Since the traffic is going to be routed through the RB, it will be affected by its firewall. It’s up to you to configure it in a way that it won’t interfere with it.
For example, let’s say you’d decide to block access to external SMTP servers using this rule:
If you put it after the drop rule for invalid packets, it will affect both LAN and DMZ. So one solution would be to allow DMZ access to the internet first, then block SMTP, and finally allow LAN to the internet. And because rules are processed in order from top to bottom, anything from DMZ to the internet will be allowed (including SMTP), SMTP from everywhere else will be blocked, and finally everything else except the already blocked SMTP from LAN to the internet will be allowed too.
But you won’t like the result if you have your own SMTP anywhere in LAN or DMZ. Because if the rule allowing forwarded ports (the one with connection-nat-state=dstnat) is still last, incoming connections to your internal SMTP server would be blocked too. That could be solved either by moving this rule closer to the top, before the blocking rule, or you could add out-interface=WAN to the blocking rule to prevent it from affecting incoming connections. And this can be done with many things; usually there’s more than one way to do something.
Don’t be afraid to experiment, it’s fun, and trial & error is a good way to learn (from your mistakes).
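The SMTP rule quoted in this post is missing from the page, so the ordering it explains is written out below as an added example (not the poster’s own rules). It assumes the block rule is `protocol=tcp dst-port=25` in the forward chain, the interface names WAN, LAN and DMZ used throughout the thread, and the allow-selected/drop-rest forward chain from earlier. The block rule here is placed where the post says it should go, with `out-interface=WAN` added so it only matches outbound connections; the alternative fix (moving the dstnat accept rule above it) is noted in a comment.

```routeros
# Added example of rule ordering, not from the original post.
# Forward chain, matched top to bottom; the position of the SMTP drop is the point.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="existing connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid"

# DMZ before the SMTP block: pfSense keeps full access outbound, port 25 included,
# because this accept rule matches first.
add chain=forward in-interface=DMZ out-interface=WAN action=accept comment="DMZ -> internet (SMTP allowed)"

# Outbound SMTP block for everything still unmatched, i.e. the LAN.
# out-interface=WAN keeps it from matching dst-natted inbound connections to an internal
# SMTP server (which arrive in-interface=WAN, out-interface=LAN or DMZ).
# Without it, the "allow forwarded" rule further down would never see them.
# Alternative fix from the post: leave out out-interface=WAN and move the
# connection-nat-state=dstnat rule above this one instead.
add chain=forward protocol=tcp dst-port=25 out-interface=WAN action=drop comment="LAN: no direct outbound SMTP"

# Everything else from LAN to the internet is still allowed; SMTP was dropped above.
add chain=forward in-interface=LAN out-interface=WAN action=accept comment="LAN -> internet"
add chain=forward connection-nat-state=dstnat action=accept comment="allow forwarded ports"
add chain=forward action=drop comment="drop the rest"
```

If the same SMTP drop were inserted right after the “drop invalid” rule without `out-interface=WAN`, it would sit above both interface accept rules and match port 25 from DMZ, from LAN and from WAN alike; `/ip firewall filter print` with the `packets` and `bytes` counters is the quickest way to see which rule a test connection actually hit.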
Sob doesn’t get anything. Except some weird enjoyment, satisfaction or whatever it is, from answering same questions again and again. Sometimes I’m wondering if that’s even the case. But hey, nobody is holding a gun to my head, I can quit anytime I want.